Apply suggestion from @Zoey2936

Signed-off-by: Zoey <zoey@z0ey.de>

.github/pull_request_template.md

@@ -0,0 +1,5 @@
+<!--
+  - 🚨 SECURITY INFO
+  -
+  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
+-->

.github/workflows/collabora.yml

@@ -18,7 +18,7 @@ jobs:
         mv cool-seccomp-profile.json php/
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
         commit-message: collabora-seccomp-update automated change
         signoff: true

.github/workflows/dependency-updates.yml

@@ -13,7 +13,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
       with:
-        php-version: 8.4
+        php-version: 8.5
         extensions: apcu
     - name: Run dependency update script
       run: |
@@ -44,7 +44,7 @@ jobs:
         )"
         sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
         commit-message: php dependency updates
         signoff: true

.github/workflows/fail-on-prerelease.yml

@@ -0,0 +1,50 @@
+name: Block if prerelease is present
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  check-latest-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Check latest published release isn't a prerelease"
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
+        with:
+          script: |
+            const tags = await github.rest.repos.listTags({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 1
+            });
+
+            if (!tags.data || tags.data.length === 0) {
+              core.info('No tags found for this repository; skipping prerelease check.');
+              return;
+            }
+
+            const latestTag = tags.data[0].name;
+            core.info(`Latest tag found: ${latestTag}`);
+
+            try {
+              const { data } = await github.rest.repos.getReleaseByTag({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                tag: latestTag
+              });
+
+              if (data.prerelease) {
+                core.setFailed(`Release for tag ${latestTag} (${data.tag_name}) is a prerelease. Blocking merges to main as we need to wait for the prerelease to become stable.`);
+              } else {
+                core.info(`Release for tag ${latestTag} (${data.tag_name}) is not a prerelease.`);
+              }
+
+            } catch (err) {
+              if (err.status === 404) {
+                core.info(`No release found for tag ${latestTag}; skipping prerelease check.`);
+              } else {
+                throw err;
+              }
+            }

.github/workflows/imaginary-update.yml

@@ -22,7 +22,7 @@ jobs:
         sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
         commit-message: imaginary-update automated change
         signoff: true

.github/workflows/lint-php.yml

@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: [ "8.4" ]
+        php-versions: [ "8.5" ]
 
     name: php-lint
 

.github/workflows/lint-yaml.yml

@@ -36,7 +36,7 @@ jobs:
             line-length: warning
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
 
       - name: Check GitHub actions
         run: uvx zizmor --min-severity medium .github/workflows/*.yml

.github/workflows/nextcloud-update.yml

@@ -79,7 +79,7 @@ jobs:
         fi
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
         commit-message: nextcloud-update automated change
         signoff: true

.github/workflows/php-deprecation-detector.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Set up php
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:
-          php-version: 8.4
+          php-version: 8.5
           extensions: apcu
           coverage: none
 

.github/workflows/playwright-on-push.yml

@@ -36,11 +36,11 @@ jobs:
       - name: Install Playwright Browsers
         run: cd php/tests && npx playwright install --with-deps chromium
 
-      - name: Set up php 8.4
+      - name: Set up php 8.5
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
         with:
           extensions: apcu
-          php-version: 8.4
+          php-version: 8.5
           coverage: none
           ini-file: development
         env:
@@ -114,7 +114,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -82,7 +82,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/psalm-update-baseline.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up php
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:
-          php-version: 8.4
+          php-version: 8.5
           extensions: apcu
           coverage: none
 
@@ -30,7 +30,7 @@ jobs:
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           commit-message: Update psalm baseline

.github/workflows/psalm.yml

@@ -39,7 +39,7 @@ jobs:
       - name: Set up php
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
         with:
-          php-version: 8.4
+          php-version: 8.5
           extensions: apcu
           coverage: none
           ini-file: development

.github/workflows/talk.yml

@@ -45,7 +45,7 @@ jobs:
         sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
         commit-message: talk-update automated change
         signoff: true

.github/workflows/twig-lint.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:
-          php-version: 8.4
+          php-version: 8.5
           extensions: apcu
           coverage: none
 

.github/workflows/update-helm.yml

@@ -23,7 +23,7 @@ jobs:
             sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           commit-message: Helm Chart updates
           signoff: true

.github/workflows/update-yaml.yml

@@ -16,7 +16,7 @@ jobs:
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           commit-message: Yaml updates
           signoff: true

.github/workflows/watchtower-update.yml

@@ -26,7 +26,7 @@ jobs:
         sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
         commit-message: watchtower-update automated change
         signoff: true

Containers/alpine/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 RUN set -ex; \
     apk upgrade --no-cache -a

Containers/apache/Caddyfile

@@ -58,6 +58,11 @@ http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see con
         reverse_proxy {$WHITEBOARD_HOST}:3002
     }
 
+    # HaRP (ExApps)
+    route /exapps/* {
+        reverse_proxy {$HARP_HOST}:8780
+    }
+
     # Nextcloud
     route {
         header Strict-Transport-Security max-age=31536000;

Containers/apache/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.10.2-alpine AS caddy
+FROM caddy:2.11.1-alpine AS caddy
 
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
 FROM httpd:2.4.66-alpine3.23
@@ -79,7 +79,8 @@ RUN set -ex; \
     chmod 777 -R /usr/local/apache2/logs; \
     rm -rf /usr/local/apache2/cgi-bin/; \
     \
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl
 
 USER 33
 

Containers/borgbackup/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 RUN set -ex; \
     \

Containers/borgbackup/backupscript.sh

@@ -77,6 +77,10 @@ if [ "$BORG_MODE" = backup ]; then
     if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
         echo "configuration.json not present. Cannot perform the backup!"
         exit 1
+    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
+    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
+        echo "It seems like the configuration.json setup was not done correctly. Something is wrong! (Most likely the provided configuration.json is invalid)"
+        exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
         echo "config.php is missing. Cannot perform backup!"
         exit 1
@@ -514,6 +518,10 @@ if [ "$BORG_MODE" = restore ]; then
 
     if [ "$RESTORE_FAILED" = 1 ]; then
         exit 1
+    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
+    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
+        echo "It seems like the restore of the configuration.json was not done correctly. Something is wrong! (Most likely is the restore archive already incorrect)!"
+        exit 1
     fi
 
     # Inform user

Containers/clamav/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.8.1.1
+FROM collabora/code:25.04.8.3.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.1-alpine
+FROM haproxy:3.3.4-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/domaincheck/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache bash lighttpd netcat-openbsd; \

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.10
+FROM elasticsearch:8.19.11
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.6-alpine3.23 AS go
+FROM golang:1.26.0-alpine3.23 AS go
 
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 
@@ -14,7 +14,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \

Containers/mastercontainer/Dockerfile

@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.2.0-cli AS docker
+FROM docker:29.2.1-cli AS docker
 
 # Caddy is a requirement
-FROM caddy:2.10.2-alpine AS caddy
+FROM caddy:2.11.1-alpine AS caddy
 
-# From https://github.com/docker-library/php/blob/master/8.4/alpine3.23/fpm/Dockerfile
-FROM php:8.4.17-fpm-alpine3.23
+# From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
+FROM php:8.5.3-fpm-alpine3.23
 
 EXPOSE 80
 EXPOSE 8080

Containers/mastercontainer/daily-backup.sh

@@ -4,7 +4,7 @@ echo "Daily backup script has started"
 
 # Check if initial configuration has been done, otherwise this script should do nothing.
 CONFIG_FILE=/mnt/docker-aio-config/data/configuration.json
-if ! [ -f "$CONFIG_FILE" ] || ! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE"; then
+if ! [ -f "$CONFIG_FILE" ] || (! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE" && ! grep -q "wasStartButtonClicked.*true" "$CONFIG_FILE"); then
     echo "Initial configuration via AIO interface not done yet. Exiting..."
     exit 0
 fi

Containers/mastercontainer/mastercontainer.conf

@@ -21,6 +21,11 @@ Listen 8080 https
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://127.0.0.1:9000"
     </FilesMatch>
+
+    # Disable output buffering to enable streaming responses.
+    <Proxy "fcgi://127.0.0.1:9000/" flushpackets=on>
+    </Proxy>
+
     # Master dir
     DocumentRoot /var/www/docker-aio/php/public/
     <Directory /var/www/docker-aio/php/public/>

Containers/mastercontainer/start.sh

@@ -162,11 +162,14 @@ if ! sudo -E -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-a
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
     exit 1
+elif sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format "{{.Config.Image}}" | grep -q '@'; then
+    print_red "It seems like you used a hash for the mastercontainer image tag. This is not supported!"
+    exit 1
 elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
     print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
     exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
+elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
     print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
     exit 1

Containers/nextcloud/Dockerfile

@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=32.0.5
+ENV NEXTCLOUD_VERSION=32.0.6
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!

Containers/nextcloud/config/redis.config.php

@@ -1,14 +1,18 @@
 <?php
-if (getenv('REDIS_HOST')) {
+if (getenv('REDIS_MODE') !== 'rediscluster') {
   $CONFIG = array(
     'memcache.distributed' => '\OC\Memcache\Redis',
     'memcache.locking' => '\OC\Memcache\Redis',
-    'redis' => array(
-      'host' => getenv('REDIS_HOST'),
-      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
-    ),
   );
 
+  if (getenv('REDIS_HOST')) {
+    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
+  }
+
+  if (getenv('REDIS_HOST_PASSWORD')) {
+    $CONFIG['redis']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
+  }
+
   if (getenv('REDIS_PORT')) {
     $CONFIG['redis']['port'] = (int) getenv('REDIS_PORT');
   }
@@ -17,7 +21,36 @@ if (getenv('REDIS_HOST')) {
     $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
   }
 
-  if (getenv('REDIS_USER_AUTH') !== false) {
+  if (getenv('REDIS_USER_AUTH')) {
     $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
+} else {
+  $CONFIG = array(
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis.cluster' => array(
+      'timeout' => 0.0,
+      'read_timeout' => 0.0,
+      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
+      'seeds' => array_values(array_filter(array(
+        (getenv('REDIS_HOST') && getenv('REDIS_PORT')) ? (getenv('REDIS_HOST') . ':' . (string)getenv('REDIS_PORT')) : null,
+        (getenv('REDIS_HOST_2') && getenv('REDIS_PORT_2')) ? (getenv('REDIS_HOST_2') . ':' . (string)getenv('REDIS_PORT_2')) : null,
+        (getenv('REDIS_HOST_3') && getenv('REDIS_PORT_3')) ? (getenv('REDIS_HOST_3') . ':' . (string)getenv('REDIS_PORT_3')) : null,
+        (getenv('REDIS_HOST_4') && getenv('REDIS_PORT_4')) ? (getenv('REDIS_HOST_4') . ':' . (string)getenv('REDIS_PORT_4')) : null,
+        (getenv('REDIS_HOST_5') && getenv('REDIS_PORT_5')) ? (getenv('REDIS_HOST_5') . ':' . (string)getenv('REDIS_PORT_5')) : null,
+        (getenv('REDIS_HOST_6') && getenv('REDIS_PORT_6')) ? (getenv('REDIS_HOST_6') . ':' . (string)getenv('REDIS_PORT_6')) : null,
+        (getenv('REDIS_HOST_7') && getenv('REDIS_PORT_7')) ? (getenv('REDIS_HOST_7') . ':' . (string)getenv('REDIS_PORT_7')) : null,
+        (getenv('REDIS_HOST_8') && getenv('REDIS_PORT_8')) ? (getenv('REDIS_HOST_8') . ':' . (string)getenv('REDIS_PORT_8')) : null,
+        (getenv('REDIS_HOST_9') && getenv('REDIS_PORT_9')) ? (getenv('REDIS_HOST_9') . ':' . (string)getenv('REDIS_PORT_9')) : null,
+      ))),
+    ),
+  );
+
+  if (getenv('REDIS_HOST_PASSWORD')) {
+    $CONFIG['redis.cluster']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
+  }
+
+  if (getenv('REDIS_USER_AUTH')) {
+    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
+  }
 }

