talk-recording: adjust listen address back to 0.0.0.0 as talk-recording listen address does not officially support ipv6 yet (#8246 )

talk-recording: adjust listen address back to 0.0.0.0 as talk-recording listen address does not officially support ipv6 yet
Signed-off-by: Simon L. <szaimen@e.mail.de>
2026-06-10 08:37:02 +00:00 · 2026-06-03 13:34:42 +02:00 · 2026-06-03 13:32:04 +02:00 · 2026-06-03 12:59:57 +02:00 · 2026-06-03 12:42:21 +02:00 · 2026-06-03 12:38:50 +02:00
178 changed files with 2489 additions and 1113 deletions
@@ -0,0 +1,20 @@
 # https://editorconfig.org
 # Tip: to find files violating the rules set out here, run `docker run --rm --volume=$PWD:/check mstruebing/editorconfig-checker`
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.yaml]
 indent_size = 2
 [*.yml]
 indent_size = 2
@@ -3,3 +3,8 @@
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
 <!-- Please check the below checkmarks if applicable -->
 - [ ] The PR was tested and verified that it works locally
 - [ ] The PR was completely or partially created with AI
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
@@ -10,13 +10,16 @@ on:
 jobs:
  release:
    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
    # want to use it for other purposes than publishing helm charts
    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Turnstyle
-        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
+        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -32,7 +35,7 @@ jobs:
      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v3.6.3
@@ -16,7 +16,7 @@ jobs:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v3.11.1
@@ -36,7 +36,7 @@ jobs:
            line-length: warning
      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
+      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
@@ -5,12 +5,14 @@ on:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
      - 'Containers/mastercontainer/start.sh'
 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -28,9 +30,9 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
-          node-version: lts/*
+          node-version: 24.15.0
      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -55,7 +57,7 @@ jobs:
          rm -r ./session
          composer install --no-dev
          composer clear-cache
-          sudo chmod 777 -R ./
+          sudo chmod 777 -R ../
      - name: Start fresh development server
        run: |
@@ -72,6 +74,7 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -103,6 +106,7 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -15,9 +15,9 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
-          node-version: lts/*
+          node-version: 24.15.0
      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -4,9 +4,9 @@ FROM alpine:3.23.4
 RUN set -ex; \
    apk upgrade --no-cache -a
-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" 
+LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
-    org.opencontainers.image.description="Minimal Alpine Linux base image for Nextcloud All-in-One" 
+    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" 
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" 
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" 
+    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -78,7 +78,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
-            profile shortlived
+            profile tlsserver
            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.2-alpine AS caddy
+FROM caddy:2.11.3-alpine AS caddy
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.66-alpine3.23
+FROM httpd:2.4.67-alpine3.23
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
@@ -60,6 +60,19 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
 # defaults; 25 threads per process balances concurrency against per-process memory use.
    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Start two server processes on boot to absorb the first requests without spawning
 # new processes on the critical path, while avoiding unnecessary memory overhead.
    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Keep at least 25 idle threads (one full process worth) so traffic bursts can be
 # absorbed immediately without triggering new process creation.
    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
 # minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
 # to absorb typical bursts without respawning a new process.
    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -90,6 +103,7 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
@@ -7,7 +7,7 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
+    LogLevel ${AIO_LOG_LEVEL}
    # PHP match
    <FilesMatch "\.php$">
@@ -17,7 +17,9 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>
-    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
+    # Compress JS, CSS and SVG responses with Brotli.
    # Other plain-text files are already compressed by Nextcloud itself.
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
        BrotliCompressionQuality 0
@@ -26,11 +28,9 @@ Listen 8000
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options Indexes FollowSymLinks
+        Options FollowSymLinks MultiViews
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
@@ -1,10 +1,20 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    export SUPERVISORD_STDOUT=/dev/stdout
 else
    export SUPERVISORD_STDOUT=NONE
 fi
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -1,19 +1,18 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
+stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=apachectl -DFOREGROUND
+command=httpd -DFOREGROUND
 [program:caddy]
 stdout_logfile=/dev/stdout
@@ -25,10 +25,12 @@ USER root
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
    AIO_LOG_LEVEL="warn"
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -40,7 +44,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi
 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
@@ -123,7 +127,7 @@ if [ "$BORG_MODE" = backup ]; then
    fi
    # Initialize the repository if can't get info from target
-    if ! borg info > /dev/null; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
            if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -140,14 +144,14 @@ if [ "$BORG_MODE" = backup ]; then
        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg init --debug --encryption=repokey-blake2; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
            echo "Could not initialize borg repository."
            exit 1
        fi
        if [ -z "$BORG_REMOTE_REPO" ]; then
            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg config :: additional_free_space 2G
+            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
            # Fix too large Borg cache
            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -156,7 +160,7 @@ if [ "$BORG_MODE" = backup ]; then
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi
-        if ! borg info > /dev/null; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
@@ -216,9 +220,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
        echo "Deleting the failed backup archive..."
-        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -237,14 +241,14 @@ if [ "$BORG_MODE" = backup ]; then
    # Prune archives
    echo "Pruning the archives..."
