wip

build(deps-dev): bump vimeo/psalm from 6.15.1 to 6.16.0 in /php
Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 6.15.1 to 6.16.0. - [Release notes](https://github.com/vimeo/psalm/releases) - [Commits](https://github.com/vimeo/psalm/compare/6.15.1...6.16.0) --- updated-dependencies: - dependency-name: vimeo/psalm dependency-version: 6.16.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Simon L. <szaimen@e.mail.de>
2026-06-10 16:38:18 +00:00 · 2026-03-18 18:27:05 +01:00 · 2026-03-18 18:05:51 +01:00
237 changed files with 1423 additions and 4264 deletions
@@ -1,20 +0,0 @@
-# https://editorconfig.org
-
-# Tip: to find files violating the rules set out here, run `docker run --rm --volume=$PWD:/check mstruebing/editorconfig-checker`
-
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.yaml]
-indent_size = 2
-
-
-[*.yml]
-indent_size = 2
@@ -31,12 +31,12 @@ updates:
    - "/Containers/collabora"
    - "/Containers/docker-socket-proxy"
    - "/Containers/domaincheck"
-    - "/Containers/eurooffice"
    - "/Containers/fulltextsearch"
    - "/Containers/imaginary"
    - "/Containers/mastercontainer"
    - "/Containers/nextcloud"
    - "/Containers/notify-push"
+    - "/Containers/onlyoffice"
    - "/Containers/postgresql"
    - "/Containers/redis"
    - "/Containers/talk"
@@ -3,8 +3,3 @@
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
-
-<!-- Please check the below checkmarks if applicable -->
-
- [ ] The PR was tested and verified that it works locally
- [ ] The PR was completely or partially created with AI
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check spelling
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
        with:
@@ -10,7 +10,7 @@ jobs:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
@@ -18,7 +18,7 @@ jobs:
        mv cool-seccomp-profile.json php/
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
@@ -10,7 +10,7 @@ jobs:
    name: Run dependency update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
      with:
        php-version: 8.5
@@ -53,7 +53,7 @@ jobs:
        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install hadolint
        run: |
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
@@ -10,16 +10,13 @@ on:

 jobs:
  release:
-    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
-    # want to use it for other purposes than publishing helm charts
-    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -35,7 +32,7 @@ jobs:

      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.6.3

@@ -10,7 +10,7 @@ jobs:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -22,7 +22,7 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate Json
        run: |
          sudo apt-get update
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.11.1

@@ -36,12 +36,12 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
        with:
          persist-credentials: false

@@ -36,7 +36,7 @@ jobs:
            line-length: warning

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1

      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v5
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
@@ -11,7 +11,7 @@ jobs:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -79,7 +79,7 @@ jobs:
        fi

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
@@ -16,7 +16,7 @@ jobs:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
@@ -4,15 +4,11 @@ on:
  pull_request:
    paths:
      - 'php/**'
-      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
-      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'

 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -28,11 +24,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*

      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -41,7 +37,7 @@ jobs:
        run: cd php/tests && npx playwright install --with-deps chromium

      - name: Set up php 8.5
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          extensions: apcu
          php-version: 8.5
@@ -57,7 +53,7 @@ jobs:
          rm -r ./session
          composer install --no-dev
          composer clear-cache
-          sudo chmod 777 -R ../
+          sudo chmod 777 -R ./

      - name: Start fresh development server
        run: |
@@ -72,9 +68,6 @@ jobs:
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
-            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
-            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -104,9 +97,6 @@ jobs:
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
-            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
-            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -124,7 +114,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -13,11 +13,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*

      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -82,7 +82,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
@@ -19,6 +19,10 @@ jobs:
          extensions: apcu
          coverage: none
          ini-file: development
+          jit: false
+          ini_values: |
+            opcache.jit=0
+            opcache.jit_buffer_size=0

      - name: Run script
        run: |
@@ -31,7 +35,7 @@ jobs:
        continue-on-error: true

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: Update psalm baseline
@@ -32,17 +32,21 @@ jobs:
    name: static-psalm-analysis
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          php-version: 8.5
          extensions: apcu
          coverage: none
          ini-file: development
+          jit: false
+          ini_values: |
+            opcache.jit=0
+            opcache.jit_buffer_size=0

