Restore backup_volumes and fix secrets declarations in MySQL DB containers

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com> Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/729f8a52-a9df-49b9-b95f-20103c416d52
Add Bahmni Lite community container with caddy/fail2ban integration
2026-05-21 10:50:10 +00:00 · 2026-03-24 16:50:46 +00:00 · 2026-03-24 16:45:11 +00:00 · 2026-03-24 15:39:35 +01:00 · 2026-03-24 12:06:03 +00:00 · 2026-03-23 08:43:13 +01:00
180 changed files with 3458 additions and 1958 deletions
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -37,5 +37,3 @@ labels: 0. Needs triage
 #### Output of `sudo docker ps -a`

 #### Other valuable info <!--- (like additional logs, screenshots & Co.) -->
-
-#### A picture of a cute animal <!--- (not mandatory but encouraged) -->
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,6 +10,8 @@ updates:
  labels:
  - 3. to review
  - dependencies
+  cooldown:
+    default-days: 7
 - package-ecosystem: composer
  directory: "/php/"
  schedule:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -0,0 +1,5 @@
+<!--
+  - 🚨 SECURITY INFO
+  -
+  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
+-->
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check spelling
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
        with:
--- a/.github/workflows/collabora.yml
+++ b/.github/workflows/collabora.yml
@@ -10,7 +10,7 @@ jobs:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
@@ -18,8 +18,9 @@ jobs:
        mv cool-seccomp-profile.json php/
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
        signoff: true
        title: collabora seccomp update
--- a/.github/workflows/community-containers.yml
+++ b/.github/workflows/community-containers.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -10,10 +10,10 @@ jobs:
    name: Run dependency update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
      with:
-        php-version: 8.4
+        php-version: 8.5
        extensions: apcu
    - name: Run dependency update script
      run: |
@@ -43,9 +43,19 @@ jobs:
            | tail -1
        )"
        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
+
+        # CADDY_REMOTE_HOST_HASH
+        CADDY_REMOTE_HOST_HASH="$(
+          git ls-remote https://github.com/muety/caddy-remote-host master \
+            | cut -f1 \
+            | tail -1
+        )"
+        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
+
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
        signoff: true
        title: PHP dependency updates
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install hadolint
        run: |
--- a/.github/workflows/fail-on-prerelease.yml
+++ b/.github/workflows/fail-on-prerelease.yml
@@ -0,0 +1,50 @@
+name: Block if prerelease is present
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  check-latest-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Check latest published release isn't a prerelease"
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
+        with:
+          script: |
+            const tags = await github.rest.repos.listTags({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 1
+            });
+
+            if (!tags.data || tags.data.length === 0) {
+              core.info('No tags found for this repository; skipping prerelease check.');
+              return;
+            }
+
+            const latestTag = tags.data[0].name;
+            core.info(`Latest tag found: ${latestTag}`);
+
+            try {
+              const { data } = await github.rest.repos.getReleaseByTag({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                tag: latestTag
+              });
+
+              if (data.prerelease) {
+                core.setFailed(`Release for tag ${latestTag} (${data.tag_name}) is a prerelease. Blocking merges to main as we need to wait for the prerelease to become stable.`);
+              } else {
+                core.info(`Release for tag ${latestTag} (${data.tag_name}) is not a prerelease.`);
+              }
+
+            } catch (err) {
+              if (err.status === 404) {
+                core.info(`No release found for tag ${latestTag}; skipping prerelease check.`);
+              } else {
+                throw err;
+              }
+            }
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Turnstyle
        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
--- a/.github/workflows/imaginary-update.yml
+++ b/.github/workflows/imaginary-update.yml
@@ -10,7 +10,7 @@ jobs:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -22,8 +22,9 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
        signoff: true
        title: Imaginary update
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate Json
        run: |
          sudo apt-get update
--- a/.github/workflows/lint-helm.yml
+++ b/.github/workflows/lint-helm.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -30,13 +30,13 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        php-versions: [ "8.4" ]
+        php-versions: [ "8.5" ]

    name: php-lint

    steps:
      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

--- a/.github/workflows/lint-yaml.yml
+++ b/.github/workflows/lint-yaml.yml
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
        with:
          persist-credentials: false

@@ -36,7 +36,7 @@ jobs:
            line-length: warning

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0

      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
--- a/.github/workflows/nextcloud-update.yml
+++ b/.github/workflows/nextcloud-update.yml
@@ -11,7 +11,7 @@ jobs:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -79,8 +79,9 @@ jobs:
        fi

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
        signoff: true
        title: Nextcloud dependency update
--- a/.github/workflows/php-deprecation-detector.yml
+++ b/.github/workflows/php-deprecation-detector.yml
@@ -16,11 +16,11 @@ jobs:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
-          php-version: 8.4
+          php-version: 8.5
          extensions: apcu
          coverage: none

--- a/.github/workflows/playwright-on-push.yml
+++ b/.github/workflows/playwright-on-push.yml
@@ -24,9 +24,9 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*

@@ -36,11 +36,11 @@ jobs:
      - name: Install Playwright Browsers
        run: cd php/tests && npx playwright install --with-deps chromium

-      - name: Set up php 8.4
+      - name: Set up php 8.5
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          extensions: apcu
-          php-version: 8.4
+          php-version: 8.5
          coverage: none
          ini-file: development
        env:
@@ -114,7 +114,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
--- a/.github/workflows/playwright-on-workflow-dispatch.yml
+++ b/.github/workflows/playwright-on-workflow-dispatch.yml
@@ -13,9 +13,9 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: lts/*

@@ -82,7 +82,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
--- a/.github/workflows/psalm-update-baseline.yml
+++ b/.github/workflows/psalm-update-baseline.yml
@@ -10,14 +10,15 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
-          php-version: 8.4
+          php-version: 8.5
          extensions: apcu
          coverage: none
+          ini-file: development

      - name: Run script
        run: |
@@ -30,9 +31,9 @@ jobs:
        continue-on-error: true

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
-          token: ${{ secrets.COMMAND_BOT_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update psalm baseline
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -32,19 +32,18 @@ jobs:
    name: static-psalm-analysis
    steps:
      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
-          php-version: 8.4
+          php-version: 8.5
          extensions: apcu
          coverage: none
          ini-file: development
-          # Temporary workaround for missing pcntl_* in PHP 8.3
-          ini-values: disable_functions=
+
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -15,7 +15,7 @@ jobs:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run Shellcheck
      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
      with:
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -10,7 +10,7 @@ jobs:
    name: update talk
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run talk-container-update
      run: |
        # Recording
@@ -45,8 +45,9 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
        signoff: true
        title: talk container update
--- a/.github/workflows/twig-lint.yml
+++ b/.github/workflows/twig-lint.yml
@@ -24,12 +24,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up php ${{ matrix.php-versions }}
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
-          php-version: 8.4
+          php-version: 8.5
          extensions: apcu
          coverage: none

--- a/.github/workflows/update-copyright.yml
+++ b/.github/workflows/update-copyright.yml
@@ -8,4 +8,4 @@ jobs:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/update-helm.yml
+++ b/.github/workflows/update-helm.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update helm chart
        run: |
          set -x
@@ -23,7 +23,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Helm Chart updates
          signoff: true
--- a/.github/workflows/update-yaml.yml
+++ b/.github/workflows/update-yaml.yml
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Yaml updates
          signoff: true
--- a/.github/workflows/watchtower-update.yml
+++ b/.github/workflows/watchtower-update.yml
@@ -10,7 +10,7 @@ jobs:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run watchtower-container-update
      run: |
        # Watchtower
@@ -26,8 +26,9 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
        signoff: true
        title: watchtower container update
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,13 @@
+<!--
+ - SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
+ - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.
+
+Our code of conduct offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere, and to explain how together we can strengthen and support each other.
+
+The Code of Conduct is shared by all contributors and users who engage with the Nextcloud team and its community services. It presents a summary of the shared values and “common sense” thinking in our community.
+
+You can find our full code of conduct on our website: https://nextcloud.com/code-of-conduct/
+
+Please, keep our CoC in mind when you contribute! That way, everyone can be a part of our community in a productive, positive, creative and fun way.
--- a/Containers/alpine/Dockerfile
+++ b/Containers/alpine/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a
--- a/Containers/apache/Caddyfile
+++ b/Containers/apache/Caddyfile
@@ -15,7 +15,7 @@
 }

 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
    header -Server
    header -X-Powered-By
@@ -58,6 +58,11 @@ http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see con
        reverse_proxy {$WHITEBOARD_HOST}:3002
    }

+    # HaRP (ExApps)
+    route /exapps/* {
+        reverse_proxy {$HARP_HOST}:8780
+    }
+
    # Nextcloud
    route {
        header Strict-Transport-Security max-age=31536000;
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.10.2-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
 FROM httpd:2.4.66-alpine3.23
@@ -79,7 +79,8 @@ RUN set -ex; \
    chmod 777 -R /usr/local/apache2/logs; \
    rm -rf /usr/local/apache2/cgi-bin/; \
    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl

 USER 33

@@ -88,4 +89,5 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/borgbackup/Dockerfile
+++ b/Containers/borgbackup/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3