-    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
        echo "Failed to prune archives!"
        exit 1
    fi
    # Compact archives
    echo "Compacting the archives..."
-    if ! borg compact; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -261,19 +265,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg compact; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -291,19 +295,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg compact; then
+            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -385,7 +389,7 @@ if [ "$BORG_MODE" = restore ]; then
    if [ -z "$BORG_REMOTE_REPO" ]; then
        mkdir -p /tmp/borg
-        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
            echo "Could not mount the backup!"
            exit 1
        fi
@@ -432,7 +436,7 @@ if [ "$BORG_MODE" = restore ]; then
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
@@ -464,7 +468,7 @@ if [ "$BORG_MODE" = restore ]; then
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
-                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
@@ -552,7 +556,7 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."
    # Perform the check
-    if ! borg check -v --verify-data; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
        echo "Some errors were found while checking the backup integrity!"
        echo "Check the AIO interface for advice on how to proceed now!"
        exit 1
@@ -570,7 +574,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."
    # Perform the check-repair
-    if ! echo YES | borg check -v --repair; then
+    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -584,7 +588,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg info > /dev/null; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
            echo "Borg could not get info from the remote repo."
            echo "See the above borg info output for details."
            exit 1
@@ -605,12 +609,12 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi
-    if ! borg list >/dev/null; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg list | grep "nextcloud-aio"; then
+        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
            echo "The backup archive does not contain a valid Nextcloud AIO backup."
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
@@ -623,7 +627,7 @@ fi
 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
-    if ! borg info > /dev/null; then
+    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
@@ -1,5 +1,16 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
    BORG_LOG_LEVEL_FLAG="--warning"
 else
    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
 fi
 export BORG_LOG_LEVEL_FLAG
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -48,7 +59,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
 # Get a list of all available borg archives
-if borg list &>/dev/null; then
+if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
@@ -13,6 +13,15 @@ RUN set -ex; \
    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
 # By default clamd keeps the old signature database in RAM while loading the new one,
 # briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
 # Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
 # eliminating that transient peak and significantly reducing maximum RAM consumption.
    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
 # The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
 # The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
 # and avoids the idle per-thread memory overhead of the larger default pool.
    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -34,6 +43,7 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
 	set -x
 fi
 # Print out clamav version for compliance reasons
 clamscan --version
@@ -1,12 +1,11 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 [program:freshclam]
 stdout_logfile=/dev/stdout
@@ -13,6 +13,7 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,10 +1,11 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.9.4.1
+FROM collabora/code:25.04.10.3.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 USER 1001
@@ -12,9 +13,12 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENTRYPOINT ["/start.sh"]
@@ -0,0 +1,19 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
    COLLABORA_LOG_LEVEL="warning"
 elif [ "$AIO_LOG_LEVEL" = "info" ]; then
    COLLABORA_LOG_LEVEL="notice"
 else
    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi
 # Replace the hardcoded log level in extra_params with the translated one
 extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
 export extra_params
 exec /start-collabora-online.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.6-alpine
+FROM haproxy:3.3.10-alpine
 # hadolint ignore=DL3002
 USER root
@@ -20,6 +20,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,4 +1,8 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
@@ -1,5 +1,9 @@
 #!/bin/sh
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -18,6 +22,8 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
    set +x
 fi
 haproxy -f /tmp/haproxy.cfg -db
@@ -19,6 +19,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -14,6 +18,20 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 # shellcheck disable=SC2235
 if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
 debug.log-request-handling = "enable"
 CONF_FILE
 fi
 if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
 debug.log-request-header = "enable"
 debug.log-response-header = "enable"
 CONF_FILE
 fi
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf
@@ -1,21 +1,19 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:8.19.14
+FROM elasticsearch:9.4.2
 USER root
-ARG DEBIAN_FRONTEND=noninteractive
+# hadolint ignore=DL3041
 # hadolint ignore=DL3008
 RUN set -ex; \
    \
-    apt-get update; \
+    microdnf update -y; \
-    apt-get upgrade -y; \
+    microdnf install -y --setopt=tsflags=nodocs \
    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    rm -rf /var/lib/apt/lists/*;
+    microdnf clean all;
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 USER 1000:0
@@ -23,6 +21,7 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -30,3 +29,5 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
 ENTRYPOINT ["/start.sh"]
@@ -1,3 +1,7 @@
 #!/bin/bash
-nc -z 127.0.0.1 9200 || exit 1
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 curl -fs -u "elastic:$FULLTEXTSEARCH_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
@@ -0,0 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
 exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.2-alpine3.23 AS go
+FROM golang:1.26.3-alpine3.23 AS go
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
@@ -33,7 +33,8 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
-ENV PORT=9000
+ENV PORT=9000 \
    AIO_LOG_LEVEL=warn
 USER 65534
@@ -44,6 +45,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,3 +1,7 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z 127.0.0.1 "$PORT" || exit 1
@@ -1,8 +1,26 @@
 #!/bin/bash
-echo "Imaginary has started"
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-if [ -z "$IMAGINARY_SECRET" ]; then
+    set -x
    imaginary -return-size -max-allowed-resolution 222.2 "$@"
 else
    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
 fi
 GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
    debug) printf 'info' ;;
    info) printf 'info' ;;
    warn) printf 'warning' ;;
    error) printf 'error' ;;
 esac)"
 export GOLANG_LOG
 if [ "$AIO_LOG_LEVEL" = "debug" ]; then
    export DEBUG='*'
 fi
 echo "Imaginary has started"
 IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
 if [ -n "$IMAGINARY_SECRET" ]; then
    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
 fi
 exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.0-cli AS docker
+FROM docker:29.5.2-cli AS docker
-ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
+ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
 # Caddy is a requirement
-FROM caddy:2.11.2-builder-alpine AS caddy
+FROM caddy:2.11.3-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.5-fpm-alpine3.23
+FROM php:8.5.6-fpm-alpine3.23
 EXPOSE 80
 EXPOSE 8080
@@ -53,6 +53,16 @@ RUN set -ex; \
        build-base; \
    pecl install APCu-5.1.28; \
    docker-php-ext-enable apcu; \
    { \
        echo 'apc.shm_size=32M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    { \
        echo 'opcache.enable=1'; \
        echo 'opcache.memory_consumption=32'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=4000'; \
        echo 'opcache.validate_timestamps=0'; \
    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -97,6 +107,7 @@ LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
    wud.watch="false" \
    dockhand.update="false" \
    com.docker.compose.project="nextcloud-aio"
 # hadolint ignore=DL3002
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -17,7 +21,9 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        set +x
+        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
            set +x
        fi
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 echo "Daily backup script has started"