Containers/nextcloud/config/s3.config.php

@@ -34,4 +34,14 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
   if ($sse_c_key) {
     $CONFIG['objectstore']['arguments']['sse_c_key'] = $sse_c_key;
   }
+
+  $requestChecksumValidation = getenv('OBJECTSTORE_S3_REQUEST_CHECKSUM_VALIDATION');
+  if ($requestChecksumValidation) {
+    $CONFIG['objectstore']['arguments']['request_checksum_calculation'] = $requestChecksumValidation;
+  }
+
+  $responseChecksumValidation = getenv('OBJECTSTORE_S3_RESPONSE_CHECKSUM_VALIDATION');
+  if ($responseChecksumValidation) {
+    $CONFIG['objectstore']['arguments']['response_checksum_validation'] = $responseChecksumValidation;
+  }
 }

Containers/nextcloud/entrypoint.sh

@@ -182,8 +182,11 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
             curl -fsSL -o nextcloud.tar.bz2.asc "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2.asc"
             GNUPGHOME="$(mktemp -d)"
             export GNUPGHOME
-            # gpg key from https://nextcloud.com/nextcloud.asc
-            gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A
+            if ! gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+                if ! gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+                    curl -sSL https://nextcloud.com/nextcloud.asc | gpg --import
+                fi
+            fi
             gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2
             mkdir -p /usr/src/tmp
             tar -xjf nextcloud.tar.bz2 -C /usr/src/tmp/
@@ -666,8 +669,12 @@ php /var/www/html/occ config:system:set documentation_url.server_logs --value="h
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
 
-# Revert dbpersistent setting to check if it fixes too many db connections
-php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
+# Handle db persistent settings
+if [ "$NEXTCLOUD_PERSIST_DATABASE_CONNECTIONS" = "yes" ]; then
+    php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
+else
+    php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
+fi
 
 if [ "$DISABLE_BRUTEFORCE_PROTECTION" = yes ]; then
     php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=false
@@ -1022,13 +1029,13 @@ else
     fi
 fi
 
-# Docker socket proxy
+# Docker socket proxy / HaRP
 # app_api is a shipped app
 if [ -d "/var/www/html/custom_apps/app_api" ]; then
     php /var/www/html/occ app:disable app_api
     rm -r "/var/www/html/custom_apps/app_api"
 fi
-if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
+if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ] || [ "$HARP_ENABLED" = 'yes' ]; then
     if [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
         php /var/www/html/occ app:enable app_api
     fi

Containers/notify-push/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -11,7 +11,6 @@ RUN set -ex; \
         netcat-openbsd \
         tzdata \
         bash \
-        jq \
         openssl; \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \

Containers/notify-push/start.sh

@@ -3,12 +3,6 @@
 if [ -z "$NEXTCLOUD_HOST" ]; then
     echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
     exit 1
-elif [ -z "$POSTGRES_HOST" ]; then
-    echo "POSTGRES_HOST needs to be provided. Exiting!"
-    exit 1
-elif [ -z "$REDIS_HOST" ]; then
-    echo "REDIS_HOST needs to be provided. Exiting!"
-    exit 1
 fi
 
 # Only start container if nextcloud is accessible
@@ -28,7 +22,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi
 
 # Add warning
-if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
     echo "The notify_push binary was not found."
     echo "Most likely is DNS resolution not working correctly."
     echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -44,52 +38,9 @@ fi
 
 echo "notify-push was started"
 
-# Set a default value for POSTGRES_PORT
-if [ -z "$POSTGRES_PORT" ]; then
-    POSTGRES_PORT=5432
-fi
-# Set a default for redis db index
-if [ -z "$REDIS_DB_INDEX" ]; then
-    REDIS_DB_INDEX=0
-fi
-# Set a default value for REDIS_PORT
-if [ -z "$REDIS_PORT" ]; then
-    REDIS_PORT=6379
-fi
-# Set a default for db type
-if [ -z "$DATABASE_TYPE" ]; then
-    DATABASE_TYPE=postgres
-elif [ "$DATABASE_TYPE" != postgres ] && [ "$DATABASE_TYPE" != mysql ]; then
-    echo "DB type must be either postgres or mysql"
-    exit 1
-fi
-
-# Use the correct Postgres username
-if [ "$POSTGRES_USER" = nextcloud ]; then
-    POSTGRES_USER="oc_$POSTGRES_USER"
-    export POSTGRES_USER
-fi
-
-# URL-encode passwords
-POSTGRES_PASSWORD="$(jq -rn --arg v "$POSTGRES_PASSWORD" '$v|@uri')"
-REDIS_HOST_PASSWORD="$(jq -rn --arg v "$REDIS_HOST_PASSWORD" '$v|@uri')"
-
-# Postgres root cert
-if [ -f "/nextcloud/data/certificates/POSTGRES" ]; then
-    CERT_OPTIONS="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/ca-bundle.crt"
-# Mysql root cert
-elif [ -f "/nextcloud/data/certificates/MYSQL" ]; then
-    CERT_OPTIONS="?sslmode=verify-ca&ssl-ca=/nextcloud/data/certificates/ca-bundle.crt"
-fi
-
-# Set sensitive values as env
-export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB$CERT_OPTIONS"
-export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST:$REDIS_PORT/$REDIS_DB_INDEX"
-
 # Run it
-/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
-    --database-prefix="oc_" \
-    --nextcloud-url "https://$NC_DOMAIN" \
-    --port 7867
+/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --port 7867 \
+    /var/www/html/config/config.php
 
 exec "$@"

Containers/onlyoffice/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:9.2.1.1
+FROM onlyoffice/documentserver:9.3.0.1
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
-FROM postgres:17.7-alpine
+FROM postgres:17.8-alpine
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/redis/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.2.3-alpine
+FROM redis:8.6.1-alpine
 
 COPY --chmod=775 start.sh /start.sh
 
@@ -10,6 +10,7 @@ RUN set -ex; \
     \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl; \
     \
 # Get rid of unused binaries
     rm -f /usr/local/bin/gosu;

Containers/talk-recording/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.2-alpine3.23
+FROM python:3.14.3-alpine3.23
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/talk/Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
 FROM nats:2.12.4-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:2.0.4 AS signaling
-FROM alpine:3.23.2 AS janus
+FROM strukturag/nextcloud-spreed-signaling:2.1.0 AS signaling
+FROM alpine:3.23.3 AS janus
 
-ARG JANUS_VERSION=v1.3.3
+ARG JANUS_VERSION=v1.4.0
 WORKDIR /src
 RUN set -ex; \
     apk upgrade --no-cache -a; \
@@ -35,7 +35,7 @@ RUN set -ex; \
     make configs; \
     rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
 
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 ENV ETURNAL_ETC_DIR="/conf"
 ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local

Containers/talk/server.conf.in

@@ -25,7 +25,9 @@ certificate = /etc/nginx/ssl/server.crt
 key = /etc/nginx/ssl/server.key
 
 [app]
-# Set to "true" to install pprof debug handlers.
+# Set to "true" to install pprof debug handlers. Access will only be possible
+# from IPs allowed through the "allowed_ips" option below.
+#
 # See "https://golang.org/pkg/net/http/pprof/" for further information.
 debug = false
 
@@ -270,8 +272,9 @@ connectionsperhost = 8
 #SA = NA
 
 [stats]
-# Comma-separated list of IP addresses that are allowed to access the stats
-# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
+# Comma-separated list of IP addresses that are allowed to access the debug,
+# stats and metrics endpoints.
+# Leave empty (or commented) to only allow access from localhost.
 #allowed_ips =
 
 [etcd]

Containers/watchtower/Dockerfile

@@ -1,15 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.6-alpine3.23 AS go
+FROM golang:1.26.0-alpine3.23 AS go
 
-ENV WATCHTOWER_COMMIT_HASH=f522ce27e1fbe4618da54833025a95be62aa838a	
+ENV WATCHTOWER_COMMIT_HASH=943098a670cb78a620af6499fb94b3ee2c940cf0	
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \
         build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.0
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.2
 
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \

Containers/whiteboard/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.3
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.6
 
 USER root
 RUN set -ex; \

app/lib/Settings/Admin.php

@@ -55,7 +55,12 @@ class Admin implements ISettings {
 		$lastUpdateCheckTimestamp = $this->config->getAppValue('core', 'lastupdatedat');
 		$lastUpdateCheck = $this->dateTimeFormatter->formatDateTime($lastUpdateCheckTimestamp);
 
-		$token = urlencode(getenv('AIO_TOKEN'));
+		$privateKeyBase64 = getenv('AIO_TOKEN');
+		$privateKeyBin = sodium_base642bin($privateKeyBase64, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+		$timestamp = (string) time();
+		$tokenBin = sodium_crypto_sign($timestamp, $privateKeyBin);
+		$token = sodium_bin2base64($tokenBin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+
 		$params = [
 			'AIOLoginUrl' => 'https://' . getenv('AIO_URL') . '/api/auth/getlogin' . '?token=' . $token,
 		];

community-containers/caddy/readme.md

@@ -1,5 +1,5 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed.
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -12,8 +12,9 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin), make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
 - If you want to use this with [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap), make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
 - If you want to use this with [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb), make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
-- If you want to use this with [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
+- If you want to use this with [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for seerr.
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
+- If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
 - You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/jellyseerr/jellyseerr.json

@@ -2,13 +2,13 @@
     "aio_services_v1": [
         {
             "container_name": "nextcloud-aio-jellyseerr",
-            "display_name": "Jellyseerr",
+            "display_name": "Seerr",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr",
-            "image": "fallenbagel/jellyseerr",
+            "image": "ghcr.io/seerr-team/seerr",
             "image_tag": "latest",
             "internal_port": "5055",
             "restart": "unless-stopped",
-            "init": false,
+            "init": true,
             "ports": [
                 {
                     "ip_binding": "%APACHE_IP_BINDING%",

community-containers/jellyseerr/readme.md

@@ -1,16 +1,17 @@
-## Jellyseerr
-This container bundles Jellyseerr and auto-configures it for you.
+## Seerr
+This container bundles Seerr and auto-configures it for you.
 
