refactor(nextcloud): extract inline OAuth2 client PHP into standalone script

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b35a7dbb-ff0a-483c-9bc7-1cf43a192e92

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

.github/workflows/fail-on-prerelease.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
         with:
           script: |
             const tags = await github.rest.repos.listTags({

.github/workflows/helm-release.yml

@@ -32,7 +32,7 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v3.6.3
 

.github/workflows/lint-helm.yml

@@ -16,7 +16,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v3.11.1
 

.github/workflows/lint-yaml.yml

@@ -36,7 +36,7 @@ jobs:
             line-length: warning
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
       - name: Check GitHub actions
         run: uvx zizmor --min-severity medium .github/workflows/*.yml

Containers/apache/Caddyfile

@@ -63,6 +63,12 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
         reverse_proxy {$WHITEBOARD_HOST}:3002
     }
 
+    # Windmill
+    route /windmill/* {
+        uri strip_prefix /windmill
+        reverse_proxy {$WINDMILL_HOST}:8000
+    }
+
     # HaRP (ExApps)
     route /exapps/* {
         reverse_proxy {$HARP_HOST}:8780

Containers/clamav/Dockerfile

@@ -13,6 +13,15 @@ RUN set -ex; \
     sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
     sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
+# By default clamd keeps the old signature database in RAM while loading the new one,
+# briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
+# Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
+# eliminating that transient peak and significantly reducing maximum RAM consumption.
+    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
+# The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
+# The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
+# and avoids the idle per-thread memory overhead of the larger default pool.
+    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
     sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
     sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
     sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \

Containers/clamav/supervisord.conf

@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/

Containers/imaginary/healthcheck.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-wget -q -O /dev/null "http://127.0.0.1:${PORT}/health" || exit 1
+nc -z 127.0.0.1 "$PORT" || exit 1

Containers/imaginary/start.sh

@@ -8,4 +8,4 @@ if [ -n "$IMAGINARY_SECRET" ]; then
     IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
 fi
 
-imaginary "${IMAGINARY_ARGS[@]}" "$@"
+exec imaginary "${IMAGINARY_ARGS[@]}" "$@"

Containers/mastercontainer/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.0-cli AS docker
+FROM docker:29.4.1-cli AS docker
 
 ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 
@@ -56,14 +56,13 @@ RUN set -ex; \
     { \
         echo 'apc.shm_size=32M'; \
     } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    docker-php-ext-install -j "$(nproc)" opcache; \
     { \
         echo 'opcache.enable=1'; \
         echo 'opcache.memory_consumption=32'; \
         echo 'opcache.interned_strings_buffer=8'; \
         echo 'opcache.max_accelerated_files=4000'; \
         echo 'opcache.validate_timestamps=0'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
+    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
     rm -r /tmp/pear; \
     runDeps="$( \
         scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \

Containers/mastercontainer/headers.Caddyfile

@@ -23,7 +23,7 @@ header {
     Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
 
     # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
-    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), language-detector=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), summarizer=(), translator=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
 
     -Server
     -X-Powered-By

Containers/nextcloud/Dockerfile

@@ -142,7 +142,7 @@ RUN set -ex; \
     \
     { \
         echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
         echo 'redis.session.locking_enabled = 1'; \
         echo 'redis.session.lock_retries = -1'; \
         echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
@@ -244,27 +244,12 @@ RUN set -ex; \
         imagemagick-tiff \
         coreutils; \
     \
-# Use dynamic pm mode: spare workers stay alive between requests so every request is served immediately
-# without waiting for a new process to spawn (unlike ondemand which forks on every request when idle).
-# pm.max_children: upper bound on worker processes; synced with max DB connections and MaxRequestWorkers.
-# Set high so users never hit an artificial limit under peak load — spare-server bounds keep idle memory usage low.
+    grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
+# Sync this with max db connections and MaxRequestWorkers
+# We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
+# Also children will usually be terminated again after the process is done due to the ondemand setting
     sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# pm.start_servers: number of workers pre-forked at container startup.
-# Having 2 workers ready immediately means the first requests after boot are served without any spawn delay.
-    sed -i '/^;pm.start_servers/s/^;//' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
-# pm.min_spare_servers: floor of idle workers kept alive at all times.
-# Guarantees at least 1 ready worker so a sudden burst of requests is handled without any fork wait.
-    sed -i '/^;pm.min_spare_servers/s/^;//' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
-# pm.max_spare_servers: ceiling of idle workers kept alive during quiet periods.
-# Capping at 3 limits idle memory consumption while still keeping a small ready pool.
-    sed -i '/^;pm.max_spare_servers/s/^;//' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
-# pm.max_requests: recycle each worker after handling 500 requests.
-# PHP extensions and apps can leak memory over time; recycling prevents those leaks from accumulating indefinitely.
-    sed -i '/^;pm.max_requests/s/^;//' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.max_requests =.*/pm.max_requests = 500/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
     \
     echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -278,6 +263,8 @@ RUN set -ex; \
     mkdir -p /nc-updater; \
     chmod -R 777 /nc-updater
 
+COPY --chmod=775 Containers/nextcloud/create-oauth2-client.php /create-oauth2-client.php
+
 # hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]

Containers/nextcloud/config/apps.config.php

@@ -16,6 +16,12 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
     $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-if (getenv('NEXTCLOUD_APP_STORE_URL')) {
-    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
+
+$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
+if ($appStoreUrl) {
+    if ($appStoreUrl === 'no') {
+        $CONFIG['appstoreenabled '] = false;
+    } else {
+        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
+    }
 }

Containers/nextcloud/config/redis.config.php

@@ -7,8 +7,8 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
 
   if (getenv('REDIS_HOST')) {
     $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
-    $CONFIG['redis']['timeout'] = 1.5;
-    $CONFIG['redis']['read_timeout'] = 1.5;
+    $CONFIG['redis']['timeout'] = 3.0;
+    $CONFIG['redis']['read_timeout'] = 10.0;
   }
 
   if (getenv('REDIS_HOST_PASSWORD')) {
@@ -23,6 +23,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
     $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
   }
 
+  if (getenv('REDIS_PREFIX')) {
+    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
+  }
+
   if (getenv('REDIS_USER_AUTH')) {
     $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
@@ -60,6 +64,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
     $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
 
+  if (getenv('REDIS_PREFIX')) {
+    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
+  }
+
   if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
     $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
   }

Containers/nextcloud/create-oauth2-client.php

@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Creates a Nextcloud OAuth2 client and prints its credentials to stdout.
+ *
+ * Usage: php create-oauth2-client.php <name> <redirect-uri>
+ *
+ * Output (two lines):
+ *   <client_id>
+ *   <client_secret>
+ *
+ * Any existing client with the same name is deleted first so that the
+ * operation is idempotent (stale clients whose secret has been lost are
+ * replaced by a fresh one).
+ */
+
+if ($argc !== 3) {
+    fwrite(STDERR, "Usage: php create-oauth2-client.php <name> <redirect-uri>\n");
+    exit(1);
+}
+
+$name = $argv[1];
+$redirectUri = $argv[2];
+
+define('OC_CONSOLE', 1);
+require_once '/var/www/html/lib/base.php';
+
+\OC_App::loadApp('oauth2');
+
+$container = \OC::getContainer();
+/** @var \OCA\OAuth2\Db\ClientMapper $mapper */
+$mapper = $container->get(\OCA\OAuth2\Db\ClientMapper::class);
+/** @var \OCP\Security\ICrypto $crypto */
+$crypto = $container->get(\OCP\Security\ICrypto::class);
+/** @var \OCP\Security\ISecureRandom $random */
+$random = $container->get(\OCP\Security\ISecureRandom::class);
+
+// Delete any stale client with the same name that might have lost its secret.
+foreach ($mapper->getClients() as $existing) {
+    if ($existing->getName() === $name) {
+        $mapper->delete($existing);
+    }
+}
+
+$client = new \OCA\OAuth2\Db\Client();
+$client->setName($name);
+$client->setRedirectUri($redirectUri);
+
+$secret = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setSecret(bin2hex($crypto->calculateHMAC($secret)));
+
+$clientId = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setClientIdentifier($clientId);
+
+$mapper->insert($client);
+
+echo $clientId . "\n";
+echo $secret . "\n";

Containers/nextcloud/entrypoint.sh

@@ -115,6 +115,11 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
     # shellcheck disable=SC2016
     installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+    if [ -z "$installed_version" ]; then
+        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
+        echo "Please check the container logs and your PHP installation."
+        exit 1
+    fi
 else
     installed_version="0.0.0.0"
 fi
@@ -438,11 +443,19 @@ EOF
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
             php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
-            php /var/www/html/occ config:system:set log_type --value="file"
-            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+                php /var/www/html/occ config:system:set log_type --value="errorlog"
+                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
+                php /var/www/html/occ app:disable logreader
+            else
+                php /var/www/html/occ config:system:set log_type --value="file"
+                php /var/www/html/occ config:system:set log_type_audit --value="file"
+                php /var/www/html/occ app:enable logreader
+                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
+            fi
             php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
             php /var/www/html/occ app:enable admin_audit
-            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
             php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
 