 # Check if initial configuration has been done, otherwise this script should do nothing.
@@ -18,12 +18,12 @@ header {
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
-    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
    -Server
    -X-Powered-By
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
@@ -16,6 +16,10 @@ compare_times() {
    fi
 }
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 while true; do
    compare_times
    sleep 2
@@ -20,6 +20,10 @@ case "${1}" in
 esac
 }
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -333,6 +337,22 @@ else
    export NEXTCLOUD_DRI_GID=""
 fi
 # Log level logics
 if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
 It is set to '$AIO_LOG_LEVEL'".
    exit 1
 fi
 if [ -z "$AIO_LOG_LEVEL" ]; then
    export AIO_LOG_LEVEL="warn"
 fi
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    export SUPERVISORD_STDOUT=/dev/stdout
 else
    export SUPERVISORD_STDOUT=NONE
 fi
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
 if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then
@@ -423,5 +443,11 @@ caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root
 # Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
 mkdir -p /tmp/twig-cache
 rm -rf /tmp/twig-cache/*
 chown www-data:www-data /tmp/twig-cache
 chmod 770 /tmp/twig-cache
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf
@@ -5,12 +5,12 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 user=root
 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
+stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
@@ -54,11 +54,11 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=root
+user=www-data
 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=NONE
+stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=NONE
+stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.30-fpm-alpine3.23
+FROM php:8.3.31-fpm-alpine3.23
 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.2
+ENV NEXTCLOUD_VERSION=33.0.5
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -114,18 +114,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
    { \
-        echo 'opcache.max_accelerated_files=10000'; \
+        echo 'opcache.max_accelerated_files=20000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=8M'; \
+        echo 'opcache.jit_buffer_size=128M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    { \
        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=64M'; \
+        echo 'apc.shm_size=128M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
@@ -135,14 +135,20 @@ RUN set -ex; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
        echo 'max_input_time=-1'; \
        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
        echo 'output_buffering=0'; \
        echo 'realpath_cache_size=8M'; \
        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo 'redis.session.lock_wait_time = 10000'; \
+        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
        echo 'redis.session.lock_wait_time = 100000'; \
        echo '; prevents stale locks from crashed workers (seconds)'; \
        echo 'redis.session.lock_expire = 60'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
@@ -244,6 +250,21 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
 # With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
 # of inactivity.  The upstream default is 10 s, which is aggressive: after a
 # brief quiet period (e.g. desktop-sync clients polling every few seconds), all
 # workers are reaped and the next request burst must wait for fresh forks.  On
 # a loaded host that spawn latency can push Apache past its FastCGI timeout and
 # produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
 # polling cycles while still reclaiming memory during genuinely idle periods.
    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
 # Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
 # exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
 # stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
 # never reaped.  Over time these zombies fill up pm.max_children, leaving no
 # free slots for legitimate requests and causing Apache to return 502 Bad
 # Gateway upstream.
    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -265,6 +286,7 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -2,4 +2,5 @@
 $CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
  'update_channel' => 'stable',
 );
@@ -16,6 +16,12 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-if (getenv('NEXTCLOUD_APP_STORE_URL')) {
+
-    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
+$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
 if ($appStoreUrl) {
    if ($appStoreUrl === 'no') {
        $CONFIG['appstoreenabled '] = false;
    } else {
        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
    }
 }
@@ -7,6 +7,8 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
  if (getenv('REDIS_HOST')) {
    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
    $CONFIG['redis']['timeout'] = 3.0;
    $CONFIG['redis']['read_timeout'] = 10.0;
  }
  if (getenv('REDIS_HOST_PASSWORD')) {
@@ -21,6 +23,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
@@ -58,6 +64,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
@@ -1,4 +1,4 @@
 <?php
 $CONFIG = array (
-  'serverid' => crc32(gethostname()) % 512,
+  'serverid' => hexdec(hash('xxh32', gethostname())) & 0x1FF,
 );
@@ -1,4 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -10,6 +10,10 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -20,6 +24,14 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }
 NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
    debug) printf '0' ;;
    info) printf '1' ;;
    warn) printf '2' ;;
    error) printf '3' ;;
 esac)"
 export NEXTCLOUD_LOG_LEVEL
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
@@ -75,7 +87,9 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    cat "$CERTIFICATE_BUNDLE"
    # Disable debug mode
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
        set +x
    fi
 fi
 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -115,6 +129,11 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
    if [ -z "$installed_version" ]; then
        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
        echo "Please check the container logs and your PHP installation."