 ### Notes
+- **Migration from Jellyseerr**: Jellyseer previously ran as the root user. With the migration to Seerr, the container now runs rootless with userid 1000, meaning that if you previously used Jellyseerr, Seerr will not be able to access the config files generated by the old Jellyseerr container. To migrate, execute the following steps: 1. stop all containers using the AIO-interface, 2. run `sudo docker run --rm -v nextcloud_aio_jellyseerr:/data alpine chown -R 1000:1000 /data`
 - This container is only intended to be used inside home networks as it uses http for its management page by default.
-- After adding and starting the container, you can directly visit `http://ip.address.of.server:5055` and access your new Jellyseerr instance, which can be used to manage Plex, Jellyfin, and Emby.
-- In order to access your Jellyseerr outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Jellyseerr's reverse proxy documentation.](https://docs.jellyseerr.dev/extending-jellyseerr/reverse-proxy), OR use the Caddy community container that will automatically configure requests.$NC_DOMAIN to redirect to your Jellyseerr. Note that it is recommended to [enable CSRF protection in Jellyseerr](https://docs.jellyseerr.dev/using-jellyseerr/settings/general#enable-csrf-protection) for added security if you plan to use Jellyseerr outside the local network, but make sure to read up on it and understand the caveats first.
-- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban. Note that [enabling the proxy support option in Jellyseerr](https://docs.jellyseerr.dev/using-jellyseerr/settings/general#enable-proxy-support) is required for this to work properly.
-- The config of Jellyseerr will be automatically included in AIO's backup solution!
+- After adding and starting the container, you can directly visit `http://ip.address.of.server:5055` and access your new Seerr instance, which can be used to manage Plex, Jellyfin, and Emby.
+- In order to access your Seerr outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Seerr's reverse proxy documentation.](https://docs.seerr.dev/extending-Seerr/reverse-proxy), OR use the Caddy community container that will automatically configure requests.$NC_DOMAIN to redirect to your Seerr. Note that it is recommended to [enable CSRF protection in Seerr](https://docs.seerr.dev/using-Seerr/settings/general#enable-csrf-protection) for added security if you plan to use Seerr outside the local network, but make sure to read up on it and understand the caveats first.
+- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban. Note that [enabling the proxy support option in Seerr](https://docs.seerr.dev/using-Seerr/settings/general#enable-proxy-support) is required for this to work properly.
+- The config of Seerr will be automatically included in AIO's backup solution!
 - See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.
 
 ### Repository
-https://github.com/Fallenbagel/jellyseerr
+https://github.com/seerr-team/seerr
 
 ### Maintainer
 https://github.com/Anvil5465

community-containers/local-ai/local-ai.json

@@ -4,42 +4,59 @@
             "container_name": "nextcloud-aio-local-ai",
             "display_name": "Local AI",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai",
-            "image": "ghcr.io/szaimen/aio-local-ai",
-            "image_tag": "v2",
-            "internal_port": "8080",
+            "image": "ghcr.io/docjyj/aio-local-ai-vulkan",
+            "image_tag": "v1",
+            "internal_port": "10078",
             "restart": "unless-stopped",
             "environment": [
                 "TZ=%TIMEZONE%",
-                "MODELS_PATH=/models"
+                "LOCALAI_API_KEY=%LOCALAI_API_KEY%",
+                "LOCALAI_ADDRESS=:10078",
+                "LOCALAI_CONFIG_DIR=/configuration",
+                "LOCALAI_MODEL_PATH=/models",
+                "LOCALAI_BACKEND_PATH=/backends"
+            ],
+            "ports": [
+                {
+                  "ip_binding": "%APACHE_IP_BINDING%",
+                  "port_number": "10078",
+                  "protocol": "tcp"
+                }
             ],
             "volumes": [
+                {
+                  "source": "nextcloud_aio_localai_configuration",
+                  "destination": "/configuration",
+                  "writeable": true
+                },
                 {
                     "source": "nextcloud_aio_localai_models",
                     "destination": "/models",
                     "writeable": true
                 },
                 {
-                    "source": "nextcloud_aio_localai_images",
-                    "destination": "/tmp/generated/images/",
+                    "source": "nextcloud_aio_localai_backends",
+                    "destination": "/backends",
                     "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/nextcloud",
-                    "writeable": false
                 }
             ],
-            "enable_nvidia_gpu": false,
+            "secrets": [
+                "LOCALAI_API_KEY"
+            ],
+            "ui_secret": "LOCALAI_API_KEY",
+            "devices": [
+                "/dev/dri"
+            ],
             "nextcloud_exec_commands": [
-                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-local-ai'",
-                "touch '/mnt/ncdata/admin/files/nextcloud-aio-local-ai/models.yaml'",
-                "echo 'Scanning nextcloud-aio-local-ai folder for admin user...'",
-                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-local-ai'",
                 "php /var/www/html/occ app:install integration_openai",
                 "php /var/www/html/occ app:enable integration_openai",
-                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:8080",
+                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:10078",
+                "php /var/www/html/occ config:app:set integration_openai api_key --value %LOCALAI_API_KEY%",
                 "php /var/www/html/occ app:install assistant",
                 "php /var/www/html/occ app:enable assistant"
+            ],
+            "backup_volumes": [
+              "nextcloud_aio_localai_configuration"
             ]
         }
     ]

community-containers/local-ai/readme.md

@@ -1,21 +1,16 @@
 ## Local AI
-This container bundles Local AI and auto-configures it for you.
+This container bundles Local AI and auto-configures it for you. It support hardware acceleration with Vulkan.
 
 ### Notes
-- Make sure to have enough storage space available. This container alone needs ~7GB storage. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
-- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/mudler/LocalAI/blob/master/gallery/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
-- Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
-```yaml
-# Stable Diffusion in NCNN with c++, supported txt2img and img2img 
-- url: github:mudler/LocalAI/blob/master/gallery/stablediffusion.yaml
-  name: Stable_diffusion
-```
--  To make it work, you first need to browse `https://your-nc-domain.com/settings/admin/ai` and enable or disable specific features for your models in the openAI settings. Afterwards using the Nextcloud Assistant should work.
+Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!
+
+- See https://github.com/docjyJ/aio-local-ai-vulkan#getting-started for getting start with this container.
 - See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
+- Note that Nextcloud supports only one server for AI queries, so this container cannot be used at the same time as other AI containers.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository
-https://github.com/szaimen/aio-local-ai
+https://github.com/docjyJ/aio-local-ai-vulkan
 
 ### Maintainer
-https://github.com/szaimen
+https://github.com/docjyJ

develop.md

@@ -33,6 +33,7 @@ There is a testing-VM available for the maintainer of AIO that allows for some f
 Additionally, there are now E2E tests available that can be run via https://github.com/nextcloud/all-in-one/actions/workflows/playwright.yml
 
 ## How to promote builds from develop to beta
+1. Verify that GitHub Services are running correctly: https://www.githubstatus.com/
 1. Verify that no job is running here: https://github.com/nextcloud-releases/all-in-one/actions/workflows/build_images.yml
 2. Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-beta.yml, click on `Run workflow`.
 

manual-install/readme.md

@@ -12,7 +12,7 @@ You can run the containers that are build for AIO with docker-compose. This come
 - You lose the AIO interface
 - You lose update notifications and automatic updates
 - You lose all AIO backup and restore features
-- You lose the built-in [Docker Socket Proxy container](https://github.com/nextcloud/docker-socket-proxy#readme) (needed for [Nextcloud App API](https://github.com/nextcloud/app_api#nextcloud-appapi))
+- You lose the built-in [Docker Socket Proxy container](https://github.com/nextcloud/docker-socket-proxy#readme) and [HaRP container](https://github.com/nextcloud/HaRP) (needed for [Nextcloud App API](https://github.com/nextcloud/app_api#nextcloud-appapi))
 - You lose all community containers: https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers
 - **You need to know what you are doing, especially when modifying the compose.yaml file**
 - For updating, you need to strictly follow the at the bottom described update routine

manual-install/update-yaml.sh

@@ -27,6 +27,8 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "next
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-docker-socket-proxy"))')"
 OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= if contains(["nextcloud-aio-docker-socket-proxy"]) then del(.[index("nextcloud-aio-docker-socket-proxy")]) else . end else . end')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-harp"))')"
+OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= if contains(["nextcloud-aio-harp"]) then del(.[index("nextcloud-aio-harp")]) else . end else . end')"
 OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= map({ (.): { "condition": "service_started", "required": false } }) else . end' | jq '.services[] |= if has("depends_on") then .depends_on |= reduce .[] as $item ({}; . + $item) else . end')"
 
 sudo snap install yq
@@ -45,8 +47,11 @@ sed -i 's|- ip_binding: |- |' containers.yml
 sed -i '/AIO_TOKEN/d' containers.yml
 sed -i '/AIO_URL/d' containers.yml
 sed -i '/DOCKER_SOCKET_PROXY_ENABLED/d' containers.yml
+sed -i '/HARP_ENABLED/d' containers.yml
+sed -i '/HP_SHARED_KEY/d' containers.yml
 sed -i '/ADDITIONAL_TRUSTED_PROXY/d' containers.yml
 sed -i '/TURN_DOMAIN/d' containers.yml
+sed -i '/NC_AIO_VERSION/d' containers.yml
 
 TCP="$(grep -oP '[%A-Z0-9_]+/tcp' containers.yml | sort -u)"
 mapfile -t TCP <<< "$TCP"

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 12.5.0
+version: 12.7.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -47,6 +47,8 @@ spec:
               value: "{{ .Values.APACHE_PORT }}"
             - name: COLLABORA_HOST
               value: nextcloud-aio-collabora
+            - name: HARP_HOST
+              value: nextcloud-aio-harp
             - name: NC_DOMAIN
               value: "{{ .Values.NC_DOMAIN }}"
             - name: NEXTCLOUD_HOST
@@ -61,7 +63,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-apache:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
           command:
             - mkdir
             - "-p"
@@ -59,7 +59,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -36,9 +36,9 @@ spec:
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
           {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260218_123804
           {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260218_123804
           {{- end }}
           readinessProbe:
             exec:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
           command:
             - mkdir
             - "-p"
@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
           command:
             - chmod
             - "777"
@@ -54,7 +54,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
           command:
             - chmod
             - "777"
@@ -190,7 +190,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260218_123804
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -35,29 +35,11 @@ spec:
         {{- end }}
       containers:
         - env:
-            - name: NC_DOMAIN
-              value: "{{ .Values.NC_DOMAIN }}"
             - name: NEXTCLOUD_HOST
               value: nextcloud-aio-nextcloud
-            - name: POSTGRES_DB
-              value: nextcloud_database
-            - name: POSTGRES_HOST
-              value: nextcloud-aio-database
-            - name: POSTGRES_PASSWORD
-              value: "{{ .Values.DATABASE_PASSWORD }}"
-            - name: POSTGRES_PORT
-              value: "5432"
-            - name: POSTGRES_USER
-              value: nextcloud
-            - name: REDIS_HOST
-              value: nextcloud-aio-redis
-            - name: REDIS_HOST_PASSWORD
-              value: "{{ .Values.REDIS_PASSWORD }}"
-            - name: REDIS_PORT
-              value: "6379"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260218_123804
           readinessProbe:
             exec:
               command:
@@ -86,7 +68,7 @@ spec:
               drop: ["NET_RAW"]
               {{- end }}
           volumeMounts:
-            - mountPath: /nextcloud
+            - mountPath: /var/www/html
               name: nextcloud-aio-nextcloud
               readOnly: true
       volumes:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
           command:
             - chmod
             - "777"
@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-redis:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-talk:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260122_105751
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260218_123804
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/update-helm.sh

@@ -407,7 +407,7 @@ rm latest.yml
 mv latest.yml.backup latest.yml
 
 # Get version of AIO
-AIO_VERSION="$(grep 'Nextcloud AIO ' ../php/templates/includes/aio-version.twig | grep -oP '[0-9]+.[0-9]+.[0-9]+')"
+AIO_VERSION="$(grep -oP '[0-9]+.[0-9]+.[0-9]+' ../php/templates/includes/aio-version.twig)"
 sed -i "s|^version:.*|version: $AIO_VERSION|" ../helm-chart/Chart.yaml
 
