refactor(nextcloud): extract inline OAuth2 client PHP into standalone script

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b35a7dbb-ff0a-483c-9bc7-1cf43a192e92 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
nc entrypoint: improve Windmill OAuth failure diagnostic message
2026-06-10 08:37:02 +00:00 · 2026-04-28 16:37:23 +00:00 · 2026-04-28 12:31:37 +00:00 · 2026-04-28 12:29:43 +00:00 · 2026-04-28 12:04:58 +00:00 · 2026-04-28 12:03:44 +00:00
194 changed files with 1623 additions and 2237 deletions
@@ -1,20 +0,0 @@
-# https://editorconfig.org
-
-# Tip: to find files violating the rules set out here, run `docker run --rm --volume=$PWD:/check mstruebing/editorconfig-checker`
-
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.yaml]
-indent_size = 2
-
-
-[*.yml]
-indent_size = 2
@@ -31,12 +31,12 @@ updates:
    - "/Containers/collabora"
    - "/Containers/docker-socket-proxy"
    - "/Containers/domaincheck"
-    - "/Containers/eurooffice"
    - "/Containers/fulltextsearch"
    - "/Containers/imaginary"
    - "/Containers/mastercontainer"
    - "/Containers/nextcloud"
    - "/Containers/notify-push"
+    - "/Containers/onlyoffice"
    - "/Containers/postgresql"
    - "/Containers/redis"
    - "/Containers/talk"
@@ -3,8 +3,3 @@
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
-
-<!-- Please check the below checkmarks if applicable -->
-
- [ ] The PR was tested and verified that it works locally
- [ ] The PR was completely or partially created with AI
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check spelling
        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
        with:
@@ -10,7 +10,7 @@ jobs:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
@@ -10,7 +10,7 @@ jobs:
    name: Run dependency update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
      with:
        php-version: 8.5
@@ -25,7 +25,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Install hadolint
        run: |
@@ -10,16 +10,13 @@ on:

 jobs:
  release:
-    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
-    # want to use it for other purposes than publishing helm charts
-    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -10,7 +10,7 @@ jobs:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Validate Json
        run: |
          sudo apt-get update
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
        with:
          persist-credentials: false

@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v5
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
@@ -11,7 +11,7 @@ jobs:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -16,7 +16,7 @@ jobs:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
@@ -5,14 +5,12 @@ on:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'

 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -28,11 +26,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*

      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -57,7 +55,7 @@ jobs:
          rm -r ./session
          composer install --no-dev
          composer clear-cache
-          sudo chmod 777 -R ../
+          sudo chmod 777 -R ./

      - name: Start fresh development server
        run: |
@@ -74,7 +72,6 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -106,7 +103,6 @@ jobs:
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -13,11 +13,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*

      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
@@ -32,7 +32,7 @@ jobs:
    name: static-psalm-analysis
    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

@@ -15,7 +15,7 @@ jobs:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run Shellcheck
      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
      with:
@@ -42,14 +42,14 @@ jobs:
          require: admin

      - name: Checkout workflow repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: source
          repository: nextcloud/.github

      - name: Checkout app
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: target
@@ -10,7 +10,7 @@ jobs:
    name: update talk
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run talk-container-update
      run: |
        # Recording
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up php ${{ matrix.php-versions }}
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
@@ -8,4 +8,4 @@ jobs:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update helm chart
        run: |
          set -x
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
@@ -10,7 +10,7 @@ jobs:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run watchtower-container-update
      run: |
        # Watchtower
@@ -47,14 +47,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        uri strip_prefix /onlyoffice
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
-        }
-    }
-
-    # EuroOffice
-    route /eurooffice/* {
-        uri strip_prefix /eurooffice
-        reverse_proxy {$EUROOFFICE_HOST}:80 {
-            header_up X-Forwarded-Host {http.request.hostport}/eurooffice
+            header_up X-Forwarded-Proto https
        }
    }