        exit 1
    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -217,7 +236,9 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    set +x
+                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
                        set +x
                    fi
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -284,7 +305,9 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
-            set +x
+            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
                set +x
            fi
        fi
        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -396,53 +419,32 @@ EOF
 # AIO update to latest start # Do not remove or change this line!
            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+                if ! bash /upgrade-latest-major.sh; then
-                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
+                    echo "Upgrade to latest major version failed! Check the output above for details."
                if [ -n "${INSTALLED_AT}" ]; then
                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
                    # shellcheck disable=SC2001
                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
                fi
                php /var/www/html/updater/updater.phar --no-interaction --no-backup
                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                    echo "Installation of Nextcloud failed!"
                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
                    exit 1
                fi
                # shellcheck disable=SC2016
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                INSTALLED_MAJOR="${installed_version%%.*}"
                IMAGE_MAJOR="${image_version%%.*}"
                # If a valid upgrade path, trigger the Nextcloud built-in Updater
                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                        echo "Installation of Nextcloud failed!"
                        # TODO: Add a hint here about what to do / where to look / updater.log? 
                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
                        exit 1
                    fi
                    # shellcheck disable=SC2016
                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                fi
                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
                php /var/www/html/occ app:enable nextcloud-aio --force
                php /var/www/html/occ db:add-missing-columns
                php /var/www/html/occ db:add-missing-primary-keys
                yes | php /var/www/html/occ db:convert-filecache-bigint
            fi
 # AIO update to latest end # Do not remove or change this line!
            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-            php /var/www/html/occ config:system:set log_type --value="file"
+            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+                php /var/www/html/occ config:system:set log_type --value="errorlog"
                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
                php /var/www/html/occ app:disable logreader
            else
                php /var/www/html/occ config:system:set log_type --value="file"
                php /var/www/html/occ config:system:set log_type_audit --value="file"
                php /var/www/html/occ app:enable logreader
                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
            fi
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
            # Apply preview settings
@@ -640,8 +642,18 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
+if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
    php /var/www/html/occ config:system:set log_type --value="errorlog"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
    php /var/www/html/occ app:disable logreader
 else
    php /var/www/html/occ config:system:set log_type --value="file"
    php /var/www/html/occ config:system:set log_type_audit --value="file"
    php /var/www/html/occ app:enable logreader
    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
 fi
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -742,7 +754,9 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
        set +x
    fi
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -863,7 +877,9 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
        set +x
    fi
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -25,7 +29,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -53,7 +57,9 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
    set +x
 fi
 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -170,6 +176,8 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
    set +x
 fi
 exec "$@"
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 user=root
 [program:php-fpm]
@@ -25,6 +25,14 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 [program:taskprocessing-worker]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php /var/www/html/occ taskprocessing:worker --timeout 300
 user=www-data
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -0,0 +1,43 @@
 #!/bin/bash
 PHP_CLI="php"
 if [[ "$EUID" = 0 ]]; then
    PHP_CLI="sudo -u www-data -E $PHP_CLI"
 fi
 # shellcheck disable=SC2016
 image_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
 export IMAGE_MAJOR="${image_version%%.*}"
 $PHP_CLI /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 INSTALLED_AT="$($PHP_CLI /var/www/html/occ config:app:get core installedat)"
 if [ -n "${INSTALLED_AT}" ]; then
    # Set the installedat to 00 which will allow to skip staging and install the next major directly
    # shellcheck disable=SC2001
    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
    $PHP_CLI /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}"
 fi
 $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
 if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
    echo "Installation of Nextcloud failed!"
    touch "$NEXTCLOUD_DATA_DIR/install.failed"
    exit 1
 fi
 # shellcheck disable=SC2016
 installed_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
 export INSTALLED_MAJOR="${installed_version%%.*}"
 # If a valid upgrade path, trigger the Nextcloud built-in Updater
 if ! $PHP_CLI -r "version_compare(getenv('INSTALLED_MAJOR'), getenv('IMAGE_MAJOR'), '>') || exit(1);"; then
    $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
    if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
        echo "Installation of Nextcloud failed!"