             # Apply preview settings
@@ -640,8 +653,17 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
+if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+    php /var/www/html/occ config:system:set log_type --value="errorlog"
+    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
+    php /var/www/html/occ app:disable logreader
+else
+    php /var/www/html/occ config:system:set log_type --value="file"
+    php /var/www/html/occ config:system:set log_type_audit --value="file"
+    php /var/www/html/occ app:enable logreader
+    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
+fi
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
     if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -1068,5 +1090,41 @@ else
     fi
 fi
 
+# Windmill app
+if [ "$WINDMILL_ENABLED" = 'yes' ]; then
+    if ! [ -d "/var/www/html/custom_apps/windmill" ]; then
+        php /var/www/html/occ app:install windmill
+    elif [ "$(php /var/www/html/occ config:app:get windmill enabled)" != "yes" ]; then
+        php /var/www/html/occ app:enable windmill
+    elif [ "$SKIP_UPDATE" != 1 ]; then
+        php /var/www/html/occ app:update windmill
+    fi
+    php /var/www/html/occ config:app:set windmill windmill_url --value="https://$NC_DOMAIN/windmill"
+    php /var/www/html/occ config:app:set windmill windmill_instance_url --value="http://$WINDMILL_HOST:8000"
+    # Create an NC OAuth2 client for Windmill (idempotent: reuse stored credentials if already created)
+    WINDMILL_NC_OAUTH_CLIENT_ID="$(php /var/www/html/occ config:app:get windmill nc_oauth_client_id 2>/dev/null)"
+    WINDMILL_NC_OAUTH_CLIENT_SECRET="$(php /var/www/html/occ config:app:get windmill nc_oauth_client_secret 2>/dev/null)"
+    if [ -z "$WINDMILL_NC_OAUTH_CLIENT_ID" ] || [ -z "$WINDMILL_NC_OAUTH_CLIENT_SECRET" ]; then
+        WINDMILL_NC_REDIRECT_URI="https://$NC_DOMAIN/windmill/user/login_callback/nextcloud"
+        WINDMILL_OAUTH_OUTPUT="$(php /create-oauth2-client.php "Windmill" "$WINDMILL_NC_REDIRECT_URI" 2>/dev/null)"
+        WINDMILL_NC_OAUTH_CLIENT_ID="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | head -1)"
+        WINDMILL_NC_OAUTH_CLIENT_SECRET="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | tail -1)"
+        php /var/www/html/occ config:app:set windmill nc_oauth_client_id --value="$WINDMILL_NC_OAUTH_CLIENT_ID"
+        php /var/www/html/occ config:app:set windmill nc_oauth_client_secret --value="$WINDMILL_NC_OAUTH_CLIENT_SECRET"
+    fi
+    # Configure Windmill to use NC as OAuth SSO provider
+    WINDMILL_OAUTH_BODY="{\"value\":{\"nextcloud\":{\"id\":\"$WINDMILL_NC_OAUTH_CLIENT_ID\",\"secret\":\"$WINDMILL_NC_OAUTH_CLIENT_SECRET\",\"login_config\":{\"auth_url\":\"https://$NC_DOMAIN/apps/oauth2/authorize\",\"token_url\":\"https://$NC_DOMAIN/apps/oauth2/api/v1/token\",\"userinfo_url\":\"https://$NC_DOMAIN/ocs/v2.php/cloud/user?format=json\",\"scopes\":[]}}}}"
+    WINDMILL_OAUTH_RESPONSE="$(curl -s -w '\n%{http_code}' -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $WINDMILL_SECRET" -d "$WINDMILL_OAUTH_BODY" "http://$WINDMILL_HOST:8000/api/settings/global/oauths")"
+    WINDMILL_OAUTH_STATUS="$(echo "$WINDMILL_OAUTH_RESPONSE" | tail -1)"
+    if [ "$WINDMILL_OAUTH_STATUS" != "200" ]; then
+        echo "Failed to configure Windmill OAuth against http://$WINDMILL_HOST:8000 (HTTP $WINDMILL_OAUTH_STATUS). Response: $(echo "$WINDMILL_OAUTH_RESPONSE" | head -1). Exiting!"
+        exit 1
+    fi
+else
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/windmill" ]; then
+        php /var/www/html/occ app:remove windmill
+    fi
+fi
+
 # Remove the update skip file always
 rm -f "$NEXTCLOUD_DATA_DIR"/skip.update

Containers/nextcloud/start.sh

@@ -25,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
     sleep 2
-    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start..."
         sleep 5
     done

Containers/nextcloud/supervisord.conf

@@ -25,6 +25,14 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 
+[program:taskprocessing-worker]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php /var/www/html/occ taskprocessing:worker --timeout 300
+user=www-data
+
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

Containers/notify-push/start.sh

@@ -39,8 +39,6 @@ fi
 echo "notify-push was started"
 
 # Run it
-/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
     --port 7867 \
     /var/www/html/config/config.php
-
-exec "$@"

Containers/postgresql/healthcheck.sh

@@ -2,6 +2,6 @@
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1

Containers/postgresql/init-user-db.sh

@@ -3,8 +3,9 @@ set -ex
 
 touch "$DUMP_DIR/initialization.failed"
 
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";

Containers/postgresql/start.sh

@@ -85,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     exec docker-entrypoint.sh postgres &
 
     # Wait for creation
-    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
+    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start."
         sleep 5
     done
@@ -107,8 +107,9 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
         exit 1
     elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
         DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
             ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
             GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
             GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";

Containers/windmill/Dockerfile

@@ -0,0 +1,116 @@
+# syntax=docker/dockerfile:latest
+# Stage 1: Current PostgreSQL server – version is pinned to a full patch
+# release so builds are reproducible and the exact version is auditable.
+# (matches the Debian bookworm base used by windmill-labs/windmill)
+FROM postgres:17.9-bookworm AS postgres-base
+
+# Final stage: derive from the official Windmill image and bundle PostgreSQL
+FROM ghcr.io/windmill-labs/windmill:1.691.1
+
+USER root
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Copy PostgreSQL server binaries, libraries, and utilities from the postgres stage
+COPY --from=postgres-base /usr/lib/postgresql /usr/lib/postgresql
+COPY --from=postgres-base /usr/share/postgresql /usr/share/postgresql
+COPY --from=postgres-base /usr/bin/pg_dump \
+                          /usr/bin/pg_dumpall \
+                          /usr/bin/pg_restore \
+                          /usr/bin/
+
+# Install supervisor from standard Debian repos (remove broken external sources first)
+# hadolint ignore=DL3008
+RUN set -ex; \
+    rm -f \
+        /etc/apt/sources.list.d/nodesource.sources \
+        /etc/apt/sources.list.d/pgdg.list; \
+    apt-get update; \
+    apt-get upgrade -y; \
+    apt-get install -y --no-install-recommends \
+        ca-certificates \
+        supervisor \
+        tzdata \
+        netcat-openbsd; \
+    rm -rf /var/lib/apt/lists/*; \
+    update-ca-certificates; \
+    # Copy the CA bundle to a world-readable path so uid=1000 can access it.
+    # /etc/ssl/certs/ is persistently mode 700 in the base image's layer and
+    # cannot be chmod'd in a derived image, so we copy the regenerated bundle.
+    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/ca-bundle.crt; \
+    chmod 644 /etc/ssl/ca-bundle.crt; \
+    \
+    # The base image already ships a 'windmill' user/group at uid/gid 1000.
+    # Create the directories our services need and hand them to that user.
+    # /tmp/windmill/cache is intentionally excluded: the base image pre-creates
+    # it as 777 so any UID can write to it; a recursive chown on ~340 MB of
+    # pre-installed runtimes would create a huge and unnecessary image layer.
+    mkdir -p \
+        /var/lib/postgresql/data \
+        /var/lib/windmill-dump \
+        /var/run/postgresql \
+        /var/log/supervisord \
+        /var/run/supervisord; \
+    chown -R windmill:windmill \
+        /var/lib/postgresql \
+        /var/lib/windmill-dump \
+        /var/run/postgresql \
+        /var/log/supervisord \
+        /var/run/supervisord; \
+    chmod 1777 \
+        /var/run/postgresql \
+        /var/log/supervisord \
+        /var/run/supervisord; \
+    \
+    # Create symlinks so postgres tools are on PATH
+    ln -sf /usr/lib/postgresql/17/bin/postgres    /usr/local/bin/postgres; \
+    ln -sf /usr/lib/postgresql/17/bin/initdb      /usr/local/bin/initdb; \
+    ln -sf /usr/lib/postgresql/17/bin/pg_ctl      /usr/local/bin/pg_ctl; \
+    ln -sf /usr/lib/postgresql/17/bin/pg_isready  /usr/local/bin/pg_isready; \
+    \
+    # Record the current PostgreSQL major version so start.sh can detect when
+    # the bundled major version has changed and trigger an automatic dump/restore upgrade.
+    echo "17" > /etc/postgres-major-version; \
+    \
+    # Write a build-time marker so start.sh can detect image updates and
+    # clear the cache volume when a new image version is deployed.
+    date -u +%s > /etc/windmill-image-build-epoch
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+COPY --chmod=775 windmill-start.sh /windmill-start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
+
+# Redirect writable tool dirs to the persistent cache volume so the
+# container can run with a read-only root filesystem.
+# HOME is already correct (/home/windmill) for the pre-existing uid=1000 user.
+# WINDMILL_DIR is set to the cache volume so Windmill's logs/worker dirs
+# are inside the volume and writable (Docker creates the volume mount-point
+# parent /tmp/windmill as root:root, making /tmp/windmill/logs inaccessible
+# for uid=1000 when /tmp is a tmpfs).
+ENV UV_TOOL_BIN_DIR=/tmp/windmill/cache/uv/bin \
+    UV_TOOL_DIR=/tmp/windmill/cache/uv/tools \
+    WINDMILL_DIR=/tmp/windmill/cache \
+    SSL_CERT_FILE=/etc/ssl/ca-bundle.crt \
+    CURL_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
+    REQUESTS_CA_BUNDLE=/etc/ssl/ca-bundle.crt \
+    NODE_EXTRA_CA_CERTS=/etc/ssl/ca-bundle.crt
+
+VOLUME ["/var/lib/postgresql/data", "/var/lib/windmill-dump", "/tmp/windmill/cache"]
+
+# Use the pre-existing windmill user (uid=1000) from the base image
+USER 1000
+
+EXPOSE 8000
+
+ENTRYPOINT ["/start.sh"]
+
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
+    org.opencontainers.image.title="Windmill for Nextcloud AIO" \
+    org.opencontainers.image.description="Windmill workflow engine with bundled PostgreSQL for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/windmill/healthcheck.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Check if PostgreSQL is accepting connections on the Unix socket
+if ! pg_isready -h /var/run/postgresql -q 2>/dev/null; then
+    exit 1
+fi
+
+# Check if Windmill is accepting connections on port 8000
+if ! nc -z localhost 8000; then
+    exit 1
+fi

