Update index.yaml

Signed-off-by: szaimen <szaimen@users.noreply.github.com>

.gitattributes

@@ -1 +0,0 @@
-* text=auto

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,15 +1,12 @@
 ---
-name: 🐛 Bug report - no questions and no support!
-about: Help us improving by reporting a bug - this category is not for questions and also not for support! Please use one of the options below for questions and support
-labels: 0. Needs triage
+name: 🐛 Bug report
+about: Help us improving by reporting a bug
+labels: bug, 0. Needs triage
 ---
 
 <!---
-- Before submitting a bug report, please read through the documentation available at https://github.com/nextcloud/all-in-one#faq
-- Additional documentation is available here: https://github.com/nextcloud/all-in-one/discussions/categories/wiki
-- You should also read through existing questions and their answer here: https://github.com/nextcloud/all-in-one/discussions/categories/questions
-- Additional threads can be found here: https://help.nextcloud.com/tag/aio
-- Existing feature requests are listed here: https://github.com/nextcloud/all-in-one/discussions/categories/ideas
+- If you use Cloudflare Tunnel or Cloudflare Proxy, see https://github.com/nextcloud/all-in-one#notes-on-cloudflare-proxytunnel for known issues/limitations and workarounds.
+- For issues with Collabora or Talk, make sure to follow https://github.com/nextcloud/all-in-one/discussions/1358. It may already resolve your issue and makes it easier to help you.
 --->
 
 <!--- Please fill out the whole template below -->
@@ -23,17 +20,11 @@ labels: 0. Needs triage
 ### Actual behavior <!--- Tell us what happens instead -->
 
 
-### Other information
-#### Host OS <!--- (the host OS on which you are trying to install AIO on) -->
+### Host OS <!--- (the host OS on which you are trying to install AIO on) -->
 
-#### Output of `sudo docker info`
 
-#### Docker run command or docker-compose file that you used
+#### Nextcloud AIO version <!--- (see Nextcloud AIO interface) -->
 
-#### Output of `sudo docker logs nextcloud-aio-mastercontainer`
+#### Current channel <!--- (see the channel name in the AIO interface) -->
 
-#### Output of `sudo docker inspect nextcloud-aio-mastercontainer`
-
-#### Output of `sudo docker ps -a`
-
-#### Other valuable info <!--- (like additional logs, screenshots & Co.) -->
+#### Other valuable info <!--- (like logs, screenshots & Co.) -->

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,7 +1,7 @@
 ---
 name: 📖 Existing feature/documentation enhancement
 about: Suggest an enhancement of an existing feature/documentation - for other types, please use the feature request option below
-labels: 0. Needs triage
+labels: enhancement, 0. Needs triage
 ---
 
 <!--- Please fill out the whole template below -->

.github/ISSUE_TEMPLATE/config.yml

@@ -1,14 +1,14 @@
 blank_issues_enabled: false
 contact_links:
-    - name: 📘 Documentation on Nextcloud AIO
-      url: https://github.com/nextcloud/all-in-one#faq
-      about: Please read the docs first before submitting any report or request!
-    - name: ⛑️ Questions and support
-      url: https://help.nextcloud.com/tag/aio
-      about: For questions, support and help
     - name: 💡 Suggest a new feature or discuss one
       url:  https://github.com/nextcloud/all-in-one/discussions/categories/ideas
       about: For new feature requests and discussion of existing ones
+    - name: ❓ Questions on AIO
+      url: https://github.com/nextcloud/all-in-one/discussions/categories/questions
+      about: For questions regarding AIO
+    - name: ⛑️ Community Support and Help
+      url: https://help.nextcloud.com/tag/aio
+      about: For other types of questions
     - name: 💼 Nextcloud Enterprise
       url: https://portal.nextcloud.com/
-      about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly
+      about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly

.github/dependabot.yml

@@ -1,62 +1,158 @@
 version: 2
 updates:
 - package-ecosystem: "github-actions"
-  directory: ".github/workflows"
+  directory: "/"
   schedule:
     interval: "daily"
     time: "12:00"
   open-pull-requests-limit: 10
-  rebase-strategy: "disabled"
-  labels:
-  - 3. to review
-  - dependencies
-  cooldown:
-    default-days: 7
 - package-ecosystem: composer
   directory: "/php/"
   schedule:
     interval: "daily"
     time: "12:00"
   open-pull-requests-limit: 10
-  rebase-strategy: "auto"
   labels:
   - 3. to review
   - dependencies
 - package-ecosystem: "docker"
-  directories:
-    - "/Containers/alpine"
-    - "/Containers/apache"
-    - "/Containers/borgbackup"
-    - "/Containers/clamav"
-    - "/Containers/collabora"
-    - "/Containers/docker-socket-proxy"
-    - "/Containers/domaincheck"
-    - "/Containers/fulltextsearch"
-    - "/Containers/imaginary"
-    - "/Containers/mastercontainer"
-    - "/Containers/nextcloud"
-    - "/Containers/notify-push"
-    - "/Containers/onlyoffice"
-    - "/Containers/postgresql"
-    - "/Containers/redis"
-    - "/Containers/talk"
-    - "/Containers/talk-recording"
-    - "/Containers/watchtower"
-    - "/Containers/whiteboard"
+  directory: "/Containers/apache"
   schedule:
     interval: "daily"
-    time: "04:00"
+    time: "12:00"
   open-pull-requests-limit: 10
-  rebase-strategy: "disabled"
   labels:
   - 3. to review
   - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/borgbackup"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/collabora"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/domaincheck"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/mastercontainer"
+  schedule:
+    interval: "daily"
+    time: "12:00"
   ignore:
     - dependency-name: "php"
       update-types: ["version-update:semver-major", "version-update:semver-minor"]
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/nextcloud"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  ignore:
+    - dependency-name: "php"
+      update-types: ["version-update:semver-major", "version-update:semver-minor"]
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/postgresql"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  ignore:
     - dependency-name: "postgres"
       update-types: ["version-update:semver-major"]
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/redis"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  ignore:
     - dependency-name: "redis"
       update-types: ["version-update:semver-major"]
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/talk"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/watchtower"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/clamav"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/onlyoffice"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/imaginary"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/fulltextsearch"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  ignore:
     - dependency-name: "elasticsearch"
       update-types: ["version-update:semver-major"]
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies

.github/pull_request_template.md

@@ -1,5 +0,0 @@
-<!--
-  - 🚨 SECURITY INFO
-  -
-  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
--->

.github/release.yml

@@ -1,14 +0,0 @@
-changelog:
-  categories:
-    - title: 🏕 New features and other improvements
-      labels:
-        - enhancement
-    - title: 🐞 Fixed bugs
-      labels:
-        - bug
-    - title: 👒 Updated dependencies
-      labels:
-        - dependencies
-    - title: 📄 Improved documentation
-      labels:
-        - documentation

.github/workflows/codespell.yml

@@ -1,20 +0,0 @@
-name: 'Codespell'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  codespell:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Check spelling
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
-        with:
-          check_filenames: true
-          check_hidden: true

.github/workflows/collabora.yml

@@ -1,30 +0,0 @@
-name: collabora-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  collabora-update:
-    name: update collabora
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Run collabora-profile-update
-      run: |
-        rm -f php/cool-seccomp-profile.json
-        wget https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/main/docker/cool-seccomp-profile.json
-        mv cool-seccomp-profile.json php/
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: collabora-seccomp-update automated change
-        signoff: true
-        title: collabora seccomp update
-        body: Automated collabora seccomp profile update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: collabora-seccomp-update

.github/workflows/command-rebase.yml

@@ -0,0 +1,51 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Rebase command
+
+on:
+  issue_comment:
+    types: created
+
+permissions:
+  contents: read
+
+jobs:
+  rebase:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: none
+
+    # On pull requests and if the comment starts with `/rebase`
+    if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
+
+    steps:
+      - name: Add reaction on start
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+          repository: ${{ github.event.repository.full_name }}
+          comment-id: ${{ github.event.comment.id }}
+          reaction-type: "+1"
+
+      - name: Checkout the latest code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+
+      - name: Automatic Rebase
+        uses: cirrus-actions/rebase@1.8
+        env:
+          GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
+
+      - name: Add reaction on failure
+        uses: peter-evans/create-or-update-comment@v2
+        if: failure()
+        with:
+          token: ${{ secrets.COMMAND_BOT_PAT }}
+          repository: ${{ github.event.repository.full_name }}
+          comment-id: ${{ github.event.comment.id }}
+          reaction-type: "-1"

.github/workflows/community-containers.yml

@@ -1,37 +0,0 @@
-name: Validate community containers
-
-on:
-  pull_request:
-    paths:
-      - 'community-containers/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'community-containers/**'
-
-jobs:
-  validator-community-containers:
-    name: Validate community containers
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Validate structure
-        run: |
-          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
-          mapfile -t CONTAINERS <<< "$CONTAINERS"
-          for container in "${CONTAINERS[@]}"; do
-            container="$(echo "$container" | sed 's|./community-containers/||')"
-            if ! [ -f ./community-containers/"$container"/"$container.json" ]; then
-                echo ".json file must be named like its parent folder $container"
-                FAIL=1
-            fi
-            if ! [ -f ./community-containers/"$container"/readme.md ]; then
-                echo "There must be a readme.md file in the folder!"
-                FAIL=1
-            fi
-            if [ -n "$FAIL" ]; then
-                exit 1
-            fi
-          done

.github/workflows/create-psalm-container.yml

@@ -0,0 +1,54 @@
+name: Create Psalm Container
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '5 4 * * *'
+
+jobs:
+  push_to_registry:
+    runs-on: ubuntu-latest
+
+    name: Create Psalm Container
+
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Check out the repo
+        run: |
+          git clone https://github.com/psalm/psalm-github-actions.git
+      
+      - name: Modify the Dockerfile
+        run: |
+          set -x
+          sed -i 's|FROM php:7.4-alpine|FROM php:8.1-alpine|' "psalm-github-actions/Dockerfile"
+          cat << APCU >> "psalm-github-actions/Dockerfile"
+          RUN mkdir -p /usr/src/php/ext/apcu && \
+            curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && \
+            docker-php-ext-install apcu
+          APCU
+
+      - name: Log in to GitHub Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: docker.pkg.github.com
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container image
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: 'psalm-github-actions'
+          file: 'psalm-github-actions/Dockerfile'
+          tags: |
+            ghcr.io/nextcloud/all-in-one-psalm:latest

.github/workflows/dependency-updates.yml

@@ -8,29 +8,28 @@ on:
 jobs:
   dependency_updates:
     name: Run dependency update script
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+    - uses: actions/checkout@v3
+    - uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.5
+        php-version: 8.1
         extensions: apcu
     - name: Run dependency update script
       run: |
         set -x
         cd ./php
-        composer update --with-all-dependencies
-        # Disable dependency updates for now
-        # set +e
-        # ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
-        # set -e
-        # while [ -n "$ALL_LINES" ]; do
-        #   CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
-        #   composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
-        #   ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
-        # done
-        # echo "outdated dependencies:
-        # $(composer outdated)"
+        composer update
+        set +e
+        ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
+        set -e
+        while [ -n "$ALL_LINES" ]; do
+          CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
+          composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
+          ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
+        done
+        echo "outdated dependencies:
+        $(composer outdated)"
     - name: Update apcu
       run: |
         # APCU
@@ -43,23 +42,13 @@ jobs:
             | tail -1
         )"
         sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
-
-        # CADDY_REMOTE_HOST_HASH
-        CADDY_REMOTE_HOST_HASH="$(
-          git ls-remote https://github.com/muety/caddy-remote-host master \
-            | cut -f1 \
-            | tail -1
-        )"
-        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
-
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@v4
       with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: php dependency updates
+        commit-message: dependency updates
         signoff: true
-        title: PHP dependency updates
-        body: Automated php dependency updates since dependabot does not support grouped updates
-        labels: dependencies, 3. to review
+        title: Dependency updates
+        body: Automated dependency updates since dependabot does not support grouped updates
+        labels: dependencies, enhancement
         milestone: next
         branch: aio-dependency-update

.github/workflows/docker-lint.yml

@@ -1,46 +0,0 @@
-name: Docker Lint
-
-on:
-  pull_request:
-    paths:
-      - 'Containers/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'Containers/**'
-
-permissions:
-  contents: read
-
-concurrency: 
-  group: docker-lint-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  docker-lint:
-    runs-on: ubuntu-latest
-
-    name: docker-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Install hadolint
-        run: |
-          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
-          sudo chmod +x /usr/bin/hadolint
-
-      - name: run lint
-        run: |
-          DOCKERFILES="$(find ./Containers -name Dockerfile)"
-          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
-          for file in "${DOCKERFILES[@]}"; do
-            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
-            # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
-            hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
-          done
-          if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
-            exit 1
-          fi

.github/workflows/fail-on-prerelease.yml

@@ -1,50 +0,0 @@
-name: Block if prerelease is present
-
-on:
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  check-latest-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
-        with:
-          script: |
-            const tags = await github.rest.repos.listTags({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              per_page: 1
-            });
-
-            if (!tags.data || tags.data.length === 0) {
-              core.info('No tags found for this repository; skipping prerelease check.');
-              return;
-            }
-
-            const latestTag = tags.data[0].name;
-            core.info(`Latest tag found: ${latestTag}`);
-
-            try {
-              const { data } = await github.rest.repos.getReleaseByTag({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                tag: latestTag
-              });
-
-              if (data.prerelease) {
-                core.setFailed(`Release for tag ${latestTag} (${data.tag_name}) is a prerelease. Blocking merges to main as we need to wait for the prerelease to become stable.`);
-              } else {
-                core.info(`Release for tag ${latestTag} (${data.tag_name}) is not a prerelease.`);
-              }
-
-            } catch (err) {
-              if (err.status === 404) {
-                core.info(`No release found for tag ${latestTag}; skipping prerelease check.`);
-              } else {
-                throw err;
-              }
-            }

.github/workflows/helm-release.yml

@@ -6,17 +6,17 @@ on:
     branches:
       - main
     paths:
-      - 'nextcloud-aio-helm-chart/**'
+      - 'helm-chart/**'
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v3
 
       - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@v1
         with:
           continue-after-seconds: 180
         env:
@@ -32,19 +32,17 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@v3.1
         with:
           version: v3.6.3
 
-      - name: Run Helm Lint
-        run: |
-          helm lint ./nextcloud-aio-helm-chart
-
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
+        # TODO: switch back @main to a specific version like @v1.5.1 or higher
+        uses: helm/chart-releaser-action@main
         with:
+          charts_repo_url: https://nextcloud.github.io/all-in-one
+          charts_dir: helm-chart
           mark_as_latest: false
-          charts_dir: .
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"

.github/workflows/imaginary-update.yml

@@ -1,34 +0,0 @@
-name: imaginary-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  run_update:
-    name: update to latest imaginary commit on master branch
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Run imaginary-update
-      run: |
-        # Imaginary
-        imaginary_version="$(
-          git ls-remote https://github.com/h2non/imaginary master \
-            | cut -f1 \
-            | tail -1
-        )"
-        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: imaginary-update automated change
-        signoff: true
-        title: Imaginary update
-        body: Automated Imaginary container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: imaginary-container-update

.github/workflows/json-validator.yml

@@ -1,37 +1,20 @@
-name: Json Validator
-
-on:
-  pull_request:
-    paths:
-      - '**.json'
-  push:
-    branches:
-      - main
-    paths:
-      - '**.json'
-
-jobs:
-  json-validator:
-    name: Json Validator
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Validate Json
-        run: |
-          sudo apt-get update
-          sudo apt-get install python3-venv -y --no-install-recommends
-          python3 -m venv venv
-          . venv/bin/activate
-          pip3 install json-spec
-          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
-            exit 1
-          fi
-          JSON_FILES="$(find ./community-containers -name '*.json')"
-          mapfile -t JSON_FILES <<< "$JSON_FILES"
-          for file in "${JSON_FILES[@]}"; do
-            json validate --schema-file=php/containers-schema.json --document-file="$file" 2>&1 | tee -a ./json-validator.log
-          done
-          if grep -q "document does not validate with schema.\|invalid JSONFile" ./json-validator.log; then
-            exit 1
-          fi
+name: Json Validator
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Json Validator
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Validate Json
+        run: |
+          sudo apt install python3-pip --no-install-recommends
+          sudo pip3 install json-spec
+          json validate --schema-file=php/containers-schema.json --document-file=php/containers.json

.github/workflows/lint-helm.yml

@@ -1,24 +0,0 @@
-name: Lint Helm Charts
-
-on:
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - 'nextcloud-aio-helm-chart/**'
-
-jobs:
-  lint-helm:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-
-      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-        with:
-          version: v3.11.1
-
-      - name: Lint charts
-        run: helm lint nextcloud-aio-helm-chart

.github/workflows/lint-php.yml

@@ -2,26 +2,19 @@
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-#
-# SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
-# SPDX-License-Identifier: MIT
 
-name: Lint php
+name: Lint
 
 on:
   pull_request:
-    paths:
-      - 'php/**'
   push:
     branches:
       - main
-    paths:
-      - 'php/**'
 
 permissions:
   contents: read
 
-concurrency:
+concurrency: 
   group: lint-php-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
@@ -30,24 +23,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: [ "8.5" ]
+        php-versions: ["8.1"]
 
     name: php-lint
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+        uses: actions/checkout@v3
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none
-          ini-file: development
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint
         run: cd php && composer run lint
@@ -55,7 +43,7 @@ jobs:
   summary:
     permissions:
       contents: none
-    runs-on: ubuntu-latest-low
+    runs-on: ubuntu-latest
     needs: php-lint
 
     if: always()

.github/workflows/lint-yaml.yml

@@ -1,42 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-#
-# SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
-# SPDX-License-Identifier: MIT
-
-name: Lint YAML
-
-on: 
-  pull_request:
-    paths:
-      - '**.yml'
-
-permissions:
-  contents: read
-
-jobs:
-  yaml-lint:
-    runs-on: ubuntu-latest
-
-    name: yaml
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
-        with:
-          persist-credentials: false
-
-      - name: GitHub action templates lint
-        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
-        with:
-          file_or_dir: .github/workflows
-          config_data: |
-            line-length: warning
-
-      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-
-      - name: Check GitHub actions
-        run: uvx zizmor --min-severity medium .github/workflows/*.yml

.github/workflows/lock-threads.yml

@@ -14,7 +14,7 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
+      - uses: dessant/lock-threads@v4
         with: 
           issue-inactive-days: '14'
           process-only: 'issues'