        # TODO: Add a hint here about what to do / where to look / updater.log?
        touch "$NEXTCLOUD_DATA_DIR/install.failed"
        exit 1
    fi
 fi
 $PHP_CLI /var/www/html/occ config:system:set updatechecker --type=bool --value=true
 $PHP_CLI /var/www/html/occ app:enable nextcloud-aio --force
 $PHP_CLI /var/www/html/occ db:add-missing-columns
 $PHP_CLI /var/www/html/occ db:add-missing-primary-keys
 yes | $PHP_CLI /var/www/html/occ db:convert-filecache-bigint
@@ -23,6 +23,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
    exit 0
 fi
@@ -1,5 +1,11 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 export RUST_LOG="$AIO_LOG_LEVEL"
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
@@ -22,7 +28,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi
 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] && ! [ -f /var/www/html/apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -36,11 +42,24 @@ if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; t
    exit 1
 fi
 # Logic for ipv6 disabled servers
 BIND="::"
 if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    BIND="0.0.0.0"
 fi
 export BIND
 echo "notify-push was started"
 if [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    PUSH_PATH="/var/www/html/custom_apps/notify_push/bin/$CPU_ARCH/notify_push"
 else
    PUSH_PATH="/var/www/html/apps/notify_push/bin/$CPU_ARCH/notify_push"
 fi
 # Run it
-/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+exec "$PUSH_PATH" \
    --port 7867 \
    /var/www/html/config/config.php
 exec "$@"
@@ -9,6 +9,7 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,3 +1,7 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z 127.0.0.1 80 || exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.3-alpine
+FROM postgres:18.4-alpine
 ENV PGDATA=/var/lib/postgresql/data
@@ -14,6 +14,7 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -48,6 +49,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,7 +1,14 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 test -f "/mnt/data/backup-is-running" && exit 0
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
+# If database import is running, do not continue with the health check
 if nc -z 127.0.0.1 11000; then
    exit 0
 fi
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,10 +1,16 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 set -ex
 touch "$DUMP_DIR/initialization.failed"
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
 	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
@@ -1,5 +1,17 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
    debug) printf 'debug1' ;;
    info) printf 'info' ;;
    warn) printf 'warning' ;;
    error) printf 'error' ;;
 esac)"
 export POSTGRES_LOG_MIN_MESSAGES
 # Variables
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
@@ -85,7 +97,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    exec docker-entrypoint.sh postgres &
    # Wait for creation
-    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
+    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start."
        sleep 5
    done
@@ -107,8 +119,9 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
        exit 1
    elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
        DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -151,23 +164,71 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
    echo "Setting postgres values..."
    PGCONF="/var/lib/postgresql/data/postgresql.conf"
    # Sync this with max pm.max_children and MaxRequestWorkers
    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
    # Also connections should usually be closed again after the process is done
    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
    # Do not log checkpoints
-    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+    if grep -q "#log_checkpoints" "$PGCONF"; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
    fi
    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
    else
        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
    fi
    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
+    if grep -q "^idle_session_timeout" "$PGCONF"; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
    fi
    # Increase shared_buffers from the 128MB default for better data caching
    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
    # Hint to the query planner about available OS page cache (does not allocate memory)
    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
    # (max_connections × work_mem) is rarely approached in practice.
    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
    # Increase WAL buffers to reduce WAL write latency under concurrent write load
    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
    # Spread checkpoint I/O over a longer window to reduce spikes
    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
    # Tune for SSD storage: random reads are nearly as fast as sequential reads
    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
    # to prevent table bloat accumulating before the default 20% threshold is reached
    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi
 do_database_dump() {
@@ -180,12 +241,16 @@ do_database_dump() {
        pg_ctl stop -m fast
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
-        set +x
+        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
            set +x
        fi
        exit 0
    else
        pg_ctl stop -m fast
        echo "Database dump unsuccessful!"
-        set +x
+        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
            set +x
        fi
        exit 1
    fi
 }
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.2-alpine
+FROM redis:8.6.3-alpine
 COPY --chmod=775 start.sh /start.sh
@@ -23,6 +23,7 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Redis for Nextcloud AIO" \
    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,3 +1,7 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
@@ -1,17 +1,50 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Redis only supports [debug, verbose, notice, warning, nothing] as log level
 if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
    REDIS_LOG_LEVEL="warning"
 elif [ "$AIO_LOG_LEVEL" = "info" ]; then
    REDIS_LOG_LEVEL="notice"
 else
    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi
 export REDIS_LOG_LEVEL
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "Memory overcommit is disabled but necessary for safe operation"
    echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi
-# Run redis with a password if provided
+# Warn if Transparent Huge Pages are enabled (causes latency spikes)
-echo "Redis has started"
+if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
-if [ -n "$REDIS_HOST_PASSWORD" ]; then
+    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
-else
+        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
-    exec redis-server --loglevel warning
+    fi
 fi
-exec "$@"
+# Build the redis-server argument list.