 # Conversion of sample.conf
@@ -418,8 +418,9 @@ sed -i 's|= |: |' /tmp/sample.conf
 sed -i '/^NEXTCLOUD_DATADIR/d' /tmp/sample.conf
 sed -i '/^APACHE_IP_BINDING/d' /tmp/sample.conf
 sed -i '/^NEXTCLOUD_MOUNT/d' /tmp/sample.conf
-sed -i '/_ENABLED.*/s/ yes / "yes" /' /tmp/sample.conf
-sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
+sed -i 's/ yes / "yes" /' /tmp/sample.conf
+sed -i 's/ no / "no" /' /tmp/sample.conf
+sed -i 's/"no" authentication/no authentication/' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
 sed -i 's|17179869184|"17179869184"|' /tmp/sample.conf
 # shellcheck disable=SC2129

nextcloud-aio-helm-chart/values.yaml

@@ -26,7 +26,7 @@ APACHE_PORT: 443          # Changing this to a different value than 443 will all
 ADDITIONAL_COLLABORA_OPTIONS: ['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
 FULLTEXTSEARCH_JAVA_OPTIONS: -Xms512M -Xmx512M          # Allows to adjust the fulltextsearch java options.
-INSTALL_LATEST_MAJOR: no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
+INSTALL_LATEST_MAJOR: "no"        # Setting this to "yes" will install the latest Major Nextcloud version upon the first installation
 NEXTCLOUD_ADDITIONAL_APKS: imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.
 NEXTCLOUD_MAX_TIME: 3600          # This allows to change the upload time limit of the Nextcloud container
@@ -34,9 +34,9 @@ NEXTCLOUD_MEMORY_LIMIT: 512M          # This allows to change the PHP memory lim
 NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container
 NEXTCLOUD_UPLOAD_LIMIT: 16G          # This allows to change the upload limit of the Nextcloud container
-REMOVE_DISABLED_APPS: yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
+REMOVE_DISABLED_APPS: "yes"        # Setting this to "no" keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
 TALK_PORT: 3478          # This allows to adjust the port that the talk container is using. It should be set to something higher than 1024! Otherwise it might not work!
-UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
+UPDATE_NEXTCLOUD_APPS: "no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
 
 STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes. This should be a fast storage like SSD backed storage! This storage class must provide RWX and RWO volumes (ReadWriteMany and ReadWriteOnce).
 STORAGE_CLASS_DATA:        # Allows to set a dedicated storage class for the Nextcloud data volume. This can be a bit slower storage than the one above. This storage class must provide RWX volumes (ReadWriteMany). ⚠️ Warning: only set this for new installations, not existing ones!

php/composer.json

@@ -5,7 +5,7 @@
 		}
 	},
 	"require": {
-		"php": "8.4.*",
+		"php": "8.5.*",
 		"ext-json": "*",
 		"ext-sodium": "*",
 		"ext-curl": "*",
@@ -16,7 +16,8 @@
 		"http-interop/http-factory-guzzle": "^1.2",
 		"slim/twig-view": "^3.3",
 		"slim/csrf": "^1.3",
-		"ext-apcu": "*"
+		"ext-apcu": "*",
+		"slim/psr7": "^1.8"
 	},
 	"require-dev": {
 		"sserbin/twig-linter": "@dev",
@@ -33,6 +34,6 @@
 		"psalm:strict": "psalm --threads=1 --show-info=true",
 		"lint": "php -l src/*.php src/**/*.php public/index.php",
 		"lint:twig": "twig-linter lint ./templates",
-		"php-deprecation-detector": "phpdd scan -n -t 8.4 src/*.php src/**/*.php public/index.php"
+		"php-deprecation-detector": "phpdd scan -n -t 8.5 src/*.php src/**/*.php public/index.php"
 	}
 }

php/composer.lock

@@ -4,8 +4,64 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "19598625395cc28e64f15d2719f8f98f",
+    "content-hash": "e49cef2ac29c2198aececcb842fce2fe",
     "packages": [
+        {
+            "name": "fig/http-message-util",
+            "version": "1.1.5",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message-util.git",
+                "reference": "9d94dc0154230ac39e5bf89398b324a86f63f765"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message-util/zipball/9d94dc0154230ac39e5bf89398b324a86f63f765",
+                "reference": "9d94dc0154230ac39e5bf89398b324a86f63f765",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^5.3 || ^7.0 || ^8.0"
+            },
+            "suggest": {
+                "psr/http-message": "The package containing the PSR-7 interfaces"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.1.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Fig\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "https://www.php-fig.org/"
+                }
+            ],
+            "description": "Utility classes and constants for use with PSR-7 (psr/http-message)",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "support": {
+                "issues": "https://github.com/php-fig/http-message-util/issues",
+                "source": "https://github.com/php-fig/http-message-util/tree/1.1.5"
+            },
+            "time": "2020-11-24T22:02:12+00:00"
+        },
         {
             "name": "guzzlehttp/guzzle",
             "version": "7.10.0",
@@ -391,27 +447,27 @@
         },
         {
             "name": "laravel/serializable-closure",
-            "version": "v2.0.8",
+            "version": "v2.0.10",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "7581a4407012f5f53365e11bafc520fd7f36bc9b"
+                "reference": "870fc81d2f879903dfc5b60bf8a0f94a1609e669"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/7581a4407012f5f53365e11bafc520fd7f36bc9b",
-                "reference": "7581a4407012f5f53365e11bafc520fd7f36bc9b",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/870fc81d2f879903dfc5b60bf8a0f94a1609e669",
+                "reference": "870fc81d2f879903dfc5b60bf8a0f94a1609e669",
                 "shasum": ""
             },
             "require": {
                 "php": "^8.1"
             },
             "require-dev": {
-                "illuminate/support": "^10.0|^11.0|^12.0",
+                "illuminate/support": "^10.0|^11.0|^12.0|^13.0",
                 "nesbot/carbon": "^2.67|^3.0",
                 "pestphp/pest": "^2.36|^3.0|^4.0",
                 "phpstan/phpstan": "^2.0",
-                "symfony/var-dumper": "^6.2.0|^7.0.0"
+                "symfony/var-dumper": "^6.2.0|^7.0.0|^8.0.0"
             },
             "type": "library",
             "extra": {
@@ -448,7 +504,7 @@
                 "issues": "https://github.com/laravel/serializable-closure/issues",
                 "source": "https://github.com/laravel/serializable-closure"
             },
-            "time": "2026-01-08T16:22:46+00:00"
+            "time": "2026-02-20T19:59:49+00:00"
         },
         {
             "name": "nikic/fast-route",
@@ -1146,6 +1202,85 @@
             },
             "time": "2025-11-02T14:58:28+00:00"
         },
+        {
+            "name": "slim/psr7",
+            "version": "1.8.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/slimphp/Slim-Psr7.git",
+                "reference": "76e7e3b1cdfd583e9035c4c966c08e01e45ce959"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/slimphp/Slim-Psr7/zipball/76e7e3b1cdfd583e9035c4c966c08e01e45ce959",
+                "reference": "76e7e3b1cdfd583e9035c4c966c08e01e45ce959",
+                "shasum": ""
+            },
+            "require": {
+                "fig/http-message-util": "^1.1.5",
+                "php": "^8.0",
+                "psr/http-factory": "^1.1",
+                "psr/http-message": "^1.0 || ^2.0",
+                "ralouphie/getallheaders": "^3.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "^1.0",
+                "psr/http-message-implementation": "^1.0 || ^2.0"
+            },
+            "require-dev": {
+                "adriansuter/php-autoload-override": "^1.5|| ^2.0",
+                "ext-json": "*",
+                "http-interop/http-factory-tests": "^1.0 || ^2.0",
+                "php-http/psr7-integration-tests": "^1.5",
+                "phpstan/phpstan": "^2.1",
+                "phpunit/phpunit": "^9.6 || ^10",
+                "squizlabs/php_codesniffer": "^3.13"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Slim\\Psr7\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Josh Lockhart",
+                    "email": "hello@joshlockhart.com",
+                    "homepage": "https://joshlockhart.com"
+                },
+                {
+                    "name": "Andrew Smith",
+                    "email": "a.smith@silentworks.co.uk",
+                    "homepage": "https://silentworks.co.uk"
+                },
+                {
+                    "name": "Rob Allen",
+                    "email": "rob@akrabat.com",
+                    "homepage": "https://akrabat.com"
+                },
+                {
+                    "name": "Pierre Berube",
+                    "email": "pierre@lgse.com",
+                    "homepage": "https://www.lgse.com"
+                }
+            ],
+            "description": "Strict PSR-7 implementation",
+            "homepage": "https://www.slimframework.com",
+            "keywords": [
+                "http",
+                "psr-7",
+                "psr7"
+            ],
+            "support": {
+                "issues": "https://github.com/slimphp/Slim-Psr7/issues",
+                "source": "https://github.com/slimphp/Slim-Psr7/tree/1.8.0"
+            },
+            "time": "2025-11-02T17:51:19+00:00"
+        },
         {
             "name": "slim/slim",
             "version": "4.15.1",
@@ -2888,29 +3023,29 @@
         },
         {
             "name": "doctrine/deprecations",
-            "version": "1.1.5",
+            "version": "1.1.6",
             "source": {
                 "type": "git",
                 "url": "https://github.com/doctrine/deprecations.git",
-                "reference": "459c2f5dd3d6a4633d3b5f46ee2b1c40f57d3f38"
+                "reference": "d4fe3e6fd9bb9e72557a19674f44d8ac7db4c6ca"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/doctrine/deprecations/zipball/459c2f5dd3d6a4633d3b5f46ee2b1c40f57d3f38",
-                "reference": "459c2f5dd3d6a4633d3b5f46ee2b1c40f57d3f38",
+                "url": "https://api.github.com/repos/doctrine/deprecations/zipball/d4fe3e6fd9bb9e72557a19674f44d8ac7db4c6ca",
+                "reference": "d4fe3e6fd9bb9e72557a19674f44d8ac7db4c6ca",
                 "shasum": ""
             },
             "require": {
                 "php": "^7.1 || ^8.0"
             },
             "conflict": {
-                "phpunit/phpunit": "<=7.5 || >=13"
+                "phpunit/phpunit": "<=7.5 || >=14"
             },
             "require-dev": {
-                "doctrine/coding-standard": "^9 || ^12 || ^13",
-                "phpstan/phpstan": "1.4.10 || 2.1.11",
+                "doctrine/coding-standard": "^9 || ^12 || ^14",
+                "phpstan/phpstan": "1.4.10 || 2.1.30",
                 "phpstan/phpstan-phpunit": "^1.0 || ^2",
-                "phpunit/phpunit": "^7.5 || ^8.5 || ^9.6 || ^10.5 || ^11.5 || ^12",
+                "phpunit/phpunit": "^7.5 || ^8.5 || ^9.6 || ^10.5 || ^11.5 || ^12.4 || ^13.0",
                 "psr/log": "^1 || ^2 || ^3"
             },
             "suggest": {
@@ -2930,9 +3065,9 @@
             "homepage": "https://www.doctrine-project.org/",
             "support": {
                 "issues": "https://github.com/doctrine/deprecations/issues",
-                "source": "https://github.com/doctrine/deprecations/tree/1.1.5"
+                "source": "https://github.com/doctrine/deprecations/tree/1.1.6"
             },
-            "time": "2025-04-07T20:06:18+00:00"
+            "time": "2026-02-07T07:09:04+00:00"
         },
         {
             "name": "felixfbecker/language-server-protocol",
@@ -3293,16 +3428,16 @@
         },
         {
             "name": "netresearch/jsonmapper",
-            "version": "v5.0.0",
+            "version": "v5.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/cweiske/jsonmapper.git",
-                "reference": "8c64d8d444a5d764c641ebe97e0e3bc72b25bf6c"
+                "reference": "980674efdda65913492d29a8fd51c82270dd37bb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/cweiske/jsonmapper/zipball/8c64d8d444a5d764c641ebe97e0e3bc72b25bf6c",
-                "reference": "8c64d8d444a5d764c641ebe97e0e3bc72b25bf6c",
+                "url": "https://api.github.com/repos/cweiske/jsonmapper/zipball/980674efdda65913492d29a8fd51c82270dd37bb",
+                "reference": "980674efdda65913492d29a8fd51c82270dd37bb",
                 "shasum": ""
             },
             "require": {
@@ -3338,9 +3473,9 @@
             "support": {
                 "email": "cweiske@cweiske.de",
                 "issues": "https://github.com/cweiske/jsonmapper/issues",
-                "source": "https://github.com/cweiske/jsonmapper/tree/v5.0.0"
+                "source": "https://github.com/cweiske/jsonmapper/tree/v5.0.1"
             },
-            "time": "2024-09-08T10:20:00+00:00"
+            "time": "2026-02-22T16:28:03+00:00"
         },
         {
             "name": "nikic/php-parser",
@@ -3697,29 +3832,29 @@
         },
         {
             "name": "sebastian/diff",
-            "version": "7.0.0",
+            "version": "8.0.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/diff.git",
-                "reference": "7ab1ea946c012266ca32390913653d844ecd085f"
+                "reference": "a2b6d09d7729ee87d605a439469f9dcc39be5ea3"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/7ab1ea946c012266ca32390913653d844ecd085f",
-                "reference": "7ab1ea946c012266ca32390913653d844ecd085f",
+                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/a2b6d09d7729ee87d605a439469f9dcc39be5ea3",
+                "reference": "a2b6d09d7729ee87d605a439469f9dcc39be5ea3",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.3"
+                "php": ">=8.4"
             },
             "require-dev": {
-                "phpunit/phpunit": "^12.0",
+                "phpunit/phpunit": "^13.0",
                 "symfony/process": "^7.2"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "7.0-dev"
+                    "dev-main": "8.0-dev"
                 }
             },
             "autoload": {
@@ -3752,15 +3887,27 @@
             "support": {
                 "issues": "https://github.com/sebastianbergmann/diff/issues",
                 "security": "https://github.com/sebastianbergmann/diff/security/policy",
-                "source": "https://github.com/sebastianbergmann/diff/tree/7.0.0"
+                "source": "https://github.com/sebastianbergmann/diff/tree/8.0.0"
             },
             "funding": [
                 {
                     "url": "https://github.com/sebastianbergmann",
                     "type": "github"
+                },
+                {
+                    "url": "https://liberapay.com/sebastianbergmann",
+                    "type": "liberapay"
+                },
+                {
+                    "url": "https://thanks.dev/u/gh/sebastianbergmann",
+                    "type": "thanks_dev"
+                },
+                {
+                    "url": "https://tidelift.com/funding/github/packagist/sebastian/diff",
+                    "type": "tidelift"
                 }
             ],
-            "time": "2025-02-07T04:55:46+00:00"
+            "time": "2026-02-06T04:42:27+00:00"
         },
         {
             "name": "spatie/array-to-xml",
@@ -4551,16 +4698,16 @@
         },
         {
             "name": "vimeo/psalm",
-            "version": "6.14.3",
+            "version": "6.15.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/vimeo/psalm.git",
-                "reference": "d0b040a91f280f071c1abcb1b77ce3822058725a"
+                "reference": "28dc127af1b5aecd52314f6f645bafc10d0e11f9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/vimeo/psalm/zipball/d0b040a91f280f071c1abcb1b77ce3822058725a",
-                "reference": "d0b040a91f280f071c1abcb1b77ce3822058725a",
+                "url": "https://api.github.com/repos/vimeo/psalm/zipball/28dc127af1b5aecd52314f6f645bafc10d0e11f9",
+                "reference": "28dc127af1b5aecd52314f6f645bafc10d0e11f9",
                 "shasum": ""
             },
             "require": {
@@ -4584,7 +4731,7 @@
                 "netresearch/jsonmapper": "^5.0",
                 "nikic/php-parser": "^5.0.0",
                 "php": "~8.1.31 || ~8.2.27 || ~8.3.16 || ~8.4.3 || ~8.5.0",
-                "sebastian/diff": "^4.0 || ^5.0 || ^6.0 || ^7.0",
+                "sebastian/diff": "^4.0 || ^5.0 || ^6.0 || ^7.0 || ^8.0",
                 "spatie/array-to-xml": "^2.17.0 || ^3.0",
                 "symfony/console": "^6.0 || ^7.0 || ^8.0",
                 "symfony/filesystem": "~6.3.12 || ~6.4.3 || ^7.0.3 || ^8.0",
@@ -4665,7 +4812,7 @@
                 "issues": "https://github.com/vimeo/psalm/issues",
                 "source": "https://github.com/vimeo/psalm"
             },
-            "time": "2025-12-23T15:36:48+00:00"
+            "time": "2026-02-07T19:27:16+00:00"
         },
         {
             "name": "wapmorgan/php-deprecation-detector",
@@ -4736,16 +4883,16 @@
         },
         {
             "name": "webmozart/assert",
-            "version": "2.1.2",
+            "version": "2.1.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/webmozarts/assert.git",
-                "reference": "ce6a2f100c404b2d32a1dd1270f9b59ad4f57649"
+                "reference": "79155f94852fa27e2f73b459f6503f5e87e2c188"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/webmozarts/assert/zipball/ce6a2f100c404b2d32a1dd1270f9b59ad4f57649",
-                "reference": "ce6a2f100c404b2d32a1dd1270f9b59ad4f57649",
+                "url": "https://api.github.com/repos/webmozarts/assert/zipball/79155f94852fa27e2f73b459f6503f5e87e2c188",
+                "reference": "79155f94852fa27e2f73b459f6503f5e87e2c188",
                 "shasum": ""
             },
             "require": {
@@ -4792,9 +4939,9 @@
             ],
             "support": {
                 "issues": "https://github.com/webmozarts/assert/issues",
-                "source": "https://github.com/webmozarts/assert/tree/2.1.2"
+                "source": "https://github.com/webmozarts/assert/tree/2.1.5"
             },
-            "time": "2026-01-13T14:02:24+00:00"
+            "time": "2026-02-18T14:09:36+00:00"
         }
     ],
     "aliases": [],
@@ -4806,7 +4953,7 @@
     "prefer-stable": false,
     "prefer-lowest": false,
     "platform": {
-        "php": "8.4.*",
+        "php": "8.5.*",
         "ext-json": "*",
         "ext-sodium": "*",
         "ext-curl": "*",