.github/workflows/nextcloud-update.yml

@@ -11,7 +11,7 @@ jobs:
     name: Run nextcloud-update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v3
     - name: Run nextcloud-update script
       run: |
         # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -25,7 +25,7 @@ jobs:
             | sort -V \
             | tail -1
         )"
-        sed -i "s|\(pecl install[^;]*APCu-\)[0-9.]*|\1$apcu_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/nextcloud/Dockerfile
         
         # Memcached
         memcached_version="$(
@@ -36,7 +36,7 @@ jobs:
             | sort -V \
             | tail -1
         )"
-        sed -i "s|\(pecl install[^;]*memcached-\)[0-9.]*|\1$memcached_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install memcached.*\;|pecl install memcached-$memcached_version\;|" ./Containers/nextcloud/Dockerfile
         
         # Redis
         redis_version="$(
@@ -47,45 +47,31 @@ jobs:
             | sort -V \
             | tail -1
         )"
-        sed -i "s|\(pecl install[^;]*redis-\)[0-9.]*|\1$redis_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install redis.*\;|pecl install redis-$redis_version\;|" ./Containers/nextcloud/Dockerfile
         
         # Imagick
         imagick_version="$(
-          git ls-remote --tags https://github.com/imagick/imagick.git \
+          git ls-remote --tags https://github.com/mkoppanen/imagick.git \
             | cut -d/ -f3 \
             | grep -viE '[a-z]' \
             | tr -d '^{}' \
             | sort -V \
             | tail -1
         )"
-        sed -i "s|\(pecl install[^;]*imagick-\)[0-9.]*|\1$imagick_version|" ./Containers/nextcloud/Dockerfile
-
-        # Igbinary
-        igbinary_version="$(
-          git ls-remote --tags https://github.com/igbinary/igbinary.git \
-            | cut -d/ -f3 \
-            | grep -viE '[a-z]' \
-            | tr -d '^{}' \
-            | sort -V \
-            | tail -1
-        )"
-        sed -i "s|\(pecl install[^;]*igbinary-\)[0-9.]*|\1$igbinary_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install imagick.*\;|pecl install imagick-$imagick_version\;|" ./Containers/nextcloud/Dockerfile
 
         # Nextcloud
         NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
         NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
-        if [ -n "$NCVERSION" ]; then
-          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION=$NCVERSION|" ./Containers/nextcloud/Dockerfile
-        fi
+        sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@v4
       with:
-        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: nextcloud-update automated change
         signoff: true
-        title: Nextcloud dependency update
+        title: Nextcloud update
         body: Automated Nextcloud container update
-        labels: dependencies, 3. to review
+        labels: dependencies, enhancement
         milestone: next
         branch: nextcloud-container-update

.github/workflows/php-deprecation-detector.yml

@@ -3,24 +3,20 @@ name: PHP Deprecation Detector
 
 on:
   pull_request:
-    paths:
-      - 'php/**'
   push:
     branches:
       - main
-    paths:
-      - 'php/**'
 
 jobs:
-  phpdd:
+  psalm:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+      - uses: actions/checkout@v3
+      - name: Set up php8.1
+        uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.5
+          php-version: 8.1
           extensions: apcu
           coverage: none
 
@@ -28,6 +24,7 @@ jobs:
         run: |
           set -x
           cd php
+          composer global require wapmorgan/php-deprecation-detector dev-master
           composer install
           composer run php-deprecation-detector | tee -i ./phpdd.log
           if grep "Total issues:" ./phpdd.log; then

.github/workflows/playwright-on-push.yml

@@ -1,133 +0,0 @@
-name: Playwright Tests on push
-
-on:
-  pull_request:
-    paths:
-      - 'php/**'
-      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
-  push:
-    branches:
-      - main
-    paths:
-      - 'php/**'
-      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
-
-concurrency:
-  group: playwright-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-env:
-  BASE_URL: https://localhost:8080
-
-jobs:
-  test:
-    timeout-minutes: 60
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-        with:
-          node-version: lts/*
-
-      - name: Install dependencies
-        run: cd php/tests && npm ci
-
-      - name: Install Playwright Browsers
-        run: cd php/tests && npx playwright install --with-deps chromium
-
-      - name: Set up php 8.5
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
-        with:
-          extensions: apcu
-          php-version: 8.5
-          coverage: none
-          ini-file: development
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Adjust some things and fix permissions
-        run: |
-          cd php
-          rm -r ./data
-          rm -r ./session
-          composer install --no-dev
-          composer clear-cache
-          sudo chmod 777 -R ../
-
-      - name: Start fresh development server
-        run: |
-          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
-          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
-          docker pull ghcr.io/nextcloud-releases/all-in-one:develop
-          docker run \
-            -d \
-            --init \
-            --name nextcloud-aio-mastercontainer \
-            --restart always \
-            --publish 8080:8080 \
-            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
-            --volume ./php:/var/www/docker-aio/php \
-            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
-            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
-            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
-            --env SKIP_DOMAIN_VALIDATION=true \
-            --env APACHE_PORT=11000 \
-            ghcr.io/nextcloud-releases/all-in-one:develop
-          echo Waiting for 10 seconds for the development container to start ...
-          sleep 10
-
-      - name: Run Playwright tests for initial setup
-        run: |
-          cd php/tests
-          export DEBUG=pw:api
-          if ! npx playwright test tests/initial-setup.spec.js; then
-            docker logs nextcloud-aio-mastercontainer
-            docker logs nextcloud-aio-borgbackup
-            exit 1
-          fi
-
-      - name: Start fresh development server
-        run: |
-          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
-          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
-          docker run \
-            -d \
-            --init \
-            --name nextcloud-aio-mastercontainer \
-            --restart always \
-            --publish 8080:8080 \
-            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
-            --volume ./php:/var/www/docker-aio/php \
-            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
-            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
-            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
-            --env SKIP_DOMAIN_VALIDATION=false \
-            --env APACHE_PORT=11000 \
-            ghcr.io/nextcloud-releases/all-in-one:develop
-          echo Waiting for 10 seconds for the development container to start ...
-          sleep 10
-
-      - name: Run Playwright tests for backup restore
-        run: |
-          cd php/tests 
-          export DEBUG=pw:api
-          if ! npx playwright test tests/restore-instance.spec.js; then
-            docker logs nextcloud-aio-mastercontainer
-            docker logs nextcloud-aio-borgbackup
-            exit 1
-          fi
-
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        if: ${{ !cancelled() }}
-        with:
-          name: playwright-report
-          path: php/tests/playwright-report/
-          retention-days: 14
-          overwrite: true

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -1,91 +0,0 @@
-name: Playwright Tests
-
-on:
-  workflow_dispatch:
-
-env:
-  BASE_URL: https://localhost:8080
-
-jobs:
-  test:
-    timeout-minutes: 60
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-        with:
-          node-version: lts/*
-
-      - name: Install dependencies
-        run: cd php/tests && npm ci
-
-      - name: Install Playwright Browsers
-        run: cd php/tests && npx playwright install --with-deps chromium
-
-      - name: Start fresh development server
-        run: |
-          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
-          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
-          docker pull ghcr.io/nextcloud-releases/all-in-one:develop
-          docker run \
-            -d \
-            --init \
-            --name nextcloud-aio-mastercontainer \
-            --restart always \
-            --publish 8080:8080 \
-            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
-            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
-            --env SKIP_DOMAIN_VALIDATION=true \
-            --env APACHE_PORT=11000 \
-            ghcr.io/nextcloud-releases/all-in-one:develop
-          echo Waiting for 10 seconds for the development container to start ...
-          sleep 10
-
-      - name: Run Playwright tests for initial setup
-        run: |
-          cd php/tests
-          export DEBUG=pw:api
-          if ! npx playwright test tests/initial-setup.spec.js; then
-            docker logs nextcloud-aio-mastercontainer
-            docker logs nextcloud-aio-borgbackup
-            exit 1
-          fi
-
-      - name: Start fresh development server
-        run: |
-          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
-          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
-          docker run \
-            -d \
-            --init \
-            --name nextcloud-aio-mastercontainer \
-            --restart always \
-            --publish 8080:8080 \
-            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
-            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
-            --env SKIP_DOMAIN_VALIDATION=false \
-            --env APACHE_PORT=11000 \
-            ghcr.io/nextcloud-releases/all-in-one:develop
-          echo Waiting for 10 seconds for the development container to start ...
-          sleep 10
-
-      - name: Run Playwright tests for backup restore
-        run: |
-          cd php/tests 
-          export DEBUG=pw:api
-          if ! npx playwright test tests/restore-instance.spec.js; then
-            docker logs nextcloud-aio-mastercontainer
-            docker logs nextcloud-aio-borgbackup
-            exit 1
-          fi
-
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        if: ${{ !cancelled() }}
-        with:
-          name: playwright-report
-          path: php/tests/playwright-report/
-          retention-days: 14
-          overwrite: true

.github/workflows/psalm-analysis.yml

@@ -0,0 +1,28 @@
+name: Psalm Analysis
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up php8.1
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.1
+          extensions: apcu
+          coverage: none
+
+      - name: Run script
+        run: |
+          set -x
+          cd php
+          composer global require vimeo/psalm --prefer-dist --no-progress --dev
+          composer install
+          composer run psalm

.github/workflows/psalm-security.yml

@@ -0,0 +1,25 @@
+name: Psalm Security Analysis
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Psalm
+        uses: docker://ghcr.io/nextcloud/all-in-one-psalm
+        with:
+          relative_dir: php
+          security_analysis: true
+          composer_ignore_platform_reqs: false
+          report_file: results.sarif
+      - name: Upload Security Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: php/results.sarif

.github/workflows/psalm-update-baseline.yml

@@ -10,38 +10,39 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v3
 
-      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+      - name: Set up php8.1
+        uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.5
+          php-version: 8.1
           extensions: apcu
           coverage: none
-          ini-file: development
 
       - name: Run script
         run: |
           set -x
           cd php
+          composer global require vimeo/psalm --prefer-dist --no-progress --dev
           composer install
-          composer run psalm:update-baseline
+          composer run psalm -- --monochrome --no-progress --output-format=text --update-baseline
           git clean -f lib/composer
           git checkout composer.json composer.lock lib/composer
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@v4
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.COMMAND_BOT_PAT }}
           commit-message: Update psalm baseline
           committer: GitHub <noreply@github.com>
           author: nextcloud-command <nextcloud-command@users.noreply.github.com>
           signoff: true
           branch: automated/noid/psalm-baseline-update
+          # Make sure we can open multiple PRs
+          branch-suffix: timestamp
           title: '[Automated] Update psalm-baseline.xml'
-          milestone: next
           body: |
             Auto-generated update psalm-baseline.xml with fixed psalm warnings
           labels: |
-            3. to review, dependencies
+            3. to review

.github/workflows/psalm.yml

@@ -1,55 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-#
-# SPDX-FileCopyrightText: 2022-2024 Nextcloud GmbH and Nextcloud contributors
-# SPDX-License-Identifier: MIT
-
-name: Static analysis
-
-on:
-  pull_request:
-    paths:
-      - 'php/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'php/**'
-
-concurrency:
-  group: psalm-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-
-jobs:
-  static-analysis:
-    runs-on: ubuntu-latest
-
-    name: static-psalm-analysis
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
-        with:
-          php-version: 8.5
-          extensions: apcu
-          coverage: none
-          ini-file: development
-
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install dependencies and run psalm
-        run: |
-          set -x
-          cd php
-          composer install
-          composer run psalm

.github/workflows/shellcheck.yml

@@ -2,22 +2,18 @@ name: Shellcheck
 
 on:
   pull_request:
-    paths:
-      - '**.sh'
   push:
     branches:
       - main
-    paths:
-      - '**.sh'
 
 jobs:
   shellcheck:
     name: Check Shell
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v3
     - name: Run Shellcheck
-      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+      uses: ludeeus/action-shellcheck@2.0.0
       with:
         check_together: 'yes'
       env:

.github/workflows/spellcheck.yml

@@ -0,0 +1,23 @@
+name: 'Spellcheck'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  spellcheck:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: spelling or typos
+        uses: actions/checkout@v3
+      - name: fix permission for reviewdog
+        run: sudo chown -R root:root $GITHUB_WORKSPACE
+      - name: misspell
+        uses: reviewdog/action-misspell@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          locale: "US"
+          fail_on_error: true

.github/workflows/sync-workflow-templates.yml

@@ -1,140 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-#
-# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
-# SPDX-License-Identifier: MIT
-
-# This workflow will update all workflow templates
-# Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
-name: Update workflows
-on:
-  workflow_dispatch:
-  schedule:
-      - cron: "5 2 * * 0"
-
-permissions:
-  contents: read
-
-jobs:
-  dispatch:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        branches:
-          - ${{ github.event.repository.default_branch }}
-          - 'stable33'
-          - 'stable32'
-
-    name: Update workflows in ${{ matrix.branches }}
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Check actor permission
-        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
-        with:
-          require: admin
-
-      - name: Checkout workflow repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          path: source
-          repository: nextcloud/.github
-
-      - name: Checkout app
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          path: target
-          ref: ${{ matrix.branches }}
-
-      - name: Copy all workflow templates
-        run: |
-          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
-          draft_only=0
-          for workflow in ./source/workflow-templates/*.yml; do
-            echo "❓ Looking for $workflow"
-            if [ -f "$workflow" ]; then
-              filename=$(basename "$workflow")
-              target_file="./target/.github/workflows/$filename"
-
-              # Only copy if the file exists in the target repository
-              if [ -f "$target_file" ]; then
-                if [ -f "./target/.github/actions-lock.txt" ]; then
-                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
-                else
-                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
-                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
-                  locked_version=""
-                fi
-                locked_version=$(echo $locked_version | cut -f 1 -d " ")
-                new_version=$(md5sum $workflow | cut -f 1 -d " ")
-
-                # Only update if the action changes
-                if [[ "$locked_version" != "$new_version" ]]; then
-                  echo "ℹ️ Locked version: $locked_version"
-                  echo "ℹ️ Current version: $new_version"
-                  echo "🆙 Updating existing workflow: $filename"
-                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
-
-                  cp "$workflow" "$target_file"
-
-                  # Apply patch if one exists
-                  if [ -f "$target_file.patch" ]; then
-                    echo "🩹 Applying patch"
-                    cd ./target
-                    set +e
-                    patch -p1 < ".github/workflows/$filename.patch"
-                    patch_worked=$?
-                    set -e
-                    cd -
-                    if [[ "$patch_worked" == "0" ]]; then
-                      echo "  - Patch applied" >> $GITHUB_ENV
-                    else
-                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
-                      draft_only=1
-                    fi
-                  fi
-
-                  if [[ "$locked_version" != "" ]]; then
-                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
-                  else
-                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
-                  fi
-                else
-                  echo "✅ Skipping $filename: already up to date"
-                fi
-              else
-                echo "⏭️ Skipping $filename: does not exist in target repository"
-              fi
-            fi
-          done
-          echo 'EOF' >> $GITHUB_ENV
-          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
-          commit-message: 'ci(actions): Update workflow templates from organization template repository'
-          committer: GitHub <noreply@github.com>
-          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
-          path: target
-          signoff: true
-          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
-          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
-          draft: ${{ env.DRAFT_ONLY == 1 }}
-          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
-          body: |
-            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
-            ${{ env.SUMMARY }}
-          labels: |
-            dependencies
-            3. to review

.github/workflows/talk.yml

@@ -1,57 +0,0 @@
-name: talk-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  talk-update:
-    name: update talk
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Run talk-container-update
-      run: |
-        # Recording
-        recording_version="$(
-          git ls-remote https://github.com/nextcloud/nextcloud-talk-recording v* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9\.]+$" \
-            | tail -1
-        )"
-        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION=$recording_version|" ./Containers/talk-recording/Dockerfile
-        curl -L "https://raw.githubusercontent.com/nextcloud/nextcloud-talk-recording/$recording_version/server.conf.in" -o Containers/talk-recording/recording.conf
-        
-        # Signaling
-        signaling_version="$(
-          git ls-remote https://github.com/strukturag/nextcloud-spreed-signaling v*.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
-        
-        # Janus
-        janus_version="$(
-          git ls-remote https://github.com/meetecho/janus-gateway v1.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: talk-update automated change
-        signoff: true
-        title: talk container update
-        body: Automated talk container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: talk-container-update

.github/workflows/twig-lint.yml

@@ -1,40 +0,0 @@
-name: Twig Lint
-
-on:
-  pull_request:
-    paths:
-      - '**.twig'
-  push:
-    branches:
-      - main
-    paths:
-      - '**.twig'
-
-permissions:
-  contents: read
-
-concurrency:
-  group: lint-twig-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  twig-lint:
-    runs-on: ubuntu-latest
-    name: twig-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
-        with:
-          php-version: 8.5
-          extensions: apcu
-          coverage: none
-
-      - name: twig lint
-        run: |
-          cd php
-          composer install
-          composer run lint:twig

.github/workflows/update-copyright.yml

@@ -1,11 +0,0 @@
-name: Update Copyright
-
-on:
-  workflow_dispatch:
-
-jobs:
-  update-copyright:
-    name: update copyright
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/update-helm.yml

@@ -6,30 +6,28 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  update-helm:
+  psalm:
     name: update helm chart
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v3
       - name: update helm chart
         run: |
-          set -x
-          GHCR_TOKEN="$(curl https://ghcr.io/token?scope=repository:nextcloud-releases/nce-php-fpm-mgmt:pull | jq '.token' | sed 's|"||g')"
-          DOCKER_TAG="$(curl -H "Authorization: Bearer ${GHCR_TOKEN}" -L -s 'https://ghcr.io/v2/nextcloud-releases/all-in-one/tags/list?page_size=1024' | jq '.tags' | sed 's|"||g;s|[[:space:]]||g;s|,||g' | grep '^20[0-9_]\+' | grep -v latest | sort -r | head -1)"
+          DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20' | sort -r | head -1)"
+          DOCKER_TAG="${DOCKER_TAG%%-latest*}"
           export DOCKER_TAG
-          set +x
-          if [ -n "$DOCKER_TAG" ] && ! grep -q "aio-nextcloud:$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
-            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
+          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
+            sudo bash helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@v4
         with:
           commit-message: Helm Chart updates
           signoff: true
           title: Helm Chart updates
           body: Automated Helm Chart updates for the yaml files. It can be merged if it looks good at any time which will automatically trigger a new release of the helm chart.
-          labels: dependencies, 3. to review
+          labels: dependencies
           milestone: next
           branch: aio-helm-update
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-yaml.yml

@@ -6,23 +6,23 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  update-yaml:
+  psalm:
     name: update yaml files
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v3
       - name: update yaml files
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@v4
         with:
           commit-message: Yaml updates
           signoff: true
           title: Yaml updates
           body: Automated yaml updates for the docker-compose files. Should only be merged shortly before the next latest release.
-          labels: dependencies, 3. to review
+          labels: dependencies
           milestone: next
           branch: aio-yaml-update
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/watchtower-update.yml

@@ -1,38 +0,0 @@
-name: watchtower-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  watchtower-update:
-    name: update watchtower
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Run watchtower-container-update
-      run: |
-        # Watchtower
-        watchtower_version="$(
-          git ls-remote https://github.com/nicholas-fedor/watchtower v* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9\.]+$" \
-            | tail -1
-        )"
-        watchtower_commit_hash="$(git ls-remote https://github.com/nicholas-fedor/watchtower $watchtower_version | sed 's/refs.*//')"
-        sed -i "s|^ENV WATCHTOWER_COMMIT_HASH.*$|ENV WATCHTOWER_COMMIT_HASH=$watchtower_commit_hash|" ./Containers/watchtower/Dockerfile
-        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        commit-message: watchtower-update automated change
-        signoff: true
-        title: watchtower container update
-        body: Automated watchtower container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: watchtower-container-update

.gitignore

@@ -1,15 +1,9 @@
 .DS_Store
-.idea/
-*.iml
-
-/php/data/*
-/php/session/*
-!/php/data/.gitkeep
-!/php/session/.gitkeep
+/php/data/containers.json
+/php/data/configuration.json
+/php/data/backupsecret.json
 /php/vendor
-
 /manual-install/*.conf
 !/manual-install/sample.conf
 /manual-install/docker-compose.yml
-/manual-install/compose.yaml
 /manual-install/.env

CODE_OF_CONDUCT.md

@@ -1,13 +0,0 @@
-<!--
- - SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
- - SPDX-License-Identifier: AGPL-3.0-or-later
--->
-In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.
-
-Our code of conduct offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere, and to explain how together we can strengthen and support each other.
-
-The Code of Conduct is shared by all contributors and users who engage with the Nextcloud team and its community services. It presents a summary of the shared values and “common sense” thinking in our community.
-
-You can find our full code of conduct on our website: https://nextcloud.com/code-of-conduct/
-
-Please, keep our CoC in mind when you contribute! That way, everyone can be a part of our community in a productive, positive, creative and fun way.