Containers/windmill/start.sh

@@ -0,0 +1,202 @@
+#!/bin/bash
+set -e
+
+# Validate required environment variables
+if [ -z "$BASE_URL" ]; then
+    echo "BASE_URL must be provided. Exiting!"
+    exit 1
+fi
+
+export TZ="${TZ:-Etc/UTC}"
+
+# Clear the cache volume when the image has been updated.
+# /etc/windmill-image-build-epoch is written at image build time.
+# A copy is stored in the cache volume after first start.
+# If the two differ the image was updated and any stale cached artefacts
+# (uv tools, worker dirs) should be removed so Windmill starts clean.
+IMAGE_EPOCH_FILE="/etc/windmill-image-build-epoch"
+CACHE_EPOCH_FILE="/tmp/windmill/cache/.image-build-epoch"
+if [ -f "$IMAGE_EPOCH_FILE" ]; then
+    IMAGE_EPOCH="$(cat "$IMAGE_EPOCH_FILE")"
+    if [ -f "$CACHE_EPOCH_FILE" ]; then
+        CACHE_EPOCH="$(cat "$CACHE_EPOCH_FILE")"
+        if [ "$IMAGE_EPOCH" != "$CACHE_EPOCH" ]; then
+            echo "Windmill image updated (was $CACHE_EPOCH, now $IMAGE_EPOCH). Clearing cache..."
+            find /tmp/windmill/cache -mindepth 1 -maxdepth 1 ! -name '.image-build-epoch' -exec rm -rf {} +
+        fi
+    fi
+    echo "$IMAGE_EPOCH" > "$CACHE_EPOCH_FILE"
+fi
+
+PGDATA="/var/lib/postgresql/data"
+
+# The dump and its sentinel/log files live on a dedicated Docker volume that is
+# separate from the postgres data directory.  This means the dump survives a
+# complete PGDATA wipe (which happens during a major-version upgrade) and there
+# is no need for a staging subdirectory or complex file exclusion logic.
+DUMP_DIR="/var/lib/windmill-dump"
+DUMP_FILE="$DUMP_DIR/windmill-db-dump.sql"
+
+# Current PG major version as shipped in this image
+CURRENT_PG_MAJOR=$(cat /etc/postgres-major-version 2>/dev/null)
+
+# ── Don't start if previous import failed ────────────────────────────────────
+if [ -f "$DUMP_DIR/import.failed" ]; then
+    echo "The database import failed the last time. Please restore a backup and try again."
+    echo "For further clues on what went wrong, look at the logs above."
+    exit 1
+fi
+
+# ── Don't start if previous export failed ────────────────────────────────────
+if [ -f "$DUMP_DIR/export.failed" ]; then
+    echo "Database export failed the last time. Most likely was the export time not high enough."
+    echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
+    exit 1
+fi
+
+# Write the standard pg_hba.conf and listen_addresses settings into a data directory.
+configure_pg() {
+    local datadir="$1"
+    cat > "$datadir/pg_hba.conf" << 'HBAEOF'
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+local   all             all                                     trust
+HBAEOF
+    # Disable TCP entirely; all communication uses the Unix socket.
+    echo "listen_addresses = ''" >> "$datadir/postgresql.conf"
+}
+
+# ── PostgreSQL major-version upgrade via dump/restore ────────────────────────
+if [ -f "$PGDATA/PG_VERSION" ]; then
+    DATA_PG_MAJOR=$(cat "$PGDATA/PG_VERSION")
+
+    if [ "$DATA_PG_MAJOR" -gt "$CURRENT_PG_MAJOR" ]; then
+        echo "ERROR: Data directory was created by PostgreSQL $DATA_PG_MAJOR but this image ships $CURRENT_PG_MAJOR."
+        echo "Downgrade is not supported. Please use a newer image version."
+        exit 1
+    fi
+
+    if [ "$DATA_PG_MAJOR" -lt "$CURRENT_PG_MAJOR" ]; then
+        echo "PostgreSQL major-version upgrade required: $DATA_PG_MAJOR → $CURRENT_PG_MAJOR"
+
+        if ! [ -f "$DUMP_FILE" ]; then
+            echo "Unable to upgrade because the database dump is missing."
+            echo "Please restore a backup and try again."
+            exit 1
+        fi
+
+        # Write output to logfile so the import can be inspected later
+        exec > >(tee -i "$DUMP_DIR/database-import.log")
+        exec 2>&1
+
+        echo "Restoring database from dump into new PostgreSQL $CURRENT_PG_MAJOR cluster."
+
+        # Set the sentinel BEFORE any destructive operation so that a crash at
+        # any point leaves the guard in place and blocks the next start.
+        # The sentinel lives on the dump volume and therefore survives the PGDATA wipe.
+        touch "$DUMP_DIR/import.failed"
+
+        set -ex
+
+        # Wipe the old cluster and initialise a fresh one.
+        # The dump file is on a separate volume and is not affected.
+        rm -rf "${PGDATA:?}/"*
+
+        initdb -D "$PGDATA" \
+            --username=windmill \
+            --auth-local=trust \
+            --auth-host=trust \
+            --no-instructions
+
+        configure_pg "$PGDATA"
+
+        # Start postgres temporarily on a socket in /tmp so we can import.
+        # No TCP port is needed since we connect via the socket.
+        postgres -D "$PGDATA" -k /tmp -h "" &
+        TEMP_PG_PID=$!
+
+        # Wait until postgres accepts connections
+        while ! psql -h /tmp -U windmill -d postgres -c "select now()" > /dev/null 2>&1; do
+            echo "Waiting for the temporary database to start..."
+            sleep 5
+        done
+
+        # Create the windmill database
+        psql -h /tmp -U windmill -d postgres \
+            -c "CREATE DATABASE windmill OWNER windmill;"
+
+        # Restore from dump
+        echo "Restoring the database from dump..."
+        psql -h /tmp -U windmill -d windmill < "$DUMP_FILE"
+
+        # Stop the temporary postgres cleanly
+        pg_ctl -D "$PGDATA" stop -m smart -t 1800
+        wait "$TEMP_PG_PID" 2>/dev/null || true
+
+        set +ex
+
+        # Remove the sentinel only after the restore has fully completed
+        rm "$DUMP_DIR/import.failed"
+        echo "PostgreSQL upgrade to $CURRENT_PG_MAJOR complete."
+    fi
+fi
+# ── End of major-version upgrade section ─────────────────────────────────────
+
+# ── Initialize PostgreSQL data directory on first run ────────────────────────
+if [ -z "$(ls -A "$PGDATA" 2>/dev/null)" ]; then
+    echo "Initializing PostgreSQL database for Windmill..."
+
+    initdb -D "$PGDATA" \
+        --username=windmill \
+        --auth-local=trust \
+        --auth-host=trust \
+        --no-instructions
+
+    configure_pg "$PGDATA"
+
+    # Start PostgreSQL temporarily to create the windmill database, then stop it.
+    # supervisord will restart it properly afterward.
+    pg_ctl -D "$PGDATA" start -w -o "-k /var/run/postgresql"
+    psql -h /var/run/postgresql -U windmill postgres \
+        -c "CREATE DATABASE windmill OWNER windmill;"
+    pg_ctl -D "$PGDATA" stop -w
+
+    echo "PostgreSQL initialization complete."
+fi
+
+# ── Dump database and shut down on container stop ────────────────────────────
+do_database_dump() {
+    # pg_dump uses a consistent transaction snapshot, so it is safe to run
+    # while Windmill is still connected — no need to stop it beforehand.
+
+    # Verify postgres is still accepting connections before attempting the dump.
+    if ! pg_isready -h /var/run/postgresql -U windmill -q; then
+        echo "WARNING: postgres is not ready; skipping dump."
+        kill "$SUPERVISORD_PID" 2>/dev/null || true
+        wait "$SUPERVISORD_PID" 2>/dev/null || true
+        return
+    fi
+
+    set -x
+    touch "$DUMP_DIR/export.failed"
+    rm -f "$DUMP_FILE.temp"
+    if pg_dump -h /var/run/postgresql -U windmill windmill > "$DUMP_FILE.temp"; then
+        mv "$DUMP_FILE.temp" "$DUMP_FILE"
+        rm "$DUMP_DIR/export.failed"
+        echo "Database dump successful!"
+    else
+        rm -f "$DUMP_FILE.temp"
+        echo "Database dump unsuccessful!"
+    fi
+    set +x
+
+    # Stop supervisord (which stops postgres and windmill)
+    kill "$SUPERVISORD_PID" 2>/dev/null || true
+    wait "$SUPERVISORD_PID" 2>/dev/null || true
+}
+
+trap do_database_dump SIGTERM SIGINT
+
+# ── Start services ────────────────────────────────────────────────────────────
+supervisord -c /supervisord.conf &
+SUPERVISORD_PID=$!
+wait "$SUPERVISORD_PID"