        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -15,7 +15,7 @@ jobs:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run Shellcheck
      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
      with:
@@ -1,140 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-#
-# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
-# SPDX-License-Identifier: MIT
-
-# This workflow will update all workflow templates
-# Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
-name: Update workflows
-on:
-  workflow_dispatch:
-  schedule:
-      - cron: "5 2 * * 0"
-
-permissions:
-  contents: read
-
-jobs:
-  dispatch:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        branches:
-          - ${{ github.event.repository.default_branch }}
-          - 'stable33'
-          - 'stable32'
-
-    name: Update workflows in ${{ matrix.branches }}
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Check actor permission
-        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
-        with:
-          require: admin
-
-      - name: Checkout workflow repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          persist-credentials: false
-          path: source
-          repository: nextcloud/.github
-
-      - name: Checkout app
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          persist-credentials: false
-          path: target
-          ref: ${{ matrix.branches }}
-
-      - name: Copy all workflow templates
-        run: |
-          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
-          draft_only=0
-          for workflow in ./source/workflow-templates/*.yml; do
-            echo "❓ Looking for $workflow"
-            if [ -f "$workflow" ]; then
-              filename=$(basename "$workflow")
-              target_file="./target/.github/workflows/$filename"
-
-              # Only copy if the file exists in the target repository
-              if [ -f "$target_file" ]; then
-                if [ -f "./target/.github/actions-lock.txt" ]; then
-                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
-                else
-                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
-                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
-                  locked_version=""
-                fi
-                locked_version=$(echo $locked_version | cut -f 1 -d " ")
-                new_version=$(md5sum $workflow | cut -f 1 -d " ")
-
-                # Only update if the action changes
-                if [[ "$locked_version" != "$new_version" ]]; then
-                  echo "ℹ️ Locked version: $locked_version"
-                  echo "ℹ️ Current version: $new_version"
-                  echo "🆙 Updating existing workflow: $filename"
-                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
-
-                  cp "$workflow" "$target_file"
-
-                  # Apply patch if one exists
-                  if [ -f "$target_file.patch" ]; then
-                    echo "🩹 Applying patch"
-                    cd ./target
-                    set +e
-                    patch -p1 < ".github/workflows/$filename.patch"
-                    patch_worked=$?
-                    set -e
-                    cd -
-                    if [[ "$patch_worked" == "0" ]]; then
-                      echo "  - Patch applied" >> $GITHUB_ENV
-                    else
-                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
-                      draft_only=1
-                    fi
-                  fi
-
-                  if [[ "$locked_version" != "" ]]; then
-                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
-                  else
-                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
-                  fi
-                else
-                  echo "✅ Skipping $filename: already up to date"
-                fi
-              else
-                echo "⏭️ Skipping $filename: does not exist in target repository"
-              fi
-            fi
-          done
-          echo 'EOF' >> $GITHUB_ENV
-          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
-          commit-message: 'ci(actions): Update workflow templates from organization template repository'
-          committer: GitHub <noreply@github.com>
-          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
-          path: target
-          signoff: true
-          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
-          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
-          draft: ${{ env.DRAFT_ONLY == 1 }}
-          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
-          body: |
-            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
-            ${{ env.SUMMARY }}
-          labels: |
-            dependencies
-            3. to review
@@ -10,7 +10,7 @@ jobs:
    name: update talk
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run talk-container-update
      run: |
        # Recording
@@ -45,7 +45,7 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up php ${{ matrix.php-versions }}
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
@@ -8,4 +8,4 @@ jobs:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update helm chart
        run: |
          set -x
@@ -23,7 +23,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Helm Chart updates
          signoff: true
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Yaml updates
          signoff: true
@@ -10,7 +10,7 @@ jobs:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run watchtower-container-update
      run: |
        # Watchtower
@@ -26,7 +26,7 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
@@ -1,112 +0,0 @@
-<!--
-  - SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
-  - SPDX-License-Identifier: AGPL-3.0-or-later
-->
-
-# Agent Guidelines for Nextcloud All-in-one
-
-This file provides instructions for AI coding agents (Claude Code, GitHub Copilot, Cursor, Windsurf, and others) operating on this repository. Read it before generating any code, commits, or pull requests.
-
---
-
-## Nextcloud Contribution Policy
-
-All contributions generated or assisted by this agent must fully comply with:
-
- **[AI Contribution Policy](https://github.com/nextcloud/.github/blob/master/AI_POLICY.md)** - the primary reference for AI-specific rules, covering disclosure, author accountability, communication, security, licensing, code quality, and autonomous agent behavior.
- **[Contribution Guidelines](https://github.com/nextcloud/.github/blob/master/CONTRIBUTING.md)** - covering testing requirements, the Developer Certificate of Origin (DCO), license headers, conventional commits, and translations. These apply in full to all contributions regardless of how they were produced.
-
-### What this agent must always do
-
- Add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to every commit containing AI-assisted content.
- Ensure every pull request includes a disclosure of AI tool use in the PR description.
- Produce focused, scoped pull requests that address exactly one concern. Do not touch unrelated files or introduce incidental refactors.
- Verify all dependencies against actual package registries before suggesting them. Do not use hallucinated or unverified package names.
- Explicitly inform the contributor when any action they are about to take, or have taken, would violate the AI Contribution Policy or the Contribution Guidelines. Do not silently proceed. State which rule is at risk and what the contributor should do instead.
- Warn the contributor if a pull request is growing too large. A PR approaching several thousand lines of changed code is a signal that it should be split into smaller, focused PRs. Suggest a logical split before the PR is opened, not after.
- Recommend opening a ticket for discussion before starting implementation whenever a feature or change is sufficiently complex - for example when it touches multiple subsystems, requires architectural decisions, or the right approach is not yet clear. A ticket allows maintainers and the contributor to align on direction before code is written, avoiding wasted effort on a PR that may be rejected or require fundamental rework.
-
-### What this agent must never do
-
- Open issues, submit pull requests, post review comments, or send security reports autonomously. Every contribution must be reviewed and submitted by a human.
- Add `Signed-off-by` tags to commits. Only the human contributor can certify the Developer Certificate of Origin.
- Generate or submit security reports without independent human verification. Report verified vulnerabilities via [HackerOne](https://hackerone.com/nextcloud), not as GitHub issues.
- Write PR descriptions, review comments, or issue reports on behalf of the contributor. These must be in the contributor's own words.
- Submit code that has not been reviewed and cleaned up by the contributor. Dead code, redundant logic, excessive comments, and unrelated changes must be removed before submission.
-
---
-
-## Repository-Specific Requirements
-
-### Commit format
-
-Use [Conventional Commits](https://www.conventionalcommits.org) for all commit messages:
-
-```
-<type>(<scope>): <short description>
-
-[optional body]
-
-Assisted-by: AGENT_NAME:MODEL_VERSION
-```
-
-Common types: `feat`, `fix`, `refactor`, `test`, `docs`, `chore`, `perf`, `build`, `ci`.  
-The scope should match the affected component or app (e.g. `files_sharing`, `core`, `encryption`).
-
-Example:
-```
-feat(files_sharing): allow sharing with contacts
-
-Assisted-by: ClaudeCode:claude-sonnet-4-6
-```
-
-### Tests
-
- Every changed or added code segment must be covered by unit tests. Pull requests without tests for new or modified logic will not be accepted.
- In areas where unit testing is currently difficult, refactoring to enable testability is encouraged alongside the bug fix.
- New features must be manually tested on a live Nextcloud instance by the human contributor before submission. Providing test steps for an agent to execute is not a substitute.
-
-### Developer Certificate of Origin (DCO)
-
-The project uses the DCO as an additional safeguard. Only the human contributor may add the `Signed-off-by` trailer - agents must not add it:
-
-```
-Signed-off-by: Random J Developer <random@developer.example.org>
-```
-
-Contributors can sign automatically with `git commit -s` after configuring `user.name` and `user.email`.
-
-### License headers
-
-Every new file must include the correct SPDX license header. For AGPL-3.0-or-later (the default for this repository):
-
-```php
-/**
- * SPDX-FileCopyrightText: <year> <name>
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-```
-
-See [HowToApplyALicense.md](https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md) for details on per-language formats. AI-generated code must not include material from sources incompatible with AGPL-3.0-or-later.
-
-### Security
-
- Do not open GitHub issues for potential vulnerabilities. Report them via [HackerOne](https://hackerone.com/nextcloud) following the [security policy](https://nextcloud.com/security/).
- AI-generated security reports must be independently verified by the human contributor before submission.
- Manually verify all access control logic, authentication patterns, and dependency names - AI tools are known to hallucinate package names and reproduce vulnerable patterns.
-
-### Scope of this repository
-
-This repository covers the Nextcloud all-in-one and all its included containers and features. Issues and changes for other components belong in their respective repositories under the [Nextcloud GitHub organization](https://github.com/nextcloud/).
-
---
-
-## Further Reading
-
- [Local CONTRIBUTING.md](CONTRIBUTING.md)
- [Nextcloud Contribution Guidelines](https://github.com/nextcloud/all-in-one/blob/main/CONTRIBUTING.md)
- [AI Contribution Policy](https://github.com/nextcloud/all-in-one/blob/main/AI_POLICY.md)
- [Developer Certificate of Origin](https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin)
- [How to Apply a License](https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md)
- [Developer Manual](https://github.com/nextcloud/all-in-one/blob/main/develop.md)