@@ -70,6 +63,12 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        reverse_proxy {$WHITEBOARD_HOST}:3002
    }

+    # Windmill
+    route /windmill/* {
+        uri strip_prefix /windmill
+        reverse_proxy {$WINDMILL_HOST}:8000
+    }
+
    # HaRP (ExApps)
    route /exapps/* {
        reverse_proxy {$HARP_HOST}:8780
@@ -85,7 +84,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
-            profile tlsserver
+            profile shortlived
            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.4-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.68-alpine3.23
+FROM httpd:2.4.66-alpine3.23

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

@@ -103,7 +103,6 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
@@ -7,7 +7,35 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
+    LogLevel warn
+
+    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
+    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
+    # which is especially expensive on TLS connections and noticeably slows down
+    # Nextcloud's login page and file manager that load dozens of resources at once.
+    KeepAlive On
+    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
+    # A short timeout frees Apache worker threads quickly so they are available
+    # for new requests; 5 s is long enough to cover the gap between requests
+    # that a browser issues while rendering a page (typically < 1 s), yet short
+    # enough to avoid holding threads open for idle or slow clients.
+    KeepAliveTimeout 5
+    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
+    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
+    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
+    # per sync cycle and routinely exceed 100 requests on a single connection.
+    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
+    # overhead. 500 gives sync clients enough headroom while still periodically
+    # recycling threads to contain per-process memory growth.
+    MaxKeepAliveRequests 500
+
+    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
+    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
+    # negating the compression configured below.  MMAP is also
+    # disabled because files can be replaced by Nextcloud at any time and mmap'd
+    # pages could serve stale data.
+    EnableSendfile Off
+    EnableMMAP Off

    # PHP match
    <FilesMatch "\.php$">
@@ -17,12 +45,17 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>

-    # Compress JS, CSS and SVG responses with Brotli.
+    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
+    # compression with reasonable CPU cost; the default of 0 barely compresses).
    # Other plain-text files are already compressed by Nextcloud itself.
+    # No deflate fallback is needed: every browser that Nextcloud supports
+    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
+    # supports Brotli. Internet Explorer, the only browser that never gained
+    # Brotli support, was dropped by Nextcloud with NC15 (2019).
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 0
+        BrotliCompressionQuality 4
    </IfModule>

    # Nextcloud dir
@@ -1,20 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -5,14 +5,14 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
+command=apachectl -DFOREGROUND

 [program:caddy]
 stdout_logfile=/dev/stdout
@@ -25,12 +25,10 @@ USER root

 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
-    AIO_LOG_LEVEL="warn"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -44,7 +40,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi

 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
@@ -127,7 +123,7 @@ if [ "$BORG_MODE" = backup ]; then
    fi

    # Initialize the repository if can't get info from target
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
            if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -144,14 +140,14 @@ if [ "$BORG_MODE" = backup ]; then

        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2; then
            echo "Could not initialize borg repository."
            exit 1
        fi

        if [ -z "$BORG_REMOTE_REPO" ]; then
            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+            borg config :: additional_free_space 2G

            # Fix too large Borg cache
            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -160,7 +156,7 @@ if [ "$BORG_MODE" = backup ]; then
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi

-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
@@ -220,9 +216,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
        echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -241,14 +237,14 @@ if [ "$BORG_MODE" = backup ]; then

    # Prune archives
    echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
        echo "Failed to prune archives!"
        exit 1
    fi

    # Compact archives
    echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -265,19 +261,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -295,19 +291,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -389,7 +385,7 @@ if [ "$BORG_MODE" = restore ]; then

    if [ -z "$BORG_REMOTE_REPO" ]; then
        mkdir -p /tmp/borg
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
            echo "Could not mount the backup!"
            exit 1
        fi
@@ -436,7 +432,7 @@ if [ "$BORG_MODE" = restore ]; then
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
@@ -468,7 +464,7 @@ if [ "$BORG_MODE" = restore ]; then
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
-                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
@@ -556,7 +552,7 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."

    # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data; then
        echo "Some errors were found while checking the backup integrity!"
        echo "Check the AIO interface for advice on how to proceed now!"
        exit 1
@@ -574,7 +570,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."

    # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -588,7 +584,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg could not get info from the remote repo."
            echo "See the above borg info output for details."
            exit 1
@@ -609,12 +605,12 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi

-    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
+    if ! borg list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
+        if ! borg list | grep "nextcloud-aio"; then
            echo "The backup archive does not contain a valid Nextcloud AIO backup."
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
@@ -627,7 +623,7 @@ fi

 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
@@ -1,16 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    BORG_LOG_LEVEL_FLAG="--warning"
-else
-    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
-fi
-export BORG_LOG_LEVEL_FLAG
-
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -59,7 +48,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
+if borg list &>/dev/null; then
    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
@@ -43,7 +43,6 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-	set -x
-fi
-
 # Print out clamav version for compliance reasons
 clamscan --version

@@ -5,7 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:freshclam]
 stdout_logfile=/dev/stdout
@@ -13,7 +13,6 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,11 +1,10 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:26.04.1.4.1
+FROM collabora/code:25.04.9.4.1

 USER root
 ARG DEBIAN_FRONTEND=noninteractive

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1001
@@ -13,12 +12,9 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    COLLABORA_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    COLLABORA_LOG_LEVEL="notice"
-else
-    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-
-# Replace the hardcoded log level in extra_params with the translated one
-extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
-export extra_params
-
-exec /start-collabora-online.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.4.0-alpine
+FROM haproxy:3.3.6-alpine

 # hadolint ignore=DL3002
 USER root
@@ -20,7 +20,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
@@ -1,9 +1,5 @@
 #!/bin/sh

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -22,8 +18,6 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 haproxy -f /tmp/haproxy.cfg -db
@@ -19,7 +19,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -18,20 +14,6 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

-# shellcheck disable=SC2235
-if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-handling = "enable"
-CONF_FILE
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-header = "enable"
-debug.log-response-header = "enable"
-CONF_FILE
-fi
-
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf

@@ -1,17 +0,0 @@
-# syntax=docker/dockerfile:latest
-FROM ghcr.io/euro-office/documentserver:v9.3.1-beta.1
-
-# USER root is probably used
-
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="EuroOffice for Nextcloud AIO" \
-    org.opencontainers.image.description="EuroOffice Document Server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-nc -z 127.0.0.1 80 || exit 1
@@ -1,19 +1,21 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.2
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+FROM elasticsearch:8.19.14

 USER root

-# hadolint ignore=DL3041
+ARG DEBIAN_FRONTEND=noninteractive
+
+# hadolint ignore=DL3008
 RUN set -ex; \
    \
-    microdnf update -y; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get update; \
+    apt-get upgrade -y; \
+    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*;

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1000:0
@@ -21,7 +23,6 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -29,5 +30,3 @@ LABEL com.centurylinklabs.watchtower.enable="false" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-curl -fs -u "elastic:$ELASTIC_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-
-exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.4-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go

 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee

@@ -33,8 +33,7 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

-ENV PORT=9000 \
-    AIO_LOG_LEVEL=warn
+ENV PORT=9000

 USER 65534

@@ -45,7 +44,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 "$PORT" || exit 1
@@ -1,20 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'info' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export GOLANG_LOG
-if [ "$AIO_LOG_LEVEL" = "debug" ]; then
-    export DEBUG='*'
-fi
-
 echo "Imaginary has started"

 IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
@@ -1,17 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.3-cli AS docker
+FROM docker:29.4.1-cli AS docker

-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276

 # Caddy is a requirement
-FROM caddy:2.11.4-builder-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules

 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.7-fpm-alpine3.23
+FROM php:8.5.5-fpm-alpine3.23