Containers/windmill/supervisord.conf

@@ -0,0 +1,29 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB
+logfile_backups=10
+loglevel=error
+
+[program:postgresql]
+command=postgres -D /var/lib/postgresql/data -k /var/run/postgresql
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+# Start first: Windmill depends on PostgreSQL being ready
+priority=10
+autorestart=true
+startsecs=5
+
+[program:windmill]
+command=/windmill-start.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+priority=20
+autorestart=true
+startsecs=10

Containers/windmill/windmill-start.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Wait for PostgreSQL to accept connections
+until pg_isready -h /var/run/postgresql -q 2>/dev/null; do
+    echo "Waiting for PostgreSQL to be ready..."
+    sleep 2
+done
+
+# Start Windmill
+exec windmill

community-containers/local-ai/readme.md

@@ -5,7 +5,6 @@ This container bundles Local AI and auto-configures it for you. It support hardw
 Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!
 
 - See https://github.com/docjyJ/aio-local-ai-vulkan#getting-started for getting start with this container.
-- See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
 - Note that Nextcloud supports only one server for AI queries, so this container cannot be used at the same time as other AI containers.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 

community-containers/readme.md

@@ -4,9 +4,65 @@ This directory features containers that are built for AIO which allows to add ad
 ## Disclaimers
 All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.
 
+## Overview
+
+```mermaid
+flowchart TD
+    %% ── Styles ───────────────────────────────────────────────────────────────────
+    classDef community fill:#FDEBD0,stroke:#E67E22,color:#222
+    classDef group     fill:#FEF9E7,stroke:#F39C12,color:#333
+
+    subgraph COMM_AI["🤖 AI & Language"]
+        LAI(["🧠  Local AI\nPrivate AI assistant"]):::community
+        LT(["✏️  LanguageTool\nSpell & grammar check"]):::community
+        LTRANS(["🌐  LibreTranslate\nTranslation engine"]):::community
+        FACE(["🙂  FaceRecognition\nPhoto AI processor"]):::community
+    end
+
+    subgraph COMM_BACKUP["💾 Backup & Storage"]
+        BV(["📦  Borgbackup Viewer\nBrowse backups"]):::community
+        CALB(["📅  CalCardBackup\nCalendar/Contacts backup"]):::community
+        MINIO(["🗃️  MinIO\nS3-compatible storage"]):::community
+        SMB(["📂  SMB Server\nWindows file sharing"]):::community
+    end
+
+    subgraph COMM_EXTRA["🌟 Extra Services"]
+        HA(["🏠  Home Assistant\nHome automation"]):::community
+        STLW(["📧  Stalwart\nMail server"]):::community
+        NOCO(["🗂️  NocoDB\nNo-code database"]):::community
+        JSER(["🎯  Jellyseerr\nMedia request manager"]):::community
+        NOTIF(["📣  Notifications\nExternal push notify"]):::community
+    end
+
+    subgraph COMM_MEDIA["🎬 Media"]
+        PLEX(["🎞️  Plex\nMedia Server"]):::community
+        JELLY(["🎬  Jellyfin\nMedia Server"]):::community
+        DLNA(["📡  DLNA\nMedia Streaming"]):::community
+        MEMTR(["📸  Memories\nVideo Transcoder"]):::community
+        MKV(["💿  MakeMKV\nBlu-ray / DVD rip"]):::community
+    end
+
+    subgraph COMM_MONITOR["📊 Monitoring & Infra"]
+        GLAN(["📈  Glances\nSystem monitoring"]):::community
+        EXP(["📊  Nextcloud Exporter\nPrometheus metrics"]):::community
+        SCRU(["💽  Scrutiny\nDisk health (S.M.A.R.T.)"]):::community
+        CMGMT(["🐳  Container Mgmt\nDocker web console"]):::community
+    end
+
+    subgraph COMM_SEC["🔒 Security & Network"]
+        F2B(["🚫  Fail2ban\nBrute-force protection"]):::community
+        PIH(["🕳️  Pi-hole\nAd & DNS blocker"]):::community
+        VW(["🔐  Vaultwarden\nPassword Manager"]):::community
+        LDAP(["👥  LLDAP\nLight LDAP / Users"]):::community
+        CADDY(["🌐  Caddy\nReverse Proxy + Geoblocking"]):::community
+        NPMPLUS(["🌐  NPMplus\nNginx Proxy Manager"]):::community
+    end
+```
+
 ## How to use this?
 Starting with v11 of AIO, the management of Community Containers is done via the AIO interface (it is the last section in the AIO interface, so only visible if you scroll down). 
-⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop! **Hint:** If the containers where running already, in order to actually start the added container, you need to click on `Stop containers` and the `Update and start containers` in order to actually start it.
+
+⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because some containers are not compatible with each other and more.
 
 ## How to add containers?
 Simply submit a PR by creating a new folder in this directory: https://github.com/nextcloud/all-in-one/tree/main/community-containers with the name of your container. It must include a json file with the same name and with correct syntax and a readme.md with additional information. You might get inspired by caddy, fail2ban, local-ai, libretranslate, plex, pi-hole or vaultwarden (subfolders in this directory). For a full-blown example of the json file, see https://github.com/nextcloud/all-in-one/blob/main/php/containers.json. The json-schema that it validates against can be found here: https://github.com/nextcloud/all-in-one/blob/main/php/containers-schema.json.

local-instance.md

@@ -3,15 +3,23 @@ It is possible due to several reasons that you do not want or cannot open Nextcl
 
 ### Content
 - [1. Tailscale](#1-tailscale)
-- [2. The normal way](#2-the-normal-way)
-- [3. Use the ACME DNS-challenge](#3-use-the-acme-dns-challenge)
-- [4. Use Cloudflare](#4-use-cloudflare)
-- [5. Buy a certificate and use that](#5-buy-a-certificate-and-use-that)
+- [2. Pangolin](#2-pangolin)
+- [3. The normal way](#3-the-normal-way)
+- [4. Use the ACME DNS-challenge](#4-use-the-acme-dns-challenge)
+- [5. Use Cloudflare](#5-use-cloudflare)
+- [6. Buy a certificate and use that](#6-buy-a-certificate-and-use-that)
 
 ## 1. Tailscale
 This is the recommended way. For a reverse proxy example guide for Tailscale, see this guide by [@Perseus333](https://github.com/Perseus333): https://github.com/nextcloud/all-in-one/discussions/6817
 
-## 2. The normal way
+## 2. Pangolin
+[Pangolin](https://pangolin.net/) is an open-source, WireGuard-based remote access platform similar in concept to Tailscale. It uses the **Newt** connector to create outbound-only encrypted tunnels — no inbound ports need to be opened on your firewall. Pangolin handles TLS automatically, providing a valid certificate for your Nextcloud domain.
+
+You can use either [Pangolin Cloud](https://app.pangolin.net/) (free tier available) or [self-host your own Pangolin server](https://docs.pangolin.net/self-host/quick-install) on a VPS. For private/local-only access, self-hosting Pangolin on a machine within your local network means that Nextcloud never needs to be exposed to the public internet.
+
+For the reverse proxy configuration details and a step-by-step setup guide, see the [Pangolin section in the reverse proxy documentation](./reverse-proxy.md#pangolin).
+
+## 3. The normal way
 The normal way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
@@ -21,12 +29,12 @@ The normal way is the following:
 
 **Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.
 
-## 3. Use the ACME DNS-challenge
+## 4. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up using an external caddy reverse proxy: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
 
-## 4. Use Cloudflare
+## 5. Use Cloudflare
 If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
 