php/containers-schema.json

@@ -47,7 +47,7 @@
 					},
 					"display_name": {
 						"type": "string",
-						"pattern": "^[()A-Za-z 0-9-]+$"
+						"pattern": "^[()A-Za-z &0-9-]+$"
 					},
 					"environment": {
 						"type": "array",

php/containers.json

@@ -10,9 +10,10 @@
         "nextcloud-aio-talk",
         "nextcloud-aio-notify-push",
         "nextcloud-aio-whiteboard",
+        "nextcloud-aio-harp",
         "nextcloud-aio-nextcloud"
       ],
-      "display_name": "Apache",
+      "display_name": "Apache & Caddy",
       "image": "ghcr.io/nextcloud-releases/aio-apache",
       "user": "33",
       "init": true,
@@ -49,7 +50,8 @@
         "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
         "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
         "NOTIFY_PUSH_HOST=nextcloud-aio-notify-push",
-        "WHITEBOARD_HOST=nextcloud-aio-whiteboard"
+        "WHITEBOARD_HOST=nextcloud-aio-whiteboard",
+        "HARP_HOST=nextcloud-aio-harp"
       ],
       "volumes": [
         {
@@ -83,7 +85,7 @@
     {
       "container_name": "nextcloud-aio-database",
       "image_tag": "%AIO_CHANNEL%",
-      "display_name": "Database",
+      "display_name": "PostgreSQL",
       "image": "ghcr.io/nextcloud-releases/aio-postgresql",
       "user": "999",
       "init": true,
@@ -172,7 +174,8 @@
         "SIGNALING_SECRET",
         "FULLTEXTSEARCH_PASSWORD",
         "IMAGINARY_SECRET",
-        "WHITEBOARD_SECRET"
+        "WHITEBOARD_SECRET",
+        "HP_SHARED_KEY"
       ],
       "volumes": [
         {
@@ -219,6 +222,7 @@
         "SIGNALING_SECRET=%SIGNALING_SECRET%",
         "ONLYOFFICE_SECRET=%ONLYOFFICE_SECRET%",
         "AIO_URL=%AIO_URL%",
+        "NC_AIO_VERSION=v%AIO_VERSION%",
         "NEXTCLOUD_MOUNT=%NEXTCLOUD_MOUNT%",
         "CLAMAV_ENABLED=%CLAMAV_ENABLED%",
         "CLAMAV_HOST=nextcloud-aio-clamav",
@@ -257,7 +261,9 @@
         "THIS_IS_AIO=true",
         "IMAGINARY_SECRET=%IMAGINARY_SECRET%",
         "WHITEBOARD_SECRET=%WHITEBOARD_SECRET%",
-        "WHITEBOARD_ENABLED=%WHITEBOARD_ENABLED%"
+        "WHITEBOARD_ENABLED=%WHITEBOARD_ENABLED%",
+        "HARP_ENABLED=%HARP_ENABLED%",
+        "HP_SHARED_KEY=%HP_SHARED_KEY%"
       ],
       "stop_grace_period": 600,
       "restart": "unless-stopped",
@@ -275,7 +281,7 @@
     {
       "container_name": "nextcloud-aio-notify-push",
       "image_tag": "%AIO_CHANNEL%",
-      "display_name": "Notify Push",
+      "display_name": "Client Push",
       "image": "ghcr.io/nextcloud-releases/aio-notify-push",
       "user": "33",
       "init": true,
@@ -298,22 +304,13 @@
       "volumes": [
         {
           "source": "nextcloud_aio_nextcloud",
-          "destination": "/nextcloud",
+          "destination": "/var/www/html",
           "writeable": false
         }
       ],
       "environment": [
-        "NC_DOMAIN=%NC_DOMAIN%",
         "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
-        "TZ=%TIMEZONE%",
-        "REDIS_HOST=nextcloud-aio-redis",
-        "REDIS_PORT=6379",
-        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
-        "POSTGRES_HOST=nextcloud-aio-database",
-        "POSTGRES_PORT=5432",
-        "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
-        "POSTGRES_DB=nextcloud_database",
-        "POSTGRES_USER=nextcloud"
+        "TZ=%TIMEZONE%"
       ],
       "restart": "unless-stopped",
       "read_only": true,
@@ -366,7 +363,7 @@
       "container_name": "nextcloud-aio-collabora",
       "image_tag": "%AIO_CHANNEL%",
       "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
-      "display_name": "Collabora",
+      "display_name": "Nextcloud Office",
       "image": "ghcr.io/nextcloud-releases/aio-collabora",
       "init": true,
       "healthcheck": {
@@ -412,7 +409,7 @@
       "container_name": "nextcloud-aio-talk",
       "image_tag": "%AIO_CHANNEL%",
       "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
-      "display_name": "Talk",
+      "display_name": "Nextcloud Talk",
       "image": "ghcr.io/nextcloud-releases/aio-talk",
       "user": "1000",
       "init": true,
@@ -474,7 +471,7 @@
     {
       "container_name": "nextcloud-aio-talk-recording",
       "image_tag": "%AIO_CHANNEL%",
-      "display_name": "Talk Recording",
+      "display_name": "Nextcloud Talk Recording",
       "image": "ghcr.io/nextcloud-releases/aio-talk-recording",
       "user": "122",
       "init": true,
@@ -823,7 +820,7 @@
     {
       "container_name": "nextcloud-aio-docker-socket-proxy",
       "image_tag": "%AIO_CHANNEL%",
-      "display_name": "Docker Socket Proxy",
+      "display_name": "Docker Socket Proxy (deprecated)",
       "image": "ghcr.io/nextcloud-releases/aio-docker-socket-proxy",
       "init": true,
       "internal_port": "2375",
@@ -846,10 +843,52 @@
         "NET_RAW"
       ]
     },
+    {
+      "container_name": "nextcloud-aio-harp",
+      "image_tag": "release",
+      "display_name": "HaRP",
+      "image": "ghcr.io/nextcloud/nextcloud-appapi-harp",
+      "init": true,
+      "internal_port": "8780",
+      "expose": [
+        "8780"
+      ],
+      "environment": [
+        "HP_SHARED_KEY=%HP_SHARED_KEY%",
+        "NC_INSTANCE_URL=https://%NC_DOMAIN%",
+        "HP_LOG_LEVEL=warning",
+        "HP_FRP_DISABLE_TLS=true",
+        "TZ=%TIMEZONE%"
+      ],
+      "secrets": [
+        "HP_SHARED_KEY"
+      ],
+      "volumes": [
+        {
+          "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
+          "destination": "/var/run/docker.sock",
+          "writeable": false
+        },
+        {
+          "source": "nextcloud_aio_harp",
+          "destination": "/certs",
+          "writeable": true
+        }
+      ],
+      "restart": "unless-stopped",
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/run/harp"
+      ],
+      "cap_drop": [
+        "NET_RAW"
+      ]
+    },
     {
       "container_name": "nextcloud-aio-whiteboard",
       "image_tag": "%AIO_CHANNEL%",
-      "display_name": "Whiteboard",
+      "display_name": "Nextcloud Whiteboard",
       "image": "ghcr.io/nextcloud-releases/aio-whiteboard",
       "user": "65534",
       "init": true,