Containers/alpine/Dockerfile

@@ -1,12 +0,0 @@
-# syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
-
-RUN set -ex; \
-    apk upgrade --no-cache -a
-
-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
-    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/apache/Caddyfile

@@ -5,82 +5,70 @@
         root /mnt/data/caddy
     }
 
-    servers {
-        # trusted_proxies placeholder
-    }
-
     log {
         level ERROR
     }
 }
 
-https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header {
-        Strict-Transport-Security max-age=31536000;
-
-        -Server
-        -X-Powered-By
-        -Via
-    }
-
-    # Collabora
-    route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-    route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-    route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
 
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
-    }
-
-    # Onlyoffice
-    route /onlyoffice/* {
-        uri strip_prefix /onlyoffice
-        reverse_proxy {$ONLYOFFICE_HOST}:80 {
-            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
-            header_up X-Forwarded-Proto https
+        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
+            # trusted_proxies placeholder
         }
     }
 
     # Talk
     route /standalone-signaling/* {
         uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081
+        reverse_proxy {$TALK_HOST}:8081 {
+            # trusted_proxies placeholder
+        }
     }
 
-    # Whiteboard
-    route /whiteboard/* {
-        uri strip_prefix /whiteboard
-        reverse_proxy {$WHITEBOARD_HOST}:3002
+    # Collabora
+    route /browser/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
+    }
+    route /hosting/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
+    }
+    route /cool/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
 
-    # HaRP (ExApps)
-    route /exapps/* {
-        reverse_proxy {$HARP_HOST}:8780
+    # Onlyoffice
+    route /onlyoffice/* {
+        uri strip_prefix /onlyoffice
+        reverse_proxy {$ONLYOFFICE_HOST}:80 {
+            header_up X-Forwarded-Host {http.request.host}/onlyoffice
+            header_up X-Forwarded-Proto https
+            # trusted_proxies placeholder
+        }
     }
 
     # Nextcloud
     route {
-        reverse_proxy 127.0.0.1:8000
+        rewrite /.well-known/carddav /remote.php/dav
+        rewrite /.well-known/caldav /remote.php/dav
+        header Strict-Transport-Security max-age=31536000;
+        reverse_proxy localhost:8000 {
+            # See https://github.com/nextcloud/all-in-one/issues/828
+            # trusted_proxies placeholder
+        }
     }
-    redir /.well-known/carddav /remote.php/dav/ 301
-    redir /.well-known/caldav /remote.php/dav/ 301
 
     # TLS options
     tls {
         issuer acme {
-            profile shortlived
-            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
-            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
             disable_http_challenge
         }
     }

Containers/apache/Dockerfile

@@ -1,111 +1,85 @@
-# syntax=docker/dockerfile:latest
-FROM caddy:2.11.3-alpine AS caddy
+# Caddy is a requirement
+FROM caddy:2.6.4-alpine as caddy
 
-# From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.56-alpine3.17
 
-COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
+RUN set -ex; \
+    apk add --no-cache shadow; \
+    groupmod -g 333 xfs; \
+    usermod -u 333 -g 333 xfs; \
+    groupmod -g 33 www-data; \
+    usermod -u 33 -g 33 www-data; \
+    apk del --no-cache shadow
 
-COPY --chown=33:33 Caddyfile /Caddyfile
-COPY --chmod=664 nextcloud.conf /usr/local/apache2/conf/nextcloud.conf
-COPY --chmod=664 supervisord.conf /supervisord.conf
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
+RUN mkdir -p /mnt/data; \
+    chown www-data:www-data /mnt/data;
 
 VOLUME /mnt/data
 
 RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache shadow; \
-    groupmod -g 33 www-data; \
-    usermod -u 33 -g 33 www-data; \
-    apk del --no-cache shadow; \
-    \
-    mkdir -p /mnt/data; \
-    chown -R www-data:www-data /mnt/data; \
-    chown -R 777 /tmp; \
-    \
     apk add --no-cache \
         bash \
         supervisor \
+        wget \
         tzdata \
         ca-certificates \
         openssl \
-        bind-tools \
-        netcat-openbsd; \
-    \
-    sed -i \
-            -e '/^Listen /d' \
-            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
-            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
-        /usr/local/apache2/conf/httpd.conf; \
-    echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
-    echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
-# Sync this with max db connections and pm.max_children
-# We don't actually expect so many workers but don't want to limit it artificially because people will report issues otherwise.
-    sed -i 's|MaxRequestWorkers.*|MaxRequestWorkers 5000|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
-    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
-# defaults; 25 threads per process balances concurrency against per-process memory use.
-    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Start two server processes on boot to absorb the first requests without spawning
-# new processes on the critical path, while avoiding unnecessary memory overhead.
-    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Keep at least 25 idle threads (one full process worth) so traffic bursts can be
-# absorbed immediately without triggering new process creation.
-    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
-# minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
-# to absorb typical bursts without respawning a new process.
-    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-    \
-    rm -rf /usr/local/apache2/conf/original /var/www; \
-    mkdir -p /var/www; \
-    chown -R www-data:www-data /var/www; \
-    \
-    mkdir /var/log/supervisord; \
+        netcat-openbsd
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/
+RUN chmod +x /usr/bin/caddy
+
+RUN sed -i \
+                -e '/^Listen /d' \
+                -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
+                -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
+                -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+                conf/httpd.conf; \
+		echo "Include conf/nextcloud.conf" | tee -a conf/httpd.conf; \
+                echo "ServerName localhost" | tee -a conf/httpd.conf
+		
+COPY nextcloud.conf conf
+
+RUN set -ex; \
+    rm -rf conf/original conf/original && \
+    rm -rf /var/www/html/* && \
+    mkdir /var/www && \
+    chown -R www-data:www-data /var/www;
+
+RUN mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord; \
     chown www-data:www-data /var/run/supervisord; \
-    chown www-data:www-data /var/log/supervisord; \
-    chmod 777 /var/run/supervisord; \
-    chmod 777 /var/log/supervisord; \
-    \
+    chown www-data:www-data /var/log/supervisord;
+
+COPY Caddyfile /
+
+COPY start.sh /usr/bin/
+COPY healthcheck.sh /usr/bin/
+COPY supervisord.conf /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /usr/bin/healthcheck.sh; \
+    chmod +r /supervisord.conf; \
+    chown www-data:www-data /Caddyfile; \
     chown -R www-data:www-data /usr/local/apache2; \
-    chmod +r -R /usr/local/apache2; \
-    mkdir -p /usr/local/apache2/logs; \
-    chmod 777 -R /home/www-data; \
-    chmod 777 -R /usr/local/apache2/logs; \
-    rm -rf /usr/local/apache2/cgi-bin/; \
-    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk --no-cache del openssl
+    chmod +r -R /usr/local/apache2
 
-USER 33
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-ENTRYPOINT ["/start.sh"]
+USER www-data
+
+ENTRYPOINT ["start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
-    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+HEALTHCHECK CMD healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/apache/healthcheck.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
-nc -z 127.0.0.1 8000 || exit 1
-nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
+nc -z localhost 8000 || exit 1
+if [ "$APACHE_PORT" != '443' ]; then
+    nc -z localhost "$APACHE_PORT" || exit 1
+else
+    nc -z "$NC_DOMAIN" "$APACHE_PORT" || exit 1
+fi

Containers/apache/nextcloud.conf

@@ -3,67 +3,21 @@ Listen 8000
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    CustomLog /proc/self/fd/1 combined
     ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
-
-    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
-    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
-    # which is especially expensive on TLS connections and noticeably slows down
-    # Nextcloud's login page and file manager that load dozens of resources at once.
-    KeepAlive On
-    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
-    # A short timeout frees Apache worker threads quickly so they are available
-    # for new requests; 5 s is long enough to cover the gap between requests
-    # that a browser issues while rendering a page (typically < 1 s), yet short
-    # enough to avoid holding threads open for idle or slow clients.
-    KeepAliveTimeout 5
-    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
-    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
-    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
-    # per sync cycle and routinely exceed 100 requests on a single connection.
-    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
-    # overhead. 500 gives sync clients enough headroom while still periodically
-    # recycling threads to contain per-process memory growth.
-    MaxKeepAliveRequests 500
-
-    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
-    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
-    # negating the compression configured below.  MMAP is also
-    # disabled because files can be replaced by Nextcloud at any time and mmap'd
-    # pages could serve stale data.
-    EnableSendfile Off
-    EnableMMAP Off
 
     # PHP match
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
     </FilesMatch>
-
-    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
-    </Proxy>
-
-    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
-    # compression with reasonable CPU cost; the default of 0 barely compresses).
-    # Other plain-text files are already compressed by Nextcloud itself.
-    # No deflate fallback is needed: every browser that Nextcloud supports
-    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
-    # supports Brotli. Internet Explorer, the only browser that never gained
-    # Brotli support, was dropped by Nextcloud with NC15 (2019).
-    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
-    <IfModule mod_brotli.c>
-        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 4
-    </IfModule>
-
     # Nextcloud dir
     DocumentRoot /var/www/html/
     <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
         Require all granted
         AllowOverride All
+        Options FollowSymLinks MultiViews
+        Satisfy Any
         <IfModule mod_dav.c>
             Dav off
         </IfModule>
@@ -73,6 +27,10 @@ Listen 8000
         Require all denied
     </Files>
 
+    # Fix zero file sizes 
+    # See https://github.com/nextcloud/server/issues/3056#issuecomment-954209565
+    SetEnv proxy-sendcl 1
+
     # See https://httpd.apache.org/docs/current/en/mod/core.html#limitrequestbody
     LimitRequestBody ${APACHE_MAX_SIZE}
 
@@ -81,7 +39,4 @@ Listen 8000
 
     # See https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxytimeout
     ProxyTimeout ${APACHE_MAX_TIME}
-
-    # See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
-    TraceEnable Off
 </VirtualHost>

Containers/apache/start.sh

@@ -1,20 +1,10 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$NC_DOMAIN" ]; then
     echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
     exit 1
 fi
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
     echo "Cannot write to /mnt/data"
@@ -27,13 +17,6 @@ while ! nc -z "$NEXTCLOUD_HOST" 9000; do
     sleep 5
 done
 
-# Get ipv4-address of Apache
-# shellcheck disable=SC2153
-IPv4_ADDRESS="$(dig "$APACHE_HOST" A +short +search | head -1)"
-# Bring it in CIDR notation
-# shellcheck disable=SC2001
-IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|0/16|')"
-
 if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
@@ -52,35 +35,22 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /tmp/Caddyfile
+echo "$CADDYFILE" > /Caddyfile
 
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    # Here the 100.64.0.0/10 range gets added which is the CGNAT range used by Tailscale nodes
-    # See https://github.com/nextcloud/all-in-one/pull/6703 for reference
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges 100.64.0.0/10|' /tmp/Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
 else
-    CADDYFILE="$(sed "s|# trusted_proxies placeholder|trusted_proxies static $IPv4_ADDRESS|" /tmp/Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /tmp/Caddyfile
-
-# Remove additional domain if not given
-if [ -z "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
-    CADDYFILE="$(sed '/ADDITIONAL_TRUSTED_DOMAIN/d' /tmp/Caddyfile)"
-fi
-echo "$CADDYFILE" > /tmp/Caddyfile
+echo "$CADDYFILE" > /Caddyfile
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /tmp/Caddyfile
+caddy fmt --overwrite /Caddyfile
 
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 
-# Fix caddy startup
-if [ -d "/mnt/data/caddy/locks" ]; then
-    rm -rf /mnt/data/caddy/locks/*
-fi
-
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid
 

Containers/apache/supervisord.conf

@@ -1,15 +1,16 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 
 [program:apache]
-# Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+# stdout_logfile=/dev/stdout
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=apachectl -DFOREGROUND
@@ -19,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /tmp/Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile

Containers/borgbackup/Dockerfile

@@ -1,9 +1,7 @@
-# syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.17.2
 
 RUN set -ex; \
     \
-    apk upgrade --no-cache -a; \
     apk add --no-cache \
         util-linux-misc \
         bash \
@@ -11,24 +9,15 @@ RUN set -ex; \
         rsync \
         fuse \
         py3-llfuse \
-        jq \
-        openssh-client
+        jq
 
 VOLUME /root
 
-COPY --chmod=770 *.sh /
-COPY borg_excludes /
+COPY start.sh /usr/bin/
+COPY backupscript.sh /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /backupscript.sh
 
-ENTRYPOINT ["/start.sh"]
-# hadolint ignore=DL3002
 USER root
-
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
-    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
+ENTRYPOINT ["start.sh"]
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/borgbackup/backupscript.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Functions
 get_start_time(){
     START_TIME=$(date +%s)
@@ -28,34 +24,22 @@ for directory in "${VOLUME_DIRS[@]}"; do
         exit 1
     fi
 done
-# Test if default volumes are there
-DEFAULT_VOLUMES=(nextcloud_aio_apache nextcloud_aio_nextcloud nextcloud_aio_database nextcloud_aio_database_dump nextcloud_aio_elasticsearch nextcloud_aio_nextcloud_data nextcloud_aio_mastercontainer)
-for volume in "${DEFAULT_VOLUMES[@]}"; do
-    if ! mountpoint -q "/nextcloud_aio_volumes/$volume"; then
-        echo "$volume is missing which is not intended."
-        exit 1
-    fi
-done
 
 # Check if target is mountpoint
-if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
-    echo "$MOUNT_DIR is not a mountpoint which is not allowed."
+if ! mountpoint -q /mnt/borgbackup; then
+    echo "/mnt/borgbackup is not a mountpoint which is not allowed"
     exit 1
 fi
 
-# Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
-    if [ -n "$BORG_REMOTE_REPO" ]; then
-        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
-    else
-        echo "The repository is uninitialized. Cannot perform check or restore."
-    fi
+# Check if target is empty
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
+    echo "The repository is empty. cannot perform check or restore."
     exit 1
 fi
 
 # Do not continue if this file exists (needed for simple external blocking)
-if [ -z "$BORG_REMOTE_REPO" ] && [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
-    echo "Not continuing because aio-lockfile exists – it seems like a script is externally running which is locking the backup archive."
+if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
+    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
     echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
     exit 1
 fi
@@ -65,15 +49,6 @@ if [ "$BORG_MODE" = backup ] || [ "$BORG_MODE" = restore ]; then
     touch "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
 fi
 
-if [ -n "$BORG_REMOTE_REPO" ] && ! [ -f "$BORGBACKUP_KEY" ]; then
-    echo "First run, creating borg ssh key"
-    ssh-keygen  -f "$BORGBACKUP_KEY" -N ""
-    echo "You should configure the remote to accept this public key"
-fi
-if [ -n "$BORG_REMOTE_REPO" ] && [ -f "$BORGBACKUP_KEY.pub" ]; then
-    echo "Your public ssh key for borgbackup is: $(cat "$BORGBACKUP_KEY.pub")"
-fi
-
 # Do the backup
 if [ "$BORG_MODE" = backup ]; then
 
@@ -81,102 +56,66 @@ if [ "$BORG_MODE" = backup ]; then
     if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
         echo "configuration.json not present. Cannot perform the backup!"
         exit 1
-    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
-    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
-        echo "It seems like the configuration.json setup was not done correctly. Something is wrong! (Most likely the provided configuration.json is invalid)"
-        exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
-        echo "config.php is missing. Cannot perform backup!"
+        echo "config.php is missing cannot perform backup"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
-        echo "database-dump is missing. Cannot perform backup!"
-        echo "Please check the database container logs!"
-        exit 1
-    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.ocdata" ] && ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.ncdata" ]; then
-        echo "The .ncdata or .ocdata file is missing in Nextcloud datadir which means it is invalid!"
-        echo "Is the drive where the datadir is located on still mounted?"
+        echo "database-dump is missing. cannot perform backup"
         exit 1
     fi
 