 RUN set -ex; \
    \
@@ -24,5 +24,6 @@ ENTRYPOINT ["/start.sh"]
 USER root

 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
--- a/Containers/borgbackup/backupscript.sh
+++ b/Containers/borgbackup/backupscript.sh
@@ -77,6 +77,10 @@ if [ "$BORG_MODE" = backup ]; then
    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
        echo "configuration.json not present. Cannot perform the backup!"
        exit 1
+    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
+    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
+        echo "It seems like the configuration.json setup was not done correctly. Something is wrong! (Most likely the provided configuration.json is invalid)"
+        exit 1
    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
        echo "config.php is missing. Cannot perform backup!"
        exit 1
@@ -514,6 +518,10 @@ if [ "$BORG_MODE" = restore ]; then

    if [ "$RESTORE_FAILED" = 1 ]; then
        exit 1
+    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
+    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
+        echo "It seems like the restore of the configuration.json was not done correctly. Something is wrong! (Most likely is the restore archive already incorrect)!"
+        exit 1
    fi

    # Inform user
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -33,5 +33,6 @@ VOLUME /var/lib/clamav
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
--- a/Containers/collabora-online/Dockerfile
+++ b/Containers/collabora-online/Dockerfile
@@ -12,4 +12,5 @@ USER 1001

 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/collabora/Dockerfile
+++ b/Containers/collabora/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.8.1.1
+FROM collabora/code:25.04.9.4.1

 USER root
 ARG DEBIAN_FRONTEND=noninteractive
@@ -11,4 +11,5 @@ USER 1001

 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.1-alpine
+FROM haproxy:3.3.6-alpine

 # hadolint ignore=DL3002
 USER root
@@ -19,4 +19,5 @@ COPY --chmod=664 haproxy.cfg /haproxy.cfg
 ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/domaincheck/Dockerfile
+++ b/Containers/domaincheck/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -18,4 +18,5 @@ ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.10
+FROM elasticsearch:8.19.13

 USER root

@@ -22,5 +22,6 @@ USER 1000:0

 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.5-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go

 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee

@@ -14,7 +14,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";

-FROM alpine:3.23.2
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -43,4 +43,5 @@ ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/mastercontainer/Caddyfile
+++ b/Containers/mastercontainer/Caddyfile
@@ -1,37 +0,0 @@
-{
-    # auto_https will create redirects for https://{host}:8443 instead of https://{host}
-    # https redirects are added manually in the http://:80 block
-    auto_https disable_redirects
-
-    storage file_system {
-        root /mnt/docker-aio-config/caddy/
-    }
-
-    log {
-        level ERROR
-    }
-
-    servers {
-        protocols h1 h2 h2c
-    }
-
-    on_demand_tls {
-        ask http://127.0.0.1:9876/
-    }
-}
-
-http://:80 {
-    redir https://{host}{uri} permanent
-}
-
-https://:8443 {
-
-    reverse_proxy 127.0.0.1:8000
-
-    tls {
-        on_demand
-        issuer acme {
-            disable_tlsalpn_challenge
-        }
-    }
-}
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -1,12 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.1.4-cli AS docker
+FROM docker:29.3.0-cli AS docker
+
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276

 # Caddy is a requirement
-FROM caddy:2.10.2-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
+RUN set -ex; \
+    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
+    /usr/bin/caddy list-modules

-# From https://github.com/docker-library/php/blob/master/8.4/alpine3.23/fpm/Dockerfile
-FROM php:8.4.16-fpm-alpine3.23
+# From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
+FROM php:8.5.4-fpm-alpine3.23

 EXPOSE 80
 EXPOSE 8080
@@ -21,9 +26,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 COPY community-containers /var/www/docker-aio/community-containers
 COPY php /var/www/docker-aio/php
 COPY --chmod=775 Containers/mastercontainer/*.sh /
-COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile
+COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
 COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
-COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf

 WORKDIR /var/www/docker-aio

@@ -37,13 +41,8 @@ RUN set -ex; \
    apk add --no-cache \
        util-linux-misc \
        ca-certificates \
-        wget \
        bash \
-        apache2 \
-        apache2-proxy \
-        apache2-ssl \
        supervisor \
-        openssl \
        sudo \
        netcat-openbsd \
        curl \
@@ -67,11 +66,12 @@ RUN set -ex; \
    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
+    grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
+    sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
+    echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \
    \
    apk add --no-cache git; \
-    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
+    curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
    chmod +x /usr/local/bin/composer; \
    cd /var/www/docker-aio; \
    rm -r ./php/tests; \
@@ -86,47 +86,12 @@ RUN set -ex; \
    rm -r php/data; \
    rm -r php/session; \
    \
-    mkdir -p /etc/apache2/certs; \
-    cd /etc/apache2/certs; \
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
-    \
-    sed -i \
-            -e '/^Listen /d' \
-            -e 's/^LogLevel .*/LogLevel error/' \
-            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
-            -e 's/User apache/User www-data/g' \
-            -e 's/Group apache/Group www-data/g' \
-            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
-        /etc/apache2/httpd.conf; \
-        mkdir -p /etc/apache2/logs; \
-        rm /etc/apache2/conf.d/ssl.conf; \
-        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
-        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
-        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
-        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
-        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
-    \
-    rm -f /etc/apache2/conf.d/default.conf \
-          /etc/apache2/conf.d/userdir.conf \
-          /etc/apache2/conf.d/info.conf; \
-    \
-    rm -rf /var/www/localhost/cgi-bin/; \
    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord;

 # hadolint ignore=DL3048
 LABEL org.label-schema.vendor="Nextcloud" \
+    wud.watch="false" \
    com.docker.compose.project="nextcloud-aio"

 # hadolint ignore=DL3002
--- a/Containers/mastercontainer/README.md
+++ b/Containers/mastercontainer/README.md
@@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment
 of all other containers in the Nextcloud All-in-One stack. It hosts:

 - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp
- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp.
+- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
+- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
  - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
    is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
    domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will
--- a/Containers/mastercontainer/acme.Caddyfile
+++ b/Containers/mastercontainer/acme.Caddyfile
@@ -0,0 +1,52 @@
+{
+	admin off
+
+	# auto_https will create redirects for https://{host}:8443 instead of https://{host}
+	# https redirects are added manually in the http://:80 block
+	auto_https disable_redirects
+
+	storage file_system {
+		root /mnt/docker-aio-config/caddy/
+	}
+
+	log {
+		level ERROR
+		# We need to exclude the remote-host plugin from logging as it would spam the logs
+		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
+		exclude http.matchers.remote_host
+	}
+
+	servers {
+		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
+		protocols h1
+	}
+
+	on_demand_tls {
+		ask http://127.0.0.1:9876/
+	}
+
+	skip_install_trust
+}
+
+http://:80 {
+	redir https://{host}{uri} permanent
+}
+
+https://:8443 {
+	@denied {
+		path /api/auth/login /api/auth/getlogin
+		remote_host nextcloud-aio-nextcloud
+	}
+	abort @denied
+
+	root * /var/www/docker-aio/php/public
+	php_fastcgi unix//run/php.sock
+	file_server
+
+	tls {
+		on_demand
+		issuer acme {
+			disable_tlsalpn_challenge
+		}
+	}
+}
--- a/Containers/mastercontainer/daily-backup.sh
+++ b/Containers/mastercontainer/daily-backup.sh
@@ -4,7 +4,7 @@ echo "Daily backup script has started"

 # Check if initial configuration has been done, otherwise this script should do nothing.
 CONFIG_FILE=/mnt/docker-aio-config/data/configuration.json
-if ! [ -f "$CONFIG_FILE" ] || ! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE"; then
+if ! [ -f "$CONFIG_FILE" ] || (! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE" && ! grep -q "wasStartButtonClicked.*true" "$CONFIG_FILE"); then
    echo "Initial configuration via AIO interface not done yet. Exiting..."
    exit 0
 fi
--- a/Containers/mastercontainer/healthcheck.sh
+++ b/Containers/mastercontainer/healthcheck.sh
@@ -2,9 +2,8 @@