php/domain-validator.php

@@ -1,6 +1,10 @@
 <?php
+declare(strict_types=1);
 
-$domain = $_GET['domain'] ?? '';
+$domain = '';
+if (isset($_GET['domain']) && is_string($_GET['domain'])) {
+    $domain = $_GET['domain'];
+}
 
 if (!str_contains($domain, '.')) { 
     http_response_code(400); 

php/psalm-baseline.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="6.14.3@d0b040a91f280f071c1abcb1b77ce3822058725a"/>
+<files psalm-version="6.15.1@28dc127af1b5aecd52314f6f645bafc10d0e11f9"/>

php/public/containers-form-submit.js

@@ -1,4 +1,9 @@
 document.addEventListener("DOMContentLoaded", function () {
+    // Don't run if the expected form isn't present.
+    if (document.getElementById('options-form') === null) {
+        return;
+    }
+
     // Hide submit button initially
     const optionsFormSubmit = document.querySelectorAll(".options-form-submit");
     optionsFormSubmit.forEach(element => {
@@ -116,13 +121,26 @@ document.addEventListener("DOMContentLoaded", function () {
 
     function handleDockerSocketProxyWarning() {
         if (document.getElementById("docker-socket-proxy").checked) {
+            // TODO: remove the line below and uncomment the lines further down once https://github.com/nextcloud/app_api/pull/800 is included
             alert('⚠️ Warning! Enabling this container comes with possible Security problems since you are exposing the docker socket and all its privileges to the Nextcloud container. Enable this only if you are sure what you are doing!');
+            // alert('⚠️ The docker socket proxy container is deprecated. Please use the HaRP (High-availability Reverse Proxy for Nextcloud ExApps) instead!');
+            // document.getElementById("docker-socket-proxy").checked = false
+        }
+    }
+
+    function handleHarpWarning() {
+        if (document.getElementById("harp").checked) {
+            alert('⚠️ Warning! Enabling this container comes with possible Security problems since you are exposing the docker socket and all its privileges to the HaRP container. Enable this only if you are sure what you are doing!');
+            document.getElementById("docker-socket-proxy").checked = false
         }
     }
 
     // Initialize event listeners for specific behaviors
     document.getElementById("talk").addEventListener('change', handleTalkVisibility);
     document.getElementById("docker-socket-proxy").addEventListener('change', handleDockerSocketProxyWarning);
+    if (document.getElementById("harp")) {
+        document.getElementById("harp").addEventListener('change', handleHarpWarning);
+    }
 
     // Initialize talk-recording visibility on page load
     handleTalkVisibility();  // Ensure talk-recording is correctly initialized

php/public/disable-harp.js

@@ -0,0 +1,7 @@
+document.addEventListener("DOMContentLoaded", function(event) {
+    // HaRP
+    let harp = document.getElementById("harp");
+    if (harp) {
+        harp.disabled = true;
+    }
+});

php/public/forms.js

@@ -70,15 +70,24 @@ function showPassword(id) {
     }
 
     form.onsubmit = submit;
-    console.info(form);
   }
 
   function initForms() {
     const forms = document.querySelectorAll('form.xhr')
-    console.info("Making " + forms.length + " form(s) use XHR.");
     for (const form of forms) {
       initForm(form);
     }
+    const overlayLogForms = document.querySelectorAll('form[target="overlay-log"]')
+    for (const form of overlayLogForms) {
+        form.onsubmit = function() {
+            enableSpinner();
+            document.getElementById('overlay-log')?.classList.add('visible');
+            // Reload the page after the response was fully loaded into the iframe.
+            document.querySelector('iframe[name="overlay-log"]').addEventListener('load', () => {
+                location.reload();
+            });
+        };
+    }
   }
 
   if (document.readyState === 'loading') {

php/public/index.php

@@ -11,6 +11,7 @@ ini_set('max_execution_time', '7200');
 ini_set('log_errors_max_len', '0');
 
 use DI\Container;
+use DI\NotFoundException;
 use Slim\Csrf\Guard;
 use Slim\Factory\AppFactory;
 use Slim\Views\Twig;
@@ -95,10 +96,10 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'apache_port' => $configurationManager->apachePort,
         'borg_backup_host_location' => $configurationManager->borgBackupHostLocation,
         'borg_remote_repo' => $configurationManager->borgRemoteRepo,
-        'borg_public_key' => $configurationManager->GetBorgPublicKey(),
-        'nextcloud_password' => $configurationManager->GetAndGenerateSecret('NEXTCLOUD_PASSWORD'),
+        'borg_public_key' => $configurationManager->getBorgPublicKey(),
+        'nextcloud_password' => $configurationManager->getAndGenerateSecret('NEXTCLOUD_PASSWORD'),
         'containers' => (new \AIO\ContainerDefinitionFetcher($container->get(\AIO\Data\ConfigurationManager::class), $container))->FetchDefinition(),
-        'borgbackup_password' => $configurationManager->GetAndGenerateSecret('BORGBACKUP_PASSWORD'),
+        'borgbackup_password' => $configurationManager->getAndGenerateSecret('BORGBACKUP_PASSWORD'),
         'is_mastercontainer_update_available' => ( $bypass_mastercontainer_update ? false : $dockerActionManager->IsMastercontainerUpdateAvailable() ),
         'has_backup_run_once' => $configurationManager->hasBackupRunOnce(),
         'is_backup_container_running' => $dockerActionManager->isBackupContainerRunning(),
@@ -107,15 +108,15 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'borg_backup_mode' => $configurationManager->backupMode,
         'was_start_button_clicked' => $configurationManager->wasStartButtonClicked,
         'has_update_available' => $dockerActionManager->isAnyUpdateAvailable(),
-        'last_backup_time' => $configurationManager->GetLastBackupTime(),
-        'backup_times' => $configurationManager->GetBackupTimes(),
+        'last_backup_time' => $configurationManager->getLastBackupTime(),
+        'backup_times' => $configurationManager->getBackupTimes(),
         'current_channel' => $dockerActionManager->GetCurrentChannel(),
         'is_clamav_enabled' => $configurationManager->isClamavEnabled,
         'is_onlyoffice_enabled' => $configurationManager->isOnlyofficeEnabled,
         'is_collabora_enabled' => $configurationManager->isCollaboraEnabled,
         'is_talk_enabled' => $configurationManager->isTalkEnabled,
         'borg_restore_password' => $configurationManager->borgRestorePassword,
-        'daily_backup_time' => $configurationManager->GetDailyBackupTime(),
+        'daily_backup_time' => $configurationManager->getDailyBackupTime(),
         'is_daily_backup_running' => $configurationManager->isDailyBackupRunning(),
         'timezone' => $configurationManager->timezone,
         'skip_domain_validation' => $configurationManager->shouldDomainValidationBeSkipped($skip_domain_validation),
@@ -126,7 +127,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'is_backup_section_enabled' => !$configurationManager->disableBackupSection,
         'is_imaginary_enabled' => $configurationManager->isImaginaryEnabled,
         'is_fulltextsearch_enabled' => $configurationManager->isFulltextsearchEnabled,
-        'additional_backup_directories' => $configurationManager->GetAdditionalBackupDirectoriesString(),
+        'additional_backup_directories' => $configurationManager->getAdditionalBackupDirectoriesString(),
         'nextcloud_datadir' => $configurationManager->nextcloudDatadirMount,
         'nextcloud_mount' => $configurationManager->nextcloudMount,
         'nextcloud_upload_limit' => $configurationManager->nextcloudUploadLimit,
@@ -136,6 +137,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'is_nvidia_gpu_enabled' => $configurationManager->enableNvidiaGpu,
         'is_talk_recording_enabled' => $configurationManager->isTalkRecordingEnabled,
         'is_docker_socket_proxy_enabled' => $configurationManager->isDockerSocketProxyEnabled,
+        'is_harp_enabled' => $configurationManager->isHarpEnabled,
         'is_whiteboard_enabled' => $configurationManager->isWhiteboardEnabled,
         'community_containers' => $configurationManager->listAvailableCommunityContainers(),
         'community_containers_enabled' => $configurationManager->aioCommunityContainers,
@@ -170,6 +172,15 @@ $app->get('/setup', function (Request $request, Response $response, array $args)
         ]
     );
 });
+$app->get('/log', function (Request $request, Response $response, array $args) use ($container) {
+    $params = $request->getQueryParams();
+    $id = $params['id'] ?? '';
+    if (!str_starts_with($id, 'nextcloud-aio-')) {
+        throw new DI\NotFoundException();
+    }
+    $view = Twig::fromRequest($request);
+    return $view->render($response, 'log.twig', ['id' => $id]);
+});
 
 // Auth Redirector
 $app->get('/', function (\Psr\Http\Message\RequestInterface $request, Response $response, array $args) use ($container) {
@@ -197,4 +208,13 @@ $app->get('/', function (\Psr\Http\Message\RequestInterface $request, Response $
 
 $errorMiddleware = $app->addErrorMiddleware(false, true, true);
 