-## 5. Buy a certificate and use that
+## 6. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
 

manual-install/latest.yml

@@ -186,6 +186,7 @@ services:
       - WHITEBOARD_ENABLED
     stop_grace_period: 600s
     restart: unless-stopped
+    shm_size: 134217728
     cap_drop:
       - NET_RAW
 

manual-install/sample.conf

@@ -34,7 +34,7 @@ NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to
 NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
-NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
+NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.

manual-install/update-yaml.sh

@@ -101,7 +101,7 @@ sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the p
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
-sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
+sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf

migration.md

@@ -3,7 +3,7 @@
 There are basically three ways how to migrate from an already existing Nextcloud installation to Nextcloud AIO (if you ran AIO on the former installation already, you can follow [these steps](https://github.com/nextcloud/all-in-one#how-to-migrate-from-aio-to-aio)):
 
 1. Migrate only the files which is the easiest way (this excludes all calendar data for example)
-1. Migrate the files and the database which is much more complicated (and doesn't work on former snap installations)
+1. Migrate the files and the database which is much more complicated (with special handling required for former snap installations, see [below](#migrating-from-a-snap-installation))
 1. Use the user_migration app that allows to migrate some of the user's data from a former instance to a new instance but needs to be done manually for each user
 
 ## Migrate only the files 
@@ -21,7 +21,7 @@ The procedure for migrating only the files works like this:
 1. If the restored data is older than any clients you want to continue to sync, for example if the server was down for a period of time during migration, you may want to take a look at [Synchronising with clients after migration](/migration.md#synchronising-with-clients-after-migration) below.
 
 ## Migrate the files and the database
-**Please note**: this is much more complicated than migrating only the files and also not as failproof so be warned! Also, this will not work on former snap installations as the snap is read-only and thus you cannot install the necessary `pdo_pgsql` PHP extension. So if migrating from snap, you will need to use one of the other methods. However you could try to ask if the snaps maintainer could add this one small PHP extension to the snap here: https://github.com/nextcloud-snap/nextcloud-snap/issues which would allow for an easy migration.
+**Please note**: this is much more complicated than migrating only the files and also not as failproof so be warned! If you are migrating from a snap installation, please first follow the [dedicated snap migration steps](#migrating-from-a-snap-installation) below, which show you how to perform the database conversion using a temporary Docker container. Once done, you can continue from step 5 of this guide.
 
 The procedure for migrating the files and the database works like this:
 1. Make sure that your old instance is on exactly the same version like the version used in Nextcloud AIO. (e.g. 23.0.0) You can find the used version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If not, simply upgrade your former installation to that version or wait until the version used in Nextcloud AIO got updated to the same version of your former installation or the other way around.
@@ -87,6 +87,130 @@ If not, feel free to restore the AIO instance from backup and start at step 8 ag
 
 If the restored data is older than any clients you want to continue to sync, for example if the server was down for a period of time during migration, you may want to take a look at [Synchronising with clients after migration](/migration.md#synchronising-with-clients-after-migration) below.
 
+### Migrating from a snap installation
+
+**Disclaimer:** it might be possible that the guide below is not working 100% correctly, yet. Improvements to it are very welcome!
+
+Since the Nextcloud snap is read-only, it is not possible to install the `pdo_pgsql` PHP extension inside the snap to perform the MySQL-to-PostgreSQL database conversion required by AIO. As a workaround, a temporary [nextcloud/docker](https://github.com/nextcloud/docker) container can be used as an intermediate environment that already includes `pdo_pgsql` and can convert the snap's MySQL database to PostgreSQL for you.
+
+This procedure covers steps 1–3 of the regular migration above (version matching, app updates, and database conversion) and also produces the `database-dump.sql` needed for step 4. Once finished, continue from step 5 of the [Migrate the files and the database](#migrate-the-files-and-the-database) procedure above.
+
+1. **Create a backup of the snap before doing anything else**, so you can restore the snap to its current state if anything goes wrong:
+    ```
+    sudo snap save nextcloud
+    ```
+    This creates a snapshot that can be restored later with `sudo snap restore <snapshot-id>`. The snapshot ID is shown in the output of `snap save`. You can also list existing snapshots with `snap saved`.
+1. Note the exact Nextcloud version of your snap installation:
+    ```
+    sudo nextcloud.occ -V
+    ```
+1. Make sure that this version matches exactly the version used in Nextcloud AIO. You can find the AIO version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If they do not match, upgrade your snap with `sudo snap refresh nextcloud --channel=<major-version>/stable` or wait for AIO to be updated to the same version.
+1. Update all installed Nextcloud apps to their latest versions:
+    ```
+    sudo nextcloud.occ app:update --all
+    ```
+1. Retrieve the necessary configuration values from the snap using `nextcloud.occ` and store them in environment variables. Do this **before** stopping the snap, as `nextcloud.occ` requires the snap services to be running:
+    ```
+    export INSTANCEID=$(sudo nextcloud.occ config:system:get instanceid)
+    export PASSWORDSALT=$(sudo nextcloud.occ config:system:get passwordsalt)
+    export SECRET=$(sudo nextcloud.occ config:system:get secret)
+    export TABLE_PREFIX=$(sudo nextcloud.occ config:system:get dbtableprefix || echo "oc_")
+    export SNAP_DATA=$(sudo nextcloud.occ config:system:get datadirectory)
+    # Note down SNAP_DATA — you will need it later when copying files
+    echo "Snap data directory: $SNAP_DATA"
+    ```
+1. Export a dump of the snap's MySQL database:
+    ```
+    sudo nextcloud.mysqldump > ~/mysql-dump.sql
+    ```
+1. Stop the snap to prevent further writes during the migration:
+    ```
+    sudo snap stop nextcloud
+    ```
+1. Set up environment variables for the temporary containers (adjust the version and passwords as needed):
+    ```
+    export NEXTCLOUD_VERSION="29.0.0"  # Replace with the exact version from step 2
+    export MYSQL_PASSWORD="mysql-temp-password"
+    export PG_USER="ncadmin"
+    export PG_PASSWORD="my-temporary-pg-password"
+    export PG_DATABASE="nextcloud_db"
+    ```
+1. Create a Docker network for the temporary migration containers:
+    ```
+    docker network create nextcloud-migration
+    ```
+1. Start a temporary MySQL container and import the snap database dump into it:
+    ```
+    docker run -d \
+      --name mysql-migration \
+      --network nextcloud-migration \
+      -e MYSQL_ROOT_PASSWORD="mysql-root-temp" \
+      -e MYSQL_DATABASE="nextcloud" \
+      -e MYSQL_USER="nextcloud" \
+      -e MYSQL_PASSWORD="$MYSQL_PASSWORD" \
+      mysql:8
+    # Wait for MySQL to finish starting up before importing
+    until docker exec mysql-migration mysqladmin ping -h localhost --silent 2>/dev/null; do sleep 1; done
+    docker exec -i mysql-migration mysql -u nextcloud -p"$MYSQL_PASSWORD" nextcloud < ~/mysql-dump.sql
+    ```
+1. Start a temporary PostgreSQL container as the migration target:
+    ```
+    docker run -d \
+      --name postgres-migration \
+      --network nextcloud-migration \
+      -e POSTGRES_USER="$PG_USER" \
+      -e POSTGRES_PASSWORD="$PG_PASSWORD" \
+      -e POSTGRES_DB="$PG_DATABASE" \
+      postgres:16
+    ```
+1. Create a temporary config file for the migration container using the values retrieved in step 5:
+    ```
+    cat > /tmp/migration-config.php << EOF
+    <?php
+    \$CONFIG = array(
+      'instanceid' => '$INSTANCEID',
+      'passwordsalt' => '$PASSWORDSALT',
+      'secret' => '$SECRET',
+      'dbtype' => 'mysql',
+      'dbname' => 'nextcloud',
+      'dbhost' => 'mysql-migration',
+      'dbport' => '',
+      'dbtableprefix' => '$TABLE_PREFIX',
+      'dbuser' => 'nextcloud',
+      'dbpassword' => '$MYSQL_PASSWORD',
+      'datadirectory' => '$SNAP_DATA',
+      'installed' => true,
+    );
+    EOF
+    ```
+1. Run a temporary nextcloud/docker container to convert the MySQL database to PostgreSQL. Note that the container image version must match the Nextcloud version you noted in step 2, and that `pdo_pgsql` is already included in the `nextcloud` Docker image:
+    ```
+    docker run --rm \
+      --network nextcloud-migration \
+      --entrypoint bash \
+      -v /tmp/migration-config.php:/var/www/html/config/config.php:rw \
+      -v "${SNAP_DATA}:${SNAP_DATA}:ro" \
+      nextcloud:${NEXTCLOUD_VERSION}-apache \
+      -c "php /var/www/html/occ db:convert-type --all-apps --password '$PG_PASSWORD' pgsql '$PG_USER' postgres-migration '$PG_DATABASE'"
+    ```
+    **Please note:** The `occ` command may print a warning about being run as root — this can be safely ignored for this migration step.
+1. Export the converted PostgreSQL database:
+    ```
+    docker exec postgres-migration pg_dump -U "$PG_USER" "$PG_DATABASE" > ~/database-dump.sql
+    ```
+    **Please note:** The exact name of the database export file is important! (`database-dump.sql`)
+1. Clean up the temporary containers and network:
+    ```
+    docker rm -f mysql-migration postgres-migration
+    docker network rm nextcloud-migration
+    ```
+1. You now have a `~/database-dump.sql`. Continue from step 5 of the [Migrate the files and the database](#migrate-the-files-and-the-database) procedure above. When those steps ask for your old data directory path, use the `$SNAP_DATA` value noted in step 5 (typically `/var/snap/nextcloud/common`). If you have opened a new shell session since then, you can retrieve it again with `sudo nextcloud.occ config:system:get datadirectory` (requires the snap to be running) or read it directly from `/var/snap/nextcloud/current/nextcloud/config/config.php`.
+1. Once you have verified that the migration to AIO was successful and everything is working correctly, you can permanently remove the Nextcloud snap from your system:
+    ```
+    sudo snap remove --purge nextcloud
+    ```
+    The `--purge` flag removes the snap along with all its saved snapshots and data. Omit it if you want to keep the snap snapshots as a fallback. **Only do this after you are fully satisfied that your AIO instance is working correctly**, as this action cannot be undone.
+
 ## Use the user_migration app
 A new way since the Nextcloud update to 24 is to use the new [user_migration app](https://apps.nextcloud.com/apps/user_migration#app-gallery). It allows to export the most important data on one instance and import it on a different Nextcloud instance. For that, you need to install and enable the user_migration app on your old instance, trigger the export for the user, create the user on the new instance, log in with that user and import the archive that was created during the export. This then needs to be done for each user that you want to migrate.
 