 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
-    nc -z 127.0.0.1 8000 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
    nc -z 127.0.0.1 8443 || exit 1
-    nc -z 127.0.0.1 9000 || exit 1
+    test -S /run/php.sock || exit 1
    nc -z 127.0.0.1 9876 || exit 1
 fi
--- a/Containers/mastercontainer/internal.Caddyfile
+++ b/Containers/mastercontainer/internal.Caddyfile
@@ -0,0 +1,38 @@
+{
+	admin off
+
+	storage file_system {
+		root /mnt/docker-aio-config/caddy/
+	}
+
+	log {
+		level ERROR
+		# We need to exclude the remote-host plugin from logging as it would spam the logs
+		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
+		exclude http.matchers.remote_host
+	}
+
+	servers {
+		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
+		protocols h1
+	}
+
+	skip_install_trust
+}
+
+https://:8080 {
+	@denied {
+		path /api/auth/login /api/auth/getlogin
+		remote_host nextcloud-aio-nextcloud
+	}
+	abort @denied
+
+	root * /var/www/docker-aio/php/public
+	php_fastcgi unix//run/php.sock
+	file_server
+
+	tls {
+		on_demand
+		issuer internal
+	}
+}
--- a/Containers/mastercontainer/mastercontainer.conf
+++ b/Containers/mastercontainer/mastercontainer.conf
@@ -1,62 +0,0 @@
-Listen 127.0.0.1:8000
-Listen 8080 https
-
-# Deny access to .ht files
-<Files ".ht*">
-    Require all denied
-</Files>
-
-# Http host
-<VirtualHost 127.0.0.1:8000>
-    ServerName 127.0.0.1
-
-    # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
-    ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
-
-    # PHP match
-    <FilesMatch "\.php$">
-        SetHandler "proxy:fcgi://127.0.0.1:9000"
-    </FilesMatch>
-    # Master dir
-    DocumentRoot /var/www/docker-aio/php/public/
-    <Directory /var/www/docker-aio/php/public/>
-        RewriteEngine On
-        RewriteCond %{REQUEST_FILENAME} !-f
-        RewriteRule ^ index.php [QSA,L]
-        Options Indexes FollowSymLinks
-        Require all granted
-        AllowOverride All
-        Options FollowSymLinks MultiViews
-        Satisfy Any
-        <IfModule mod_dav.c>
-            Dav off
-        </IfModule>
-    </Directory>
-</VirtualHost>
-
-# Https host
-<VirtualHost *:8080>
-    # Proxy to https
-    ProxyPass / http://127.0.0.1:8000/
-    ProxyPassReverse / http://127.0.0.1:8000/
-    ProxyPreserveHost On
-    # SSL
-    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
-    SSLCertificateFile /etc/apache2/certs/ssl.crt
-    SSLEngine               on
-    SSLProtocol             -all +TLSv1.2 +TLSv1.3
-    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-    SSLHonorCipherOrder     off
-    SSLSessionTickets       off
-</VirtualHost>
-
-# Increase timeout in case e.g. the initial download takes a long time
-Timeout 7200
-ProxyTimeout 7200
-
-# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
-TraceEnable Off
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -162,6 +162,9 @@ if ! sudo -E -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-a
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
    exit 1
+elif sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format "{{.Config.Image}}" | grep -q '@'; then
+    print_red "It seems like you used a hash for the mastercontainer image tag. This is not supported!"
+    exit 1
 elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
@@ -361,7 +364,6 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/certs/ 

 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -369,37 +371,6 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown root:root -R /mnt/docker-aio-config/certs/
-
-# Don't allow access to the AIO interface from the Nextcloud container
-# Probably more cosmetic than anything but at least an attempt
-if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
-    cat << APACHE_CONF >> /etc/apache2/httpd.conf
-# nextcloud-aio-block-start
-<Location />
-order allow,deny
-deny from nextcloud-aio-nextcloud.nextcloud-aio
-allow from all
-</Location>
-# nextcloud-aio-block-end
-APACHE_CONF
-fi
-
-# Adjust certs
-GENERATED_CERTS="/mnt/docker-aio-config/certs"
-TMP_CERTS="/etc/apache2/certs"
-mkdir -p "$GENERATED_CERTS"
-cd "$GENERATED_CERTS" || exit 1
-if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
-fi
-if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
-    cd "$TMP_CERTS" || exit 1
-    rm ./ssl.crt
-    rm ./ssl.key
-    cp "$GENERATED_CERTS/ssl.crt" ./
-    cp "$GENERATED_CERTS/ssl.key" ./
-fi

 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -412,8 +383,11 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC

-# Fix apache startup
-rm -f /var/run/apache2/httpd.pid
+# Remove unused certs
+rm -vrf /mnt/docker-aio-config/certs
+
+# Remove the php socket as safeguard
+rm -vf /run/php.sock

 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
@@ -421,7 +395,8 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
 fi

 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /acme.Caddyfile
+caddy fmt --overwrite /internal.Caddyfile

 # Fix caddy log 
 chmod 777 /root
--- a/Containers/mastercontainer/supervisord.conf
+++ b/Containers/mastercontainer/supervisord.conf
@@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0
 command=php-fpm
 user=root

-[program:apache]
-# Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
-user=root
-
-[program:caddy]
+[program:caddy-internal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /internal.Caddyfile
+user=www-data
+
+[program:caddy-acme]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/usr/bin/caddy run --config /acme.Caddyfile
 user=www-data

 [program:cron]
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.29-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23

 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=32.0.3
+ENV NEXTCLOUD_VERSION=32.0.6
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -264,4 +264,5 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/nextcloud/config/postgres.config.php
+++ b/Containers/nextcloud/config/postgres.config.php
@@ -10,7 +10,7 @@ if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES')) {
 if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL')) {
  $CONFIG = array(
    'dbdriveroptions' => array(
-      'PDO::MYSQL_ATTR_SSL_CA' => '/var/www/html/data/certificates/ca-bundle.crt',
+      PDO::MYSQL_ATTR_SSL_CA => '/var/www/html/data/certificates/ca-bundle.crt',
    ),
  );
 }
--- a/Containers/nextcloud/config/redis.config.php
+++ b/Containers/nextcloud/config/redis.config.php
@@ -1,14 +1,18 @@
 <?php
-if (getenv('REDIS_HOST')) {
+if (getenv('REDIS_MODE') !== 'rediscluster') {
  $CONFIG = array(
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
-    'redis' => array(
-      'host' => getenv('REDIS_HOST'),
-      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
-    ),
  );

+  if (getenv('REDIS_HOST')) {
+    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
+  }
+
+  if (getenv('REDIS_HOST_PASSWORD')) {
+    $CONFIG['redis']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
+  }
+
  if (getenv('REDIS_PORT')) {
    $CONFIG['redis']['port'] = (int) getenv('REDIS_PORT');
  }
@@ -17,7 +21,44 @@ if (getenv('REDIS_HOST')) {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }

-  if (getenv('REDIS_USER_AUTH') !== false) {
+  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
+
+  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
+    $CONFIG['redis']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
+  }
+} else {
+  $CONFIG = array(
+    'memcache.distributed' => '\OC\Memcache\Redis',
+    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis.cluster' => array(
+      'timeout' => 0.0,
+      'read_timeout' => 0.0,
+      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
+      'seeds' => array_values(array_filter(array(
+        (getenv('REDIS_HOST') && getenv('REDIS_PORT')) ? (getenv('REDIS_HOST') . ':' . (string)getenv('REDIS_PORT')) : null,
+        (getenv('REDIS_HOST_2') && getenv('REDIS_PORT_2')) ? (getenv('REDIS_HOST_2') . ':' . (string)getenv('REDIS_PORT_2')) : null,
+        (getenv('REDIS_HOST_3') && getenv('REDIS_PORT_3')) ? (getenv('REDIS_HOST_3') . ':' . (string)getenv('REDIS_PORT_3')) : null,
+        (getenv('REDIS_HOST_4') && getenv('REDIS_PORT_4')) ? (getenv('REDIS_HOST_4') . ':' . (string)getenv('REDIS_PORT_4')) : null,
+        (getenv('REDIS_HOST_5') && getenv('REDIS_PORT_5')) ? (getenv('REDIS_HOST_5') . ':' . (string)getenv('REDIS_PORT_5')) : null,
+        (getenv('REDIS_HOST_6') && getenv('REDIS_PORT_6')) ? (getenv('REDIS_HOST_6') . ':' . (string)getenv('REDIS_PORT_6')) : null,
+        (getenv('REDIS_HOST_7') && getenv('REDIS_PORT_7')) ? (getenv('REDIS_HOST_7') . ':' . (string)getenv('REDIS_PORT_7')) : null,
+        (getenv('REDIS_HOST_8') && getenv('REDIS_PORT_8')) ? (getenv('REDIS_HOST_8') . ':' . (string)getenv('REDIS_PORT_8')) : null,
+        (getenv('REDIS_HOST_9') && getenv('REDIS_PORT_9')) ? (getenv('REDIS_HOST_9') . ':' . (string)getenv('REDIS_PORT_9')) : null,
+      ))),
+    ),
+  );
+
+  if (getenv('REDIS_HOST_PASSWORD')) {
+    $CONFIG['redis.cluster']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
+  }
+
+  if (getenv('REDIS_USER_AUTH')) {
+    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
+  }
+
+  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
+    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
+  }
 }
--- a/Containers/nextcloud/config/s3.config.php
+++ b/Containers/nextcloud/config/s3.config.php
@@ -34,4 +34,14 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
  if ($sse_c_key) {
    $CONFIG['objectstore']['arguments']['sse_c_key'] = $sse_c_key;
  }
+
+  $requestChecksumValidation = getenv('OBJECTSTORE_S3_REQUEST_CHECKSUM_VALIDATION');
+  if ($requestChecksumValidation) {
+    $CONFIG['objectstore']['arguments']['request_checksum_calculation'] = $requestChecksumValidation;
+  }
+
+  $responseChecksumValidation = getenv('OBJECTSTORE_S3_RESPONSE_CHECKSUM_VALIDATION');
+  if ($responseChecksumValidation) {
+    $CONFIG['objectstore']['arguments']['response_checksum_validation'] = $responseChecksumValidation;
+  }
 }
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@@ -182,8 +182,11 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            curl -fsSL -o nextcloud.tar.bz2.asc "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2.asc"
            GNUPGHOME="$(mktemp -d)"
            export GNUPGHOME
-            # gpg key from https://nextcloud.com/nextcloud.asc
-            gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A
+            if ! gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+                if ! gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+                    curl -sSL https://nextcloud.com/nextcloud.asc | gpg --import
+                fi
+            fi
            gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2
            mkdir -p /usr/src/tmp
            tar -xjf nextcloud.tar.bz2 -C /usr/src/tmp/
@@ -666,8 +669,12 @@ php /var/www/html/occ config:system:set documentation_url.server_logs --value="h
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess

-# Revert dbpersistent setting to check if it fixes too many db connections
-php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
+# Handle db persistent settings
+if [ "$NEXTCLOUD_PERSIST_DATABASE_CONNECTIONS" = "yes" ]; then
+    php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
+else
+    php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
+fi

 if [ "$DISABLE_BRUTEFORCE_PROTECTION" = yes ]; then
    php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=false
@@ -894,7 +901,9 @@ if [ -d "/var/www/html/custom_apps/spreed" ]; then
        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
    else
-        php /var/www/html/occ config:app:delete spreed recording_servers
+        if [ "$REMOVE_DISABLED_APPS" = yes ]; then
+            php /var/www/html/occ config:app:delete spreed recording_servers
+        fi
    fi
 fi

@@ -1020,13 +1029,13 @@ else
    fi
 fi

-# Docker socket proxy
+# Docker socket proxy / HaRP
 # app_api is a shipped app
 if [ -d "/var/www/html/custom_apps/app_api" ]; then
    php /var/www/html/occ app:disable app_api
    rm -r "/var/www/html/custom_apps/app_api"
 fi
-if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
+if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ] || [ "$HARP_ENABLED" = 'yes' ]; then
    if [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
        php /var/www/html/occ app:enable app_api
    fi
--- a/Containers/nextcloud/upgrade.exclude
+++ b/Containers/nextcloud/upgrade.exclude
@@ -3,3 +3,4 @@
 /custom_apps/
 /themes/
 /version.php
+/lost+found
--- a/Containers/notify-push/Dockerfile
+++ b/Containers/notify-push/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -11,7 +11,6 @@ RUN set -ex; \
        netcat-openbsd \
        tzdata \
        bash \
-        jq \
        openssl; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -23,4 +22,5 @@ ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/notify-push/start.sh
+++ b/Containers/notify-push/start.sh
@@ -3,12 +3,6 @@
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
-elif [ -z "$POSTGRES_HOST" ]; then
-    echo "POSTGRES_HOST needs to be provided. Exiting!"
-    exit 1
-elif [ -z "$REDIS_HOST" ]; then
-    echo "REDIS_HOST needs to be provided. Exiting!"
-    exit 1
 fi

 # Only start container if nextcloud is accessible
@@ -28,7 +22,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi

 # Add warning
-if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -44,52 +38,9 @@ fi

 echo "notify-push was started"

-# Set a default value for POSTGRES_PORT
-if [ -z "$POSTGRES_PORT" ]; then
-    POSTGRES_PORT=5432
-fi
-# Set a default for redis db index
-if [ -z "$REDIS_DB_INDEX" ]; then
-    REDIS_DB_INDEX=0
-fi
-# Set a default value for REDIS_PORT
-if [ -z "$REDIS_PORT" ]; then
-    REDIS_PORT=6379
-fi
-# Set a default for db type
-if [ -z "$DATABASE_TYPE" ]; then
-    DATABASE_TYPE=postgres
-elif [ "$DATABASE_TYPE" != postgres ] && [ "$DATABASE_TYPE" != mysql ]; then
-    echo "DB type must be either postgres or mysql"
-    exit 1
-fi
-
-# Use the correct Postgres username
-if [ "$POSTGRES_USER" = nextcloud ]; then
-    POSTGRES_USER="oc_$POSTGRES_USER"
-    export POSTGRES_USER
-fi
-
-# URL-encode passwords
-POSTGRES_PASSWORD="$(jq -rn --arg v "$POSTGRES_PASSWORD" '$v|@uri')"
-REDIS_HOST_PASSWORD="$(jq -rn --arg v "$REDIS_HOST_PASSWORD" '$v|@uri')"
-
-# Postgres root cert
-if [ -f "/nextcloud/data/certificates/POSTGRES" ]; then
-    CERT_OPTIONS="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/ca-bundle.crt"
-# Mysql root cert
-elif [ -f "/nextcloud/data/certificates/MYSQL" ]; then
-    CERT_OPTIONS="?sslmode=verify-ca&ssl-ca=/nextcloud/data/certificates/ca-bundle.crt"
-fi
-
-# Set sensitive values as env
-export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB$CERT_OPTIONS"
-export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST:$REDIS_PORT/$REDIS_DB_INDEX"
-
 # Run it
-/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
-    --database-prefix="oc_" \
-    --nextcloud-url "https://$NC_DOMAIN" \
-    --port 7867
+/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --port 7867 \
+    /var/www/html/config/config.php

 exec "$@"
--- a/Containers/onlyoffice/Dockerfile
+++ b/Containers/onlyoffice/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:9.2.1.1
+FROM onlyoffice/documentserver:9.3.1.2

 # USER root is probably used

@@ -8,4 +8,5 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh

 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/postgresql/Dockerfile
+++ b/Containers/postgresql/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
-FROM postgres:17.7-alpine
+FROM postgres:17.9-alpine

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -44,4 +44,5 @@ ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.2.3-alpine
+FROM redis:8.6.1-alpine

 COPY --chmod=775 start.sh /start.sh

@@ -10,6 +10,7 @@ RUN set -ex; \
    \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl; \
    \
 # Get rid of unused binaries
    rm -f /usr/local/bin/gosu;
@@ -21,4 +22,5 @@ ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.2-alpine3.23
+FROM python:3.14.3-alpine3.23

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -20,6 +20,9 @@ RUN set -ex; \
        xvfb \
        ffmpeg \
        firefox \
+        font-noto-all \
+        font-noto-cjk \
+        font-noto-cjk-extra \
        bind-tools \
        netcat-openbsd \
        git \
@@ -58,4 +61,5 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.3-scratch AS nats
+FROM nats:2.12.5-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:2.0.4 AS signaling
-FROM alpine:3.23.2 AS janus
+FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
+FROM alpine:3.23.3 AS janus

-ARG JANUS_VERSION=v1.3.3
+ARG JANUS_VERSION=v1.4.0
 WORKDIR /src
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -35,7 +35,7 @@ RUN set -ex; \
    make configs; \
    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample

-FROM alpine:3.23.2
+FROM alpine:3.23.3
 ENV ETURNAL_ETC_DIR="/conf"
 ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
@@ -70,7 +70,8 @@ RUN set -ex; \
        libwebsockets \
        \
        shadow \
-        grep; \
+        grep \
+        util-linux-misc; \
    useradd --system -u 1000 eturnal; \
    apk del --no-cache \
        shadow; \
@@ -107,4 +108,5 @@ CMD ["supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/talk/server.conf.in
+++ b/Containers/talk/server.conf.in
@@ -25,7 +25,9 @@ certificate = /etc/nginx/ssl/server.crt
 key = /etc/nginx/ssl/server.key

 [app]
-# Set to "true" to install pprof debug handlers.
+# Set to "true" to install pprof debug handlers. Access will only be possible
+# from IPs allowed through the "allowed_ips" option below.
+#
 # See "https://golang.org/pkg/net/http/pprof/" for further information.
 debug = false

@@ -270,8 +272,9 @@ connectionsperhost = 8
 #SA = NA

 [stats]
-# Comma-separated list of IP addresses that are allowed to access the stats
-# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
+# Comma-separated list of IP addresses that are allowed to access the debug,
+# stats and metrics endpoints.
+# Leave empty (or commented) to only allow access from localhost.
 #allowed_ips =

 [etcd]
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -18,6 +18,22 @@ elif [ -z "$INTERNAL_SECRET" ]; then
    exit 1
 fi

+# Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR
+# The container is read-only, so we build a custom bundle in /tmp (tmpfs) and
+# point Go's TLS stack to it via SSL_CERT_FILE.
+if mountpoint -q /usr/local/share/ca-certificates; then
+    echo "Trusting additional CA certificates..."
+    set -x
+    cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
+    for cert in /usr/local/share/ca-certificates/*; do
+        if [ -f "$cert" ]; then
+            cat "$cert" >> /tmp/ca-certificates.crt
+        fi
+    done
+    export SSL_CERT_FILE=/tmp/ca-certificates.crt
+    set +x
+fi
+
 set -x
 IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
 # shellcheck disable=SC2153
--- a/Containers/watchtower/Dockerfile
+++ b/Containers/watchtower/Dockerfile
@@ -1,15 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.5-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go