- [Security Vulnerability Reporting (HackerOne)](https://hackerone.com/nextcloud)
@@ -1,91 +0,0 @@
-<!--
-  - SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
-  - SPDX-License-Identifier: MIT
-->
-
-# AI Contribution Policy
-
-This document provides guidance for AI tools and developers using AI assistance when contributing to Nextcloud. It applies to all repositories under the [Nextcloud GitHub organization](https://github.com/nextcloud/), including the server, clients, apps, and the community app ecosystem.
-
-This policy complements the existing [Contribution Guidelines](CONTRIBUTING.md). The requirements around testing, the Developer Certificate of Origin, license headers, and security reporting described there continue to apply in full - this document addresses how they extend to AI-assisted contributions.
-
---
-
-## Requirements
-
-### Disclosure
-
-Every pull request containing AI-assisted code, documentation, or tests must declare this in the PR description. PRs found to have undisclosed AI use might be closed.
-
-For full traceability at the commit level, each commit containing AI-assisted content must include an `Assisted-by:` git trailer:
-
-```
-Assisted-by: AGENT_NAME:MODEL_VERSION
-```
-
-The agent name and model version identify the AI tool. Basic development tools such as git, compilers, editors, and static analyzers are not listed - these are standard parts of any development workflow regardless of AI involvement.
-
-The PR description disclosure explains how AI was used; the commit trailer ensures that provenance is permanently recorded in version history and available to future contributors, auditors, and tooling.
-
-Examples:
-
-```
-Assisted-by: Devstral:devstral-small-2507
-Assisted-by: ClaudeCode:claude-sonnet-4-6
-Assisted-by: Qwen:qwen3-coder-32b
-Assisted-by: Copilot:gpt-4o
-```
-
-### Author Accountability
-
-The contributor is the legal and moral author of every line they submit. If a reviewer asks "why does this work this way?" and the answer is "the AI wrote it," the PR will be closed. This applies to code, comments, documentation, and tests alike. You must be able to explain, defend, and modify any content you submit.
-
-### Human-Written Communication
-
-Issues, PR descriptions, and review comments must be in the contributor's own words. Translation assistance and grammar/spelling help are acceptable exceptions and do not need to be disclosed - the intent of this rule is to ensure that the ideas, reasoning, and decisions in community communication come from the contributor.
-
-This requirement extends through the entire review process. Contributors must respond to reviewer questions and implement requested changes themselves. Passing maintainer feedback into an AI and posting whatever comes out is not an acceptable substitute for genuine engagement. If a contributor cannot explain or implement a requested change because they do not understand their own submission, the PR will be closed.
-
-### Security and Dependency Scrutiny
-
-AI tools hallucinate package names, produce subtly broken access controls, and may reproduce vulnerable patterns from their training data. Contributors must manually verify all dependencies, access control logic, authentication patterns, and security implications in AI-generated code before submitting - the risk of undetected errors is higher than with hand-written code and warrants extra care.
-
-For general security requirements applicable to all contributions, see the [Contribution Guidelines](CONTRIBUTING.md). Security vulnerabilities must be reported via [HackerOne](https://hackerone.com/nextcloud) following Nextcloud's [security policy](https://nextcloud.com/security/), not via public issues. AI-generated security reports must be independently verified before submission; unverified reports might be closed without response.
-
-### No Autonomous Agent Submissions
-
-AI agents must not open issues, submit pull requests, post review comments, or send security reports autonomously. Every contribution must be composed, reviewed, and submitted by a human. This includes agentic workflows where an AI browses the codebase, plans changes across multiple files, and generates commits - the human contributor remains responsible for reviewing all output before anything is submitted.
-
-AI agents must not add `Signed-off-by` tags: only humans can legally certify the [Developer Certificate of Origin](https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin).
-
-### Licensing and Copyright Compliance
-
-Contributors must ensure AI-generated code contains no material from sources incompatible with the license of the repository or app they are contributing to. Each Nextcloud repository and app carries its own license - contributors are responsible for knowing which applies. For guidance on license headers, see [HowToApplyALicense.md](https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md).
-
-The applicable test has three parts: the AI tool's terms must permit open-source use of its output; no third-party copyrighted material may be reproduced; and any included material must use a compatible open-source license. If generated code appears identical or suspiciously similar to code from an incompatible source, it must be removed or replaced with an original implementation. Ignorance of AI-generated provenance is not a defense.
-
-### Code Quality and Cleanup
-
-AI output must be cleaned before submission. Dead code, redundant logic, excessive comments, inconsistent style, unused variables, structural drift, and unrelated file changes must all be removed. Submitting large AI code blobs without meaningful oversight - sometimes called "vibe coding" or "prompt dumping" - is prohibited.
-
-Signs of a disallowed submission include: large unreviewed AI blobs; obvious mechanical mistakes a human would fix in minutes; code that has clearly never been executed; and pull requests that shift debugging and cleanup work onto maintainers rather than the contributor. As required by the [Contribution Guidelines](CONTRIBUTING.md), all changed and added code must be unit tested - AI-generated code is not exempt from this requirement.
-
-New features must be tested on a live Nextcloud instance by the contributor before submission. Providing test instructions for an AI agent to execute is not a substitute for human testing.
-
---
-
-## Guidelines
-
-### Focused and Scoped Pull Requests
-
-A pull request should address exactly one thing. AI-generated code frequently drifts in scope due to imprecise prompting, touching unrelated files or introducing incidental refactors. If a PR description does not match its diff, that is a signal the contributor did not review their own changes. Large changes must be broken into multiple focused commits or separate PRs.
-
-### Maintainer Discretion
-
-Maintainers have unreviewable authority to close AI-assisted contributions for quality, complexity, scope, or community-fit reasons. A contribution that costs reviewers more time than it returns value to the project is extractive and will be closed, regardless of how many rounds of review it has already received. The golden rule applies: a contribution should be worth more to the project than the time it takes to review.
-
---
-
-## Scope and Updates
-
-This policy applies to all contributions to repositories and apps under the Nextcloud GitHub organization, by all contributors. It will be reviewed and updated as AI tooling, open-source best practices, and applicable law evolve. Suggested changes are welcome via pull requests.
@@ -1,76 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
-SPDX-License-Identifier: MIT
-->
-
-## Submitting issues
-
-If you have questions about how to install or use Nextcloud, please direct these to our [forum][forum].
-
-### Guidelines
-* Please search the existing issues first, it's likely that your issue was already reported or even fixed.
-  - Go to one of the repositories, click "issues" and type any word in the top search/command bar.
-  - More info on [search syntax within github](https://help.github.com/articles/searching-issues)
-* __SECURITY__: Report any potential security bug to us via [our HackerOne page](https://hackerone.com/nextcloud) following our [security policy](https://nextcloud.com/security/) instead of filing an issue in our bug tracker.
-* The issues in other components should be reported in their respective repositories: You will find them in our [GitHub Organization](https://github.com/nextcloud/)
-* Report the issue using one of our templates, they include all the information we need to track down the issue.
-
-Help us to maximize the effort we can spend fixing issues and adding new features, by not reporting duplicate issues.
-
-[forum]: https://help.nextcloud.com/
-
-## Contributing to Source Code
-
-Thanks for wanting to contribute source code to Nextcloud. That's great!
-
-Please read the [Developer Manuals][devmanual] to learn how to create your first application or how to test the Nextcloud code.
-
-### AI-assisted contributions
-
-Nextcloud allows contributions made with the help of AI tools. You are the author of everything you submit - AI assistance does not change that responsibility.
-
-* **Disclosure:** Declare AI tool use in the PR description and add an `Assisted-by: AGENT_NAME:MODEL_VERSION` git trailer to each affected commit.
-
-* **Accountability:** You must be able to explain, defend, and modify every line you submit. If a reviewer asks why something works a certain way, "the AI wrote it" is not an answer.
-
-* **Communication:** PR descriptions, review comments, and issue reports must be written in your own words. This applies throughout the review process - passing reviewer feedback to an AI and posting whatever comes out is not acceptable.
-
-* **Quality:** AI output must be quality assured by the human, i.e. reviewed, cleaned up, and tested before submission. New features must be tested on a live instance by you, not by an agent. Code that has never been executed, or that shifts debugging work onto maintainers, will not be accepted.
-
-* **Licensing:** Ensure AI-generated code contains no material incompatible with the license of the repository you are contributing to.
-
-For the full policy including autonomous agent rules, security reports, and beginner issues, read the [AI Contribution Policy][aipolicy].
-
-### Tests
-
-In order to constantly increase the quality of our software we can no longer accept pull request which submit un-tested code.
-It is a must have that changed and added code segments are unit tested.
-In some areas unit testing is hard (aka almost impossible) as of today - in these areas refactoring WHILE fixing a bug is encouraged to enable unit testing.
-
-### Sign your work
-
-We use the Developer Certificate of Origin (DCO) as a additional safeguard
-for the Nextcloud project. This is a well established and widely used
-mechanism to assure contributors have confirmed their right to license
-their contribution under the project's license.
-Please read [contribute/developer-certificate-of-origin][dcofile].
-If you can certify it, then just add a line to every git commit message:
-
-````
-  Signed-off-by: Random J Developer <random@developer.example.org>
-````
-
-Use your real name (sorry, no pseudonyms or anonymous contributions).
-If you set your `user.name` and `user.email` git configs, you can sign your
-commit automatically with `git commit -s`. You can also use git [aliases](https://git-scm.com/book/tr/v2/Git-Basics-Git-Aliases)
-like `git config --global alias.ci 'commit -s'`. Now you can commit with
-`git ci` and the commit will be signed.
-
-### Apply a license
-
-In case you are not sure how to add or update the license header correctly please have a look at [contribute/HowToApplyALicense.md][applyalicense]
-
-[devmanual]: https://github.com/nextcloud/all-in-one/blob/main/develop.md
-[dcofile]: https://github.com/nextcloud/server/blob/master/contribute/developer-certificate-of-origin
-[applyalicense]: https://github.com/nextcloud/server/blob/master/contribute/HowToApplyALicense.md
-[aipolicy]: https://github.com/nextcloud/all-in-one/blob/main/AI_POLICY.md
@@ -1,12 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a