-    # Test that default volumes are not empty
-    for volume in "${DEFAULT_VOLUMES[@]}"; do
-        if [ -z "$(ls -A "/nextcloud_aio_volumes/$volume")" ] && [ "$volume" != "nextcloud_aio_elasticsearch" ]; then
-            echo "/nextcloud_aio_volumes/$volume is empty which should not happen!"
+    # Test that nothing is empty
+    for directory in "${VOLUME_DIRS[@]}"; do
+        if [ -z "$(ls -A "$directory")" ] && [ "$directory" != "/nextcloud_aio_volumes/nextcloud_aio_elasticsearch" ]; then
+            echo "$directory is empty which is not allowed."
             exit 1
         fi
     done
 
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/export.failed" ]; then
+        echo "Database export failed the last time. Most likely was the export time not high enough."
         echo "Cannot create a backup now."
-        echo "Reason is that the database export failed the last time."
-        echo "Most likely was the database container not correctly shut down via the AIO interface."
-        echo ""
-        echo "You might want to try the database export again manually by running the three commands:"
-        echo "sudo docker start nextcloud-aio-database"
-        echo "sleep 10"
-        echo "sudo docker stop nextcloud-aio-database -t 1800"
-        echo ""
-        echo "Afterwards try to create a backup again and it should hopefully work."
-        echo "If it should still fail, feel free to report this to https://github.com/nextcloud/all-in-one/issues and post the database container logs and the borgbackup container logs into the thread. Thanks!"
+        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
-    if [ -z "$BORG_REMOTE_REPO" ]; then
-        # Create backup folder
-        mkdir -p "$BORG_BACKUP_DIRECTORY"
-    fi
+    # Create backup folder
+    mkdir -p "$BORG_BACKUP_DIRECTORY"
 
-    # Initialize the repository if can't get info from target
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    # Initialize the repository if the target is empty
+    if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
         # Don't initialize if already initialized
         if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-            if [ -n "$BORG_REMOTE_REPO" ]; then
-                echo "Borg could not get info from the remote repo."
-                echo "This might be a failure to connect to the remote server. See the above borg info output for details."
-            else
-                echo "Borg could not get info from the targeted directory."
-                echo "This might happen if the targeted directory is located on an external drive and the drive not connected anymore. You should check this."
-            fi
-            echo "If you instead want to initialize a new backup repository, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
+            echo "Cannot initialize a new repository as that was already done at least one time."
+            echo "If you still want to do so, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
             echo "sudo docker exec nextcloud-aio-mastercontainer rm /mnt/docker-aio-config/data/borg.config"
             exit 1
         fi
 
-        echo "Initializing repository..."
+        echo "initializing repository..."
         NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
             echo "Could not initialize borg repository."
+            rm -f "$BORG_BACKUP_DIRECTORY/config"
             exit 1
         fi
+        borg config "$BORG_BACKUP_DIRECTORY" additional_free_space 2G
 
-        if [ -z "$BORG_REMOTE_REPO" ]; then
-            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+        # Fix too large Borg cache
+        # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
+        BORG_ID="$(borg config "$BORG_BACKUP_DIRECTORY" id)"
+        rm -r "/root/.cache/borg/$BORG_ID/chunks.archive.d"
+        touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
 
-            # Fix too large Borg cache
-            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
-            BORG_ID="$(borg config :: id)"
-            rm -r "/root/.cache/borg/$BORG_ID/chunks.archive.d"
-            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
-        fi
-
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
-            echo "Borg can't get info from the repo it created. Something is wrong."
+        # Make a backup from the borg config file
+        if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
+            echo "The borg config file wasn't created. Something is wrong."
             exit 1
         fi
-
         rm -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
-        if [ -n "$BORG_REMOTE_REPO" ]; then
-            # `borg config` does not support remote repos so instead create a dummy file and rely on the remote to avoid
-            # corruption of the config file (which contains the encryption key). We don't actually use the contents of
-            # this file anywhere, so a touch is all we need so we remember we already initialized the repo.
-            touch "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
-        else
-            # Make a backup from the borg config file
-            if ! cp "$BORG_BACKUP_DIRECTORY/config" "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"; then
-                echo "Could not copy config file to second place. Cannot perform backup."
-                exit 1
-            fi
+        if ! cp "$BORG_BACKUP_DIRECTORY/config" "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"; then
+            echo "Could not copy config file to second place. Cannot perform backup."
+            exit 1
         fi
 
         echo "Repository successfully initialized."
@@ -188,43 +127,18 @@ if [ "$BORG_MODE" = backup ]; then
     # Borg options
     # auto,zstd compression seems to has the best ratio based on:
     # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
-    BORG_OPTS=(-v --stats --compression "auto,zstd")
-    if [ "$NEW_REPOSITORY" = 1 ]; then
-        BORG_OPTS+=(--progress)
-    fi
+    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches --checkpoint-interval 86400)
 
     # Exclude the nextcloud log and audit log for GDPR reasons
-    BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/lost+found")
-    BORG_INCLUDE=()
-
-    # Exclude datadir if .noaiobackup file was found
-    # shellcheck disable=SC2144
-    if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup" ]; then
-        BORG_EXCLUDE+=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/")
-        BORG_INCLUDE+=(--pattern="+/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup")
-        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in Nextcloud's data directory. Excluding the data directory from backup!"
-    # Exclude preview folder if .noaiobackup file was found
-    elif [ -f /nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup ]; then
-        BORG_EXCLUDE+=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/")
-        BORG_INCLUDE+=(--pattern="+/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup")
-        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in the preview directory. Excluding the preview directory from backup!"
-    fi
-
-    # Make sure that there is always a borg.config file before creating a new backup
-    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-        echo "Did not find borg.config file in the mastercontainer volume."
-        echo "Cannot create a backup as this is wrong."
-        exit 1
-    fi
+    BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
 
     # Create the backup
     echo "Starting the backup..."
     get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_EXCLUDE[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/"; then
         echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio"
         echo "Backup failed!"
-        echo "You might want to check the backup integrity via the AIO interface."
         if [ "$NEW_REPOSITORY" = 1 ]; then
             echo "Deleting borg.config file so that you can choose a different location for the backup."
             rm "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
@@ -236,19 +150,18 @@ if [ "$BORG_MODE" = backup ]; then
     rm -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
 
     # Prune options
-    read -ra BORG_PRUNE_OPTS <<< "$BORG_RETENTION_POLICY"
-    echo "BORG_PRUNE_OPTS are ${BORG_PRUNE_OPTS[*]}"
+    BORG_PRUNE_OPTS=(--stats --keep-within=7d --keep-weekly=4 --keep-monthly=6 "$BORG_BACKUP_DIRECTORY")
 
     # Prune archives
     echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
         echo "Failed to prune archives!"
         exit 1
     fi
 
     # Compact archives
     echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
         echo "Failed to compact archives!"
         exit 1
     fi
@@ -265,20 +178,20 @@ if [ "$BORG_MODE" = backup ]; then
                 fi
             done
             echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                 echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-docker-volumes"
                 echo "Backup of additional docker-volumes failed!"
                 exit 1
             fi
             echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional docker-volumes archives!"
                 exit 1
             fi
             echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
-                echo "Failed to compact additional docker-volume archives!"
+            if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
+                echo "Failed to compact archives!"
                 exit 1
             fi
         fi
@@ -295,20 +208,20 @@ if [ "$BORG_MODE" = backup ]; then
                 EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
             done
             echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                 echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-host-mounts"
                 echo "Backup of additional host-mounts failed!"
                 exit 1
             fi
             echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional host-mount archives!"
                 exit 1
             fi
             echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
-                echo "Failed to compact additional host-mount archives!"
+            if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
+                echo "Failed to compact archives!"
                 exit 1
             fi
         fi
@@ -316,7 +229,7 @@ if [ "$BORG_MODE" = backup ]; then
 
     # Inform user
     get_expiration_time
-    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/update.failed" ]; then
         echo "However a Nextcloud update failed. So reporting that the backup failed which will skip any update attempt the next time."
         echo "Please restore a backup from before the failed Nextcloud update attempt."
@@ -329,38 +242,17 @@ fi
 if [ "$BORG_MODE" = restore ]; then
     get_start_time
 
-    # Pick archive to restore
+    # Perform the restore
     if [ -n "$SELECTED_RESTORE_TIME" ]; then
-        SELECTED_ARCHIVE="$(borg list | grep "nextcloud-aio" | grep "$SELECTED_RESTORE_TIME" | awk -F " " '{print $1}' | head -1)"
+        SELECTED_ARCHIVE="$(borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | grep "$SELECTED_RESTORE_TIME" | awk -F " " '{print $1}' | head -1)"
     else
-        SELECTED_ARCHIVE="$(borg list | grep "nextcloud-aio" | awk -F " " '{print $1}' | sort -r | head -1)"
+        SELECTED_ARCHIVE="$(borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | awk -F " " '{print $1}' | sort -r | head -1)"
     fi
     echo "Restoring '$SELECTED_ARCHIVE'..."
-
-    ADDITIONAL_RSYNC_EXCLUDES=()
-    ADDITIONAL_BORG_EXCLUDES=()
-    ADDITIONAL_FIND_EXCLUDES=()
-    # Exclude datadir if .noaiobackup file was found
-    # shellcheck disable=SC2144
-    if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup" ]; then
-        # Keep these 3 in sync. Beware, the pattern syntax and the paths differ
-        ADDITIONAL_RSYNC_EXCLUDES=(--exclude "nextcloud_aio_nextcloud_data/**")
-        ADDITIONAL_BORG_EXCLUDES=(--exclude "sh:nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/**")
-        ADDITIONAL_FIND_EXCLUDES=(-o -regex 'nextcloud_aio_volumes/nextcloud_aio_nextcloud_data\(/.*\)?')
-        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in Nextcloud's data directory. Excluding the data directory from restore!"
-        echo "You might run into problems due to this afterwards as potentially this makes the directory go out of sync with the database."
-        echo "You might be able to fix this by running 'occ files:scan --all' and 'occ maintenance:repair' and 'occ files:scan-app-data' after the restore."
-        echo "See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands"
-    # Exclude previews from restore if selected to speed up process or exclude preview folder if .noaiobackup file was found
-    elif [ -n "$RESTORE_EXCLUDE_PREVIEWS" ] || [ -f /nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup ]; then
-        # Keep these 3 in sync. Beware, the pattern syntax and the paths differ
-        ADDITIONAL_RSYNC_EXCLUDES=(--exclude "nextcloud_aio_nextcloud_data/appdata_*/preview/**")
-        ADDITIONAL_BORG_EXCLUDES=(--exclude "sh:nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/**")
-        ADDITIONAL_FIND_EXCLUDES=(-o -regex 'nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_[^/]*/preview\(/.*\)?')
-        echo "⚠️⚠️⚠️ Excluding previews from restore!"
-        echo "You might run into problems due to this afterwards as potentially this makes the directory go out of sync with the database."
-        echo "You might be able to fix this by running 'occ files:scan-app-data preview' after the restore."
-        echo "See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands"
+    mkdir -p /tmp/borg
+    if ! borg mount "$BORG_BACKUP_DIRECTORY::$SELECTED_ARCHIVE" /tmp/borg; then
+        echo "Could not mount the backup!"
+        exit 1
     fi
 
     # Save Additional Backup dirs
@@ -373,12 +265,27 @@ if [ "$BORG_MODE" = restore ]; then
         DAILY_BACKUPTIME="$(cat /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_time)"
     fi
 
+    # Restore everything except the configuration file
+    if ! rsync --stats --archive --human-readable -vv --delete \
+    --exclude "nextcloud_aio_apache/caddy/**" \
+    --exclude "nextcloud_aio_mastercontainer/caddy/**" \
+    --exclude "nextcloud_aio_nextcloud/data/nextcloud.log*" \
+    --exclude "nextcloud_aio_nextcloud/data/audit.log" \
+    --exclude "nextcloud_aio_mastercontainer/certs/**" \
+    --exclude "nextcloud_aio_mastercontainer/data/configuration.json" \
+    --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
+    --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
+    --exclude "nextcloud_aio_mastercontainer/session/**" \
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
+        RESTORE_FAILED=1
+        echo "Something failed while restoring from backup."
+    fi
+
     # Save current aio password
     AIO_PASSWORD="$(jq '.password' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
 
-    # Save current backup location vars
+    # Save current path
     BORG_LOCATION="$(jq '.borg_backup_host_location' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
-    REMOTE_REPO="$(jq '.borg_remote_repo' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
 
     # Save current nextcloud datadir
     if grep -q '"nextcloud_datadir":' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json; then
@@ -387,116 +294,21 @@ if [ "$BORG_MODE" = restore ]; then
         NEXTCLOUD_DATADIR='""'
     fi
 
-    if [ -z "$BORG_REMOTE_REPO" ]; then
-        mkdir -p /tmp/borg
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
-            echo "Could not mount the backup!"
-            exit 1
-        fi
-
-        # Restore everything except the configuration file
-        #
-        # These exclude patterns need to be kept in sync with the borg_excludes file and the find excludes in this file,
-        # which use a different syntax (patterns appear in 3 places in total)
-        if ! rsync --stats --archive --human-readable -vv --delete \
-        --exclude "nextcloud_aio_apache/caddy/**" \
-        --exclude "nextcloud_aio_mastercontainer/caddy/**" \
-        --exclude "nextcloud_aio_nextcloud/data/nextcloud.log*" \
-        --exclude "nextcloud_aio_nextcloud/data/audit.log" \
-        --exclude "nextcloud_aio_mastercontainer/certs/**" \
-        --exclude "nextcloud_aio_mastercontainer/data/configuration.json" \
-        --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
-        --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
-        --exclude "nextcloud_aio_mastercontainer/session/**" \
-        --exclude "nextcloud_aio_nextcloud_data/lost+found" \
-        "${ADDITIONAL_RSYNC_EXCLUDES[@]}" \
-        /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
-            RESTORE_FAILED=1
-            echo "Something failed while restoring from backup."
-        fi
-
-        # Restore the configuration file
-        if ! rsync --archive --human-readable -vv \
-                /tmp/borg/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json \
-                /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json; then
-            RESTORE_FAILED=1
-            echo "Something failed while restoring the configuration.json."
-        fi
-
-        if ! umount /tmp/borg; then
-            echo "Failed to unmount the borg archive but should still be able to restore successfully"
-        fi
-    else
-        # Restore nearly everything
-        #
-        # borg mount is really slow for remote repos (did not check whether it's slow for local repos too),
-        # using extract to /tmp would require temporarily storing a second copy of the data.
-        # So instead extract directly on top of the destination with exclude patterns for the config, but
-        # then we do still need to delete local files which are not present in the archive.
-        #
-        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
-        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
-        then
-            RESTORE_FAILED=1
-            echo "Failed to extract backup archive."
-        else
-            # Delete files/dirs present locally, but not in the backup archive, excluding conf files
-            # https://unix.stackexchange.com/a/759341
-            # This comm does not support -z, but I doubt any file names would have \n in them
-            #
-            # These find patterns need to be kept in sync with the borg_excludes file and the rsync excludes in this
-            # file, which use a different syntax (patterns appear in 3 places in total)
-            echo "Deleting local files which do not exist in the backup"
-            if ! find nextcloud_aio_volumes \
-                    -not \( \
-                        -path nextcloud_aio_volumes/nextcloud_aio_apache/caddy \
-                        -o -path "nextcloud_aio_volumes/nextcloud_aio_apache/caddy/*" \
-                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/caddy \
-                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/caddy/*" \
-                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/certs \
-                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/certs/*" \
-                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/session \
-                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/session/*" \
-                        -o -path "nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" \
-                        -o -path nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log \
-                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_running \
-                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/session_date_file \
-                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/id_borg*" \
-                        -o -path "nextcloud_aio_nextcloud_data/lost+found" \
-                        "${ADDITIONAL_FIND_EXCLUDES[@]}" \
-                    \) \
-                    | LC_ALL=C sort \
-                    | LC_ALL=C comm -23 - \
-                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
-                    > /tmp/local_files_not_in_backup
-            then
-                RESTORE_FAILED=1
-                echo "Failed to delete local files not in backup archive."
-            else
-                # More robust than e.g. xargs as I got a ~"args line too long" error while testing that, but it's slower
-                # https://stackoverflow.com/a/21848934
-                while IFS= read -r file
-                do rm -vrf -- "$file" || DELETE_FAILED=1
-                done < /tmp/local_files_not_in_backup
-
-                if [ "$DELETE_FAILED" = 1 ]; then
-                    RESTORE_FAILED=1
-                    echo "Failed to delete (some) local files not in backup archive."
-                fi
-            fi
-        fi
+    # Restore the configuration file
+    if ! rsync --archive --human-readable -vv \
+    /tmp/borg/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json \
+    /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json; then
+        RESTORE_FAILED=1
+        echo "Something failed while restoring the configuration.json."
     fi
 
     # Set backup-mode to restore since it was a restore
     CONTENTS="$(jq '."backup-mode" = "restore"' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
     echo -E "${CONTENTS}" > /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json
 
-    # Reset the backup location vars to the currently used one
+    # Reset the backup path to the currently used one
     CONTENTS="$(jq ".borg_backup_host_location = $BORG_LOCATION" /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
     echo -E "${CONTENTS}" > /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json
-    CONTENTS="$(jq ".borg_remote_repo = $REMOTE_REPO" /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
-    echo -E "${CONTENTS}" > /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json
 
     # Reset the AIO password to the currently used one
     CONTENTS="$(jq ".password = $AIO_PASSWORD" /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
@@ -520,17 +332,15 @@ if [ "$BORG_MODE" = restore ]; then
         chmod 770 "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_time"
     fi
 
+    umount /tmp/borg
+
     if [ "$RESTORE_FAILED" = 1 ]; then
         exit 1
-    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
-    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
-        echo "It seems like the restore of the configuration.json was not done correctly. Something is wrong! (Most likely is the restore archive already incorrect)!"
-        exit 1
     fi
 
     # Inform user
     get_expiration_time
-    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
 
     # Add file to Nextcloud container so that it skips any update the next time
     touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
@@ -540,12 +350,6 @@ if [ "$BORG_MODE" = restore ]; then
     touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/fingerprint.update"
     chmod 777 "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/fingerprint.update"
 
-    # Add file to Netcloud container to trigger a preview scan the next time it starts
-    if [ -n "$RESTORE_EXCLUDE_PREVIEWS" ]; then
-        touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/trigger-preview.scan"
-        chmod 777 "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/trigger-preview.scan"
-    fi
-
     # Delete redis cache
     rm -f "/mnt/redis/dump.rdb"
 fi
@@ -556,15 +360,14 @@ if [ "$BORG_MODE" = check ]; then
     echo "Checking the backup integrity..."
 
     # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data "$BORG_BACKUP_DIRECTORY"; then
         echo "Some errors were found while checking the backup integrity!"
-        echo "Check the AIO interface for advice on how to proceed now!"
         exit 1
     fi
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     exit 0
 fi
 
@@ -574,62 +377,37 @@ if [ "$BORG_MODE" = "check-repair" ]; then
     echo "Checking the backup integrity and repairing it..."
 
     # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair "$BORG_BACKUP_DIRECTORY"; then
         echo "Some errors were found while checking and repairing the backup integrity!"
         exit 1
     fi
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     exit 0
 fi
 
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
-    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
-            echo "Borg could not get info from the remote repo."
-            echo "See the above borg info output for details."
-            exit 1
-        fi
-    else
-        if ! [ -d "$BORG_BACKUP_DIRECTORY" ]; then
-            echo "No 'borg' directory in the given backup directory found!"
-            echo "Only the files/folders below have been found in the given directory."
-            ls -a "$MOUNT_DIR"
-            echo "Please adjust the directory so that the borg archive is positioned in a folder named 'borg' inside the given directory!"
-            exit 1
-        elif ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-            echo "A 'borg' directory was found but could not find the borg archive."
-            echo "Only the files/folders below have been found in the borg directory."
-            ls -a "$BORG_BACKUP_DIRECTORY"
-            echo "The archive and most importantly the config file must be positioned directly in the 'borg' subfolder."
-            exit 1
-        fi
-    fi
-
-    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
+    if ! [ -d "$BORG_BACKUP_DIRECTORY" ]; then
+        echo "No 'borg' directory in the given backup directory found!"
+        echo "Only the files/folders below have been found in the given directory."
+        ls -a "$MOUNT_DIR"
+        echo "Please adjust the directory so that the borg archive is positioned in a folder named 'borg' inside the given directory!"
+        exit 1
+    elif ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
+        echo "A 'borg' directory was found but could not find the borg archive."
+        echo "Only the files/folders below have been found in the borg directory."
+        ls -a "$BORG_BACKUP_DIRECTORY"
+        echo "The archive and most importantly the config file must be positioned directly in the 'borg' subfolder."
+        exit 1
+    elif ! borg list "$BORG_BACKUP_DIRECTORY"; then
         echo "The entered path seems to be valid but could not open the backup archive."
         echo "Most likely the entered password was wrong so please adjust it accordingly!"
         exit 1
     else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
-            echo "The backup archive does not contain a valid Nextcloud AIO backup."
-            echo "Most likely was the archive not created via Nextcloud AIO."
-            exit 1
-        else
-            echo "Everything looks fine so feel free to continue!"
-            exit 0
-        fi
+        echo "Everything looks fine so feel free to continue!"
+        exit 0
     fi
 fi
-
-if [ "$BORG_MODE" = list ]; then
-    echo "Updating backup list..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
-        echo "Could not update the backup list."
-        exit 1
-    fi
-    # The update gets done automatically in the wrapper start.sh script.
-fi

Containers/borgbackup/borg_excludes

@@ -1,11 +0,0 @@
-# These patterns need to be kept in sync with rsync and find excludes in backupscript.sh,
-# which use a different syntax (patterns appear in 3 places in total)
-nextcloud_aio_volumes/nextcloud_aio_apache/caddy/
-nextcloud_aio_volumes/nextcloud_aio_mastercontainer/caddy/
-nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*
-nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log
-nextcloud_aio_volumes/nextcloud_aio_mastercontainer/certs/
-nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_running
-nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/session_date_file
-nextcloud_aio_volumes/nextcloud_aio_mastercontainer/session/
-nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/id_borg*

Containers/borgbackup/start.sh

@@ -1,19 +1,8 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    BORG_LOG_LEVEL_FLAG="--warning"
-else
-    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
-fi
-export BORG_LOG_LEVEL_FLAG
-
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
-export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
+export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"
 
 # Validate BORG_PASSWORD
 if [ -z "$BORG_PASSWORD" ] && [ -z "$BACKUP_RESTORE_PASSWORD" ]; then
@@ -29,22 +18,10 @@ else
 fi
 export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
 export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
-if [ -n "$BORG_REMOTE_REPO" ]; then
-    export BORG_REPO="$BORG_REMOTE_REPO"
-
-    # Location to create the borg ssh pub/priv key
-    export BORGBACKUP_KEY="/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/id_borg"
-
-    # Accept any host key the first time connecting to the remote. Strictly speaking should be provided by user but you'd
-    # have to be very unlucky to get MitM'ed on your first connection.
-    export BORG_RSH="ssh -o StrictHostKeyChecking=accept-new -i $BORGBACKUP_KEY"
-else
-    export BORG_REPO="$BORG_BACKUP_DIRECTORY"
-fi
 
 # Validate BORG_MODE
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != "test" ] && [ "$BORG_MODE" != "list" ]; then
-    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore', 'test' and 'list'."
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != test ]; then
+    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore' and 'test'."
     exit 1
 fi
 
@@ -59,8 +36,8 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
 
 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
-    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
+if borg list "$BORG_BACKUP_DIRECTORY" &>/dev/null; then
+    borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
     echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 fi

Containers/clamav/Dockerfile

@@ -1,52 +1,7 @@
-# syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/0.105/alpine/Dockerfile
+FROM clamav/clamav:1.0.1-1
 
-RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache tzdata clamav clamav-milter supervisor bash; \
-    mkdir -p /tmp /var/lib/clamav /run/clamav /var/log/supervisord /var/run/supervisord; \
-    chmod 777 -R /tmp /run/clamav /var/log/clamav /var/log/supervisord /var/run/supervisord; \
-    chown -R 100:100 /var/lib/clamav; \
-    sed -i "s|#\?MaxDirectoryRecursion.*|MaxDirectoryRecursion 30|g" /etc/clamav/clamd.conf; \
-    sed -i "s|#\?MaxScanSize.*|MaxScanSize 2000M|g" /etc/clamav/clamd.conf; \
-    sed -i "s|#\?MaxFileSize.*|MaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
-    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
-# StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
-    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
-# By default clamd keeps the old signature database in RAM while loading the new one,
-# briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
-# Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
-# eliminating that transient peak and significantly reducing maximum RAM consumption.
-    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
-# The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
-# The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
-# and avoids the idle per-thread memory overhead of the larger default pool.
-    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
-    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
-    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
-    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
-    sed -i "s|#\?MilterSocket inet:7357|MilterSocket inet:7357|g" /etc/clamav/clamav-milter.conf; \
-    sed -i "s|#\?ClamdSocket unix:/run/clamav/clamd.sock|ClamdSocket unix:/tmp/clamd.sock|g" /etc/clamav/clamav-milter.conf; \
-    sed -i "s|#\?OnInfected Quarantine|OnInfected Reject|g" /etc/clamav/clamav-milter.conf; \
-    sed -i "s|#\?AddHeader Replace|AddHeader Add|g" /etc/clamav/clamav-milter.conf; \
-    sed -i "s|#\?Foreground yes|Foreground yes|g" /etc/clamav/clamav-milter.conf
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
-
-USER 100
-RUN set -ex; \
-    freshclam --foreground --stdout
-VOLUME /var/lib/clamav
-ENTRYPOINT ["/start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
-    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
+RUN apk add --no-cache tzdata
+COPY clamav.conf /tmp/
+RUN cat /tmp/clamav.conf >> /etc/clamav/clamd.conf
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/clamav/clamav.conf

@@ -0,0 +1,4 @@
+MaxDirectoryRecursion 30
+MaxFileSize 100M
+PCREMaxFileSize 100M
+StreamMaxLength 100M

Containers/clamav/healthcheck.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
-	echo "ERROR: Unable to contact server"
-	exit 1
-fi
-
-echo "Clamd is up"
-exit 0

Containers/clamav/start.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-	set -x
-fi
-
-# Print out clamav version for compliance reasons
-clamscan --version
-
-echo "Clamav started"
-
-exec "$@"

Containers/clamav/supervisord.conf

@@ -1,29 +0,0 @@
-[supervisord]
-nodaemon=true
-logfile=/var/log/supervisord/supervisord.log
-pidfile=/var/run/supervisord/supervisord.pid
-childlogdir=/var/log/supervisord/
-logfile_maxbytes=50MB                           
-logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
-
-[program:freshclam]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=freshclam --foreground --stdout --daemon --daemon-notify=/etc/clamav/clamd.conf
-
-[program:clamd]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=clamd --foreground --config-file=/etc/clamav/clamd.conf
-
-[program:milter]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=clamav-milter --config-file=/etc/clamav/clamav-milter.conf

Containers/collabora-online/Dockerfile

@@ -1,21 +0,0 @@
-# syntax=docker/dockerfile:latest
-# From https://gitlab.collabora.com/collabora-online/docker
-# hadolint ignore=DL3007
-FROM registry.gitlab.collabora.com/collabora-online/docker:latest
-
-USER root
-ARG DEBIAN_FRONTEND=noninteractive
-
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-USER 1001
-
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/collabora-online/healthcheck.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# Unfortunately, no curl and no nc is installed in the container 
-# and packages can also not be added as the package list is broken.
-# So always exiting 0 for now.
-# nc http://127.0.0.1:9980 || exit 1
-exit 0

Containers/collabora/Dockerfile

@@ -1,23 +1,19 @@
-# syntax=docker/dockerfile:latest
-# From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.9.4.1
+# From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
+FROM collabora/code:22.05.12.2.1
 
 USER root
-ARG DEBIAN_FRONTEND=noninteractive
 
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
+RUN set -ex; \
+    \
+    apt-get update; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get install -y --no-install-recommends \
+        tzdata \
+        netcat \
+    ; \
+    rm -rf /var/lib/apt/lists/*
 
-USER 1001
+USER 104
 
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-
-ENTRYPOINT ["/start.sh"]
+HEALTHCHECK CMD nc -z localhost 9980 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/collabora/healthcheck.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# Unfortunately, no curl and no nc is installed in the container 
-# and packages can also not be added as the package list is broken.
-# So always exiting 0 for now.
-# nc http://127.0.0.1:9980 || exit 1
-exit 0

Containers/collabora/start.sh

@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    COLLABORA_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    COLLABORA_LOG_LEVEL="notice"
-else
-    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-
-# Replace the hardcoded log level in extra_params with the translated one
-extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
-export extra_params
-
-exec /start-collabora-online.sh "$@"

Containers/docker-socket-proxy/Dockerfile

@@ -1,28 +0,0 @@
-# syntax=docker/dockerfile:latest
-FROM haproxy:3.3.10-alpine
-
-# hadolint ignore=DL3002
-USER root
-ENV NEXTCLOUD_HOST=nextcloud-aio-nextcloud
-RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache \
-        ca-certificates \
-        tzdata \
-        bash \
-        bind-tools; \
-    chmod -R 777 /tmp
-
-COPY --chmod=775 *.sh /
-COPY --chmod=664 haproxy.cfg /haproxy.cfg
-
-ENTRYPOINT ["/start.sh"]
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
-    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/docker-socket-proxy/haproxy.cfg

@@ -1,68 +0,0 @@
-# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
-
-global
-    maxconn 10
-
-defaults
-    timeout connect 30s
-    timeout client 30s
-    timeout server 1800s
-
-frontend http
-    mode http
-    bind :::2375 v4v6
-    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
-    # docker system _ping
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
-    # docker inspect image: GET images/%s/json
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/.*/json } METH_GET
-    # container inspect: GET containers/%s/json
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
-    # container inspect: GET containers/%s/logs
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET
-    # container start/stop: POST containers/%s/start containers/%s/stop
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
-    # container rm: DELETE containers/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
-    # container update/exec: POST containers/%s/update containers/%s/exec
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((update)|(exec)) } METH_POST
-    # container put: PUT containers/%s/archive
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/archive } METH_PUT
-    # run exec instance: POST exec/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec/[a-zA-Z0-9_.-]+/start } METH_POST
-
-    # container create: POST containers/create?name=%s
-    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
-    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
-
-    # ACL to restrict the number of Mounts to 1
-    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
-    # ACL to deny if there are any binds
-    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
-    # ACL to restrict the type of Mounts to volume
-    acl type_not_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[[^\]]*(\"Type\"\s*:\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
-
-    # ACL to restrict container creation, that it has HostConfig.Privileged(by searching for "Privileged" word in all payload)
-    acl no_privileged_flag req.body -m reg -i "\"Privileged\""
-    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
-    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*{[^}]*\"Source\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
-    # end of container create
-
-    # volume create: POST volumes/create
-    # restrict name
-    acl nc_app_volume_data req.body -m reg -i "\"Name\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
-    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
-    acl volume_no_device req.body -m reg -i "\"device\""
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
-    # volume rm: DELETE volumes/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
-    # image pull: POST images/create?fromImage=%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
-    http-request deny
-    default_backend dockerbackend
-
-backend dockerbackend
-    mode http
-    server dockersocket /var/run/docker.sock

Containers/docker-socket-proxy/healthcheck.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
-nc -z 127.0.0.1 2375 || exit 1

Containers/docker-socket-proxy/start.sh

@@ -1,29 +0,0 @@
-#!/bin/sh
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Only start container if nextcloud is accessible
-while ! nc -z "$NEXTCLOUD_HOST" 9001; do
-    echo "Waiting for Nextcloud to start..."
-    sleep 5
-done
-
-set -x
-IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
-echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-
-IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-if [ -n "$IPv6_ADDRESS_NC" ]; then
-    HAPROXYFILE="$(sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|" /tmp/haproxy.cfg)"
-else
-    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
-fi
-echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
-
-haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/Dockerfile

@@ -1,27 +1,19 @@
-# syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
-RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache bash lighttpd netcat-openbsd; \
-    adduser -S www-data -G www-data; \
-    rm -rf /etc/lighttpd/lighttpd.conf; \
-    chmod 777 -R /etc/lighttpd; \
-    mkdir -p /var/www/domaincheck; \
-    chown www-data:www-data -R /var/www; \
-    chmod 777 -R /var/www/domaincheck
-COPY --chown=www-data:www-data lighttpd.conf /lighttpd.conf
+FROM alpine:3.17.2
+RUN apk add --no-cache lighttpd bash netcat-openbsd
 
-COPY --chmod=775 start.sh /start.sh
+RUN adduser -S www-data -G www-data
+RUN rm -rf /etc/lighttpd/lighttpd.conf
+COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
+RUN chmod +r -R /etc/lighttpd && \
+    chown www-data:www-data -R /var/www && \
+    chown www-data:www-data /etc/lighttpd/lighttpd.conf
+
+COPY start.sh /
+RUN chmod +x /start.sh
 
 USER www-data
+RUN mkdir -p /var/www/domaincheck/
 ENTRYPOINT ["/start.sh"]
 
-HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
-    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/domaincheck/start.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$INSTANCE_ID" ]; then
     echo "You need to provide an instance id."
     exit 1
@@ -15,23 +11,9 @@ if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
 
-CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
+CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /etc/lighttpd/lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 
-# shellcheck disable=SC2235
-if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-handling = "enable"
-CONF_FILE
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-header = "enable"
-debug.log-response-header = "enable"
-CONF_FILE
-fi
-
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 

Containers/fulltextsearch/Dockerfile

@@ -1,32 +1,15 @@
-# syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.1
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+FROM elasticsearch:7.17.9
 
-USER root
+RUN elasticsearch-plugin install --batch ingest-attachment
 
-# hadolint ignore=DL3041
 RUN set -ex; \
     \
-    microdnf update -y; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
         tzdata \
     ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*
 
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-USER 1000:0
-
-HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
-    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
-
-ENTRYPOINT ["/start.sh"]
+HEALTHCHECK CMD nc -z localhost 9200 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/fulltextsearch/healthcheck.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1

Containers/fulltextsearch/start.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-
-exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"

Containers/imaginary/Dockerfile

@@ -1,53 +1,29 @@
-# syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
-
-ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
+# From https://github.com/h2non/imaginary/blob/master/Dockerfile
+FROM nextcloud/imaginary:20230301
 
+USER root
 RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache \
-        vips-dev \
-        vips-magick \
-        vips-heif \
-        vips-jxl \
-        vips-poppler \
-        build-base; \
-    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        netcat \
+    ; \
+    echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list; \
+    apt-get update; \
+    apt-get install -t bookworm -y --no-install-recommends \
+        libheif1 \
+        libde265-0 \
+        libx265-199 \
+        libvips \
+    ; \
+    rm /etc/apt/sources.list.d/bookworm.list; \
+    rm -rf /var/lib/apt/lists/*
+USER nobody
 
-FROM alpine:3.23.4
-RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache \
-        tzdata \
-        ca-certificates \
-        netcat-openbsd \
-        vips \
-        vips-magick \
-        vips-heif \
-        vips-jxl \
-        vips-poppler \
-        ttf-dejavu \
-        bash
+ENTRYPOINT ["/usr/local/bin/imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
 
-COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-ENV PORT=9000 \
-    AIO_LOG_LEVEL=warn
-
-USER 65534
+HEALTHCHECK CMD nc -z localhost 9000 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"
 
 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
-ENTRYPOINT ["/start.sh"]
-
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
-    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/imaginary/healthcheck.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-nc -z 127.0.0.1 "$PORT" || exit 1

Containers/imaginary/start.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'info' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export GOLANG_LOG
-if [ "$AIO_LOG_LEVEL" = "debug" ]; then
-    export DEBUG='*'
-fi
-
-echo "Imaginary has started"
-
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
-
-if [ -n "$IMAGINARY_SECRET" ]; then
-    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
-fi
-
-exec imaginary "${IMAGINARY_ARGS[@]}" "$@"

Containers/mastercontainer/.idea/.gitignore

@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
+# Editor-based HTTP Client requests
+/httpRequests/

Containers/mastercontainer/.idea/mastercontainer.iml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>

Containers/mastercontainer/.idea/misc.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager">
+    <output url="file://$PROJECT_DIR$/out" />
+  </component>
+</project>

Containers/mastercontainer/.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/mastercontainer.iml" filepath="$PROJECT_DIR$/.idea/mastercontainer.iml" />
+    </modules>
+  </component>
+</project>

Containers/mastercontainer/.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/../.." vcs="Git" />
+  </component>
+</project>