-ENV WATCHTOWER_COMMIT_HASH=f6a7b29c312bec5f389a4fb52259919f0678800b	
+ENV WATCHTOWER_COMMIT_HASH=5a33e3c0aa3b2770c648a114b4a9d32e0a5b55ba	

 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.13.1
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.4

-FROM alpine:3.23.2
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -24,4 +24,5 @@ USER root

 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/Containers/whiteboard/Dockerfile
+++ b/Containers/whiteboard/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.1
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7

 USER root
 RUN set -ex; \
@@ -23,4 +23,5 @@ WORKDIR /tmp
 ENTRYPOINT ["/start.sh"]

 LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
    org.label-schema.vendor="Nextcloud"
--- a/community-containers/bahmni-lite/bahmni-lite.json
+++ b/community-containers/bahmni-lite/bahmni-lite.json
@@ -0,0 +1,460 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-bahmni-openmrs",
+            "display_name": "Bahmni Lite",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite",
+            "image": "bahmni/openmrs",
+            "image_tag": "latest",
+            "internal_port": "8080",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "OMRS_DB_NAME=openmrs",
+                "OMRS_DB_HOSTNAME=nextcloud-aio-bahmni-openmrsdb",
+                "OMRS_DB_USERNAME=openmrs-user",
+                "OMRS_DB_PASSWORD=%BAHMNI_OPENMRS_DB_PASSWORD%",
+                "OMRS_CREATE_TABLES=false",
+                "OMRS_AUTO_UPDATE_DATABASE=true",
+                "OMRS_MODULE_WEB_ADMIN=false",
+                "OMRS_JAVA_SERVER_OPTS=",
+                "OMRS_JAVA_MEMORY_OPTS=",
+                "SEND_MAIL=false",
+                "MAIL_TRANSPORT_PROTOCOL=smtps",
+                "MAIL_SMTP_AUTH=true",
+                "MAIL_SMTP_STARTTLS_ENABLE=true",
+                "MAIL_SMTP_SSL_ENABLE=true",
+                "MAIL_DEBUG=false",
+                "MAIL_FROM=",
+                "MAIL_USER=",
+                "MAIL_PASSWORD=",
+                "MAIL_SMTP_HOST=",
+                "MAIL_SMTP_PORT=",
+                "OMRS_DOCKER_ENV=true",
+                "OMRS_C3P0_MAX_SIZE=50",
+                "LUCENE_MATCH_TYPE=START",
+                "DOCUMENT_MAX_SIZE_MB=7",
+                "WEIGHT_CONCEPT_UUID=5089AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+                "HEIGHT_CONCEPT_UUID=5090AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+            ],
+            "secrets": [
+                "BAHMNI_OPENMRS_DB_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_config",
+                    "destination": "/etc/bahmni_config/",
+                    "writeable": false
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_lab_results",
+                    "destination": "/home/bahmni/uploaded_results",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_uploaded_files",
+                    "destination": "/home/bahmni/uploaded-files",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_patient_images",
+                    "destination": "/home/bahmni/patient_images",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_document_images",
+                    "destination": "/home/bahmni/document_images",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_clinical_forms",
+                    "destination": "/home/bahmni/clinical_forms",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_configuration_checksums",
+                    "destination": "/openmrs/data/configuration_checksums",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_openmrs_logs",
+                    "destination": "/openmrs/data/logs",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_patient_images",
+                "nextcloud_aio_bahmni_document_images",
+                "nextcloud_aio_bahmni_clinical_forms",
+                "nextcloud_aio_bahmni_lab_results",
+                "nextcloud_aio_bahmni_uploaded_files",
+                "nextcloud_aio_bahmni_configuration_checksums",
+                "nextcloud_aio_bahmni_openmrs_logs"
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-openmrsdb",
+                "nextcloud-aio-bahmni-config"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-openmrsdb",
+            "image": "bahmni/openmrs-db",
+            "image_tag": "1.0.0-lite-mysql5.6",
+            "internal_port": "3306",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "MYSQL_ROOT_PASSWORD=%BAHMNI_MYSQL_ROOT_PASSWORD%",
+                "MYSQL_DATABASE=openmrs",
+                "MYSQL_USER=openmrs-user",
+                "MYSQL_PASSWORD=%BAHMNI_OPENMRS_DB_PASSWORD%"
+            ],
+            "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
+                "BAHMNI_OPENMRS_DB_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_openmrsdb",
+                    "destination": "/var/lib/mysql",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_configuration_checksums",
+                    "destination": "/configuration_checksums",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_openmrsdb"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-config",
+            "image": "bahmni/clinic-config",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_config",
+                    "destination": "/usr/local/bahmni_config",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_config"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-web",
+            "image": "bahmni/bahmni-web",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_config",
+                    "destination": "/usr/local/apache2/htdocs/bahmni_config/",
+                    "writeable": false
+                }
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-openmrs"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-apps-frontend",
+            "image": "bahmni/bahmni-apps-frontend",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-lab",
+            "image": "bahmni/bahmni-lab",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-implementer-interface",
+            "image": "bahmni/implementer-interface",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-openmrs"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-reportsdb",
+            "image": "mysql",
+            "image_tag": "8.0",
+            "internal_port": "3306",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "MYSQL_ROOT_PASSWORD=%BAHMNI_MYSQL_ROOT_PASSWORD%",
+                "MYSQL_DATABASE=bahmni-reports",
+                "MYSQL_USER=reports-user",
+                "MYSQL_PASSWORD=%BAHMNI_REPORTS_DB_PASSWORD%"
+            ],
+            "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
+                "BAHMNI_REPORTS_DB_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_reportsdb",
+                    "destination": "/var/lib/mysql",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_reportsdb"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-reports",
+            "image": "bahmni/reports",
+            "image_tag": "latest",
+            "internal_port": "8080",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "OPENMRS_DB_HOST=nextcloud-aio-bahmni-openmrsdb",
+                "OPENMRS_DB_NAME=openmrs",
+                "OPENMRS_DB_USERNAME=openmrs-user",
+                "OPENMRS_DB_PASSWORD=%BAHMNI_OPENMRS_DB_PASSWORD%",
+                "OPENMRS_HOST=nextcloud-aio-bahmni-openmrs",
+                "OPENMRS_PORT=8080",
+                "REPORTS_DB_SERVER=nextcloud-aio-bahmni-reportsdb",
+                "REPORTS_DB_NAME=bahmni-reports",
+                "REPORTS_DB_USERNAME=reports-user",
+                "REPORTS_DB_PASSWORD=%BAHMNI_REPORTS_DB_PASSWORD%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_config",
+                    "destination": "/etc/bahmni_config/",
+                    "writeable": false
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_queued_reports",
+                    "destination": "/home/bahmni/reports",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_queued_reports"
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-reportsdb",
+                "nextcloud-aio-bahmni-openmrs"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-patient-documents",
+            "image": "bahmni/patient-documents",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "OPENMRS_HOST=nextcloud-aio-bahmni-openmrs"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_document_images",
+                    "destination": "/usr/share/nginx/html/document_images",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_lab_results",
+                    "destination": "/usr/share/nginx/html/uploaded_results",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_uploaded_files",
+                    "destination": "/usr/share/nginx/html/uploaded-files",
+                    "writeable": true
+                }
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-openmrs"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-appointments",
+            "image": "bahmni/appointments",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-craterdb",