 REDIS_ARGS=(
    --loglevel "$REDIS_LOG_LEVEL"
    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
    --lazyfree-lazy-expire yes # Expire keys in a background thread
    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
    --replica-lazy-flush yes # Flush replica dataset in background thread
    --activedefrag yes # Reclaim fragmented memory without restart
    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
 )
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
 fi
 # Run redis with a password if provided
 echo "Redis has started"
 exec redis-server "${REDIS_ARGS[@]}"
@@ -1,15 +1,16 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.3-alpine3.23
+FROM python:3.14.5-alpine3.23
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 ENV RECORDING_VERSION=v0.2.1
-ENV ALLOW_ALL=false
+ENV ALLOW_ALL=false \
-ENV HPB_PROTOCOL=https
+    HPB_PROTOCOL=https \
-ENV NC_PROTOCOL=https
+    NC_PROTOCOL=https \
-ENV SKIP_VERIFY=false
+    SKIP_VERIFY=false \
-ENV HPB_PATH=/standalone-signaling/
+    HPB_PATH=/standalone-signaling/ \
    AIO_LOG_LEVEL=warn
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -34,6 +35,9 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
    if [ "$(apk --print-arch)" = "x86_64" ]; then \
        apk add --no-cache intel-media-driver; \
    fi; \
    useradd -d /tmp --system recording -u 122; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -63,6 +67,7 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,3 +1,7 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z 127.0.0.1 1234 || exit 1
@@ -1,5 +1,17 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 TALK_RECORDING_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
    debug) printf '10' ;;
    info) printf '20' ;;
    warn) printf '30' ;;
    error) printf '40' ;;
 esac)"
 export TALK_RECORDING_LOG_LEVEL
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -49,7 +61,7 @@ fi
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
-level = 30
+level = ${TALK_RECORDING_LOG_LEVEL}
 [http]
 listen = 0.0.0.0:1234
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.7-scratch AS nats
+FROM nats:2.14.1-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
-ARG JANUS_VERSION=v1.4.0
+ARG JANUS_VERSION=v1.4.1
 WORKDIR /src
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -37,7 +37,8 @@ RUN set -ex; \
 FROM alpine:3.23.4
 ENV ETURNAL_ETC_DIR="/conf"
-ENV SKIP_CERT_VERIFY=false
+ENV SKIP_CERT_VERIFY=false \
    AIO_LOG_LEVEL=warn
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
@@ -82,7 +83,9 @@ RUN set -ex; \
    touch \
        /etc/nats.conf \
        /etc/eturnal.yml; \
-    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
+# write_deadline: "10s" — without a write deadline, a lagging subscriber can stall the broker indefinitely, blocking all other signaling messages.
 # max_payload: 8MB — the default is 1 MB; signaling payloads in large meetings (many participants, ICE candidates) can exceed this, causing dropped messages.
    printf 'listen: 127.0.0.1:4222\nwrite_deadline: "10s"\nmax_payload: 8MB\n' | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
        /conf \
@@ -109,6 +112,7 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Talk for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,7 +1,16 @@
 #!/bin/bash
-nc -z 127.0.0.1 8081 || exit 1
+if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z 127.0.0.1 8081 || nc -z ::1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
-nc -z 127.0.0.1 "$TALK_PORT" || exit 1
+nc -z 127.0.0.1 "$TALK_PORT" || nc -z ::1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
 # Verify that the signaling server is actually serving requests, not just
 # listening on the TCP port (which nc -z above only tests for open port).
 # SC2102: [::1] is an IPv6 address literal in a URL, not a character-range glob.
 # shellcheck disable=SC2102
 wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || wget -q -O /dev/null http://[::1]:8081/api/v1/stats || exit 1
@@ -1,5 +1,23 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
    ETURNAL_LOG_LEVEL="warning"
 else
    ETURNAL_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi
 export ETURNAL_LOG_LEVEL
 JANUS_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
    debug) printf '7' ;;
    info) printf '4' ;;
    warn) printf '3' ;;
    error) printf '1' ;;
 esac)"
 export JANUS_LOG_LEVEL
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -31,7 +49,9 @@ if mountpoint -q /usr/local/share/ca-certificates; then
        fi
    done
    export SSL_CERT_FILE=/tmp/ca-certificates.crt
-    set +x
+    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
        set +x
    fi
 fi
 set -x
@@ -40,7 +60,9 @@ IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]
 IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
 # shellcheck disable=SC2153
 IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-set +x
+if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
    set +x
 fi
 if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
    IPv4_ADDRESS_TALK=""
@@ -53,7 +75,16 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    IP_BINDING="0.0.0.0"
 fi
-set +x
+# Build a listen address suitable for the signaling server's "ip:port" format.
 # IPv6 needs bracket notation: [::]:8081; IPv4 keeps the plain form: 0.0.0.0:8081
 if [ "$IP_BINDING" = "::" ]; then
    SIGNALING_LISTEN="[::]:8081"
 else
    SIGNALING_LISTEN="$IP_BINDING:8081"
 fi
 if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
    set +x
 fi
 # Turn
 cat << TURN_CONF > "/conf/eturnal.yml"
@@ -66,7 +97,7 @@ eturnal:
      port: $TALK_PORT
      transport: tcp
  log_dir: stdout
-  log_level: warning
+  log_level: ${ETURNAL_LOG_LEVEL}
  secret: "$TURN_SECRET"
  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
@@ -91,10 +122,12 @@ if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
    TALK_MAX_SCREEN_BITRATE=2097152
 fi
-# Signling
+# Signaling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
-listen = 0.0.0.0:8081
+listen = ${SIGNALING_LISTEN}
 readtimeout = 15
 writetimeout = 30
 [app]
 debug = false
@@ -110,7 +143,9 @@ internalsecret = ${INTERNAL_SECRET}
 backends = backend-1
 allowall = false
 timeout = 10
-connectionsperhost = 8
+# connectionsperhost: This is the HTTP keep-alive connection pool size from the signaling server to the Nextcloud backend. 