Containers/mastercontainer/Caddyfile

@@ -0,0 +1,34 @@
+{
+    # auto_https will create redirects for https://{host}:8443 instead of https://{host}
+    # https redirects are added manually in the http://:80 block
+    auto_https disable_redirects
+
+    storage file_system {
+        root /mnt/docker-aio-config/caddy/
+    }
+
+    log {
+        level ERROR
+    }
+}
+
+http://:80 {
+  redir https://{host}{uri}
+}
+
+# Match only host names and not ip-addresses:
+https://*.*:8443,
+https://*.*.*:8443,
+https://*.*.*.*:8443,
+https://*.*.*.*.*:8443,
+https://*.*.*.*.*.*:8443 {
+
+    reverse_proxy localhost:8000
+
+    tls {
+        on_demand
+        issuer acme {
+            disable_tlsalpn_challenge
+        }
+    }
+}

Containers/mastercontainer/Dockerfile

@@ -1,117 +1,141 @@
-# syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.3-cli AS docker
-
-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+FROM docker:23.0.1-dind as dind
 
 # Caddy is a requirement
-FROM caddy:2.11.3-builder-alpine AS caddy
-RUN set -ex; \
-    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
-    /usr/bin/caddy list-modules
+FROM caddy:2.6.4-alpine as caddy
 
-# From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+# From https://github.com/docker-library/php/blob/master/8.1/alpine3.17/fpm/Dockerfile
+FROM php:8.1.17-fpm-alpine3.17
+
+RUN set -ex; \
+    apk add --no-cache shadow; \
+    groupmod -g 333 xfs; \
+    usermod -u 333 -g 333 xfs; \
+    groupmod -g 33 www-data; \
+    usermod -u 33 -g 33 www-data
 
 EXPOSE 80
 EXPOSE 8080
 EXPOSE 8443
 
-# Overwrite home variable for subservices
-ENV HOME=/var/www
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
-COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
-
-COPY community-containers /var/www/docker-aio/community-containers
-COPY php /var/www/docker-aio/php
-COPY --chmod=775 Containers/mastercontainer/*.sh /
-COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
-COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
+RUN mkdir -p /var/www/docker-aio;
 
 WORKDIR /var/www/docker-aio
 
-# hadolint ignore=SC2086,DL3047,DL3003,DL3004
 RUN set -ex; \
-    apk upgrade --no-cache -a; \
-    apk add --no-cache shadow; \
-    groupmod -g 33 www-data; \
-    usermod -u 33 -g 33 www-data; \
-    \
     apk add --no-cache \
         util-linux-misc \
         ca-certificates \
+        wget \
         bash \
+        apache2 \
+        apache2-proxy \
+        apache2-ssl \
         supervisor \
+        openssl \
         sudo \
         netcat-openbsd \
         curl \
-        grep; \
-    \
+        grep
+
+RUN set -ex; \
     apk add --no-cache --virtual .build-deps \
         autoconf \
         build-base; \
-    pecl install APCu-5.1.28; \
+    pecl install APCu-5.1.22; \
     docker-php-ext-enable apcu; \
-    { \
-        echo 'apc.shm_size=32M'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.memory_consumption=32'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=4000'; \
-        echo 'opcache.validate_timestamps=0'; \
-    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
     rm -r /tmp/pear; \
+    \
     runDeps="$( \
         scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
             | tr ',' '\n' \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-aio-rundeps $runDeps; \
+    apk add --virtual .nextcloud-aio-rundeps $runDeps; \
     apk del .build-deps; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
-    sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
-    echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \
-    \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/
+RUN chmod +x /usr/bin/caddy
+
+COPY --from=dind /usr/local/bin/docker /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker
+
+RUN set -e && \
     apk add --no-cache git; \
-    curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
+    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
-    rm -r ./php/tests; \
-    chown www-data:www-data -R /var/www/docker-aio; \
+    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
     cd php; \
-    sudo -E -u www-data composer install --no-dev; \
-    sudo -E -u www-data composer clear-cache; \
+    composer install --no-dev; \
+    composer clearcache; \
     cd ..; \
     rm -f /usr/local/bin/composer; \
-    chmod -R 770 /var/www/docker-aio; \
-    chown -R www-data:www-data /var/www; \
-    rm -r php/data; \
-    rm -r php/session; \
-    \
-    mkdir /var/log/supervisord; \
+    chmod 770 -R ./; \
+    chown www-data:www-data -R /var/www; \
+    rm -r ./php/data; \
+    rm -r ./php/session; \
+    apk del --no-cache git
+
+RUN mkdir -p /etc/apache2/certs && \
+    cd /etc/apache2/certs && \
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt;
+
+COPY mastercontainer.conf /etc/apache2/sites-available/
+
+RUN sed -i \
+            -e '/^Listen /d' \
+            -e 's/User apache/User www-data/g' \
+            -e 's/Group apache/Group www-data/g' \
+            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
+            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
+            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+        /etc/apache2/httpd.conf; \
+        mkdir -p /etc/apache2/logs; \
+        rm /etc/apache2/conf.d/ssl.conf; \
+        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
+        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
+        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
+        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf
+
+RUN set -ex; \
+    rm -f /etc/apache2/conf.d/default.conf \
+          /etc/apache2/conf.d/userdir.conf \
+          /etc/apache2/conf.d/info.conf
+
+RUN mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 
-# hadolint ignore=DL3048
-LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
-    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
-    wud.watch="false" \
-    com.docker.compose.project="nextcloud-aio"
+COPY Caddyfile /
+COPY start.sh /usr/bin/
+COPY backup-time-file-watcher.sh /
+COPY session-deduplicator.sh /
+COPY cron.sh /
+COPY daily-backup.sh /
+COPY supervisord.conf /
+COPY healthcheck.sh /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /cron.sh; \
+    chmod +x /session-deduplicator.sh; \
+    chmod +x /backup-time-file-watcher.sh; \
+    chmod +x /daily-backup.sh; \
+    chmod a+r /Caddyfile; \
+    chmod +x /healthcheck.sh
 
-# hadolint ignore=DL3002
 USER root
 
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD /healthcheck.sh

Containers/mastercontainer/README.md

@@ -1,69 +0,0 @@
-# Nextcloud All-in-One `mastercontainer`
-
-This folder contains the OCI/Docker container definition, along with associated resources and
-configuration files, for building the `mastercontainer` as part of the Nextcloud All-in-One
-project. This container hosts [the Nextcloud AIO interface](
-https://github.com/nextcloud/all-in-one/tree/main/php)[^app], and a dedicated PHP environment
-for it (which is completely independent of the Nextcloud Server).
-
-## Overview
-
-The mastercontainer acts as the central orchestration service for the deployment and management
-of all other containers in the Nextcloud All-in-One stack. It hosts:
-
-- A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
-- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
-- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
-  - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
-    is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
-    domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will
-    use an [ACME HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) challenge.
-- Miscellaneous support services specific to AIO (backup management, health checks, etc.)
-
-## Key Responsibilities
-
-- Orchestrates the deployment and lifecycle of all Nextcloud service containers
-- Handles initial setup and container configuration
-- Coordinates image updates
-- Monitors general system health
-
-It triggers the initial installation and ensures the smooth operation of the Nextcloud
-All-in-One stack.
-
-## Contents
-
-- **Dockerfile**: Instructions for building the mastercontainer image.
-- **Entrypoint script**: The `start.sh` script is used for container initialization and runtime
-  configuration before starting supervisord.
-- [**Nextcloud All-in-One Controller App**](https://github.com/nextcloud/all-in-one/tree/main/php): The
-  core AIO orchestrator that handles configuration and settings for the containers.
-- **Supervisor**: The `supervisord.conf` file defines the long-running services hosted within
-  the container (php-fpm, cron, etc.)
-
-## Usage
-
-This container should be used as the trigger image when deploying the Nextcloud All-in-One
-stack in a Docker or other OCI-compliant container environment. For detailed deployment
-instructions, refer to the [project documentation](
-https://github.com/nextcloud/all-in-one).
-
-## Related Resources
-
-- [Main Repository](https://github.com/nextcloud/all-in-one)
-- [Documentation](https://github.com/nextcloud/all-in-one#readme)
-
-## Contributing
-
-Contributions are welcome! Please follow the Nextcloud project's guidelines and submit pull
-requests or issues via the main repository.
-
-## License
-
-This folder and its contents are licensed under the
-[GNU AGPLv3](https://www.gnu.org/licenses/agpl-3.0.html), in line with the rest of Nextcloud
-All-in-One.
-
-[^app]: The Nextcloud All-in-One interface allows users to install, configure, and
-manage their Nextcloud instance and related containers via a secure web interface and API.
-It automates and simplifies complex tasks such as container orchestration, backups, updates,
-and service management for users deploying Nextcloud in Docker environments.

Containers/mastercontainer/acme.Caddyfile

@@ -1,56 +0,0 @@
-{
-	admin off
-
-	# auto_https will create redirects for https://{host}:8443 instead of https://{host}
-	# https redirects are added manually in the http://:80 block
-	auto_https disable_redirects
-
-	storage file_system {
-		root /mnt/docker-aio-config/caddy/
-	}
-
-	log {
-		level ERROR
-		# We need to exclude the remote-host plugin from logging as it would spam the logs
-		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
-		exclude http.matchers.remote_host
-	}
-
-	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
-	}
-
-	on_demand_tls {
-		ask http://127.0.0.1:9876/
-	}
-
-	skip_install_trust
-}
-
-http://:80 {
-	redir https://{host}{uri} permanent
-}
-
-https://:8443 {
-    import headers.Caddyfile
-    header Strict-Transport-Security max-age=31536000;
-
-	@denied {
-		path /api/auth/login /api/auth/getlogin
-		remote_host nextcloud-aio-nextcloud
-	}
-	abort @denied
-
-	root * /var/www/docker-aio/php/public
-	php_fastcgi unix//run/php.sock
-	file_server
-
-	tls {
-		on_demand
-		issuer acme {
-            profile shortlived
-			disable_tlsalpn_challenge
-		}
-	}
-}

Containers/mastercontainer/backup-time-file-watcher.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 restart_process() {
     echo "Restarting cron.sh because daily backup time was set, changed or unset."
     pkill cron.sh

Containers/mastercontainer/cron.sh

@@ -1,9 +1,5 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
     if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
         set -x
@@ -16,14 +12,7 @@ while true; do
             export AUTOMATIC_UPDATES=0
             export START_CONTAINERS=1
         fi
-        if [ "$(sed -n '3p' "/mnt/docker-aio-config/data/daily_backup_time")" != 'successNotificationsAreNotEnabled' ]; then
-            export SEND_SUCCESS_NOTIFICATIONS=1
-        else
-            export SEND_SUCCESS_NOTIFICATIONS=0
-        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
         if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
             export LOCK_FILE_PRESENT=1
         else
@@ -51,31 +40,22 @@ while true; do
 
     # Check for updates and send notification if yes on saturdays
     if [ "$(date +%u)" = 6 ]; then
-        sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateNotification.php
+        sudo -u www-data php /var/www/docker-aio/php/src/Cron/UpdateNotification.php
     fi
 
     # Check if AIO is outdated
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
 
     # Remove sessions older than 24h
     find "/mnt/docker-aio-config/session/" -mindepth 1 -mmin +1440 -delete
 
     # Remove nextcloud-aio-domaincheck container
-    if sudo -E -u www-data docker ps --format "{{.Names}}" --filter "status=exited" | grep -q "^nextcloud-aio-domaincheck$"; then
-        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
+    if sudo -u www-data docker ps --format "{{.Names}}" --filter "status=exited" | grep -q "^nextcloud-aio-domaincheck$"; then
+        sudo -u www-data docker container remove nextcloud-aio-domaincheck
     fi
 
-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
-    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
-    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force
-
-    # Check for available free space
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
-
-    # Remove mastercontainer from default bridge network
-    if sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
-        sudo -E -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
-    fi
+    # Remove dangling images
+    sudo -u www-data docker image prune --force
 
     # Wait 60s so that the whole loop will not be executed again
     sleep 60

Containers/mastercontainer/daily-backup.sh

@@ -1,18 +1,7 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 echo "Daily backup script has started"
 
-# Check if initial configuration has been done, otherwise this script should do nothing.
-CONFIG_FILE=/mnt/docker-aio-config/data/configuration.json
-if ! [ -f "$CONFIG_FILE" ] || (! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE" && ! grep -q "wasStartButtonClicked.*true" "$CONFIG_FILE"); then
-    echo "Initial configuration via AIO interface not done yet. Exiting..."
-    exit 0
-fi
-
 # Daily backup and backup check cannot be run at the same time
 if [ "$DAILY_BACKUP" = 1 ] && [ "$CHECK_BACKUP" = 1 ]; then
     echo "Daily backup and backup check cannot be run at the same time. Exiting..."
@@ -24,23 +13,14 @@ fi
 if [ "$LOCK_FILE_PRESENT" = 0 ] || ! [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
     find "/mnt/docker-aio-config/session/" -mindepth 1 -delete
 fi
-sudo -E -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
+sudo -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-LOCAL_APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.Config.Env}}" | grep -o 'APACHE_PORT=[0-9]\+' | grep -o '[0-9]\+' | head -1)"
-if [ -z "$LOCAL_APACHE_PORT" ]; then
-    echo "APACHE_PORT is not set which is not expected..."
-else
-    # Connect mastercontainer to nextcloud-aio network to make sure that nextcloud-aio-apache is reachable
-    # Prevent issues like https://github.com/nextcloud/all-in-one/discussions/5222
-    docker network connect nextcloud-aio nextcloud-aio-mastercontainer &>/dev/null
-
-    # Wait for apache to start
-    while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$LOCAL_APACHE_PORT"; do
-        echo "Waiting for apache to become available"
-        sleep 30
-    done
-fi
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -oP '[0-9]+' | head -1)"
+while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
+    echo "Waiting for apache to become available"
+    sleep 30
+done
 while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-watchtower$"; do
     echo "Waiting for watchtower to stop"
     sleep 30
@@ -54,7 +34,7 @@ done
 if [ "$AUTOMATIC_UPDATES" = 1 ]; then
     echo "Starting mastercontainer update..." 
     echo "(The script might get exited due to that. In order to update all the other containers correctly, you need to run this script with the same settings a second time.)"
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateMastercontainer.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/UpdateMastercontainer.php
 fi
 
 # Wait for watchtower to stop
@@ -68,23 +48,17 @@ if [ "$AUTOMATIC_UPDATES" = 1 ]; then
     done
 fi
 
-# Update container images to reduce downtime later on
-if [ "$AUTOMATIC_UPDATES" = 1 ]; then
-    echo "Updating container images..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/PullContainerImages.php
-fi
-
 # Stop containers if required
 # shellcheck disable=SC2235
 if [ "$CHECK_BACKUP" != 1 ] && ([ "$DAILY_BACKUP" != 1 ] || [ "$STOP_CONTAINERS" = 1 ]); then
     echo "Stopping containers..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/StopContainers.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/StopContainers.php
 fi
 
 # Execute the backup itself and some related tasks (also stops the containers)
 if [ "$DAILY_BACKUP" = 1 ]; then
     echo "Creating daily backup..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CreateBackup.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CreateBackup.php
     if ! docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-borgbackup$"; then
         echo "Something seems to be wrong: the borg container should be started at this step."
     fi
@@ -97,17 +71,17 @@ fi
 # Execute backup check
 if [ "$CHECK_BACKUP" = 1 ]; then
     echo "Starting backup check..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckBackup.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckBackup.php
 fi
 
 # Start and/or update containers
 if [ "$AUTOMATIC_UPDATES" = 1 ]; then
     echo "Starting and updating containers..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/StartAndUpdateContainers.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/StartAndUpdateContainers.php
 else
     if [ "$START_CONTAINERS" = 1 ]; then
         echo "Starting containers without updating them..."
-        sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/StartContainers.php
+        sudo -u www-data php /var/www/docker-aio/php/src/Cron/StartContainers.php
     fi
 fi
 
@@ -131,7 +105,7 @@ if [ "$DAILY_BACKUP" = 1 ] && ([ "$AUTOMATIC_UPDATES" = 1 ] || [ "$START_CONTAIN
         done
     fi
     echo "Sending backup notification..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
 fi
 
 echo "Daily backup script has finished"

Containers/mastercontainer/headers.Caddyfile

@@ -1,31 +0,0 @@
-header {
-    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
-    # default-src 'none'; Allow nothing by default
-    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
-    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
-    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
-    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
-    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
-    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
-    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
-    # upgrade-insecure-requests; Upgrade all http embedings to https
-    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
-    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
-    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
-    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
-    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
-    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
-    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
-    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
-    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
-
-    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
-    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
-
-    -Server
-    -X-Powered-By
-    -Via
-}

Containers/mastercontainer/healthcheck.sh

@@ -1,13 +1,5 @@
 #!/bin/bash
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
-    nc -z 127.0.0.1 80 || exit 1
-    nc -z 127.0.0.1 8080 || exit 1
-    nc -z 127.0.0.1 8443 || exit 1
-    test -S /run/php.sock || exit 1
-    nc -z 127.0.0.1 9876 || exit 1
+    nc -z localhost 8080 || exit 1
 fi

Containers/mastercontainer/internal.Caddyfile

@@ -1,43 +0,0 @@
-{
-	admin off
-
-	# auto_https will be handled manually in acme.Caddyfile
-	auto_https disable_redirects
-
-	storage file_system {
-		root /mnt/docker-aio-config/caddy-internal/
-	}
-
-	log {
-		level ERROR
-		# We need to exclude the remote-host plugin from logging as it would spam the logs
-		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
-		exclude http.matchers.remote_host
-	}
-
-	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
-	}
-
-	skip_install_trust
-}
-
-https://:8080 {
-    import headers.Caddyfile
-
-	@denied {
-		path /api/auth/login /api/auth/getlogin
-		remote_host nextcloud-aio-nextcloud
-	}
-	abort @denied
-
-	root * /var/www/docker-aio/php/public
-	php_fastcgi unix//run/php.sock
-	file_server
-
-	tls {
-		on_demand
-		issuer internal
-	}
-}