+            "image": "mysql",
+            "image_tag": "8.0",
+            "internal_port": "3306",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "MYSQL_ROOT_PASSWORD=%BAHMNI_MYSQL_ROOT_PASSWORD%",
+                "MYSQL_DATABASE=crater",
+                "MYSQL_USER=crater",
+                "MYSQL_PASSWORD=%BAHMNI_CRATER_DB_PASSWORD%"
+            ],
+            "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
+                "BAHMNI_CRATER_DB_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_craterdb",
+                    "destination": "/var/lib/mysql",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_craterdb"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-crater-php",
+            "image": "bahmni/crater-php",
+            "image_tag": "latest",
+            "internal_port": "9000",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "APP_URL=http://nextcloud-aio-bahmni-crater-nginx",
+                "DB_HOST=nextcloud-aio-bahmni-craterdb",
+                "DB_PORT=3306",
+                "DB_DATABASE=crater",
+                "DB_USERNAME=crater",
+                "DB_PASSWORD=%BAHMNI_CRATER_DB_PASSWORD%",
+                "SANCTUM_STATEFUL_DOMAINS=nextcloud-aio-bahmni-crater-nginx",
+                "SESSION_DOMAIN=nextcloud-aio-bahmni-crater-nginx",
+                "AUTO_INSTALL=true",
+                "ADMIN_NAME=Super Admin",
+                "ADMIN_EMAIL=admin@bahmni.org",
+                "ADMIN_PASSWORD=%BAHMNI_CRATER_ADMIN_PASSWORD%",
+                "COMPANY_NAME=Bahmni",
+                "COMPANY_SLUG=bahmni",
+                "COUNTRY_ID=101",
+                "CRATER_DEFAULT_CURRENCY=USD",
+                "APP_DEBUG=false"
+            ],
+            "secrets": [
+                "BAHMNI_CRATER_ADMIN_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_crater_app",
+                    "destination": "/var/www/storage/app/public",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_crater_app"
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-craterdb"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-crater-nginx",
+            "image": "bahmni/crater-nginx",
+            "image_tag": "latest",
+            "internal_port": "80",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_crater_app",
+                    "destination": "/var/www/public/storage",
+                    "writeable": true
+                }
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-crater-php"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-crater-atomfeed-db",
+            "image": "mysql",
+            "image_tag": "8.0",
+            "internal_port": "3306",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "MYSQL_ROOT_PASSWORD=%BAHMNI_MYSQL_ROOT_PASSWORD%",
+                "MYSQL_DATABASE=crater-atomfeed",
+                "MYSQL_USER=crater-atomfeed-user",
+                "MYSQL_PASSWORD=%BAHMNI_CRATER_ATOMFEED_DB_PASSWORD%"
+            ],
+            "secrets": [
+                "BAHMNI_MYSQL_ROOT_PASSWORD",
+                "BAHMNI_CRATER_ATOMFEED_DB_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_bahmni_crater_atomfeed_db",
+                    "destination": "/var/lib/mysql",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_bahmni_crater_atomfeed_db"
+            ]
+        },
+        {
+            "container_name": "nextcloud-aio-bahmni-crater-atomfeed",
+            "image": "bahmni/crater-atomfeed",
+            "image_tag": "latest",
+            "internal_port": "8080",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "OPENMRS_HOST=nextcloud-aio-bahmni-openmrs",
+                "OPENMRS_PORT=8080",
+                "OPENMRS_ATOMFEED_USER=admin",
+                "OPENMRS_ATOMFEED_PASSWORD=Admin123",
+                "CRATER_ATOMFEED_DB_HOST=nextcloud-aio-bahmni-crater-atomfeed-db",
+                "CRATER_ATOMFEED_DB_PORT=3306",
+                "CRATER_USERNAME=admin@bahmni.org",
+                "CRATER_PASSWORD=%BAHMNI_CRATER_ADMIN_PASSWORD%",
+                "CRATER_ATOMFEED_DB_USERNAME=crater-atomfeed-user",
+                "CRATER_ATOMFEED_DB_PASSWORD=%BAHMNI_CRATER_ATOMFEED_DB_PASSWORD%",
+                "CRATER_ATOMFEED_DB_NAME=crater-atomfeed",
+                "CRATER_URL=http://nextcloud-aio-bahmni-crater-nginx"
+            ],
+            "depends_on": [
+                "nextcloud-aio-bahmni-openmrs",
+                "nextcloud-aio-bahmni-crater-nginx",
+                "nextcloud-aio-bahmni-crater-atomfeed-db"
+            ]
+        }
+    ]
+}
--- a/community-containers/bahmni-lite/readme.md
+++ b/community-containers/bahmni-lite/readme.md
@@ -0,0 +1,40 @@
+## Bahmni Lite
+This container bundle sets up [Bahmni Lite](https://www.bahmni.org/), an open-source Electronic Medical Record (EMR) and hospital management system, and auto-configures it for you.
+
+Bahmni Lite includes the following services:
+- **OpenMRS** – core EMR application
+- **OpenMRS Database** – pre-seeded MySQL database (Bahmni Lite schema)
+- **Bahmni Config** – clinic configuration (init container)
+- **Bahmni Web** – classic Bahmni EMR frontend (AngularJS)
+- **Bahmni Apps Frontend** – new React-based Bahmni frontend
+- **Bahmni Lab** – lab results module
+- **Implementer Interface** – form/concept builder
+- **Reports** + **Reports DB** – reporting service and its database
+- **Patient Documents** – document storage and serving
+- **Appointments** – appointments module
+- **Crater** (PHP + Nginx + DB) – billing/invoicing system
+- **Crater Atomfeed** + **Crater Atomfeed DB** – OpenMRS ↔ Crater sync service
+
+### Notes
+- You need to configure a reverse proxy in order to use this container bundle, since Bahmni needs a dedicated (sub)domain! The easiest way is to install the [Caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy), which auto-configures `bahmni.your-nc-domain.com` for you — just point a CNAME record for `bahmni.your-nc-domain.com` at your server before enabling Caddy. Caddy will automatically route all Bahmni paths (`/openmrs/`, `/bahmni/`, `/bahmni-new/`, `/bahmni-lab/`, `/implementer-interface/`, `/document_images/`, `/uploaded_results/`, `/uploaded-files/`, `/appointments/`, `/reports/`) to the correct backend containers. Alternatively, you can follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md and configure your own reverse proxy manually using the path-to-container mapping documented below.
+- The core Bahmni EMR is accessible at `/openmrs/` on the OpenMRS container (`nextcloud-aio-bahmni-openmrs`, port `8080`). After starting, visit `http://<your-domain>/openmrs/` and log in with the default credentials: username `admin`, password `Admin123`. **⚠️ Change the default OpenMRS admin password immediately after first login.** The Bahmni database image ships with this well-known default — leaving it in place is a serious security risk. Note: after changing the OpenMRS admin password, you must also update `OPENMRS_ATOMFEED_PASSWORD` in the `nextcloud-aio-bahmni-crater-atomfeed` container to match the new password, otherwise the Crater billing sync will stop working.
+- For the full Bahmni UI experience (Bahmni Web, Bahmni Apps Frontend etc.), a reverse proxy must be set up to route the following paths to the correct containers:
+  - `/openmrs/` → `nextcloud-aio-bahmni-openmrs:8080`
+  - `/bahmni/` → `nextcloud-aio-bahmni-web:80`
+  - `/bahmni-new/` → `nextcloud-aio-bahmni-apps-frontend:80`
+  - `/bahmni-lab/` → `nextcloud-aio-bahmni-lab:80`
+  - `/implementer-interface/` → `nextcloud-aio-bahmni-implementer-interface:80`
+  - `/document_images/`, `/uploaded_results/`, `/uploaded-files/` → `nextcloud-aio-bahmni-patient-documents:80`
+  - `/appointments/` → `nextcloud-aio-bahmni-appointments:80`
+  - `/reports/` → `nextcloud-aio-bahmni-reports:8080`
+- The Crater billing system can be reached at `nextcloud-aio-bahmni-crater-nginx:80`. The Crater admin email is `admin@bahmni.org` and the password is shown next to the container in the AIO interface.
+- All Bahmni data (patient images, documents, clinical forms, databases) will be automatically included in AIOs backup solution!
+- The [Fail2ban community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban) auto-configures brute-force protection for Bahmni/OpenMRS login attempts when both containers are enabled.
+- This container bundle requires significant system resources. A minimum of **4 GB RAM** and **2 CPU cores** is recommended; **8 GB RAM** is preferred for production use.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack.
+
+### Repository
+https://github.com/Bahmni/bahmni-docker
+
+### Maintainer
+https://github.com/Bahmni
--- a/community-containers/caddy/readme.md
+++ b/community-containers/caddy/readme.md
@@ -1,5 +1,5 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed. It also covers [LocalAI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai) by listening on `ai.$NC_DOMAIN`, if installed. It also covers [Bahmni Lite](https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite) by listening on `bahmni.$NC_DOMAIN`, if installed.