-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
-    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+LABEL org.label-schema.vendor="Nextcloud"
@@ -15,15 +15,10 @@
 }

 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header {
-        Strict-Transport-Security max-age=31536000;
-
-        -Server
-        -X-Powered-By
-        -Via
-    }
+    header -Server
+    header -X-Powered-By

    # Collabora
    route /browser/* {
@@ -47,14 +42,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        uri strip_prefix /onlyoffice
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
-        }
-    }
-
-    # EuroOffice
-    route /eurooffice/* {
-        uri strip_prefix /eurooffice
-        reverse_proxy {$EUROOFFICE_HOST}:80 {
-            header_up X-Forwarded-Prefix /eurooffice
+            header_up X-Forwarded-Proto https
        }
    }

@@ -77,6 +65,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req

    # Nextcloud
    route {
+        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 127.0.0.1:8000
    }
    redir /.well-known/carddav /remote.php/dav/ 301
@@ -85,9 +74,6 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
-            profile tlsserver
-            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
-            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
        }
    }
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.4-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.68-alpine3.23
+FROM httpd:2.4.66-alpine3.23

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

@@ -60,19 +60,6 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
-# defaults; 25 threads per process balances concurrency against per-process memory use.
-    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Start two server processes on boot to absorb the first requests without spawning
-# new processes on the critical path, while avoiding unnecessary memory overhead.
-    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Keep at least 25 idle threads (one full process worth) so traffic bursts can be
-# absorbed immediately without triggering new process creation.
-    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
-# minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
-# to absorb typical bursts without respawning a new process.
-    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -103,10 +90,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
-    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
@@ -7,7 +7,7 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
@@ -17,9 +17,7 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>

-    # Compress JS, CSS and SVG responses with Brotli.
-    # Other plain-text files are already compressed by Nextcloud itself.
-    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
        BrotliCompressionQuality 0
@@ -28,9 +26,11 @@ Listen 8000
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
+        Options FollowSymLinks MultiViews
+        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
@@ -1,20 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -1,18 +1,19 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
+command=apachectl -DFOREGROUND

 [program:caddy]
 stdout_logfile=/dev/stdout
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 RUN set -ex; \
    \
@@ -25,12 +25,5 @@ USER root

 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
-    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
-    AIO_LOG_LEVEL="warn"
+    org.label-schema.vendor="Nextcloud"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -44,7 +40,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi

 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
@@ -127,7 +123,7 @@ if [ "$BORG_MODE" = backup ]; then
    fi