 EXPOSE 80
 EXPOSE 8080
@@ -107,7 +107,6 @@ LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
    wud.watch="false" \
-    dockhand.update="false" \
    com.docker.compose.project="nextcloud-aio"

 # hadolint ignore=DL3002
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -21,9 +17,7 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 echo "Daily backup script has started"

 # Check if initial configuration has been done, otherwise this script should do nothing.
@@ -18,9 +18,9 @@ header {
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy

    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
@@ -16,10 +16,6 @@ compare_times() {
    fi
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    compare_times
    sleep 2
@@ -20,10 +20,6 @@ case "${1}" in
 esac
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -337,22 +333,6 @@ else
    export NEXTCLOUD_DRI_GID=""
 fi

-# Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
-It is set to '$AIO_LOG_LEVEL'".
-    exit 1
-fi
-if [ -z "$AIO_LOG_LEVEL" ]; then
-    export AIO_LOG_LEVEL="warn"
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
 if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then
@@ -5,12 +5,12 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
@@ -54,11 +54,11 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=www-data
+user=root

 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
+stderr_logfile=NONE
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23

 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.5
+ENV NEXTCLOUD_VERSION=33.0.2
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -250,21 +250,6 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
-# of inactivity.  The upstream default is 10 s, which is aggressive: after a
-# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
-# workers are reaped and the next request burst must wait for fresh forks.  On
-# a loaded host that spawn latency can push Apache past its FastCGI timeout and
-# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
-# polling cycles while still reclaiming memory during genuinely idle periods.
-    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
-# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
-# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
-# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
-# never reaped.  Over time these zombies fill up pm.max_children, leaving no
-# free slots for legitimate requests and causing Apache to return 502 Bad
-# Gateway upstream.
-    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -278,6 +263,8 @@ RUN set -ex; \
    mkdir -p /nc-updater; \
    chmod -R 777 /nc-updater

+COPY --chmod=775 Containers/nextcloud/create-oauth2-client.php /create-oauth2-client.php
+
 # hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
@@ -286,7 +273,6 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -2,5 +2,4 @@
 $CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
-  'update_channel' => 'stable',
 );
@@ -1,4 +1,4 @@
 <?php
 $CONFIG = array (
-  'serverid' => hexdec(hash('xxh32', gethostname())) & 0x1FF,
+  'serverid' => crc32(gethostname()) % 512,
 );
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Creates a Nextcloud OAuth2 client and prints its credentials to stdout.
+ *
+ * Usage: php create-oauth2-client.php <name> <redirect-uri>
+ *
+ * Output (two lines):
+ *   <client_id>
+ *   <client_secret>
+ *
+ * Any existing client with the same name is deleted first so that the
+ * operation is idempotent (stale clients whose secret has been lost are
+ * replaced by a fresh one).
+ */
+
+if ($argc !== 3) {
+    fwrite(STDERR, "Usage: php create-oauth2-client.php <name> <redirect-uri>\n");
+    exit(1);
+}
+
+$name = $argv[1];
+$redirectUri = $argv[2];
+
+define('OC_CONSOLE', 1);
+require_once '/var/www/html/lib/base.php';
+
+\OC_App::loadApp('oauth2');
+
+$container = \OC::getContainer();
+/** @var \OCA\OAuth2\Db\ClientMapper $mapper */
+$mapper = $container->get(\OCA\OAuth2\Db\ClientMapper::class);
+/** @var \OCP\Security\ICrypto $crypto */
+$crypto = $container->get(\OCP\Security\ICrypto::class);
+/** @var \OCP\Security\ISecureRandom $random */
+$random = $container->get(\OCP\Security\ISecureRandom::class);
+
+// Delete any stale client with the same name that might have lost its secret.
+foreach ($mapper->getClients() as $existing) {
+    if ($existing->getName() === $name) {
+        $mapper->delete($existing);
+    }
+}
+
+$client = new \OCA\OAuth2\Db\Client();
+$client->setName($name);
+$client->setRedirectUri($redirectUri);
+
+$secret = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setSecret(bin2hex($crypto->calculateHMAC($secret)));
+
+$clientId = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setClientIdentifier($clientId);
+
+$mapper->insert($client);
+
+echo $clientId . "\n";
+echo $secret . "\n";
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -10,10 +10,6 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -24,14 +20,6 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }

-NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '0' ;;
-    info) printf '1' ;;
-    warn) printf '2' ;;
-    error) printf '3' ;;
-esac)"
-export NEXTCLOUD_LOG_LEVEL
-
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then

@@ -87,9 +75,7 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    cat "$CERTIFICATE_BUNDLE"

    # Disable debug mode
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -236,9 +222,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                        set +x
-                    fi
+                    set +x
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -305,9 +289,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
-            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                set +x
-            fi
+            set +x
        fi

        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -419,19 +401,48 @@ EOF

 # AIO update to latest start # Do not remove or change this line!
            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                if ! bash /upgrade-latest-major.sh; then
-                    echo "Upgrade to latest major version failed! Check the output above for details."
+                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
+                if [ -n "${INSTALLED_AT}" ]; then
+                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
+                    # shellcheck disable=SC2001
+                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
+                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
+                fi
+                php /var/www/html/updater/updater.phar --no-interaction --no-backup
+                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                    echo "Installation of Nextcloud failed!"
+                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
                    exit 1
                fi
                # shellcheck disable=SC2016
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                INSTALLED_MAJOR="${installed_version%%.*}"
+                IMAGE_MAJOR="${image_version%%.*}"
+                # If a valid upgrade path, trigger the Nextcloud built-in Updater
+                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
+                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
+                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                        echo "Installation of Nextcloud failed!"
+                        # TODO: Add a hint here about what to do / where to look / updater.log? 
+                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
+                        exit 1
+                    fi
+                    # shellcheck disable=SC2016
+                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                fi
+                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
+                php /var/www/html/occ app:enable nextcloud-aio --force
+                php /var/www/html/occ db:add-missing-columns
+                php /var/www/html/occ db:add-missing-primary-keys
+                yes | php /var/www/html/occ db:convert-filecache-bigint
            fi
 # AIO update to latest end # Do not remove or change this line!

            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
                php /var/www/html/occ config:system:set log_type --value="errorlog"
                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -642,7 +653,6 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
 if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
    php /var/www/html/occ config:system:set log_type --value="errorlog"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
@@ -754,9 +764,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -867,58 +875,6 @@ else
    fi
 fi