php/containers.json

@@ -11,6 +11,7 @@
         "nextcloud-aio-notify-push",
         "nextcloud-aio-whiteboard",
         "nextcloud-aio-harp",
+        "nextcloud-aio-windmill",
         "nextcloud-aio-nextcloud"
       ],
       "display_name": "Apache & Caddy",
@@ -51,7 +52,8 @@
         "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
         "NOTIFY_PUSH_HOST=nextcloud-aio-notify-push",
         "WHITEBOARD_HOST=nextcloud-aio-whiteboard",
-        "HARP_HOST=nextcloud-aio-harp"
+        "HARP_HOST=nextcloud-aio-harp",
+        "WINDMILL_HOST=nextcloud-aio-windmill"
       ],
       "volumes": [
         {
@@ -148,7 +150,8 @@
         "nextcloud-aio-fulltextsearch",
         "nextcloud-aio-talk-recording",
         "nextcloud-aio-imaginary",
-        "nextcloud-aio-docker-socket-proxy"
+        "nextcloud-aio-docker-socket-proxy",
+        "nextcloud-aio-windmill"
       ],
       "display_name": "Nextcloud",
       "image": "ghcr.io/nextcloud-releases/aio-nextcloud",
@@ -175,7 +178,8 @@
         "FULLTEXTSEARCH_PASSWORD",
         "IMAGINARY_SECRET",
         "WHITEBOARD_SECRET",
-        "HP_SHARED_KEY"
+        "HP_SHARED_KEY",
+        "WINDMILL_SECRET"
       ],
       "volumes": [
         {
@@ -263,7 +267,10 @@
         "WHITEBOARD_SECRET=%WHITEBOARD_SECRET%",
         "WHITEBOARD_ENABLED=%WHITEBOARD_ENABLED%",
         "HARP_ENABLED=%HARP_ENABLED%",
-        "HP_SHARED_KEY=%HP_SHARED_KEY%"
+        "HP_SHARED_KEY=%HP_SHARED_KEY%",
+        "WINDMILL_ENABLED=%WINDMILL_ENABLED%",
+        "WINDMILL_HOST=nextcloud-aio-windmill",
+        "WINDMILL_SECRET=%WINDMILL_SECRET%"
       ],
       "stop_grace_period": 600,
       "restart": "unless-stopped",
@@ -949,6 +956,74 @@
       "cap_drop": [
         "NET_RAW"
       ]
+    },
+    {
+      "container_name": "nextcloud-aio-windmill",
+      "image_tag": "%AIO_CHANNEL%",
+      "display_name": "Windmill",
+      "image": "ghcr.io/nextcloud-releases/aio-windmill",
+      "user": "1000",
+      "init": true,
+      "internal_port": "8000",
+      "expose": [
+        "8000"
+      ],
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
+      "environment": [
+        "BASE_URL=https://%NC_DOMAIN%/windmill",
+        "TZ=%TIMEZONE%",
+        "NUM_WORKERS=1",
+        "MODE=standalone",
+        "DISABLE_NSJAIL=true",
+        "DATABASE_URL=postgresql://windmill@localhost/windmill?host=/var/run/postgresql",
+        "SUPERADMIN_SECRET=%WINDMILL_SECRET%"
+      ],
+      "secrets": [
+        "WINDMILL_SECRET"
+      ],
+      "volumes": [
+        {
+          "source": "nextcloud_aio_windmill_db",
+          "destination": "/var/lib/postgresql/data",
+          "writeable": true
+        },
+        {
+          "source": "nextcloud_aio_windmill_dump",
+          "destination": "/var/lib/windmill-dump",
+          "writeable": true
+        },
+        {
+          "source": "nextcloud_aio_windmill_cache",
+          "destination": "/tmp/windmill/cache",
+          "writeable": true
+        }
+      ],
+      "backup_volumes": [
+        "nextcloud_aio_windmill_db",
+        "nextcloud_aio_windmill_dump"
+      ],
+      "restart": "unless-stopped",
+      "stop_grace_period": 1800,
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/var/run/postgresql",
+        "/var/log/supervisord",
+        "/var/run/supervisord"
+      ],
+      "profiles": [
+        "windmill"
+      ],
+      "cap_drop": [
+        "NET_RAW"
+      ]
     }
   ]
 }

php/public/disable-containers.js

@@ -41,4 +41,10 @@ document.addEventListener("DOMContentLoaded", function(event) {
     // Whiteboard
     let whiteboard = document.getElementById("whiteboard");
     whiteboard.disabled = true;
+
+    // Windmill
+    let windmill = document.getElementById("windmill");
+    if (windmill) {
+        windmill.disabled = true;
+    }
 });

php/public/index.php

@@ -45,12 +45,16 @@ $container->set(Guard::class, function () use ($responseFactory) {
 // This is needed because the session cookie was renamed in a previous release. Without this,
 // users that were logged in before the update would be logged out after the container restarts.
 $wasAuthenticated = false;
+$oldSessionTimestamp = null;
 if (!isset($_COOKIE['__Host-Http-PHPSESSID']) && isset($_COOKIE['PHPSESSID'])) {
     session_name('PHPSESSID');
     if (session_start(['save_path' => $dataConst->GetSessionDirectory(), 'use_strict_mode' => true])) {
         $wasAuthenticated = isset($_SESSION[\AIO\Auth\AuthManager::SESSION_KEY]) && $_SESSION[\AIO\Auth\AuthManager::SESSION_KEY] === true;
-        session_unset();
-        session_destroy();
+        $oldSessionTimestamp = isset($_SESSION['date_time']) ? (int)$_SESSION['date_time'] : null;
+        // Do not destroy the old session: if the response carrying the new __Host-Http-PHPSESSID
+        // cookie is lost (e.g., due to a 502 during a mastercontainer update), the client can
+        // retry with the old PHPSESSID cookie and still be authenticated.
+        session_write_close();
     }
 }
 
@@ -68,7 +72,15 @@ session_start([
 ]);
 
 if ($wasAuthenticated) {
-    $container->get(\AIO\Auth\AuthManager::class)->SetAuthState(true);
+    if ($oldSessionTimestamp !== null) {
+        // Use MigrateAuthState to preserve the original login timestamp. This prevents the
+        // session deduplicator from running and keeps the old PHPSESSID session file alive,
+        // so the client can retry with the old cookie if the 502 response causes the new
+        // __Host-Http-PHPSESSID cookie to not be received.
+        $container->get(\AIO\Auth\AuthManager::class)->MigrateAuthState($oldSessionTimestamp);
+    } else {
+        $container->get(\AIO\Auth\AuthManager::class)->SetAuthState(true);
+    }
 }
 $app->add(Guard::class);
 
@@ -165,6 +177,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'is_docker_socket_proxy_enabled' => $configurationManager->isDockerSocketProxyEnabled,
         'is_harp_enabled' => $configurationManager->isHarpEnabled,
         'is_whiteboard_enabled' => $configurationManager->isWhiteboardEnabled,
+        'is_windmill_enabled' => $configurationManager->isWindmillEnabled,
         'community_containers' => $configurationManager->listAvailableCommunityContainers(),
         'community_containers_enabled' => $configurationManager->aioCommunityContainers,
         'bypass_container_update' => $bypass_container_update,

php/src/Auth/AuthManager.php

@@ -42,6 +42,18 @@ readonly class AuthManager {
         $_SESSION[self::SESSION_KEY] = $isLoggedIn;
     }
 