+// Set a custom Not Found handler, which doesn't pollute the app output with 404 errors.
+$errorMiddleware->setErrorHandler(
+    \Slim\Exception\HttpNotFoundException::class,
+    function (Request $request, Throwable $exception, bool $displayErrorDetails) use ($app) {
+        $response = $app->getResponseFactory()->createResponse();
+        $response->getBody()->write('Not Found');
+        return $response->withStatus(404);
+    });
+
 $app->run();

php/public/log-view.js

@@ -0,0 +1,142 @@
+class LogViewer {
+    // Configure the interval in seconds for autoloading log data.
+    autoloadIntervalSec = 5;
+    // Set to true to see some debug log statements in the browser console.
+    debugLog = false;
+
+    // Don't touch these, please.
+    containerId;
+    apiBaseUrl = 'api/docker/logs';
+    autoloadIntervalId = null;
+    logElem;
+    lastLogTimestamp = '';
+    autoloadingDisabledFromButton = false;
+    loaderElem;
+    dataLoadingLock;
+
+    constructor() {
+        const id = document.body.dataset.containerId;
+        if (typeof(id) !== 'string' || !id.startsWith('nextcloud-aio-')) {
+            throw new Exception('Invalid container ID');
+        }
+        this.containerId = id;
+        this.logElem = document.querySelector('pre');
+        this.loaderElem = document.querySelector('.loader');
+        this.initAutoloadingControls();
+        // Enable automatic log data loading.
+        this.startAutoloading();
+    }
+
+    startAutoloading() {
+        // Load log data immediately.
+        this.loadAndAppendLogData();
+        // Load new log data repeatedly.
+        this.debug("Starting autoloading");
+        this.autoloadIntervalId = setInterval(() => {
+            if (this.isAutoloadingEnabled()) {
+                this.loadAndAppendLogData();
+            }
+        }, 5000);
+    }
+
+    stopAutoloading() {
+        this.debug("Stopping autoloading");
+        clearInterval(this.autoloadIntervalId);
+        this.autoloadIntervalId = null;
+    }
+
+    isAutoloadingEnabled() {
+        return !!this.autoloadIntervalId;
+    }
+
+    getUrl() {
+        return `${this.apiBaseUrl}?id=${this.containerId}&since=${this.lastLogTimestamp}`;
+    }
+
+    debug(...args) {
+        if (this.debugLog) {
+            console.debug('LogViewer:', ...args);
+        }
+    }
+
+    // Load log data and append it to the DOM.
+    loadAndAppendLogData() {
+        if (this.dataLoadingLock) {
+            this.debug("Another log data loading request is still running, cancelling this request");
+            return;
+        }
+        this.debug("Loading new log data");
+        this.dataLoadingLock = true;
+        this.loaderElem.classList.remove('hidden');
+        fetch(this.getUrl())
+            .then((response) => {
+                if (!response.ok) {
+                    throw new Error("Error while fetching log data!");
+                }
+                return response;
+            })
+            .then((response) => response.text())
+            .then((text) => {
+                text = text.trim();
+                if (text.length === 0) {
+                    this.debug("Received no new log data from server");
+                    return;
+                }
+                this.debug("Received", Math.round(text.length / 1024), "KB of new log data from server");
+                this.logElem.append(text + "\n");
+                this.scrollToBottom();
+                this.lastLogTimestamp = text.split("\n").at(-1)?.split(' ')[0] ?? '';
+            })
+            .finally(() => {
+                this.dataLoadingLock = false;
+                this.loaderElem.classList.add('hidden');
+                this.debug("Finished log data loading");
+            })
+            .catch((err) => console.error(err));
+    }
+
+    scrollToBottom() {
+        window.scrollTo(0, document.body.scrollHeight);
+    }
+
+    initAutoloadingControls() {
+        // Provide a button that allows to manually disable the autoloading.
+        const button = document.getElementById('autoloading-control');
+        const statusElem = document.getElementById('autoloading-status');
+        if (!button) {
+            return;
+        }
+        button.addEventListener('click', (event) => {
+            event.preventDefault();
+            if (this.isAutoloadingEnabled()) {
+                this.stopAutoloading();
+                statusElem.textContent = 'disabled';
+                button.textContent = 'Enable';
+                this.autoloadingDisabledFromButton = true;
+            } else {
+                this.startAutoloading();
+                statusElem.textContent = 'enabled';
+                button.textContent = 'Disable';
+                this.autoloadingDisabledFromButton = false;
+            }
+        });
+
+        // Load new data immediately if the window gets visible to the user again (unless autoloading has been
+        // disabled).
+        document.addEventListener('visibilitychange', () => {
+            if (document.visibilityState === 'visible') {
+                this.debug("Window became visible");
+                if (!this.autoloadingDisabledFromButton) {
+                    this.startAutoloading();
+                }
+            } else {
+                this.debug("Window became hidden");
+                this.stopAutoloading();
+            }
+        });
+    }
+}
+
+document.addEventListener("DOMContentLoaded", () => {
+    new LogViewer();
+});

php/public/style.css

@@ -468,7 +468,29 @@ input[type="checkbox"]:disabled:not(:checked) + label {
 }
 
 #overlay.loading {
-    display: block;
+    display: grid;
+    justify-items: center;
+    row-gap: 2rem;
+}
+
+#overlay #overlay-log.visible {
+    visibility: visible;
+    opacity: 1;
+    transition: opacity 1s ease-in;
+}
+
+#overlay #overlay-log {
+    visibility: hidden;
+    opacity: 0;
+    align-self: start;
+    width: 20%;
+    height: 7rem;
+    border-radius: var(--border-radius-large);
+    border: solid thin rgb(192, 192, 192);
+}
+
+.overlay-iframe {
+    padding: 1rem;
 }
 
 .loader {
@@ -479,9 +501,7 @@ input[type="checkbox"]:disabled:not(:checked) + label {
     height: 120px;
     -webkit-animation: spin 2s linear infinite; /* Safari */
     animation: spin 2s linear infinite;
-    position: absolute;
-    top: calc(50% - 60px);
-    left: calc(50% - 60px);
+    align-self: end;
 }
 
 /* Safari */
@@ -705,4 +725,4 @@ input[type="checkbox"]:disabled:not(:checked) + label {
     .office-suite-cards {
         grid-template-columns: 1fr;
     }
-}
+}

php/public/toggle-dark-mode.js

@@ -2,28 +2,26 @@
 function toggleTheme() {
     const currentTheme = document.documentElement.getAttribute('data-theme');
     const newTheme = (currentTheme === 'dark') ? '' : 'dark'; // Toggle between no theme and dark theme
-    document.documentElement.setAttribute('data-theme', newTheme);
+    setThemeToDOM(newTheme);
     localStorage.setItem('theme', newTheme);
 
     // Change the icon based on the current theme
-    const themeIcon = document.getElementById('theme-icon');
-    themeIcon.textContent = newTheme === 'dark' ? '☀️' : '🌙'; // Switch between moon and sun icons
+    setThemeIcon(newTheme);
 }
 
-// Function to immediately apply saved theme without icon update
-function applySavedThemeImmediately() {
-    const savedTheme = localStorage.getItem('theme');
-    if (savedTheme === 'dark') {
-        document.documentElement.setAttribute('data-theme', 'dark');
-    } else {
-        document.documentElement.removeAttribute('data-theme'); // Default to light theme
-    }
+function setThemeToDOM(value) {
+    // Set the theme to the root document and all possible iframe documents (so they can adapt their styling, too).
+    const documents = [document, Array.from(document.querySelectorAll('iframe')).map((iframe) => iframe.contentDocument)].flat()
+    documents.forEach((doc) => doc.documentElement.setAttribute('data-theme', value));
+}
+
+function getSavedTheme() {
+    return localStorage.getItem('theme') ?? '';
 }
 
 // Function to apply theme-icon update
-function setThemeIcon() {
-    const savedTheme = localStorage.getItem('theme');
-    if (savedTheme === 'dark') {
+function setThemeIcon(theme) {
+    if (theme === 'dark') {
         document.getElementById('theme-icon').textContent = '☀️'; // Sun icon for dark mode
     } else {
         document.getElementById('theme-icon').textContent = '🌙'; // Moon icon for light mode
@@ -31,7 +29,7 @@ function setThemeIcon() {
 }
 
 // Immediately apply the saved theme to avoid flickering
-applySavedThemeImmediately();
+setThemeToDOM(getSavedTheme());
 
 // Apply theme when the page loads
-document.addEventListener('DOMContentLoaded', setThemeIcon);
+document.addEventListener('DOMContentLoaded', () => setThemeIcon(getSavedTheme()));

php/src/Auth/AuthManager.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Auth;
 
@@ -19,7 +20,38 @@ readonly class AuthManager {
     }
 
     public function CheckToken(string $token) : bool {
-        return hash_equals($this->configurationManager->aioToken, $token);
+        $publicKeyBase64 = $this->configurationManager->aioPublicKey;
+        if ($publicKeyBase64 === '' || $token === '') {
+            return false;
+        }
+
+        try {
+            $publicKeyBin = sodium_base642bin($publicKeyBase64, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+            $tokenBin = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+        } catch (\SodiumException) {
+            return false;
+        }
+
+        $timestamp = sodium_crypto_sign_open($tokenBin, $publicKeyBin);
+
+        if ($timestamp === false) {
+            return false;
+        }
+
+        $timeElapsed = time() - (int) $timestamp;
+        if ($timeElapsed > 60 || $timeElapsed < 0) {
+            return false;
+        }
+
+        // Prevent token replay: reject tokens that have already been used
+        $tokenHash = hash('sha256', $token);
+        $cacheKey = 'used_token_' . $tokenHash;
+        if (apcu_fetch($cacheKey) !== false) {
+            return false;
+        }
+        apcu_add($cacheKey, true, 60);
+
+        return true;
     }
 
     public function SetAuthState(bool $isLoggedIn) : void {

php/src/Auth/PasswordGenerator.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Auth;
 

php/src/Container/AioVariables.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/Container.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/ContainerEnvironmentVariables.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/ContainerPort.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/ContainerPorts.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/ContainerState.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/ContainerVolume.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/ContainerVolumes.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/Container/VersionState.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Container;
 

php/src/ContainerDefinitionFetcher.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO;
 
@@ -90,6 +91,10 @@ readonly class ContainerDefinitionFetcher {
                 if (!$this->configurationManager->isDockerSocketProxyEnabled) {
                     continue;
                 }
+            } elseif ($entry['container_name'] === 'nextcloud-aio-harp') {
+                if (!$this->configurationManager->isHarpEnabled) {
+                    continue;
+                }
             } elseif ($entry['container_name'] === 'nextcloud-aio-whiteboard') {
                 if (!$this->configurationManager->isWhiteboardEnabled) {
                     continue;
@@ -199,6 +204,10 @@ readonly class ContainerDefinitionFetcher {
                         if (!$this->configurationManager->isDockerSocketProxyEnabled) {
                             continue;
                         }
+                    } elseif ($value === 'nextcloud-aio-harp') {
+                        if (!$this->configurationManager->isHarpEnabled) {
+                            continue;
+                        }
                     } elseif ($value === 'nextcloud-aio-whiteboard') {
                         if (!$this->configurationManager->isWhiteboardEnabled) {
                             continue;
@@ -246,7 +255,7 @@ readonly class ContainerDefinitionFetcher {
                 // All secrets are registered with the configuration when they 
                 // are discovered so they can be later generated at time-of-use.
                 foreach ($entry['secrets'] as $secret) {
-                    $this->configurationManager->RegisterSecret($secret);
+                    $this->configurationManager->registerSecret($secret);
                 }
             }
 

php/src/Controller/ConfigurationController.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Controller;
 