    # Initialize the repository if can't get info from target
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
            if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -144,14 +140,14 @@ if [ "$BORG_MODE" = backup ]; then

        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2; then
            echo "Could not initialize borg repository."
            exit 1
        fi

        if [ -z "$BORG_REMOTE_REPO" ]; then
            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+            borg config :: additional_free_space 2G

            # Fix too large Borg cache
            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -160,7 +156,7 @@ if [ "$BORG_MODE" = backup ]; then
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi

-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
@@ -220,9 +216,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
        echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -241,14 +237,14 @@ if [ "$BORG_MODE" = backup ]; then

    # Prune archives
    echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
        echo "Failed to prune archives!"
        exit 1
    fi

    # Compact archives
    echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -265,19 +261,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -295,19 +291,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -389,7 +385,7 @@ if [ "$BORG_MODE" = restore ]; then

    if [ -z "$BORG_REMOTE_REPO" ]; then
        mkdir -p /tmp/borg
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
            echo "Could not mount the backup!"
            exit 1
        fi
@@ -436,7 +432,7 @@ if [ "$BORG_MODE" = restore ]; then
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
@@ -468,7 +464,7 @@ if [ "$BORG_MODE" = restore ]; then
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
-                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
@@ -556,7 +552,7 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."

    # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data; then
        echo "Some errors were found while checking the backup integrity!"
        echo "Check the AIO interface for advice on how to proceed now!"
        exit 1
@@ -574,7 +570,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."

    # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -588,7 +584,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg could not get info from the remote repo."
            echo "See the above borg info output for details."
            exit 1
@@ -609,12 +605,12 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi

-    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
+    if ! borg list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
+        if ! borg list | grep "nextcloud-aio"; then
            echo "The backup archive does not contain a valid Nextcloud AIO backup."
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
@@ -627,7 +623,7 @@ fi

 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
@@ -1,16 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    BORG_LOG_LEVEL_FLAG="--warning"
-else
-    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
-fi
-export BORG_LOG_LEVEL_FLAG
-
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -59,7 +48,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
+if borg list &>/dev/null; then
    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -13,15 +13,6 @@ RUN set -ex; \
    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
-# By default clamd keeps the old signature database in RAM while loading the new one,
-# briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
-# Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
-# eliminating that transient peak and significantly reducing maximum RAM consumption.
-    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
-# The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
-# The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
-# and avoids the idle per-thread memory overhead of the larger default pool.
-    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -43,11 +34,5 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
-    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-	set -x
-fi
-
 # Print out clamav version for compliance reasons
 clamscan --version

@@ -1,11 +1,12 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:freshclam]
 stdout_logfile=/dev/stdout
@@ -13,10 +13,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,11 +1,10 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:26.04.1.4.1
+FROM collabora/code:25.04.9.3.1

 USER root
 ARG DEBIAN_FRONTEND=noninteractive

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1001
@@ -13,12 +12,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-
-ENTRYPOINT ["/start.sh"]
+    org.label-schema.vendor="Nextcloud"
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    COLLABORA_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    COLLABORA_LOG_LEVEL="notice"
-else
-    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-
-# Replace the hardcoded log level in extra_params with the translated one
-extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
-export extra_params
-
-exec /start-collabora-online.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.4.0-alpine
+FROM haproxy:3.3.5-alpine

 # hadolint ignore=DL3002
 USER root
@@ -20,10 +20,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
-    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
@@ -1,9 +1,5 @@
 #!/bin/sh

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -22,8 +18,6 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 haproxy -f /tmp/haproxy.cfg -db
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -19,10 +19,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
-    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -18,20 +14,6 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

-# shellcheck disable=SC2235
-if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-handling = "enable"
-CONF_FILE
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-header = "enable"
-debug.log-response-header = "enable"
-CONF_FILE
-fi
-
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf

@@ -1,17 +0,0 @@
-# syntax=docker/dockerfile:latest
-FROM ghcr.io/euro-office/documentserver:v9.3.1-beta.1
-
-# USER root is probably used
-
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="EuroOffice for Nextcloud AIO" \
-    org.opencontainers.image.description="EuroOffice Document Server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-nc -z 127.0.0.1 80 || exit 1
@@ -1,19 +1,21 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.2
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+FROM elasticsearch:8.19.12

 USER root

-# hadolint ignore=DL3041
+ARG DEBIAN_FRONTEND=noninteractive
+
+# hadolint ignore=DL3008
 RUN set -ex; \
    \
-    microdnf update -y; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get update; \
+    apt-get upgrade -y; \
+    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*;

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1000:0
@@ -21,13 +23,5 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
-    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-curl -fs -u "elastic:$ELASTIC_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+nc -z 127.0.0.1 9200 || exit 1
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-
-exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.4-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go

 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee

@@ -14,7 +14,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";

-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -33,8 +33,7 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

-ENV PORT=9000 \
-    AIO_LOG_LEVEL=warn
+ENV PORT=9000

 USER 65534

@@ -45,10 +44,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
-    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 "$PORT" || exit 1
@@ -1,26 +1,8 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'info' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export GOLANG_LOG
-if [ "$AIO_LOG_LEVEL" = "debug" ]; then
-    export DEBUG='*'
-fi
-
 echo "Imaginary has started"
-
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
-
-if [ -n "$IMAGINARY_SECRET" ]; then
-    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
+if [ -z "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
+else
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
 fi
-
-exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.3-cli AS docker
+FROM docker:29.3.0-cli AS docker

-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276

 # Caddy is a requirement
-FROM caddy:2.11.4-builder-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules

 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.7-fpm-alpine3.23
+FROM php:8.5.4-fpm-alpine3.23

 EXPOSE 80
 EXPOSE 8080
@@ -53,16 +53,6 @@ RUN set -ex; \
        build-base; \
    pecl install APCu-5.1.28; \
    docker-php-ext-enable apcu; \
-    { \
-        echo 'apc.shm_size=32M'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.memory_consumption=32'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=4000'; \
-        echo 'opcache.validate_timestamps=0'; \
-    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -100,14 +90,8 @@ RUN set -ex; \
    mkdir /var/run/supervisord;

 # hadolint ignore=DL3048
-LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
-    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
+LABEL org.label-schema.vendor="Nextcloud" \
    wud.watch="false" \
-    dockhand.update="false" \
    com.docker.compose.project="nextcloud-aio"