+    /**
+     * Migrates the authenticated state from an old session (different cookie name) to the new session.
+     * Unlike SetAuthState, this method preserves the original login timestamp and does not update
+     * the session_date_file, so the session deduplicator is not triggered. This keeps the old session
+     * file alive in case the response carrying the new cookie is lost (e.g., due to a 502 error during
+     * a mastercontainer update), allowing the client to retry with the old cookie.
+     */
+    public function MigrateAuthState(int $oldTimestamp) : void {
+        $_SESSION[self::SESSION_KEY] = true;
+        $_SESSION['date_time'] = $oldTimestamp;
+    }
+
     public function IsAuthenticated() : bool {
         return isset($_SESSION[self::SESSION_KEY]) && $_SESSION[self::SESSION_KEY] === true;
     }

php/src/ContainerDefinitionFetcher.php

@@ -109,6 +109,10 @@ readonly class ContainerDefinitionFetcher {
                 if (!$this->configurationManager->isWhiteboardEnabled) {
                     continue;
                 }
+            } elseif ($entry['container_name'] === 'nextcloud-aio-windmill') {
+                if (!$this->configurationManager->isWindmillEnabled) {
+                    continue;
+                }
             }
 
             $ports = new ContainerPorts();
@@ -222,6 +226,10 @@ readonly class ContainerDefinitionFetcher {
                         if (!$this->configurationManager->isWhiteboardEnabled) {
                             continue;
                         }
+                    } elseif ($value === 'nextcloud-aio-windmill') {
+                        if (!$this->configurationManager->isWindmillEnabled) {
+                            continue;
+                        }
                     } else {
                         // Skip dependencies on community containers that are not currently enabled.
                         // Only apply this when the current entry is itself a community container,

php/src/Controller/ConfigurationController.php

@@ -98,6 +98,7 @@ readonly class ConfigurationController {
                 $this->configurationManager->isDockerSocketProxyEnabled = isset($request->getParsedBody()['docker-socket-proxy']);
                 $this->configurationManager->isHarpEnabled = isset($request->getParsedBody()['harp']);
                 $this->configurationManager->isWhiteboardEnabled = isset($request->getParsedBody()['whiteboard']);
+                $this->configurationManager->isWindmillEnabled = isset($request->getParsedBody()['windmill']);
             }
 
             if (isset($request->getParsedBody()['community-form'])) {

php/src/Data/ConfigurationManager.php

@@ -45,6 +45,12 @@ class ConfigurationManager
         set { $this->set('isWhiteboardEnabled', $value); }
     }
 
+    public bool $isWindmillEnabled {
+        // Type-cast because old configs could have 1/0 for this key.
+        get => (bool) $this->get('isWindmillEnabled', false);
+        set { $this->set('isWindmillEnabled', $value); }
+    }
+
     public bool $restoreExcludePreviews {
         // Type-cast because old configs could have '1'/'' for this key.
         get => (bool) $this->get('restore-exclude-previews', false);
@@ -302,6 +308,9 @@ class ConfigurationManager
         if ($this->config === [] && file_exists(DataConst::GetConfigFile()))
         {
             $configContent = (string)file_get_contents(DataConst::GetConfigFile());
+            if ($configContent === '') {
+                throw new \RuntimeException("The config file " . DataConst::GetConfigFile() . " is empty. It may have been truncated due to low disk space. Please restore it from a backup.");
+            }
             $this->config = json_decode($configContent, true, 512, JSON_THROW_ON_ERROR);
         }
 
@@ -360,7 +369,7 @@ class ConfigurationManager
     }
 
     public function getRegisteredSecret(string $secretId) : string {
-        if ($this->secrets[$secretId]) {
+        if (isset($this->secrets[$secretId])) {
             return $this->getAndGenerateSecret($secretId);
         }
         throw new \Exception("The secret " . $secretId . " was not registered. Please check if it is defined in secrets of containers.json.");
@@ -560,7 +569,6 @@ class ConfigurationManager
         $this->set('domain', $domain);
         // Reset the borg restore password when setting the domain
         $this->borgRestorePassword = '';
-        $this->startTransaction();
         $this->commitTransaction();
     }
 
@@ -702,7 +710,21 @@ class ConfigurationManager
         if ($df !== false && (int)$df < $size) {
             throw new InvalidSettingConfigurationException(DataConst::GetDataDirectory() . " does not have enough space for writing the config file! Not writing it back!");
         }
-        file_put_contents(DataConst::GetConfigFile(), $content);
+        // Write to a temp file first to avoid truncating the config file if the
+        // disk fills up mid-write. rename() is atomic on POSIX filesystems, so the
+        // original config is never touched until the new content is fully on disk.
+        $tempFile = DataConst::GetConfigFile() . '.tmp';
+        if (file_put_contents($tempFile, $content) === false) {
+            // The file probably wasn't created, but better check nonetheless.
+            if (file_exists($tempFile)) {
+                unlink($tempFile);
+            }
+            throw new InvalidSettingConfigurationException("Failed to write temporary config file: " . $tempFile);
+        }
+        if (!rename($tempFile, DataConst::GetConfigFile())) {
+            unlink($tempFile);
+            throw new InvalidSettingConfigurationException("Failed to rename " . $tempFile . " to " . DataConst::GetConfigFile());
+        }
         $this->config = [];
     }
 
@@ -1092,6 +1114,7 @@ class ConfigurationManager
             // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
             'CADDY_IP_ADDRESS' => in_array('caddy', $this->aioCommunityContainers, true) ? gethostbyname('nextcloud-aio-caddy') : '',
             'WHITEBOARD_ENABLED' => $this->isWhiteboardEnabled ? 'yes' : '',
+            'WINDMILL_ENABLED' => $this->isWindmillEnabled ? 'yes' : '',
             'AIO_VERSION' => $this->getAioVersion(),
             default => $this->getRegisteredSecret($placeholder),
         };

php/src/Docker/DockerActionManager.php

@@ -157,11 +157,12 @@ readonly class DockerActionManager {
         $response = "";
         $separator = "\r\n";
         $line = strtok($responseBody, $separator);
-        $response = substr((string)$line, 8) . $separator;
+        if ($line !== false) {
+            $response = substr($line, 8) . $separator;
+        }
 
-        while ($line !== false) {
-            $line = strtok($separator);
-            $response .= substr((string)$line, 8) . $separator;
+        while (($line = strtok($separator)) !== false) {
+            $response .= substr($line, 8) . $separator;
         }
 
         return $response;
@@ -187,7 +188,7 @@ readonly class DockerActionManager {
             ];
 
             if ($volume->name === 'nextcloud_aio_nextcloud_datadir' || $volume->name === 'nextcloud_aio_backupdir') {
-                return;
+                continue;
             }
 
             $firstChar = substr($volume->name, 0, 1);

php/templates/includes/optional-containers.twig

@@ -220,6 +220,20 @@
         >
         <label for="whiteboard">Whiteboard</label>
     </p>
+    <p>
+        <input
+            type="checkbox"
+            id="windmill"
+            name="windmill"
+            {% if is_windmill_enabled == true %}
+                checked="checked"
+                data-initial-state="true"
+            {% else %}
+                data-initial-state="false"
+            {% endif %}
+        >
+        <label for="windmill">Windmill (workflow automation. Access the Windmill UI at <code>https://{{ domain }}/windmill</code>)</label>
+    </p>
     <input class="options-form-submit" type="submit" value="Save changes" />
 </form>
 <p><strong>Minimal system requirements:</strong> When any optional container is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV,  Nextcloud Talk Recording-server or Fulltextsearch, at least 3GB RAM are required. For Talk Recording-server additional 2 vCPUs are required. When enabling everything, at least 5GB RAM and a quad-core CPU are required. Recommended are at least 1GB more RAM than the minimal requirement. For further advice and recommendations see <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/discussions/1335">this documentation</a></strong></p>

readme.md

@@ -87,6 +87,70 @@ Included are:
 |---|---|
 | ![image](https://github.com/user-attachments/assets/6ef5d7b5-86f2-402c-bc6c-b633af2ca7dd) | ![image](https://github.com/user-attachments/assets/939d0fdf-436f-433d-82d3-27548263a040) |
 