 # Under load (many concurrent calls joining/leaving simultaneously) a pool of 8 creates a queue bottleneck for backend authentication and session lookups, thus increasing to 32.
 connectionsperhost = 32
 skipverify = ${SKIP_CERT_VERIFY}
 [backend-1]
@@ -5,14 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=error
+loglevel=%(ENV_AIO_LOG_LEVEL)s
 [program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=eturnalctl foreground
 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -20,14 +13,26 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nats-server -c /etc/nats.conf
 # Start first: signaling depends on NATS being available
 priority=10
 [program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=eturnalctl foreground
 # Start alongside Janus; independent of signaling
 priority=20
 [program:janus]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-# debug-level 3 means warning
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level %(ENV_JANUS_LOG_LEVEL)s
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+# Start alongside eturnal; signaling connects to Janus via WebSocket
 priority=20
 [program:signaling]
 stdout_logfile=/dev/stdout
@@ -35,3 +40,5 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nextcloud-spreed-signaling -config /conf/signaling.conf
 # Start last: depends on NATS (priority=10) and Janus (priority=20) being up
 priority=30
@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.2-alpine3.23 AS go
+FROM golang:1.26.3-alpine3.23 AS go
-ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	
+ENV WATCHTOWER_COMMIT_HASH=9d0048403a7242943084bede951f6f966f7691ba	
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.17.2
 FROM alpine:3.23.4
@@ -22,9 +22,12 @@ COPY --chmod=775 start.sh /start.sh
 # hadolint ignore=DL3002
 USER root
 ENV AIO_LOG_LEVEL="warn"
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,5 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Check if socket is available and readable
 if ! [ -e "/var/run/docker.sock" ]; then
    echo "Docker socket is not available. Cannot continue."
@@ -17,7 +21,7 @@ if [ -f /run/.containerenv ]; then
 fi
 if [ -n "$CONTAINER_TO_UPDATE" ]; then
-    exec /watchtower --cleanup --debug --run-once "$CONTAINER_TO_UPDATE"
+    exec /watchtower --cleanup --log-level "$AIO_LOG_LEVEL" --run-once "$CONTAINER_TO_UPDATE"
 else
    echo "'CONTAINER_TO_UPDATE' is not set. Cannot update anything."
    exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.9
 USER root
 RUN set -ex; \
@@ -24,6 +24,7 @@ ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    dockhand.update="false" \
    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,4 +1,8 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z "$REDIS_HOST" "$REDIS_PORT" || exit 0
 nc -z 127.0.0.1 3002 || exit 1
@@ -1,5 +1,11 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 export LOG_LEVEL="$AIO_LOG_LEVEL"
 # Only start container if nextcloud is accessible
 while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
    echo "Waiting for redis to start..."
@@ -1,19 +1,12 @@
 # https://editorconfig.org
 # note: the files in ./composer actually use 4 spaces instead of tabs
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = tab
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.feature]
 indent_size = 2
 indent_style = space
 [*.yml]
 indent_size = 2
 indent_style = space
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="32" max-version="33"/>
+		<nextcloud min-version="33" max-version="34"/>
 	</dependencies>
 	<settings>
@@ -1,7 +1,10 @@
 # AIO app for Nextcloud
 This folder contains a Nextcloud app, which will be automatically installed within the Nextcloud instance.
 It adds a link to the admin settings page that gives access to the AIO interface.
 ## How to develop the app?
-Please note that in order to check if an app is already downloaded
+Please note that in order to check if an app is already downloaded Nextcloud will look for a folder with the same name as the app.
 Nextcloud will look for a folder with the same name as the app.
-Therefore you need to add the app to one of the app directories
+Therefore you need to add the app to one of the app directories naming the directory `nextcloud-aio`.
 naming the directory `nextcloud-aio`.
@@ -1,5 +1,5 @@
 ## Borgbackup Viewer
-This container allows to view the local borg repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser.
+This container allows to view the local borg backups repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser.
 ### Notes
 - After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
@@ -14,4 +14,3 @@ https://github.com/szaimen/aio-borgbackup-viewer
 ### Maintainer
 https://github.com/szaimen
@@ -1,5 +1,13 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
+This container bundles [caddy](https://caddyserver.com/) and auto-configures it for you as a reverse proxy. 
 It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. 
 It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. 
 It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. 
 It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. 
 It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. 
 It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. 
 It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. 
 It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -1,5 +1,5 @@
 ## calcardbackup  
-This container packages calcardbackup which is a tool that exports calendars and addressbooks from Nextcloud to .ics and .vcf files and saves them to a compressed file.
+This container packages [calcardbackup](https://codeberg.org/BernieO/calcardbackup), a tool that exports calendars and addressbooks from Nextcloud to .ics and .vcf files and saves them to a compressed file.
 ### Notes  
 - Backups will be created at 00:00 UTC every day. Make sure that this does not conflict with the configured daily backups inside AIO.