 # hadolint ignore=DL3002
@@ -17,8 +17,7 @@
 	}

 	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
+		protocols h1 h2 h2c
 	}

 	on_demand_tls {
@@ -33,23 +32,17 @@ http://:80 {
 }

 https://:8443 {
-    import headers.Caddyfile
-    header Strict-Transport-Security max-age=31536000;
-
-	@denied {
-		path /api/auth/login /api/auth/getlogin
-		remote_host nextcloud-aio-nextcloud
-	}
+	@denied remote_host nextcloud-aio-nextcloud
 	abort @denied

 	root * /var/www/docker-aio/php/public
+	encode
 	php_fastcgi unix//run/php.sock
 	file_server

 	tls {
 		on_demand
 		issuer acme {
-            profile shortlived
 			disable_tlsalpn_challenge
 		}
 	}
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -21,9 +17,7 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -65,9 +59,8 @@ while true; do
        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
    fi

-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
+    # Remove dangling images
    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
-    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force

    # Check for available free space
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 echo "Daily backup script has started"

 # Check if initial configuration has been done, otherwise this script should do nothing.
@@ -1,31 +0,0 @@
-header {
-    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
-    # default-src 'none'; Allow nothing by default
-    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
-    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
-    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
-    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
-    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
-    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
-    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
-    # upgrade-insecure-requests; Upgrade all http embedings to https
-    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
-    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
-    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
-    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
-    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
-    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
-    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
-    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
-    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
-
-    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
-    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
-
-    -Server
-    -X-Powered-By
-    -Via
-}
@@ -1,13 +1,9 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
    nc -z 127.0.0.1 8443 || exit 1
-    test -S /run/php.sock || exit 1
+    [ -f /run/php.sock ] || exit 1
    nc -z 127.0.0.1 9876 || exit 1
 fi
@@ -1,11 +1,8 @@
 {
 	admin off

-	# auto_https will be handled manually in acme.Caddyfile
-	auto_https disable_redirects
-
 	storage file_system {
-		root /mnt/docker-aio-config/caddy-internal/
+		root /mnt/docker-aio-config/caddy/
 	}

 	log {
@@ -16,23 +13,18 @@
 	}

 	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
+		protocols h1 h2
 	}

 	skip_install_trust
 }

 https://:8080 {
-    import headers.Caddyfile
-
-	@denied {
-		path /api/auth/login /api/auth/getlogin
-		remote_host nextcloud-aio-nextcloud
-	}
+	@denied remote_host nextcloud-aio-nextcloud
 	abort @denied

 	root * /var/www/docker-aio/php/public
+	encode
 	php_fastcgi unix//run/php.sock
 	file_server

@@ -16,10 +16,6 @@ compare_times() {
    fi
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    compare_times
    sleep 2
@@ -20,10 +20,6 @@ case "${1}" in
 esac
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -173,7 +169,7 @@ elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nex
    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
    exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
+elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
    exit 1
@@ -316,42 +312,6 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
-if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
-fi
-
-# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
-if [ -d "/dev/dri" ]; then
-    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
-    if [ -e "/dev/dri/renderD128" ]; then
-        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
-        export NEXTCLOUD_DRI_GID
-    else
-        export NEXTCLOUD_DRI_GID=""
-    fi
-else
-    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-        # Force the unset of the env if it was not externally overwritten already
-        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
-    fi
-    export NEXTCLOUD_DRI_GID=""
-fi
-
-# Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
-It is set to '$AIO_LOG_LEVEL'".
-    exit 1
-fi
-if [ -z "$AIO_LOG_LEVEL" ]; then
-    export AIO_LOG_LEVEL="warn"
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi

 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -404,7 +364,6 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/caddy-internal/

 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -412,7 +371,6 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/

 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -443,11 +401,5 @@ caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root

-# Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
-mkdir -p /tmp/twig-cache
-rm -rf /tmp/twig-cache/*
-chown www-data:www-data /tmp/twig-cache
-chmod 770 /tmp/twig-cache
-
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf
@@ -5,12 +5,12 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
@@ -54,11 +54,11 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=www-data
+user=root

 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
+stderr_logfile=NONE
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23

 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.5
+ENV NEXTCLOUD_VERSION=32.0.6
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -114,18 +114,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
    { \
-        echo 'opcache.max_accelerated_files=20000'; \
+        echo 'opcache.max_accelerated_files=10000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    { \
        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=128M'; \
+        echo 'apc.shm_size=64M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
@@ -135,20 +135,14 @@ RUN set -ex; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
        echo 'max_input_time=-1'; \
        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
-        echo 'output_buffering=0'; \
-        echo 'realpath_cache_size=8M'; \
-        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
-        echo 'redis.session.lock_wait_time = 100000'; \
-        echo '; prevents stale locks from crashed workers (seconds)'; \
-        echo 'redis.session.lock_expire = 60'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
@@ -250,21 +244,6 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
-# of inactivity.  The upstream default is 10 s, which is aggressive: after a
-# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
-# workers are reaped and the next request burst must wait for fresh forks.  On
-# a loaded host that spawn latency can push Apache past its FastCGI timeout and
-# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
-# polling cycles while still reclaiming memory during genuinely idle periods.
-    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
-# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
-# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
-# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
-# never reaped.  Over time these zombies fill up pm.max_children, leaving no
-# free slots for legitimate requests and causing Apache to return 502 Bad
-# Gateway upstream.
-    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -286,10 +265,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -2,5 +2,4 @@
 $CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
-  'update_channel' => 'stable',
 );
@@ -16,12 +16,6 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-
-$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
-if ($appStoreUrl) {
-    if ($appStoreUrl === 'no') {
-        $CONFIG['appstoreenabled '] = false;
-    } else {
-        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
-    }
+if (getenv('NEXTCLOUD_APP_STORE_URL')) {
+    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
 }
@@ -7,8 +7,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {

  if (getenv('REDIS_HOST')) {
    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
-    $CONFIG['redis']['timeout'] = 3.0;
-    $CONFIG['redis']['read_timeout'] = 10.0;
  }

  if (getenv('REDIS_HOST_PASSWORD')) {
@@ -23,10 +21,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }

-  if (getenv('REDIS_PREFIX')) {
-    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
-  }
-
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
@@ -64,10 +58,6 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }

-  if (getenv('REDIS_PREFIX')) {
-    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
-  }
-
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
@@ -1,4 +0,0 @@
-<?php
-$CONFIG = array (
-  'serverid' => hexdec(hash('xxh32', gethostname())) & 0x1FF,
-);
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -10,10 +10,6 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -24,14 +20,6 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }

-NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '0' ;;
-    info) printf '1' ;;
-    warn) printf '2' ;;
-    error) printf '3' ;;
-esac)"
-export NEXTCLOUD_LOG_LEVEL
-
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then