+## Architecture overview
+
+```mermaid
+flowchart TB
+    %% ── Styles ───────────────────────────────────────────────────────────────────
+    classDef user      fill:#FFF3CD,stroke:#F0AD4E,color:#333
+    classDef master    fill:#E8D5F5,stroke:#9B59B6,color:#222
+    classDef core      fill:#D6EAF8,stroke:#2E86C1,color:#222
+    classDef opt       fill:#D5F5E3,stroke:#27AE60,color:#222
+    classDef community fill:#FDEBD0,stroke:#E67E22,color:#222
+    classDef access    fill:#EAFAF1,stroke:#1E8449,color:#222
+
+    %% ── Top row: people ─────────────────────────────────────────────────────────
+    YOU(["🧑‍💻 Admin\n(You)"]):::user
+    ENDUSER(["🧑‍🤝‍🧑 Users\n(family / team)"]):::user
+
+    %% ── Everything that runs inside AIO ─────────────────────────────────────────
+    subgraph AIO["  🐳  Nextcloud AIO  "]
+        MC(["🧠 Mastercontainer\n─────────────────────────\n▸ AIO interface :8080 / :8443\n▸ Manages & updates containers\n▸ Handles backups"]):::master
+
+        subgraph CORE["  📦  Core Stack  (auto-started)  "]
+            PROXY(["🔀 Apache\nProxy & HTTPS"]):::core
+            NC(["☁️ Nextcloud\nApp Server"]):::core
+            DB(["🗄️ PostgreSQL\nDatabase"]):::core
+            CACHE(["⚡ Redis\nCache"]):::core
+            PUSH(["🔔 Notify Push\nReal-time sync"]):::core
+        end
+
+        subgraph OPT["  🧩  Optional Built-in Containers  (enable in AIO interface)  "]
+            COLLA(["📄 Nextcloud Office"]):::opt
+            OO(["📄 OnlyOffice\nDocument Server"]):::opt
+            TALK(["🎙️ Talk\nVideo & Voice calls"]):::opt
+            TALKREC(["🎬 Talk Recording"]):::opt
+            FTS(["🔎 Full-text Search\n(Elasticsearch)"]):::opt
+            IMAG(["🖼️ Imaginary\nImage previews"]):::opt
+            CLAM(["🦠 ClamAV\nAntivirus"]):::opt
+            WB(["🖊️ Whiteboard"]):::opt
+        end
+
+        COMM(["🌍 Community Containers\n──────────────────────\n30+ optional add-ons\nSee community-containers/"]):::community
+        click COMM "https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers" "Browse community containers"
+    end
+
+    %% ── Result node (outside AIO) ────────────────────────────────────────────────
+    NC_URL(["🌐 https://your-domain.com\n✅ Nextcloud — ready to use!"]):::access
+
+    %% ── Flows ────────────────────────────────────────────────────────────────────
+    YOU -->|"① open :8080 or :8443 in browser"| MC
+    MC -->|"② auto-starts & wires up"| CORE
+    MC -. "③ enable in AIO interface" .-> OPT
+    MC -. "④ add via AIO interface" .-> COMM
+
+    PROXY --> NC
+    NC --- DB
+    NC --- CACHE
+    NC --- PUSH
+    OPT -->|"integrate with"| NC
+    COMM -.->|"integrate with"| NC
+
+    CORE -->|"⑤ stack is ready!"| NC_URL
+    ENDUSER -->|"⑥ browser / app"| NC_URL
+    YOU -->|"⑥ use normally"| NC_URL
+```
+
 ## How to use this?
 
 The steps below are written for Linux. For platform-specific guidance see:

reverse-proxy.md

@@ -6,7 +6,7 @@ This guide explains how to connect to Nextcloud AIO securely via HTTPS (TLS) usi
 
 - **Integrated**: AIO's built-in reverse proxy with automatic HTTPS
 - **External**: An external reverse proxy (such as Caddy or Nginx or Cloudflare Proxy)
-- **Secure tunnel**: Tunneling services for private network access or public access without port forwarding (such as Tailscale Serve or Cloudflare Tunnel)
+- **Secure tunnel**: Tunneling services for private network access or public access without port forwarding (such as Tailscale Serve, Cloudflare Tunnel, or Pangolin)
 
 ## Choosing Your Approach
 
@@ -23,6 +23,7 @@ This guide explains how to connect to Nextcloud AIO securely via HTTPS (TLS) usi
 | **Integrated** | Simple setups, single service on port 443 | Public IP, dedicated port 443 | Yes (443) |
 | **External Reverse Proxy** (including Cloudflare Proxy) | Multiple services, existing web server, or users wanting DDoS protection | Existing reverse proxy, willingness to set one up, or Cloudflare account | Yes (443) |
 | **Cloudflare Tunnel** | No port forwarding possible/desired, public access | Cloudflare account | No |
+| **Pangolin** | No port forwarding possible/desired, public or private access, self-hostable tunnel | Pangolin Cloud account or self-hosted Pangolin server | No |
 | **Tailscale Serve** | Private access (tailnet only) | Tailscale account | No |
 | **Tailscale Funnel** | Public access via Tailscale | Tailscale account | No |
 
@@ -68,29 +69,32 @@ Using an existing external reverse proxy is required in particular if port `443/
 > [!NOTE]
 > An external reverse proxy can also facilitate other routing approaches, but Nextcloud AIO only supports having its own dedicated hostname (e.g., `cloud.example.com`). You cannot run it in a subfolder like `example.com/nextcloud/`.[^shared]
 
-### Secure tunnel: Using AIO with a secure tunneling service (*Tailscale, Cloudflare*)
+### Secure tunnel: Using AIO with a secure tunneling service (*Tailscale, Cloudflare, Pangolin*)
 
-Cloudflare and Tailscale offer secure tunneling services that let you access your Nextcloud without opening ports on your firewall. 
+Cloudflare, Tailscale, and Pangolin offer secure tunneling services that let you access your Nextcloud without opening ports on your firewall. 
 
 #### Private network access
 
 For Nextcloud AIO, you can use:
 - **Cloudflare Tunnel (`cloudflared`)** - Secure outbound-only tunnels that don't require exposing ports
 - **Tailscale Serve** - Expose services privately on your Tailscale network (tailnet only)
+- **Pangolin** - WireGuard-based outbound tunnels using the Newt connector; can be used for both private and public access
 
-Both options provide private network access to your Nextcloud AIO instance.
+All three options provide private network access to your Nextcloud AIO instance.
 
 #### Public Internet access (without port forwarding)
 
 To make your Nextcloud AIO instance accessible from the public Internet (not just your private network), you can use:
 - **Cloudflare Tunnel** with public routes enabled (which combines Cloudflare Tunnel with Cloudflare's proxy features)
 - **Tailscale Funnel** - Expose services to the public Internet via Tailscale's infrastructure
+- **Pangolin** - Expose services publicly via Pangolin Cloud or a self-hosted Pangolin server
 
-**Comparison of Cloudflare and Tailscale options:**
+**Comparison of Cloudflare, Tailscale, and Pangolin options:**
 
 | Feature | Access Scope | Inbound Ports Required | Use Case |
 |---------|--------------|----------------|----------|
 | **Cloudflare Tunnel** | Public Internet | None | Public access without port forwarding |
+| **Pangolin** | Public Internet or private | None | Public or private access; self-hostable |
 | **Tailscale Serve** | Your Tailscale network only | None | Private access for you and invited users |
 | **Tailscale Funnel** | Public Internet | None | Public access through Tailscale |
 
@@ -737,6 +741,48 @@ httpServer.on('upgrade', (req, socket, head) => {
 
 </details>
 
+##### Pangolin
+
+<details>
+
+<summary>click here to expand</summary>
+
+[Pangolin](https://pangolin.net/) is an open-source, identity-based remote access platform built on WireGuard that enables secure connectivity to private resources without opening inbound firewall ports. It uses the **Newt** connector as an outbound-only WireGuard tunnel client that runs alongside AIO on your server and connects to a Pangolin server (either Pangolin Cloud or your own self-hosted instance). From AIO's perspective, Pangolin works like a reverse proxy: Pangolin handles TLS and routes public traffic through the tunnel to AIO.
+
+**Requirements:**
+- A [Pangolin Cloud](https://app.pangolin.net/) account **or** a [self-hosted Pangolin server](https://docs.pangolin.net/self-host/quick-install)
+- No open inbound ports required
+
+**Setup:**
+
+1. **Set up Pangolin**: Either sign up for a free [Pangolin Cloud](https://app.pangolin.net/) account, or [self-host Pangolin](https://docs.pangolin.net/self-host/quick-install) on a VPS with a public IP address.
+
+1. **Create a site**: In the Pangolin dashboard, create a new site for the machine that will run AIO. Follow the instructions to generate a **Newt ID** and **Newt secret** for the site.
+
+1. **Deploy Newt on the AIO host**: Run the Newt connector on the same machine as AIO. You can deploy it as a Docker container alongside AIO:
+
+    ```yaml
+    services:
+      newt:
+        image: fosrl/newt
+        restart: unless-stopped
+        environment:
+          - PANGOLIN_ENDPOINT=https://app.pangolin.net  # For Pangolin Cloud; replace with your self-hosted server URL if self-hosting
+          - NEWT_ID=<your-newt-id>
+          - NEWT_SECRET=<your-newt-secret>
+    ```
+
+    Or as a standalone binary — see the [Newt documentation](https://github.com/fosrl/newt) for details.
+
+1. **Create a resource**: In the Pangolin dashboard, create a new resource for the site. Set the target to `http://private.ip.address.of.server:11000`.<br>
+    ⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the port and address to match your `APACHE_PORT` and `APACHE_IP_BINDING` settings.
+
+1. **Configure AIO**: When starting AIO, add `--env SKIP_DOMAIN_VALIDATION=true` to disable domain validation (domain validation is known to not work through Pangolin tunnels). Use the domain assigned by Pangolin as your Nextcloud domain when opening the AIO interface.
+
+1. Now continue with [point 2](#2-use-this-startup-command).
+
+</details>
+
 ##### Synology Reverse Proxy
 
 <details>