Containers/mastercontainer/mastercontainer.conf

@@ -0,0 +1,53 @@
+Listen 8000
+Listen 8080
+
+# Deny access to .ht files
+<Files ".ht*">
+    Require all denied
+</Files>
+
+# Http host
+<VirtualHost *:8000>
+    ServerName localhost
+
+    # Add error log
+    CustomLog /proc/self/fd/1 combined
+    ErrorLog /proc/self/fd/2
+
+    # PHP match
+    <FilesMatch "\.php$">
+        SetHandler "proxy:fcgi://localhost:9000"
+    </FilesMatch>
+    # Master dir
+    DocumentRoot /var/www/docker-aio/php/public/
+    <Directory /var/www/docker-aio/php/public/>
+        RewriteEngine On
+        RewriteCond %{REQUEST_FILENAME} !-f
+        RewriteRule ^ index.php [QSA,L]
+        Options Indexes FollowSymLinks
+        Require all granted
+        AllowOverride All
+        Options FollowSymLinks MultiViews
+        Satisfy Any
+        <IfModule mod_dav.c>
+            Dav off
+        </IfModule>
+    </Directory>
+</VirtualHost>
+
+# Https host
+<VirtualHost *:8080>
+    # Proxy to https
+    ProxyPass / http://localhost:8000/
+    ProxyPassReverse / http://localhost:8000/
+    ProxyPreserveHost On
+    # SSL
+    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
+    SSLCertificateFile /etc/apache2/certs/ssl.crt
+    SSLEngine               on
+    SSLProtocol             -all +TLSv1.2 +TLSv1.3
+</VirtualHost>
+
+# Increase timeout in case e.g. the initial download takes a long time
+Timeout 7200
+ProxyTimeout 7200

Containers/mastercontainer/session-deduplicator.sh

@@ -16,10 +16,6 @@ compare_times() {
     fi
 }
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
     compare_times
     sleep 2

Containers/mastercontainer/start.sh

@@ -6,12 +6,6 @@ print_green() {
     printf "%b%s%b\n" "\e[0;92m" "$TEXT" "\e[0m"
 }
 
-# Function to show text in red
-print_red() {
-    local TEXT="$1"
-    printf "%b%s%b\n" "\e[0;31m" "$TEXT" "\e[0m"
-}
-
 # Function to check if number was provided
 check_if_number() {
 case "${1}" in
@@ -20,46 +14,18 @@ case "${1}" in
 esac
 }
 
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Check if running as root user
-if [ "$EUID" != "0" ]; then
-    print_red "Container does not run as root user. This is not supported."
-    exit 1
-fi
-
-# Check that the CMD is not overwritten nor set
-if [ "$*" != "" ]; then
-    print_red "Docker run command for AIO is incorrect as a CMD option was given which is not expected."
-    exit 1
-fi
-
 # Check if socket is available and readable
-if ! [ -e "/var/run/docker.sock" ]; then
-    print_red "Docker socket is not available. Cannot continue."
-    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
-    echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
-    echo "And https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
+if ! [ -a "/var/run/docker.sock" ]; then
+    echo "Docker socket is not available. Cannot continue."
     exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
-    print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
-    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
-    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+    echo "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
     exit 1
-elif mountpoint -q /var/www/docker-aio/php/containers.json; then
-    print_red "/var/www/docker-aio/php/containers.json is a mountpoint. Cannot proceed!"
-    echo "This is a not-supported customization of the mastercontainer!"
-    echo "Please remove this bind-mount from the mastercontainer."
-    echo "If you need to customize things, feel free to use https://github.com/nextcloud/all-in-one/tree/main/manual-install"
-    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
-    exit 1
-elif ! sudo -E -u www-data test -r /var/run/docker.sock; then
+elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
     DOCKER_GROUP=$(stat -c '%G' /var/run/docker.sock)
     DOCKER_GROUP_ID=$(stat -c '%g' /var/run/docker.sock)
-    # Check if a group with the same group name of /var/run/docker.socket already exists in the container
+    # Check if a group with the same group id of /var/run/docker.socket already exists in the container
     if grep -q "^$DOCKER_GROUP:" /etc/group; then
         # If yes, add www-data to that group
         echo "Adding internal www-data to group $DOCKER_GROUP"
@@ -73,68 +39,25 @@ elif ! sudo -E -u www-data test -r /var/run/docker.sock; then
         groupadd -g "$DOCKER_GROUP_ID" docker
         usermod -aG docker www-data
     fi
-    if ! sudo -E -u www-data test -r /var/run/docker.sock; then
-        print_red "Docker socket is not readable by the www-data user. Cannot continue."
+    if ! sudo -u www-data test -r /var/run/docker.sock; then
+        echo "Docker socket is not readable by the www-data user. Cannot continue."
         exit 1
     fi
 fi
 
-# Get default docker api version
-API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
-API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
-if [ -z "$API_VERSION" ]; then
-    print_red "Could not get API_VERSION. Something is wrong!"
+# Check if api version is supported
+if ! sudo -u www-data docker info &>/dev/null; then
+    echo "Cannot connect to the docker socket. Cannot proceed."
     exit 1
 fi
-
-# Check if DOCKER_API_VERSION is set globally
-if [ -n "$DOCKER_API_VERSION" ]; then
-    if ! echo "$DOCKER_API_VERSION" | grep -q '^[0-9].[0-9]\+$'; then
-        print_red "You've set DOCKER_API_VERSION but not to an allowed value.
-The string must be a version number like e.g. '1.44'.
-It is set to '$DOCKER_API_VERSION'."
-        exit 1
-    fi
-    print_red "DOCKER_API_VERSION was found to be set to '$DOCKER_API_VERSION'."
-    print_red "Please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
-    print_red "So you run on your own risk and things might break without warning."
-else
-    # Export docker api version to use it everywhere
-    export DOCKER_API_VERSION="$API_VERSION"
-fi
-
-# Set a fallback docker api version. Needed for api version check. 
-# The check will not work otherwise on old docker versions
-FALLBACK_DOCKER_API_VERSION="1.41"
-
-# Check if docker info can be used
-if ! sudo -E -u www-data docker info &>/dev/null; then
-    if ! sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker info &>/dev/null; then
-        print_red "Cannot connect to the docker socket. Cannot proceed."
-        echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
-        echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
-        echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
-        echo "On macOS, see https://github.com/nextcloud/all-in-one#how-to-run-aio-on-macos"
-        echo "Another possibility might be that Docker api v$API_VERSION is not supported by your docker daemon."
-        echo "In that case, you should report this to https://github.com/nextcloud/all-in-one/issues"
-        echo ""
-        exit 1
-    fi
-fi
-
-# Docker api version check
+API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
+API_VERSION="$(grep -oP 'const API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
 # shellcheck disable=SC2001
-API_VERSION_NUMB="$(echo "$DOCKER_API_VERSION" | sed 's/\.//')"
-LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
-if [ -z "$LOCAL_API_VERSION_NUMB" ]; then
-    LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
-fi
+API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
+LOCAL_API_VERSION_NUMB="$(sudo -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
     if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-        print_red "Docker API v$DOCKER_API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
-        echo "Alternatively, set the DOCKER_API_VERSION environmental variable to a compatible version."
-        echo "However please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
-        echo "See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version"
+        echo "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
         exit 1
     fi
 else
@@ -143,38 +66,28 @@ else
 fi
 
 # Check Storage drivers
-STORAGE_DRIVER="$(sudo -E -u www-data docker info | grep "Storage Driver")"
+STORAGE_DRIVER="$(docker info | grep "Storage Driver")"
 # Check if vfs is used: https://github.com/nextcloud/all-in-one/discussions/1467
 if echo "$STORAGE_DRIVER" | grep -q vfs; then
     echo "$STORAGE_DRIVER"
-    print_red "Warning: It seems like the storage driver vfs is used. This will lead to problems with disk space and performance and is disrecommended!"
+    echo "Warning: It seems like the storage driver vfs is used. This will lead to problems with disk space and performance and is disrecommended!"
 elif echo "$STORAGE_DRIVER" | grep -q fuse-overlayfs; then
     echo "$STORAGE_DRIVER"
-    print_red "Warning: It seems like the storage driver fuse-overlayfs is used. Please check if you can switch to overlay2 instead."
-fi
-
-# Check if snap install
-if sudo -E -u www-data docker info | grep "Docker Root Dir" | grep "/var/snap/docker/"; then
-    print_red "Warning: It looks like your installation uses docker installed via snap."
-    print_red "This comes with some limitations and is disrecommended by the docker maintainers."
-    print_red "See for example https://github.com/nextcloud/all-in-one/discussions/4890#discussioncomment-10386752"
+    echo "Warning: It seems like the storage driver fuse-overlayfs is used. Please check if you can switch to overlay2 instead."
 fi
 
 # Check if startup command was executed correctly
-if ! sudo -E -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
-    print_red "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
+if ! sudo -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
+    echo "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
     exit 1
-elif sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format "{{.Config.Image}}" | grep -q '@'; then
-    print_red "It seems like you used a hash for the mastercontainer image tag. This is not supported!"
-    exit 1
-elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
-    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
+elif ! sudo -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
+    echo "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
     exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
-    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
+elif ! sudo -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
+    echo "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
     exit 1
 fi
@@ -182,34 +95,34 @@ fi
 # Check for other options
 if [ -n "$NEXTCLOUD_DATADIR" ]; then
     if [ "$NEXTCLOUD_DATADIR" = "nextcloud_aio_nextcloud_datadir" ]; then
-        sleep 1
+        echo "NEXTCLOUD_DATADIR is set to $NEXTCLOUD_DATADIR"
     elif ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/" || [ "$NEXTCLOUD_DATADIR" = "/" ]; then
-        print_red "You've set NEXTCLOUD_DATADIR but not to an allowed value.
-The string must start with '/' and must not be equal to '/'. Also allowed is 'nextcloud_aio_nextcloud_datadir'.
+        echo "You've set NEXTCLOUD_DATADIR but not to an allowed value.
+The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_DATADIR'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
     if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
-        print_red "You've set NEXTCLOUD_MOUNT but not to an allowed value.
+        echo "You've set NEXCLOUD_MOUNT but not to an allowed value.
 The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_MOUNT'."
         exit 1
     elif [ "$NEXTCLOUD_MOUNT" = "/mnt/ncdata" ] || echo "$NEXTCLOUD_MOUNT" | grep -q "^/mnt/ncdata/"; then
-        print_red "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
+        echo "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_DATADIR" ] && [ -n "$NEXTCLOUD_MOUNT" ]; then
     if [ "$NEXTCLOUD_DATADIR" = "$NEXTCLOUD_MOUNT" ]; then
-        print_red "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
+        echo "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_UPLOAD_LIMIT" ]; then
     if ! echo "$NEXTCLOUD_UPLOAD_LIMIT" | grep -q '^[0-9]\+G$'; then
-        print_red "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
+        echo "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
 The string must start with a number and end with 'G'.
 It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
         exit 1
@@ -217,7 +130,7 @@ It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
 fi
 if [ -n "$NEXTCLOUD_MAX_TIME" ]; then
     if ! echo "$NEXTCLOUD_MAX_TIME" | grep -q '^[0-9]\+$'; then
-        print_red "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
+        echo "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
 The string must be a number. E.g. '3600'.
 It is set to '$NEXTCLOUD_MAX_TIME'."
         exit 1
@@ -225,7 +138,7 @@ It is set to '$NEXTCLOUD_MAX_TIME'."
 fi
 if [ -n "$NEXTCLOUD_MEMORY_LIMIT" ]; then
     if ! echo "$NEXTCLOUD_MEMORY_LIMIT" | grep -q '^[0-9]\+M$'; then
-        print_red "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
+        echo "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
 The string must start with a number and end with 'M'.
 It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
         exit 1
@@ -233,72 +146,64 @@ It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
 fi
 if [ -n "$APACHE_PORT" ]; then
     if ! check_if_number "$APACHE_PORT"; then
-        print_red "You provided an Apache port but did not only use numbers.
+        echo "You provided an Apache port but did not only use numbers.
 It is set to '$APACHE_PORT'."
         exit 1
     elif ! [ "$APACHE_PORT" -le 65535 ] || ! [ "$APACHE_PORT" -ge 1 ]; then
-        print_red "The provided Apache port is invalid. It must be between 1 and 65535"
+        echo "The provided Apache port is invalid. It must be between 1 and 65535"
         exit 1
     fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
-    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$\|^@INTERNAL$'; then
-        print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
+    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9.]\+$'; then
+        echo "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
         exit 1
     fi
 fi
-if [ -n "$APACHE_ADDITIONAL_NETWORK" ]; then
-    if ! echo "$APACHE_ADDITIONAL_NETWORK" | grep -q "^[a-zA-Z0-9._-]\+$"; then
-        print_red "You've set APACHE_ADDITIONAL_NETWORK but not to an allowed value.
-It needs to be a string with letters, numbers, hyphens and underscores.
-It is set to '$APACHE_ADDITIONAL_NETWORK'."
-        exit 1
-    fi
-fi
 if [ -n "$TALK_PORT" ]; then
     if ! check_if_number "$TALK_PORT"; then
-        print_red "You provided an Talk port but did not only use numbers.
+        echo "You provided an Talk port but did not only use numbers.
 It is set to '$TALK_PORT'."
         exit 1
     elif ! [ "$TALK_PORT" -le 65535 ] || ! [ "$TALK_PORT" -ge 1 ]; then
-        print_red "The provided Talk port is invalid. It must be between 1 and 65535"
+        echo "The provided Talk port is invalid. It must be between 1 and 65535"
         exit 1
     fi
 fi
 if [ -n "$APACHE_PORT" ] && [ -n "$TALK_PORT" ]; then
     if [ "$APACHE_PORT" = "$TALK_PORT" ]; then
-        print_red "APACHE_PORT and TALK_PORT are not allowed to be equal."
+        echo "APACHE_PORT and TALK_PORT are not allowed to be equal."
         exit 1
     fi
 fi
-if [ -n "$WATCHTOWER_DOCKER_SOCKET_PATH" ]; then
-    if ! echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "/$"; then
-        print_red "You've set WATCHTOWER_DOCKER_SOCKET_PATH but not to an allowed value.
+if [ -n "$DOCKER_SOCKET_PATH" ]; then
+    if ! echo "$DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$DOCKER_SOCKET_PATH" | grep -q "/$"; then
+        echo "You've set DOCKER_SOCKET_PATH but not to an allowed value.
 The string must start with '/' and must not end with '/'.
-It is set to '$WATCHTOWER_DOCKER_SOCKET_PATH'."
+It is set to '$DOCKER_SOCKET_PATH'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_TRUSTED_CACERTS_DIR" ]; then
     if ! echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "^/" || echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "/$"; then
-        print_red "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
+        echo "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
 It should be an absolute path to a directory that starts with '/' but not end with '/'.
 It is set to '$NEXTCLOUD_TRUSTED_CACERTS_DIR '."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_STARTUP_APPS" ]; then
-    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z0-9 _-]\+$"; then
-        print_red "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
-It needs to be a string. Allowed are small letters a-z, 0-9, spaces, hyphens and '_'.
+    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z _-]\+$"; then
+        echo "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
+It needs to be a string. Allowed are small letters a-z, spaces, hyphens and '_'.
 It is set to '$NEXTCLOUD_STARTUP_APPS'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_APKS" ]; then
     if ! echo "$NEXTCLOUD_ADDITIONAL_APKS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        print_red "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
+        echo "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
         exit 1
@@ -306,105 +211,29 @@ It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" ]; then
     if ! echo "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        print_red "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
+        echo "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS'."
         exit 1
     fi
 fi
-if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
-    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
-The community containers get managed via the AIO interface now."
-fi
-if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
-fi
 
-# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
-if [ -d "/dev/dri" ]; then
-    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
-    if [ -e "/dev/dri/renderD128" ]; then
-        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
-        export NEXTCLOUD_DRI_GID
-    else
-        export NEXTCLOUD_DRI_GID=""
-    fi
-else
-    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-        # Force the unset of the env if it was not externally overwritten already
-        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
-    fi
-    export NEXTCLOUD_DRI_GID=""
-fi
-
-# Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
-It is set to '$AIO_LOG_LEVEL'".
-    exit 1
-fi
-if [ -z "$AIO_LOG_LEVEL" ]; then
-    export AIO_LOG_LEVEL="warn"
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
-# Check if ghcr.io is reachable
-# Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
-if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then
-    print_red "Could not reach https://ghcr.io."
-    echo "Most likely is something blocking access to it."
+# Check DNS resolution
+# Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
+curl https://nextcloud.com &>/dev/null
+if [ "$?" = 6 ]; then
+    echo "Could not resolve the host nextcloud.com."
+    echo "Most likely the DNS resolving does not work."
     echo "You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
-    echo "Another solution is using https://github.com/nextcloud/all-in-one/tree/main/manual-install"
-    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
+    echo "Apart from that, there has been this: https://github.com/nextcloud/all-in-one/discussions/2065"
     exit 1
 fi
 
-# Check that no changes have been made to timezone settings since AIO only supports running in Etc/UTC timezone
-if [ -n "$TZ" ]; then
-    print_red "The environmental variable TZ has been set which is not supported by AIO since it only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    # Disable exit since it seems to be by default set on unraid and we dont want to break these instances
-    # exit 1
-fi
-# Check that http proxy or no_proxy variable is not set which AIO does not support
-if [ -n "$HTTP_PROXY" ] || [ -n "$http_proxy" ] || [ -n "$HTTPS_PROXY" ] || [ -n "$https_proxy" ] || [ -n "$NO_PROXY" ] || [ -n "$no_proxy" ]; then
-    print_red "The environmental variable HTTP_PROXY, http_proxy, HTTPS_PROXY, https_proxy, NO_PROXY or no_proxy has been set which is not supported by AIO."
-    echo "If you need this, then you should use https://github.com/nextcloud/all-in-one/tree/main/manual-install"
-    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
-    exit 1
-fi
-if mountpoint -q /etc/localtime; then
-    print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    exit 1
-fi
-if mountpoint -q /etc/timezone; then
-    print_red "/etc/timezone has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    exit 1
-fi
-
-# Check if unsupported env are set (but don't exit as it would break many instances)
-if [ -n "$APACHE_DISABLE_REWRITE_IP" ]; then
-    print_red "The environmental variable APACHE_DISABLE_REWRITE_IP has been set which is not supported by AIO. Please remove it!"
-fi
-if [ -n "$NEXTCLOUD_TRUSTED_DOMAINS" ]; then
-    print_red "The environmental variable NEXTCLOUD_TRUSTED_DOMAINS has been set which is not supported by AIO. Please remove it!"
-fi
-if [ -n "$TRUSTED_PROXIES" ]; then
-    print_red "The environmental variable TRUSTED_PROXIES has been set which is not supported by AIO. Please remove it!"
-fi
-
 # Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/caddy-internal/
+mkdir -p /mnt/docker-aio-config/certs/ 
 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -412,42 +241,55 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
+chown root:root -R /mnt/docker-aio-config/certs/
 
-print_green "Initial startup of Nextcloud All-in-One complete!
+# Don't allow access to the AIO interface from the Nextcloud container
+# Probably more cosmetic than anything but at least an attempt
+if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
+    cat << APACHE_CONF >> /etc/apache2/httpd.conf
+# nextcloud-aio-block-start
+<Location />
+order allow,deny
+deny from nextcloud-aio-nextcloud.nextcloud-aio
+allow from all
+</Location>
+# nextcloud-aio-block-end
+APACHE_CONF
+fi
+
+# Adjust certs
+GENERATED_CERTS="/mnt/docker-aio-config/certs"
+TMP_CERTS="/etc/apache2/certs"
+mkdir -p "$GENERATED_CERTS"
+cd "$GENERATED_CERTS" || exit 1
+if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
+fi
+if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
+    cd "$TMP_CERTS" || exit 1
+    rm ./ssl.crt
+    rm ./ssl.key
+    cp "$GENERATED_CERTS/ssl.crt" ./
+    cp "$GENERATED_CERTS/ssl.key" ./
+fi
+
+print_green "Initial startup of Nextcloud All In One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
-⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!
 