@@ -17,29 +18,30 @@ readonly class ConfigurationController {
 
     public function SetConfig(Request $request, Response $response, array $args): Response {
         try {
+            $this->configurationManager->startTransaction();
             if (isset($request->getParsedBody()['domain'])) {
                 $domain = $request->getParsedBody()['domain'] ?? '';
                 $skipDomainValidation = isset($request->getParsedBody()['skip_domain_validation']);
-                $this->configurationManager->SetDomain($domain, $skipDomainValidation);
+                $this->configurationManager->setDomain($domain, $skipDomainValidation);
             }
 
             if (isset($request->getParsedBody()['current-master-password']) || isset($request->getParsedBody()['new-master-password'])) {
                 $currentMasterPassword = $request->getParsedBody()['current-master-password'] ?? '';
                 $newMasterPassword = $request->getParsedBody()['new-master-password'] ?? '';
-                $this->configurationManager->ChangeMasterPassword($currentMasterPassword, $newMasterPassword);
+                $this->configurationManager->changeMasterPassword($currentMasterPassword, $newMasterPassword);
             }
 
             if (isset($request->getParsedBody()['borg_backup_host_location']) || isset($request->getParsedBody()['borg_remote_repo'])) {
                 $location = $request->getParsedBody()['borg_backup_host_location'] ?? '';
                 $borgRemoteRepo = $request->getParsedBody()['borg_remote_repo'] ?? '';
-                $this->configurationManager->SetBorgLocationVars($location, $borgRemoteRepo);
+                $this->configurationManager->setBorgLocationVars($location, $borgRemoteRepo);
             }
 
             if (isset($request->getParsedBody()['borg_restore_host_location']) || isset($request->getParsedBody()['borg_restore_remote_repo']) || isset($request->getParsedBody()['borg_restore_password'])) {
                 $restoreLocation = $request->getParsedBody()['borg_restore_host_location'] ?? '';
                 $borgRemoteRepo = $request->getParsedBody()['borg_restore_remote_repo'] ?? '';
                 $borgPassword = $request->getParsedBody()['borg_restore_password'] ?? '';
-                $this->configurationManager->SetBorgRestoreLocationVarsAndPassword($restoreLocation, $borgRemoteRepo, $borgPassword);
+                $this->configurationManager->setBorgRestoreLocationVarsAndPassword($restoreLocation, $borgRemoteRepo, $borgPassword);
             }
 
             if (isset($request->getParsedBody()['daily_backup_time'])) {
@@ -54,16 +56,16 @@ readonly class ConfigurationController {
                     $successNotification = false;
                 }
                 $dailyBackupTime = $request->getParsedBody()['daily_backup_time'] ?? '';
-                $this->configurationManager->SetDailyBackupTime($dailyBackupTime, $enableAutomaticUpdates, $successNotification);
+                $this->configurationManager->setDailyBackupTime($dailyBackupTime, $enableAutomaticUpdates, $successNotification);
             }
 
             if (isset($request->getParsedBody()['delete_daily_backup_time'])) {
-                $this->configurationManager->DeleteDailyBackupTime();
+                $this->configurationManager->deleteDailyBackupTime();
             }
 
             if (isset($request->getParsedBody()['additional_backup_directories'])) {
                 $additionalBackupDirectories = $request->getParsedBody()['additional_backup_directories'] ?? '';
-                $this->configurationManager->SetAdditionalBackupDirectories($additionalBackupDirectories);
+                $this->configurationManager->setAdditionalBackupDirectories($additionalBackupDirectories);
             }
 
             if (isset($request->getParsedBody()['delete_timezone'])) {
@@ -94,6 +96,7 @@ readonly class ConfigurationController {
                 $this->configurationManager->isImaginaryEnabled = isset($request->getParsedBody()['imaginary']);
                 $this->configurationManager->isFulltextsearchEnabled = isset($request->getParsedBody()['fulltextsearch']);
                 $this->configurationManager->isDockerSocketProxyEnabled = isset($request->getParsedBody()['docker-socket-proxy']);
+                $this->configurationManager->isHarpEnabled = isset($request->getParsedBody()['harp']);
                 $this->configurationManager->isWhiteboardEnabled = isset($request->getParsedBody()['whiteboard']);
             }
 
@@ -112,7 +115,7 @@ readonly class ConfigurationController {
             }
 
             if (isset($request->getParsedBody()['delete_collabora_dictionaries'])) {
-                $this->configurationManager->DeleteCollaboraDictionaries();
+                $this->configurationManager->deleteCollaboraDictionaries();
             }
 
             if (isset($request->getParsedBody()['collabora_dictionaries'])) {
@@ -130,13 +133,15 @@ readonly class ConfigurationController {
             }
 
             if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
-                $this->configurationManager->DeleteBorgBackupLocationItems();
+                $this->configurationManager->deleteBorgBackupLocationItems();
             }
 
             return $response->withStatus(201)->withHeader('Location', '.');
         } catch (InvalidSettingConfigurationException $ex) {
             $response->getBody()->write($ex->getMessage());
             return $response->withStatus(422);
+        } finally {
+            $this->configurationManager->commitTransaction();
         }
     }
 }

php/src/Controller/DockerController.php

@@ -1,13 +1,16 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Controller;
 
+use AIO\Container\Container;
 use AIO\Container\ContainerState;
 use AIO\ContainerDefinitionFetcher;
 use AIO\Docker\DockerActionManager;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use AIO\Data\ConfigurationManager;
+use Slim\Psr7\NonBufferedBody;
 
 readonly class DockerController {
     private const string TOP_CONTAINER = 'nextcloud-aio-apache';
@@ -19,12 +22,12 @@ readonly class DockerController {
     ) {
     }
 
-    private function PerformRecursiveContainerStart(string $id, bool $pullImage = true) : void {
+    private function PerformRecursiveContainerStart(string $id, bool $pullImage = true, ?\Closure $addToStreamingResponseBody = null) : void {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
         // Start all dependencies first and then itself
         foreach($container->dependsOn as $dependency) {
-            $this->PerformRecursiveContainerStart($dependency, $pullImage);
+            $this->PerformRecursiveContainerStart($dependency, $pullImage, $addToStreamingResponseBody);
         }
 
         // Don't start if container is already running
@@ -36,9 +39,9 @@ readonly class DockerController {
 
         $this->dockerActionManager->DeleteContainer($container);
         $this->dockerActionManager->CreateVolumes($container);
-        $this->dockerActionManager->PullImage($container, $pullImage);
+        $this->dockerActionManager->PullImage($container, $pullImage, $addToStreamingResponseBody);
         $this->dockerActionManager->CreateContainer($container);
-        $this->dockerActionManager->StartContainer($container);
+        $this->dockerActionManager->StartContainer($container, $addToStreamingResponseBody);
         $this->dockerActionManager->ConnectContainerToNetwork($container);
     }
 
@@ -68,7 +71,8 @@ readonly class DockerController {
             $id = $requestParams['id'];
         }
         if (str_starts_with($id, 'nextcloud-aio-')) {
-            $logs = $this->dockerActionManager->GetLogs($id);
+            $since = $this->getTimestampForDockerLogsApiSince($requestParams['since'] ?? '');
+            $logs = $this->dockerActionManager->GetLogs($id, $since);
         } else {
             $logs = 'Container not found.';
         }
@@ -178,7 +182,7 @@ readonly class DockerController {
         }
 
         if (isset($request->getParsedBody()['install_latest_major'])) {
-            $installLatestMajor = '32';
+            $installLatestMajor = '33';
         } else {
             $installLatestMajor = '';
         }
@@ -197,25 +201,54 @@ readonly class DockerController {
         if ($pullImage === false) {
             error_log('WARNING: Not pulling container images. Instead, using local ones.');
         }
+        
+        $nonbufResp = $response
+            ->withBody(new NonBufferedBody())
+            ->withHeader('Content-Type', 'text/html; charset=utf-8')
+            ->withHeader('X-Accel-Buffering', 'no')
+            ->withHeader('Cache-Control', 'no-cache');
+            
+        // Text written into this body is immediately sent to the client, without waiting for later content.
+        $streamingResponseBody = $nonbufResp->getBody();
+        
+        $streamingResponseBody->write($this->getStreamingResponseHtmlStart());
+        
+        // Create a closure to pass around to the code, which should to the logging (because it e.g. decides
+        // if it'll actually pull an image), but which should not need to know anything about the
+        // wanted markup or formatting.
+        $addToStreamingResponseBody = function (Container $container, string $message) use ($streamingResponseBody) : void {
+            $streamingResponseBody->write("<div>{$container->displayName}: {$message}</div>");
+        };
+        
         // Start container
-        $this->startTopContainer($pullImage);
+        $this->startTopContainer($pullImage, $addToStreamingResponseBody);
 
         // Clear apcu cache in order to check if container updates are available
         // Temporarily disabled as it leads much faster to docker rate limits
         // apcu_clear_cache();
 
-        return $response->withStatus(201)->withHeader('Location', '.');
+        $streamingResponseBody->write($this->getStreamingResponseHtmlEnd());
+        return $nonbufResp;
     }
 
-    public function startTopContainer(bool $pullImage) : void {
-        $this->configurationManager->aioToken = bin2hex(random_bytes(24));
+    public function startTopContainer(bool $pullImage, ?\Closure $addToStreamingResponseBody = null) : void {
+        $keypair = sodium_crypto_sign_keypair();
+
+        $privateKeyBin = sodium_crypto_sign_secretkey($keypair);
+        $publicKeyBin = sodium_crypto_sign_publickey($keypair);
+
+        $privateKeyBase64 = sodium_bin2base64($privateKeyBin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+        $publicKeyBase64 = sodium_bin2base64($publicKeyBin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
+
+        $this->configurationManager->aioPublicKey = $publicKeyBase64;
+        $this->configurationManager->aioPrivateKey = $privateKeyBase64;
 
         // Stop domaincheck since apache would not be able to start otherwise
         $this->StopDomaincheckContainer();
 
         $id = self::TOP_CONTAINER;
 
-        $this->PerformRecursiveContainerStart($id, $pullImage);
+        $this->PerformRecursiveContainerStart($id, $pullImage, $addToStreamingResponseBody);
     }
 
     public function StartWatchtowerContainer(Request $request, Response $response, array $args) : Response {
@@ -307,4 +340,65 @@ readonly class DockerController {
         $id = 'nextcloud-aio-domaincheck';
         $this->PerformRecursiveContainerStop($id);
     }
+
+    private function getStreamingResponseHtmlStart() : string {
+        return <<<END
+        <!DOCTYPE html>
+        <html lang="en" class="overlay-iframe">
+            <head>
+                <link rel="stylesheet" href="../../style.css?v8" media="all" />
+                <script>
+                    const observer = new MutationObserver((records) => {
+                        const node = records[0]?.addedNodes[0];
+                        // Text nodes also appear here but can't be scrolled to, so we have to check for the
+                        // function being present.
+                        if (node && typeof(node.scrollIntoView) === 'function') {
+                            node.scrollIntoView();
+                        }
+                    });
+                    observer.observe(document, {childList: true, subtree: true});
+                </script>
+            </head>
+            <body>
+            
+        END;
+    }
+    
+    private function getStreamingResponseHtmlEnd() : string {
+        return "\n  </body>\n</html>";
+    }
+
+    private function getTimestampForDockerLogsApiSince(string $input) : string
+    {
+        if ($input === '') {
+            return '';
+        }
+
+        // We expect an RFC3339Nano string with Timezone UTC here, as docker will put out.
+        // Unfortunately PHP doesn't support this format with nanoseconds, so we have to help
+        // ourselves a little bit.
+        // First we split off the nanoseconds.
+        preg_match('/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{9}).*/', $input, $match);
+        if (count($match) !== 3) {
+            // The input doesn't match our expectations, it might be manipulated, we ignore it.
+            return '';
+        }
+
+        $datetime = \DateTimeImmutable::createFromFormat("Y-m-d\\TH:i:s", $match[1]);
+        $nanoseconds = $match[2];
+
+        if ($datetime === false) {
+            // Input was not parseable, it might be manipulated, we ignore it.
+            return '';
+        }
+
+        // Format the datetime as unix timestamp.
+        $timestamp = $datetime->format('U');
+
+        // Increase the nanoseconds by 1, so we don't get the line with exactly the original datetime again.
+        $nanoseconds = strval(intval($nanoseconds) + 1);
+
+        // Now append the nanoseconds to the timestamp-string.
+        return "{$timestamp}.{$nanoseconds}";
+    }
 }

php/src/Controller/LoginController.php

@@ -1,4 +1,5 @@
 <?php
+declare(strict_types=1);
 
 namespace AIO\Controller;