 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -12,8 +12,10 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin), make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
 - If you want to use this with [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap), make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
 - If you want to use this with [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb), make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
- If you want to use this with [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
+- If you want to use this with [seerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for seerr.
 - If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
+- If you want to use this with [local AI](https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai), make sure that you point `ai.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for local AI.
+- If you want to use this with [Bahmni Lite](https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite), make sure that you point `bahmni.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for Bahmni Lite.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
 - You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
--- a/community-containers/fail2ban/fail2ban.json
+++ b/community-containers/fail2ban/fail2ban.json
@@ -35,6 +35,11 @@
                    "source": "nextcloud_aio_jellyseerr",
                    "destination": "/jellyseerr",
                    "writeable": false
+                },
+                {
+                    "source": "nextcloud_aio_bahmni_openmrs_logs",
+                    "destination": "/bahmni-openmrs",
+                    "writeable": false
                }
            ]
        }
--- a/community-containers/fail2ban/readme.md
+++ b/community-containers/fail2ban/readme.md
@@ -1,5 +1,5 @@
 ## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
+This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/bahmni-lite, if installed.

 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
--- a/community-containers/glances/glances.json
+++ b/community-containers/glances/glances.json
@@ -0,0 +1,38 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-glances",
+            "display_name": "Glances",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/glances",
+            "image": "nicolargo/glances",
+            "image_tag": "latest-full",
+            "internal_port": "61208",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "61208",
+                  "protocol": "tcp"
+                }
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_glances",
+                    "destination": "/etc/glances",
+                    "writeable": true
+                },
+                {
+                    "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
+                    "destination": "/var/run/docker.sock",
+                    "writeable": false
+                }
+            ],
+            "environment": [
+                "GLANCES_OPT=-w"
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_glances"
+            ]
+        }
+    ]
+}
--- a/community-containers/glances/readme.md
+++ b/community-containers/glances/readme.md
@@ -0,0 +1,18 @@
+## Glances
+This container starts Glances, a web-based info-board, and auto-configures it for you.
+
+> [!CAUTION]
+> This container mounts the docker-socket from the host-system.
+
+### Notes
+- After adding and starting the container, you can directly visit http://ip.address.of.server:61208/ and access your new Glances instance!
+- It is recommended to start this container only in home networks, because there is no built-in authentication. But you can do a http-auth with your proxy.
+- In order to access your Glances outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
+- The data of Glances will be automatically included in AIO's backup solution!
+- See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.
+
+### Repository
+https://github.com/nicolargo/glances
+
+### Maintainer
+https://github.com/pi-farm
--- a/community-containers/jellyseerr/jellyseerr.json
+++ b/community-containers/jellyseerr/jellyseerr.json
@@ -2,13 +2,13 @@
    "aio_services_v1": [
        {
            "container_name": "nextcloud-aio-jellyseerr",
-            "display_name": "Jellyseerr",
+            "display_name": "Seerr",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr",
-            "image": "fallenbagel/jellyseerr",
+            "image": "ghcr.io/seerr-team/seerr",
            "image_tag": "latest",
            "internal_port": "5055",
            "restart": "unless-stopped",
-            "init": false,
+            "init": true,
            "ports": [
                {
                    "ip_binding": "%APACHE_IP_BINDING%",
--- a/community-containers/jellyseerr/readme.md
+++ b/community-containers/jellyseerr/readme.md
@@ -1,16 +1,17 @@
-## Jellyseerr
-This container bundles Jellyseerr and auto-configures it for you.
+## Seerr
+This container bundles Seerr and auto-configures it for you.

 ### Notes
+- **Migration from Jellyseerr**: Jellyseer previously ran as the root user. With the migration to Seerr, the container now runs rootless with userid 1000, meaning that if you previously used Jellyseerr, Seerr will not be able to access the config files generated by the old Jellyseerr container. To migrate, execute the following steps: 1. stop all containers using the AIO-interface, 2. run `sudo docker run --rm -v nextcloud_aio_jellyseerr:/data alpine chown -R 1000:1000 /data`
 - This container is only intended to be used inside home networks as it uses http for its management page by default.
- After adding and starting the container, you can directly visit `http://ip.address.of.server:5055` and access your new Jellyseerr instance, which can be used to manage Plex, Jellyfin, and Emby.
- In order to access your Jellyseerr outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Jellyseerr's reverse proxy documentation.](https://docs.jellyseerr.dev/extending-jellyseerr/reverse-proxy), OR use the Caddy community container that will automatically configure requests.$NC_DOMAIN to redirect to your Jellyseerr. Note that it is recommended to [enable CSRF protection in Jellyseerr](https://docs.jellyseerr.dev/using-jellyseerr/settings/general#enable-csrf-protection) for added security if you plan to use Jellyseerr outside the local network, but make sure to read up on it and understand the caveats first.
- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban. Note that [enabling the proxy support option in Jellyseerr](https://docs.jellyseerr.dev/using-jellyseerr/settings/general#enable-proxy-support) is required for this to work properly.
- The config of Jellyseerr will be automatically included in AIO's backup solution!
+- After adding and starting the container, you can directly visit `http://ip.address.of.server:5055` and access your new Seerr instance, which can be used to manage Plex, Jellyfin, and Emby.
+- In order to access your Seerr outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Seerr's reverse proxy documentation.](https://docs.seerr.dev/extending-Seerr/reverse-proxy), OR use the Caddy community container that will automatically configure requests.$NC_DOMAIN to redirect to your Seerr. Note that it is recommended to [enable CSRF protection in Seerr](https://docs.seerr.dev/using-Seerr/settings/general#enable-csrf-protection) for added security if you plan to use Seerr outside the local network, but make sure to read up on it and understand the caveats first.
+- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban. Note that [enabling the proxy support option in Seerr](https://docs.seerr.dev/using-Seerr/settings/general#enable-proxy-support) is required for this to work properly.
+- The config of Seerr will be automatically included in AIO's backup solution!
 - See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.

 ### Repository
-https://github.com/Fallenbagel/jellyseerr
+https://github.com/seerr-team/seerr

 ### Maintainer
 https://github.com/Anvil5465
--- a/community-containers/languagetool/readme.md
+++ b/community-containers/languagetool/readme.md
@@ -1,9 +1,9 @@
-## LanguageTool for Collabora
-This container bundles a LanguageTool for Collabora which adds spell checking functionality to Collabora.
+## LanguageTool for Nextcloud Office
+This container bundles a LanguageTool for Nextcloud Office which adds spell checking functionality to Nextcloud Office.

 ### Notes
- Make sure to have collabora enabled via the AIO interface
- After adding this container via the AIO Interface, while all containers are still stopped, you need to scroll down to the `Additional Collabora options` section and enter `--o:languagetool.enabled=true --o:languagetool.base_url=http://nextcloud-aio-languagetool:8010/v2`.
+- Make sure to have Nextcloud Office enabled via the AIO interface
+- After adding this container via the AIO Interface, while all containers are still stopped, you need to scroll down to the `Additional Nextcloud Office options` section and enter `--o:languagetool.enabled=true --o:languagetool.base_url=http://nextcloud-aio-languagetool:8010/v2`.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

 ### Repository
--- a/community-containers/local-ai/local-ai.json
+++ b/community-containers/local-ai/local-ai.json
@@ -4,42 +4,59 @@
            "container_name": "nextcloud-aio-local-ai",
            "display_name": "Local AI",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai",
-            "image": "ghcr.io/szaimen/aio-local-ai",
-            "image_tag": "v2",
-            "internal_port": "8080",
+            "image": "ghcr.io/docjyj/aio-local-ai-vulkan",
+            "image_tag": "v1",
+            "internal_port": "10078",
            "restart": "unless-stopped",
            "environment": [
                "TZ=%TIMEZONE%",
-                "MODELS_PATH=/models"
+                "LOCALAI_API_KEY=%LOCALAI_API_KEY%",
+                "LOCALAI_ADDRESS=:10078",
+                "LOCALAI_CONFIG_DIR=/configuration",
+                "LOCALAI_MODEL_PATH=/models",
+                "LOCALAI_BACKEND_PATH=/backends"
+            ],
+            "ports": [
+                {
+                  "ip_binding": "%APACHE_IP_BINDING%",
+                  "port_number": "10078",
+                  "protocol": "tcp"
+                }
            ],
            "volumes": [
+                {
+                  "source": "nextcloud_aio_localai_configuration",
+                  "destination": "/configuration",
+                  "writeable": true
+                },
                {
                    "source": "nextcloud_aio_localai_models",
                    "destination": "/models",
                    "writeable": true
                },
                {
-                    "source": "nextcloud_aio_localai_images",
-                    "destination": "/tmp/generated/images/",
+                    "source": "nextcloud_aio_localai_backends",
+                    "destination": "/backends",
                    "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/nextcloud",
-                    "writeable": false
                }
            ],
-            "enable_nvidia_gpu": false,
+            "secrets": [
+                "LOCALAI_API_KEY"
+            ],
+            "ui_secret": "LOCALAI_API_KEY",
+            "devices": [
+                "/dev/dri"
+            ],
            "nextcloud_exec_commands": [
-                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-local-ai'",
-                "touch '/mnt/ncdata/admin/files/nextcloud-aio-local-ai/models.yaml'",
-                "echo 'Scanning nextcloud-aio-local-ai folder for admin user...'",
-                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-local-ai'",
                "php /var/www/html/occ app:install integration_openai",
                "php /var/www/html/occ app:enable integration_openai",
-                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:8080",
+                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:10078",
+                "php /var/www/html/occ config:app:set integration_openai api_key --value %LOCALAI_API_KEY%",
                "php /var/www/html/occ app:install assistant",
                "php /var/www/html/occ app:enable assistant"
+            ],
+            "backup_volumes": [
+              "nextcloud_aio_localai_configuration"
            ]
        }
    ]
--- a/community-containers/local-ai/readme.md
+++ b/community-containers/local-ai/readme.md
@@ -1,21 +1,16 @@
 ## Local AI
-This container bundles Local AI and auto-configures it for you.
+This container bundles Local AI and auto-configures it for you. It support hardware acceleration with Vulkan.