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443"
 
-# Set the timezone to Etc/UTC
-export TZ=Etc/UTC
+# Set the timezone to UTC
+export TZ=UTC
 
-# Remove unused certs
-rm -vrf /mnt/docker-aio-config/certs
-
-# Remove the php socket as safeguard
-rm -vf /run/php.sock
-
-# Fix caddy startup
-if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
-    rm -rf /mnt/docker-aio-config/caddy/locks/*
-fi
+# Fix apache startup
+rm -f /var/run/apache2/httpd.pid
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /acme.Caddyfile
-caddy fmt --overwrite /internal.Caddyfile
+caddy fmt --overwrite /Caddyfile
 
 # Fix caddy log 
 chmod 777 /root
 
-# Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
-mkdir -p /tmp/twig-cache
-rm -rf /tmp/twig-cache/*
-chown www-data:www-data /tmp/twig-cache
-chmod 770 /tmp/twig-cache
-
-# Start supervisord
-exec /usr/bin/supervisord -c /supervisord.conf
+exec "$@"

Containers/mastercontainer/supervisord.conf

@@ -5,31 +5,31 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root
 
 [program:php-fpm]
-# Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+# stdout_logfile=/dev/stdout
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
 user=root
 
-[program:caddy-internal]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
+[program:apache]
+# stdout_logfile=/dev/stdout
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /internal.Caddyfile
-user=www-data
+command=httpd -DFOREGROUND
+user=root
 
-[program:caddy-acme]
+[program:caddy]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /acme.Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile
 user=www-data
 
 [program:cron]
@@ -38,7 +38,6 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/cron.sh
-user=root
 
 [program:backup-time-file-watcher]
 stdout_logfile=/dev/stdout
@@ -55,10 +54,3 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
 user=root
-
-[program:domain-validator]
-# Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
-command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
-user=www-data

Containers/nextcloud/Dockerfile

@@ -1,99 +1,85 @@
-# syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
-
-ENV PHP_MEMORY_LIMIT=512M
-ENV PHP_UPLOAD_LIMIT=16G
-ENV PHP_MAX_TIME=3600
-ENV SOURCE_LOCATION=/usr/src/nextcloud
-ENV REDIS_DB_INDEX=0
-
-# AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.3
-ENV AIO_TOKEN=123456
-ENV AIO_URL=localhost
-# AIO settings end # Do not remove or change this line!
-
-COPY --chmod=775 Containers/nextcloud/*.sh /
-COPY --chmod=774 Containers/nextcloud/upgrade.exclude /upgrade.exclude
-COPY Containers/nextcloud/config/*.php /
-COPY Containers/nextcloud/supervisord.conf /supervisord.conf
-
-# AIO cloning start # Do not remove or change this line!
-COPY app /usr/src/nextcloud/apps/nextcloud-aio
-COPY Containers/nextcloud/root.motd /root.motd
-# AIO cloning end # Do not remove or change this line!
-
-VOLUME /mnt/ncdata
-VOLUME /var/www/html
+# From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
+FROM php:8.0.28-fpm-alpine3.16
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
-# hadolint ignore=SC2086,DL3003
 RUN set -ex; \
-    apk upgrade --no-cache -a; \
     apk add --no-cache shadow; \
     deluser www-data; \
+    groupmod -g 333 xfs; \
+    usermod -u 333 -g 333 xfs; \
     addgroup -g 33 -S www-data; \
-    adduser -u 33 -D -S -G www-data www-data; \
-    \
+    adduser -u 33 -D -S -G www-data www-data
+
 # entrypoint.sh and cron.sh dependencies
+RUN set -ex; \
+    \
     apk add --no-cache \
         rsync \
-    ; \
+    ;
+
 # install the PHP extensions we need
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
+ENV PHP_MEMORY_LIMIT 512M
+ENV PHP_UPLOAD_LIMIT 10G
+ENV PHP_MAX_TIME 3600
+RUN set -ex; \
+    \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
         autoconf \
+        libtool \
         freetype-dev \
-        gmp-dev \
         icu-dev \
-        imagemagick-dev \
-        imagemagick-svg \
-        imagemagick-heic \
-        imagemagick-tiff \
         libevent-dev \
         libjpeg-turbo-dev \
         libmcrypt-dev \
-        libmemcached-dev \
         libpng-dev \
-        libwebp-dev \
+        libmemcached-dev \
         libxml2-dev \
         libzip-dev \
         openldap-dev \
         pcre-dev \
         postgresql-dev \
+        libwebp-dev \
+        gmp-dev \
+        lcms2-dev \
+        fontconfig-dev \
+        freetype-dev \
+        ghostscript-dev \
+        tiff-dev \
+        zlib-dev \
+        imagemagick-dev \
+        libheif-dev \
+        librsvg-dev \
+        libxext-dev \
+        ghostscript-fonts \
     ; \
     \
     docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp; \
-    docker-php-ext-configure ftp --with-openssl-dir=/usr; \
     docker-php-ext-configure ldap; \
     docker-php-ext-install -j "$(nproc)" \
         bcmath \
         exif \
         gd \
-        gmp \
         intl \
         ldap \
         opcache \
         pcntl \
         pdo_pgsql \
-        sysvsem \
         zip \
+        gmp \
     ; \
     \
 # pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install -o igbinary-3.2.16; \
-    pecl install APCu-5.1.28; \
-    pecl install -D 'enable-memcached-igbinary="yes"' memcached-3.4.0; \
-    pecl install -oD 'enable-redis-igbinary="yes" enable-redis-zstd="yes" enable-redis-lz4="yes"' redis-6.3.0; \
-   pecl install -o imagick-3.8.1; \
+    pecl install APCu-5.1.22; \
+    pecl install memcached-3.2.0; \
+    pecl install redis-5.3.7; \
+    pecl install imagick-3.7.0; \
     \
     docker-php-ext-enable \
-        igbinary \
         apcu \
         memcached \
         redis \
-        imagick \
     ; \
     rm -r /tmp/pear; \
     \
@@ -103,67 +89,43 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps; \
-    \
-    { \
-        echo 'apc.serializer=igbinary'; \
-        echo 'session.serialize_handler=igbinary'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-igbinary.ini; \
-    \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
 # set recommended PHP.ini settings
-# see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
-    { \
-        echo 'opcache.max_accelerated_files=20000'; \
-        echo 'opcache.memory_consumption=256'; \
-        echo 'opcache.interned_strings_buffer=64'; \
+# see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
+RUN { \
+        echo 'opcache.interned_strings_buffer=32'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
-        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
-    { \
-        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=128M'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
     \
     { \
         echo 'memory_limit=${PHP_MEMORY_LIMIT}'; \
         echo 'upload_max_filesize=${PHP_UPLOAD_LIMIT}'; \
         echo 'post_max_size=${PHP_UPLOAD_LIMIT}'; \
         echo 'max_execution_time=${PHP_MAX_TIME}'; \
-        echo 'max_input_time=-1'; \
-        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
-        echo 'output_buffering=0'; \
-        echo 'realpath_cache_size=8M'; \
-        echo 'realpath_cache_ttl=600'; \
+        echo 'max_input_time=${PHP_MAX_TIME}'; \
     } > /usr/local/etc/php/conf.d/nextcloud.ini; \
     \
-    { \
-        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
-        echo 'redis.session.locking_enabled = 1'; \
-        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
-        echo 'redis.session.lock_wait_time = 100000'; \
-        echo '; prevents stale locks from crashed workers (seconds)'; \
-        echo 'redis.session.lock_expire = 60'; \
-        echo 'session.gc_maxlifetime = 86400'; \
-    } > /usr/local/etc/php/conf.d/redis-session.ini; \
-    \
-    mkdir -p /var/www/data; \
+    mkdir /var/www/data; \
     chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www; \
-    \
-# Download Nextcloud archive start # Do not remove or change this line!
+    chmod -R g=u /var/www
+
+VOLUME /var/www/html
+
+ENV NEXTCLOUD_VERSION 25.0.5
+
+RUN set -ex; \
     apk add --no-cache --virtual .fetch-deps \
         bzip2 \
         gnupg \
     ; \
     \
     curl -fsSL -o nextcloud.tar.bz2 \
-        "https://github.com/nextcloud-releases/server/releases/download/v${NEXTCLOUD_VERSION}/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
+        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
     curl -fsSL -o nextcloud.tar.bz2.asc \
         "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
     export GNUPGHOME="$(mktemp -d)"; \
@@ -176,19 +138,27 @@ RUN set -ex; \
     mkdir -p /usr/src/nextcloud/data; \
     mkdir -p /usr/src/nextcloud/custom_apps; \
     chmod +x /usr/src/nextcloud/occ; \
-    mkdir -p /usr/src/nextcloud/config; \
-    apk del .fetch-deps; \
-# Download Nextcloud archive end # Do not remove or change this line!
-    mv /*.php /usr/src/nextcloud/config/; \
-    \
+    apk del .fetch-deps
+
+COPY *.sh upgrade.exclude /
+COPY config/* /usr/src/nextcloud/config/
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["php-fpm"]
+
 # Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
+
+RUN set -ex; \
+    \
     apk add --no-cache \
         ffmpeg \
         procps \
         samba-client \
         supervisor \
 #       libreoffice \
-    ; \
+    ;
+
+RUN set -ex; \
     \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
@@ -205,7 +175,6 @@ RUN set -ex; \
         bz2 \
         imap \
         pgsql \
-        ftp \
     ; \
     pecl install smbclient; \
     docker-php-ext-enable smbclient; \
@@ -216,15 +185,22 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps; \
-    \
-    mkdir -p \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
+RUN mkdir -p \
     /var/log/supervisord \
     /var/run/supervisord \
-    ; \
-    chmod 777 -R /var/log/supervisord; \
-    chmod 777 -R /var/run/supervisord; \
+;
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+
+# Custom:
+RUN set -ex; \
     \
     apk add --no-cache \
         bash \
@@ -234,61 +210,63 @@ RUN set -ex; \
         git \
         postgresql-client \
         tzdata \
+        mawk \
         sudo \
         grep \
-        nodejs \
-        bind-tools \
-        imagemagick \
-        imagemagick-svg \
-        imagemagick-heic \
-        imagemagick-tiff \
-        coreutils; \
-    \
+        coreutils \
+        libjpeg \
+        librsvg \
+        libheif \
+        libpng \
+        ghostscript-fonts;
+
+RUN set -ex; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
-# Sync this with max db connections and MaxRequestWorkers
-# We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
-# Also children will usually be terminated again after the process is done due to the ondemand setting
-    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
-# of inactivity.  The upstream default is 10 s, which is aggressive: after a
-# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
-# workers are reaped and the next request burst must wait for fresh forks.  On
-# a loaded host that spawn latency can push Apache past its FastCGI timeout and
-# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
-# polling cycles while still reclaiming memory during genuinely idle periods.
-    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
-# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
-# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
-# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
-# never reaped.  Over time these zombies fill up pm.max_children, leaving no
-# free slots for legitimate requests and causing Apache to return 502 Bad
-# Gateway upstream.
-    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    \
-    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
-    \
-    chown www-data:root -R /usr/src && \
-    chmod 777 -R /usr/local/etc/php/conf.d && \
-    chmod 777 -R /usr/local/etc/php-fpm.d && \
-    chmod -R 777 /tmp; \
-    chmod -R 777 /etc/openldap; \
-    \
-    mkdir -p /nc-updater; \
-    chmod -R 777 /nc-updater
+    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
+
+RUN set -ex; \
+    rm -rf /tmp/nextcloud-aio && \
+    mkdir -p /tmp/nextcloud-aio && \
+    cd /tmp/nextcloud-aio && \
+    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
+    mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
+    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/
+
+RUN set -ex; \
+    chown www-data:root -R /usr/src && \
+    chown www-data:root -R /usr/local/etc/php/conf.d && \
+    chown www-data:root -R /usr/local/etc/php-fpm.d && \
+    rm -r /usr/src/nextcloud/apps/updatenotification
+
+COPY start.sh /
+COPY notify.sh /
+COPY notify-all.sh /
+RUN set -ex; \
+    chmod +x /start.sh && \
+    chmod +x /entrypoint.sh && \
+    chmod +r /upgrade.exclude && \
+    chmod +x /cron.sh && \
+    chmod +x /notify.sh && \
+    chmod +x /notify-all.sh && \
+    chmod +x /activate-collabora.sh && \
+    chmod +x /healthcheck.sh
+
+RUN set -ex; \
+    mkdir /mnt/ncdata; \
+    chown www-data:www-data /mnt/ncdata;
+
+VOLUME /mnt/ncdata
+
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-# hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/nextcloud/README.md

@@ -1,35 +0,0 @@
-# Nextcloud All-in-One ``nextcloud`` Container
-
-This folder contains the OCI/Docker container definition, along with associated resources and configuration files, for building the `nextcloud` container as part of the [Nextcloud All-in-One](https://github.com/nextcloud/all-in-one) project. This container hosts PHP and the Nextcloud Server application.
-
-## Overview
-
-The Nextcloud container provides the core Nextcloud application environment, including the necessary dependencies and configuration for seamless integration into the All-in-One stack. The container hosts:
-
-- The PHP SAPI/backend (php-fpm)
-- Nextcloud background jobs and scheduled tasks, which are handled via cron
-- Miscellaneous minor support services specific to AIO's Nextcloud deployment (health and exec)
-
-## Contents
-
-- **Dockerfile**: Instructions for building the Nextcloud container image.
-- **Entrypoint script**: The `start.sh` script is used for container initialization and runtime configuration before starting supervisord.
-- **Nextcloud configuration files**: Specific to running in a containerized setting and/or within AIO.
-- **Supervisor**: The `supervisord.conf` file defines the long-running services hosted within the container (php-fpm, cron, etc.).
-
-## Usage
-
-This container is intended to be used as part of the All-in-One deployment and is not meant to be used on its own. Among other requirements, it needs a web server container (which AIO provides in a dedicated Apache container). It is designed to be orchestrated by the [All-in-One mastercontainer](https://github.com/nextcloud/all-in-one/tree/main/Containers/mastercontainer) or used within an [AIO Manual Installation](https://github.com/nextcloud/all-in-one/tree/main/manual-install) or [AIO Helm chart](https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart).
-
-## Documentation
-
-- [Nextcloud All-in-One Documentation](https://github.com/nextcloud/all-in-one#readme)
-- [Nextcloud Documentation](https://docs.nextcloud.com/)
-
-## Contributing
-
-Contributions are welcome! Please follow the Nextcloud project's guidelines and submit pull requests or issues via the main repository.
-
-## License
-
-This folder and its contents are licensed under the [GNU AGPLv3](https://www.gnu.org/licenses/agpl-3.0.html), in line with the rest of Nextcloud All-in-One.

Containers/nextcloud/activate-collabora.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ "$COLLABORA_ENABLED" != yes ]; then
+    # Basically sleep for forever if collabora is not enabled
+    sleep inf
+fi
+while ! nc -z "$NC_DOMAIN" 443; do
+    sleep 5
+done
+sleep 10
+echo "Activating collabora config..."
+php /var/www/html/occ richdocuments:activate-config
+sleep inf

Containers/nextcloud/config/aio.config.php

@@ -1,5 +0,0 @@
-<?php
-$CONFIG = array (
-  'one-click-instance' => true,
-  'one-click-instance.user-limit' => 100,
-);

Containers/nextcloud/config/apps.config.php

@@ -2,26 +2,14 @@
 $CONFIG = array (
   'apps_paths' => array (
       0 => array (
-              'path'     => '/var/www/html/apps',
+              'path'     => OC::$SERVERROOT.'/apps',
               'url'      => '/apps',
               'writable' => false,
       ),
       1 => array (
-              'path'     => '/var/www/html/custom_apps',
+              'path'     => OC::$SERVERROOT.'/custom_apps',
               'url'      => '/custom_apps',
               'writable' => true,
       ),
   ),
 );
-if (getenv('APPS_ALLOWLIST')) {
-    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
-}
-
-$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
-if ($appStoreUrl) {
-    if ($appStoreUrl === 'no') {
-        $CONFIG['appstoreenabled '] = false;
-    } else {
-        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
-    }
-}

Containers/nextcloud/config/certificates-bundle.config.php

@@ -1,5 +0,0 @@
-<?php
-// Check if NEXTCLOUD_TRUSTED_CERTIFICATES_ are configured
-if (str_contains(implode(' ', array_keys(getenv())), 'NEXTCLOUD_TRUSTED_CERTIFICATES_')) {
-  $CONFIG['default_certificates_bundle_path'] = '/var/www/html/data/certificates/ca-bundle.crt';
-}

Containers/nextcloud/config/postgres.config.php

@@ -1,17 +0,0 @@
-<?php
-if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES')) {
-  $CONFIG = array(
-    'pgsql_ssl' => array(
-      'mode' => 'verify-ca',
-      'rootcert' => '/var/www/html/data/certificates/ca-bundle.crt',
-    ),
-  );
-}
-if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL')) {
-  $CONFIG = array(
-    'dbdriveroptions' => array(
-      PDO::MYSQL_ATTR_SSL_CA => '/var/www/html/data/certificates/ca-bundle.crt',
-    ),
-  );
-}
-