@@ -12,4 +12,3 @@ https://github.com/waja/docker-calcardbackup
 ### Maintainer
 https://github.com/pailloM
@@ -1,11 +1,11 @@
 ## Container-Management
-This container allows to manage insides of other containers via a GUI inside a Web session by allowing to run docker commands from inside this container.
+This container allows to manage other containers via a GUI inside a Web session by allowing to run docker commands from inside this container.
 ### Notes
 - After adding and starting the container, you need to visit `https://ip.address.of.this.server:5804` in order to log in with the user `container-management` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
 - Then, you should see a terminal. There you can use any docker command. ⚠️ Be very carefully while doing that as can break your instance!
- There are also some pre-made scripts that make configuring some of the community containers easier. For example scripts for [LLDAP](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) and [Facerecognition](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition).
+- There are also some pre-made scripts that make configuring some community containers easier. For example scripts for [LLDAP](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) and [Facerecognition](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition).
- ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
+- ⚠️ After you are done doing your operations, remove the container from the stack for better security: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 ### Repository
@@ -1,8 +1,8 @@
 ## DLNA server
-This container bundles DLNA server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
+This container bundles a DLNA multimedia streaming server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
 ### Notes
- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on remote servers.
+- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on public servers.
 - If you have a firewall like ufw configured, you might need to open at least port 9999 TCP and 1900 UDP first in order to make it work.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
@@ -11,4 +11,3 @@ https://github.com/thanek/nextcloud-dlna
 ### Maintainer
 https://github.com/thanek
@@ -1,5 +1,5 @@
 ## Facerecognition
-This container bundles the external model of facerecognition and auto-configures it for you.
+This container bundles a basic facial recognition system and auto-configures it for you.
 ### Notes
 - This container needs imaginary in order to analyze modern file format images. Make sure to enable imaginary in the AIO interface before adding this container.
@@ -1,5 +1,6 @@
 ## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
+This container bundles [fail2ban](https://github.com/fail2ban/fail2ban) and auto-configures it for you in order to block ip-addresses automatically.
 It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
@@ -1,5 +1,5 @@
 ## Glances
-This container starts Glances, a web-based info-board, and auto-configures it for you.
+This container starts [Glances](https://nicolargo.github.io/glances/), a web-based system monitoring dashboard, and auto-configures it for you.
 > [!CAUTION]
 > This container mounts the docker-socket from the host-system.
@@ -1,11 +1,13 @@
 ## Home Assistant
-This container bundles Home Assistant and auto-configures it for you.
+This container bundles [Home Assistant](https://www.home-assistant.io/) and auto-configures it for you.
 ### Notes
 - This container should only be run in home networks since Home Assistant is designed for local home automation.
 - After adding and starting the container, you can visit `http://ip.address.of.this.server:8123` in order to set up your Home Assistant instance.
 - The data of Home Assistant will be automatically included in AIOs backup solution!
 - In order to access your Home Assistant outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
 - And to allow the traffic from the reverse proxy to be accepted by Home Assistant, follow [these instructions](https://www.home-assistant.io/integrations/http/#reverse-proxies) from the Home Assistant documentation. 
 - Or, to use the Caddy with geoblocking community container, follow the following instruction to add your own Caddyfile, to use it for Home Assistant: https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy#notes
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 ### Repository
@@ -34,6 +34,9 @@
            "enable_nvidia_gpu": true,
            "backup_volumes": [
                "nextcloud_aio_jellyfin"
            ],
            "depends_on": [
                "nextcloud-aio-lldap"
            ]
        }
    ]
@@ -1,5 +1,5 @@
 ## Jellyfin
-This container bundles Jellyfin and auto-configures it for you.
+This container bundles [Jellyfin](https://jellyfin.org/) and auto-configures it for you.
 ### Notes
 - This container is incompatible with the [Plex](https://github.com/nextcloud/all-in-one/tree/main/community-containers/plex) community container. So make sure that you do not enable both at the same time!
@@ -1,5 +1,5 @@
 ## Seerr
-This container bundles Seerr and auto-configures it for you.
+This container bundles [Seerr](https://seerr.dev/) request management and media discovery tool and auto-configures it for you.
 ### Notes
 - **Migration from Jellyseerr**: Jellyseer previously ran as the root user. With the migration to Seerr, the container now runs rootless with userid 1000, meaning that if you previously used Jellyseerr, Seerr will not be able to access the config files generated by the old Jellyseerr container. To migrate, execute the following steps: 1. stop all containers using the AIO-interface, 2. run `sudo docker run --rm -v nextcloud_aio_jellyseerr:/data alpine chown -R 1000:1000 /data`
@@ -1,5 +1,5 @@
 ## LanguageTool for Nextcloud Office
-This container bundles a LanguageTool for Nextcloud Office which adds spell checking functionality to Nextcloud Office.
+This container bundles [LanguageTool](https://github.com/languagetool-org/languagetool) for Nextcloud Office which adds spell checking functionality to Nextcloud Office.
 ### Notes
 - Make sure to have Nextcloud Office enabled via the AIO interface
--- a/Show More
+++ b/Show More