 ### Notes
- Make sure to have enough storage space available. This container alone needs ~7GB storage. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/mudler/LocalAI/blob/master/gallery/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
- Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
-```yaml
-# Stable Diffusion in NCNN with c++, supported txt2img and img2img 
- url: github:mudler/LocalAI/blob/master/gallery/stablediffusion.yaml
-  name: Stable_diffusion
-```
-  To make it work, you first need to browse `https://your-nc-domain.com/settings/admin/ai` and enable or disable specific features for your models in the openAI settings. Afterwards using the Nextcloud Assistant should work.
+Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!
+
+- See https://github.com/docjyJ/aio-local-ai-vulkan#getting-started for getting start with this container.
 - See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
+- Note that Nextcloud supports only one server for AI queries, so this container cannot be used at the same time as other AI containers.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

 ### Repository
-https://github.com/szaimen/aio-local-ai
+https://github.com/docjyJ/aio-local-ai-vulkan

 ### Maintainer
-https://github.com/szaimen
+https://github.com/docjyJ
--- a/community-containers/nocodb/nocodb.json
+++ b/community-containers/nocodb/nocodb.json
@@ -2,7 +2,7 @@
    "aio_services_v1": [
        {
            "container_name": "nextcloud-aio-nocodb",
-            "display_name": "NocoDB",
+            "display_name": "NocoDB (deprecated)",
            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb",
            "image": "nocodb/nocodb",
            "image_tag": "latest",
--- a/community-containers/nocodb/readme.md
+++ b/community-containers/nocodb/readme.md
@@ -1,3 +1,8 @@
+> [!CAUTION]
+> NocoDB is licensed under a non-free license.
+> 
+> And is no longer maintained.
+
 > [!NOTE]
 > This container is there to compensate for the lack of functionality in Nextcloud Tables.
 >
--- a/compose.yaml
+++ b/compose.yaml
@@ -11,9 +11,9 @@ services:
    network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
    # networks: ["nextcloud-aio"]
    ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      - 8080:8080 # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - "80:80" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - "8080:8080" # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
+      - "8443:8443" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
    # environment: # Is needed when using any of the options below
      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
--- a/develop.md
+++ b/develop.md
@@ -33,6 +33,7 @@ There is a testing-VM available for the maintainer of AIO that allows for some f
 Additionally, there are now E2E tests available that can be run via https://github.com/nextcloud/all-in-one/actions/workflows/playwright.yml

 ## How to promote builds from develop to beta
+1. Verify that GitHub Services are running correctly: https://www.githubstatus.com/
 1. Verify that no job is running here: https://github.com/nextcloud-releases/all-in-one/actions/workflows/build_images.yml
 2. Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-beta.yml, click on `Run workflow`.

--- a/local-instance.md
+++ b/local-instance.md
@@ -22,10 +22,11 @@ The normal way is the following:
 **Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.

 ## 3. Use the ACME DNS-challenge
-You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
+You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up using an external caddy reverse proxy: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge

 ## 4. Use Cloudflare
 If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.

 ## 5. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
+
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -45,6 +45,7 @@ services:
      - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
      - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
      - WHITEBOARD_HOST=nextcloud-aio-whiteboard
+      - HARP_HOST=nextcloud-aio-harp
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:ro
      - nextcloud_aio_apache:/mnt/data:rw
@@ -202,19 +203,10 @@ services:
    expose:
      - "7867"
    volumes:
-      - nextcloud_aio_nextcloud:/nextcloud:ro
+      - nextcloud_aio_nextcloud:/var/www/html:ro
    environment:
-      - NC_DOMAIN
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
      - TZ=${TIMEZONE}
-      - REDIS_HOST=nextcloud-aio-redis
-      - REDIS_PORT=6379
-      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - POSTGRES_HOST=nextcloud-aio-database
-      - POSTGRES_PORT=5432
-      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
-      - POSTGRES_DB=nextcloud_database
-      - POSTGRES_USER=nextcloud
    restart: unless-stopped
    read_only: true
    cap_drop:
--- a/manual-install/readme.md
+++ b/manual-install/readme.md
@@ -12,7 +12,7 @@ You can run the containers that are build for AIO with docker-compose. This come
 - You lose the AIO interface
 - You lose update notifications and automatic updates
 - You lose all AIO backup and restore features
- You lose the built-in [Docker Socket Proxy container](https://github.com/nextcloud/docker-socket-proxy#readme) (needed for [Nextcloud App API](https://github.com/nextcloud/app_api#nextcloud-appapi))
+- You lose the built-in [Docker Socket Proxy container](https://github.com/nextcloud/docker-socket-proxy#readme) and [HaRP container](https://github.com/nextcloud/HaRP) (needed for [Nextcloud App API](https://github.com/nextcloud/app_api#nextcloud-appapi))
 - You lose all community containers: https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers
 - **You need to know what you are doing, especially when modifying the compose.yaml file**
 - For updating, you need to strictly follow the at the bottom described update routine
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@@ -27,6 +27,8 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "next
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-docker-socket-proxy"))')"
 OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= if contains(["nextcloud-aio-docker-socket-proxy"]) then del(.[index("nextcloud-aio-docker-socket-proxy")]) else . end else . end')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-harp"))')"
+OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= if contains(["nextcloud-aio-harp"]) then del(.[index("nextcloud-aio-harp")]) else . end else . end')"
 OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= map({ (.): { "condition": "service_started", "required": false } }) else . end' | jq '.services[] |= if has("depends_on") then .depends_on |= reduce .[] as $item ({}; . + $item) else . end')"

 sudo snap install yq
@@ -45,8 +47,11 @@ sed -i 's|- ip_binding: |- |' containers.yml
 sed -i '/AIO_TOKEN/d' containers.yml
 sed -i '/AIO_URL/d' containers.yml
 sed -i '/DOCKER_SOCKET_PROXY_ENABLED/d' containers.yml
+sed -i '/HARP_ENABLED/d' containers.yml
+sed -i '/HP_SHARED_KEY/d' containers.yml
 sed -i '/ADDITIONAL_TRUSTED_PROXY/d' containers.yml
 sed -i '/TURN_DOMAIN/d' containers.yml
+sed -i '/NC_AIO_VERSION/d' containers.yml

 TCP="$(grep -oP '[%A-Z0-9_]+/tcp' containers.yml | sort -u)"
 mapfile -t TCP <<< "$TCP"
--- a/multiple-instances.md
+++ b/multiple-instances.md
@@ -180,6 +180,7 @@ apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvi
    # Virtual machine #1 - "example1-com"
    https://[DOMAIN_NAME_1]:8443 {
        reverse_proxy https://[IP_ADDRESS_1]:8080 {
+            header_up Host {host}
            transport http {
                tls_insecure_skip_verify
            }
@@ -192,6 +193,7 @@ apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvi
    # Virtual machine #2 - "example2-com"
    https://[DOMAIN_NAME_2]:8443 {
        reverse_proxy https://[IP_ADDRESS_2]:8080 {
+            header_up Host {host}
            transport http {
                tls_insecure_skip_verify
            }
--- a/nextcloud-aio-helm-chart/Chart.yaml
+++ b/nextcloud-aio-helm-chart/Chart.yaml
@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 12.4.0
+version: 12.8.0
 apiVersion: v2
 keywords:
  - latest
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
@@ -17,7 +17,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.version: 1.37.0 (fb0539e64)
+        kompose.version: 1.38.0 (a8f5d1cbd)
      labels:
        io.kompose.service: nextcloud-aio-apache
    spec:
@@ -47,6 +47,8 @@ spec:
              value: "{{ .Values.APACHE_PORT }}"
            - name: COLLABORA_HOST
              value: nextcloud-aio-collabora
+            - name: HARP_HOST
+              value: nextcloud-aio-harp
            - name: NC_DOMAIN
              value: "{{ .Values.NC_DOMAIN }}"
            - name: NEXTCLOUD_HOST
@@ -61,7 +63,7 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: WHITEBOARD_HOST
              value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-apache:20260306_081319
          readinessProbe:
            exec:
              command:
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
@@ -18,7 +18,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.version: 1.37.0 (fb0539e64)
+        kompose.version: 1.38.0 (a8f5d1cbd)
      labels:
        io.kompose.service: nextcloud-aio-clamav
    spec:
@@ -36,7 +36,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - mkdir
            - "-p"
@@ -59,7 +59,7 @@ spec:
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260306_081319
          readinessProbe:
            exec:
              command:
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
@@ -16,7 +16,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.version: 1.37.0 (fb0539e64)
+        kompose.version: 1.38.0 (a8f5d1cbd)
      labels:
        io.kompose.service: nextcloud-aio-collabora
    spec:
@@ -36,9 +36,9 @@ spec:
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
          {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260306_081319
          {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260306_081319
          {{- end }}
          readinessProbe:
            exec:
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
@@ -17,7 +17,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.version: 1.37.0 (fb0539e64)
+        kompose.version: 1.38.0 (a8f5d1cbd)
      labels:
        io.kompose.service: nextcloud-aio-database
    spec:
@@ -35,7 +35,7 @@ spec:
        {{- end }}
      initContainers:
        - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - mkdir
            - "-p"
@@ -64,7 +64,7 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260306_081319
          readinessProbe:
            exec:
              command:
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-fulltextsearch
  name: nextcloud-aio-fulltextsearch
@@ -18,13 +18,13 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.version: 1.37.0 (fb0539e64)
+        kompose.version: 1.38.0 (a8f5d1cbd)
      labels:
        io.kompose.service: nextcloud-aio-fulltextsearch
    spec:
      initContainers:
        - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
          command:
            - chmod
            - "777"
@@ -54,7 +54,7 @@ spec:
              value: basic
            - name: xpack.security.enabled
              value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260114_114729
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260306_081319
          readinessProbe:
            exec:
              command:
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.version: 1.37.0 (fb0539e64)
+    kompose.version: 1.38.0 (a8f5d1cbd)
  labels:
    io.kompose.service: nextcloud-aio-fulltextsearch
  name: nextcloud-aio-fulltextsearch
--- a/Show More
+++ b/Show More