@@ -87,9 +75,7 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    cat "$CERTIFICATE_BUNDLE"

    # Disable debug mode
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -129,11 +115,6 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    if [ -z "$installed_version" ]; then
-        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
-        echo "Please check the container logs and your PHP installation."
-        exit 1
-    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -236,9 +217,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                        set +x
-                    fi
+                    set +x
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -305,9 +284,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
-            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                set +x
-            fi
+            set +x
        fi

        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -419,32 +396,53 @@ EOF

 # AIO update to latest start # Do not remove or change this line!
            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                if ! bash /upgrade-latest-major.sh; then
-                    echo "Upgrade to latest major version failed! Check the output above for details."
+                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
+                if [ -n "${INSTALLED_AT}" ]; then
+                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
+                    # shellcheck disable=SC2001
+                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
+                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
+                fi
+                php /var/www/html/updater/updater.phar --no-interaction --no-backup
+                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                    echo "Installation of Nextcloud failed!"
+                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
                    exit 1
                fi
                # shellcheck disable=SC2016
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                INSTALLED_MAJOR="${installed_version%%.*}"
+                IMAGE_MAJOR="${image_version%%.*}"
+                # If a valid upgrade path, trigger the Nextcloud built-in Updater
+                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
+                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
+                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                        echo "Installation of Nextcloud failed!"
+                        # TODO: Add a hint here about what to do / where to look / updater.log? 
+                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
+                        exit 1
+                    fi
+                    # shellcheck disable=SC2016
+                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                fi
+                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
+                php /var/www/html/occ app:enable nextcloud-aio --force
+                php /var/www/html/occ db:add-missing-columns
+                php /var/www/html/occ db:add-missing-primary-keys
+                yes | php /var/www/html/occ db:convert-filecache-bigint
            fi
 # AIO update to latest end # Do not remove or change this line!

            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-                php /var/www/html/occ config:system:set log_type --value="errorlog"
-                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
-                php /var/www/html/occ app:disable logreader
-            else
-                php /var/www/html/occ config:system:set log_type --value="file"
-                php /var/www/html/occ config:system:set log_type_audit --value="file"
-                php /var/www/html/occ app:enable logreader
-                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
-            fi
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            php /var/www/html/occ config:system:set log_type --value="file"
+            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
+            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"

            # Apply preview settings
@@ -642,18 +640,8 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-    php /var/www/html/occ config:system:set log_type --value="errorlog"
-    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
-    php /var/www/html/occ app:disable logreader
-else
-    php /var/www/html/occ config:system:set log_type --value="file"
-    php /var/www/html/occ config:system:set log_type_audit --value="file"
-    php /var/www/html/occ app:enable logreader
-    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
-fi
+php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -754,9 +742,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -867,58 +853,6 @@ else
    fi
 fi

-# EuroOffice
-if [ "$EUROOFFICE_ENABLED" = 'yes' ]; then
-    # Determine EuroOffice port based on host pattern
-    if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
-        EUROOFFICE_PORT=80
-    else
-        EUROOFFICE_PORT=443
-    fi
-
-    count=0
-    while ! nc -z "$EUROOFFICE_HOST" "$EUROOFFICE_PORT" && [ "$count" -lt 90 ]; do
-        echo "Waiting for EuroOffice to become available..."
-        count=$((count+5))
-        sleep 5
-    done
-    if [ "$count" -ge 90 ]; then
-        bash /notify.sh "EuroOffice did not start in time!" "Skipping initialization and disabling eurooffice app."
-        php /var/www/html/occ app:disable eurooffice
-    else
-        # Install or enable EuroOffice app as needed
-        if ! [ -d "/var/www/html/custom_apps/eurooffice" ]; then
-            php /var/www/html/occ app:install eurooffice
-        elif [ "$(php /var/www/html/occ config:app:get eurooffice enabled)" != "yes" ]; then
-            php /var/www/html/occ app:enable eurooffice
-        elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:update eurooffice
-        fi
-
-        # Set EuroOffice configuration
-        php /var/www/html/occ config:system:set eurooffice editors_check_interval --value="0" --type=integer 
-        php /var/www/html/occ config:system:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
-        php /var/www/html/occ config:app:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
-        php /var/www/html/occ config:system:set eurooffice jwt_header --value="AuthorizationJwt"
-
-        # Adjust the EuroOffice host if using internal pattern
-        if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
-            EUROOFFICE_HOST="$NC_DOMAIN/eurooffice"
-            export EUROOFFICE_HOST
-        fi
-
-        php /var/www/html/occ config:app:set eurooffice DocumentServerUrl --value="https://$EUROOFFICE_HOST"
-    fi
-else
-    # Remove EuroOffice app if disabled and removal is requested
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && \
-       [ -d "/var/www/html/custom_apps/eurooffice" ] && \
-       [ -n "$EUROOFFICE_SECRET" ] && \
-       [ "$(php /var/www/html/occ config:system:get eurooffice jwt_secret)" = "$EUROOFFICE_SECRET" ]; then
-        php /var/www/html/occ app:remove eurooffice
-    fi
-fi
-
 # Talk
 if [ "$TALK_ENABLED" = 'yes' ]; then
    set -x
@@ -929,9 +863,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -939,20 +871,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update spreed
    fi
-    # Add turn server
-    # shellcheck disable=SC2153
-    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
+    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
+        # shellcheck disable=SC2153
        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
    fi
-    # Add stun server
    STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
-    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
-        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
-    fi
    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
+        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
    fi
-    # Add HPB
    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
    fi
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -29,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -57,9 +53,7 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -176,8 +170,6 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 exec "$@"
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data

-[program:taskprocessing-worker]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=php /var/www/html/occ taskprocessing:worker --timeout 300
-user=www-data
-
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-PHP_CLI="php"
-if [[ "$EUID" = 0 ]]; then
-    PHP_CLI="sudo -u www-data -E $PHP_CLI"
-fi
-
-# shellcheck disable=SC2016
-image_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-export IMAGE_MAJOR="${image_version%%.*}"
-
-$PHP_CLI /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-INSTALLED_AT="$($PHP_CLI /var/www/html/occ config:app:get core installedat)"
-if [ -n "${INSTALLED_AT}" ]; then
-    # Set the installedat to 00 which will allow to skip staging and install the next major directly
-    # shellcheck disable=SC2001
-    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
-    $PHP_CLI /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}"
-fi
-$PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
-if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-    echo "Installation of Nextcloud failed!"
-    touch "$NEXTCLOUD_DATA_DIR/install.failed"
-    exit 1
-fi
-# shellcheck disable=SC2016
-installed_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-export INSTALLED_MAJOR="${installed_version%%.*}"
-# If a valid upgrade path, trigger the Nextcloud built-in Updater
-if ! $PHP_CLI -r "version_compare(getenv('INSTALLED_MAJOR'), getenv('IMAGE_MAJOR'), '>') || exit(1);"; then
-    $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
-    if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-        echo "Installation of Nextcloud failed!"
-        # TODO: Add a hint here about what to do / where to look / updater.log?
-        touch "$NEXTCLOUD_DATA_DIR/install.failed"
-        exit 1
-    fi
-fi
-$PHP_CLI /var/www/html/occ config:system:set updatechecker --type=bool --value=true
-$PHP_CLI /var/www/html/occ app:enable nextcloud-aio --force
-$PHP_CLI /var/www/html/occ db:add-missing-columns
-$PHP_CLI /var/www/html/occ db:add-missing-primary-keys
-yes | $PHP_CLI /var/www/html/occ db:convert-filecache-bigint
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -23,10 +23,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
    exit 0
 fi
@@ -1,11 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export RUST_LOG="$AIO_LOG_LEVEL"
-
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
@@ -28,7 +22,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi

 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] && ! [ -f /var/www/html/apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -42,24 +36,11 @@ if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] &&
    exit 1
 fi

-# Logic for ipv6 disabled servers
-BIND="::"
-if grep -q "1" /sys/module/ipv6/parameters/disable \
-|| grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
-|| grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
-    BIND="0.0.0.0"
-fi
-export BIND
-
 echo "notify-push was started"

-
-if [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
-    PUSH_PATH="/var/www/html/custom_apps/notify_push/bin/$CPU_ARCH/notify_push"
-else
-    PUSH_PATH="/var/www/html/apps/notify_push/bin/$CPU_ARCH/notify_push"
-fi
 # Run it
-exec "$PUSH_PATH" \
+/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --port 7867 \
    /var/www/html/config/config.php
+
+exec "$@"
@@ -9,10 +9,4 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
-    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 80 || exit 1
@@ -1,8 +1,6 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
-
-ENV PGDATA=/var/lib/postgresql/data
+# From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
+FROM postgres:17.9-alpine

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -14,7 +12,6 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
-        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -25,7 +22,6 @@ RUN set -ex; \
    apk del --no-cache shadow; \
    \
 # Fix default permissions
-    mkdir -p /var/lib/postgresql/data; \
    chown -R postgres:postgres /var/lib/postgresql; \
    chown -R postgres:postgres /var/run/postgresql; \
    chmod -R 777 /var/run/postgresql; \
@@ -49,10 +45,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
-    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 test -f "/mnt/data/backup-is-running" && exit 0

-# If database import is running, do not continue with the health check
-if nc -z 127.0.0.1 11000; then
-    exit 0
-fi
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0

-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,16 +1,10 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 set -ex

 touch "$DUMP_DIR/initialization.failed"

-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
@@ -1,20 +1,6 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'debug1' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export POSTGRES_LOG_MIN_MESSAGES
-
 # Variables
-GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
-export GREP_STRING
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
@@ -99,12 +85,13 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    exec docker-entrypoint.sh postgres &

    # Wait for creation
-    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start."
        sleep 5
    done

    # Check if the line we grep for later on is there
+    GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
        echo "The needed oc_appconfig line is not there which is unexpected."
        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
@@ -120,9 +107,8 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
        exit 1
    elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
        DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -165,71 +151,23 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
    echo "Setting postgres values..."
-    PGCONF="/var/lib/postgresql/data/postgresql.conf"

    # Sync this with max pm.max_children and MaxRequestWorkers
    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
    # Also connections should usually be closed again after the process is done
    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"

    # Do not log checkpoints
-    if grep -q "#log_checkpoints" "$PGCONF"; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
-    fi
-
-    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
-    else
-        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
    fi

    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" "$PGCONF"; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
+    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
    fi
-
-    # Increase shared_buffers from the 128MB default for better data caching
-    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
-    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
-
-    # Hint to the query planner about available OS page cache (does not allocate memory)
-    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
-    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
-
-    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
-    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
-    # (max_connections × work_mem) is rarely approached in practice.
-    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
-    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
-
-    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
-    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
-    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
-
-    # Increase WAL buffers to reduce WAL write latency under concurrent write load
-    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
-    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
-
-    # Spread checkpoint I/O over a longer window to reduce spikes
-    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
-    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
-
-    # Tune for SSD storage: random reads are nearly as fast as sequential reads
-    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
-    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
-
-    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
-    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
-    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
-
-    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
-    # to prevent table bloat accumulating before the default 20% threshold is reached
-    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
-    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
-    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
-    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi

 do_database_dump() {
@@ -240,24 +178,14 @@ do_database_dump() {
        rm -f "$DUMP_FILE"
        mv "$DUMP_FILE.temp" "$DUMP_FILE"
        pg_ctl stop -m fast
-        if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
-            echo "Database dump was successful but the expected grep string does not exist."
-            echo "This is not expected!"
-            echo "Please report this to https://github.com/nextcloud/all-in-one/issues."
-            exit 1
-        fi
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 0
    else
        pg_ctl stop -m fast
        echo "Database dump unsuccessful!"
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 1
    fi
 }
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.3-alpine
+FROM redis:8.6.1-alpine

 COPY --chmod=775 start.sh /start.sh

@@ -23,10 +23,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Redis for Nextcloud AIO" \
-    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
@@ -1,50 +1,17 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Redis only supports [debug, verbose, notice, warning, nothing] as log level
-if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
-    REDIS_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    REDIS_LOG_LEVEL="notice"
-else
-    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export REDIS_LOG_LEVEL
-
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "Memory overcommit is disabled but necessary for safe operation"
    echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi

-# Warn if Transparent Huge Pages are enabled (causes latency spikes)
-if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
-    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
-        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
-        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
-    fi
-fi
-
-# Build the redis-server argument list.
-REDIS_ARGS=(
-    --loglevel "$REDIS_LOG_LEVEL"
-    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
-    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
-    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
-    --lazyfree-lazy-expire yes # Expire keys in a background thread
-    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
-    --replica-lazy-flush yes # Flush replica dataset in background thread
-    --activedefrag yes # Reclaim fragmented memory without restart
-    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
-)
-
-if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
-fi
-
 # Run redis with a password if provided
 echo "Redis has started"
-exec redis-server "${REDIS_ARGS[@]}"
+if [ -n "$REDIS_HOST_PASSWORD" ]; then
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+else
+    exec redis-server --loglevel warning
+fi
+
+exec "$@"
--- a/Show More
+++ b/Show More