-# EuroOffice
-if [ "$EUROOFFICE_ENABLED" = 'yes' ]; then
-    # Determine EuroOffice port based on host pattern
-    if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
-        EUROOFFICE_PORT=80
-    else
-        EUROOFFICE_PORT=443
-    fi
-
-    count=0
-    while ! nc -z "$EUROOFFICE_HOST" "$EUROOFFICE_PORT" && [ "$count" -lt 90 ]; do
-        echo "Waiting for EuroOffice to become available..."
-        count=$((count+5))
-        sleep 5
-    done
-    if [ "$count" -ge 90 ]; then
-        bash /notify.sh "EuroOffice did not start in time!" "Skipping initialization and disabling eurooffice app."
-        php /var/www/html/occ app:disable eurooffice
-    else
-        # Install or enable EuroOffice app as needed
-        if ! [ -d "/var/www/html/custom_apps/eurooffice" ]; then
-            php /var/www/html/occ app:install eurooffice
-        elif [ "$(php /var/www/html/occ config:app:get eurooffice enabled)" != "yes" ]; then
-            php /var/www/html/occ app:enable eurooffice
-        elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:update eurooffice
-        fi
-
-        # Set EuroOffice configuration
-        php /var/www/html/occ config:system:set eurooffice editors_check_interval --value="0" --type=integer 
-        php /var/www/html/occ config:system:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
-        php /var/www/html/occ config:app:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
-        php /var/www/html/occ config:system:set eurooffice jwt_header --value="AuthorizationJwt"
-
-        # Adjust the EuroOffice host if using internal pattern
-        if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
-            EUROOFFICE_HOST="$NC_DOMAIN/eurooffice"
-            export EUROOFFICE_HOST
-        fi
-
-        php /var/www/html/occ config:app:set eurooffice DocumentServerUrl --value="https://$EUROOFFICE_HOST"
-    fi
-else
-    # Remove EuroOffice app if disabled and removal is requested
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && \
-       [ -d "/var/www/html/custom_apps/eurooffice" ] && \
-       [ -n "$EUROOFFICE_SECRET" ] && \
-       [ "$(php /var/www/html/occ config:system:get eurooffice jwt_secret)" = "$EUROOFFICE_SECRET" ]; then
-        php /var/www/html/occ app:remove eurooffice
-    fi
-fi
-
 # Talk
 if [ "$TALK_ENABLED" = 'yes' ]; then
    set -x
@@ -929,9 +885,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -1136,5 +1090,41 @@ else
    fi
 fi

+# Windmill app
+if [ "$WINDMILL_ENABLED" = 'yes' ]; then
+    if ! [ -d "/var/www/html/custom_apps/windmill" ]; then
+        php /var/www/html/occ app:install windmill
+    elif [ "$(php /var/www/html/occ config:app:get windmill enabled)" != "yes" ]; then
+        php /var/www/html/occ app:enable windmill
+    elif [ "$SKIP_UPDATE" != 1 ]; then
+        php /var/www/html/occ app:update windmill
+    fi
+    php /var/www/html/occ config:app:set windmill windmill_url --value="https://$NC_DOMAIN/windmill"
+    php /var/www/html/occ config:app:set windmill windmill_instance_url --value="http://$WINDMILL_HOST:8000"
+    # Create an NC OAuth2 client for Windmill (idempotent: reuse stored credentials if already created)
+    WINDMILL_NC_OAUTH_CLIENT_ID="$(php /var/www/html/occ config:app:get windmill nc_oauth_client_id 2>/dev/null)"
+    WINDMILL_NC_OAUTH_CLIENT_SECRET="$(php /var/www/html/occ config:app:get windmill nc_oauth_client_secret 2>/dev/null)"
+    if [ -z "$WINDMILL_NC_OAUTH_CLIENT_ID" ] || [ -z "$WINDMILL_NC_OAUTH_CLIENT_SECRET" ]; then
+        WINDMILL_NC_REDIRECT_URI="https://$NC_DOMAIN/windmill/user/login_callback/nextcloud"
+        WINDMILL_OAUTH_OUTPUT="$(php /create-oauth2-client.php "Windmill" "$WINDMILL_NC_REDIRECT_URI" 2>/dev/null)"
+        WINDMILL_NC_OAUTH_CLIENT_ID="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | head -1)"
+        WINDMILL_NC_OAUTH_CLIENT_SECRET="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | tail -1)"
+        php /var/www/html/occ config:app:set windmill nc_oauth_client_id --value="$WINDMILL_NC_OAUTH_CLIENT_ID"
+        php /var/www/html/occ config:app:set windmill nc_oauth_client_secret --value="$WINDMILL_NC_OAUTH_CLIENT_SECRET"
+    fi
+    # Configure Windmill to use NC as OAuth SSO provider
+    WINDMILL_OAUTH_BODY="{\"value\":{\"nextcloud\":{\"id\":\"$WINDMILL_NC_OAUTH_CLIENT_ID\",\"secret\":\"$WINDMILL_NC_OAUTH_CLIENT_SECRET\",\"login_config\":{\"auth_url\":\"https://$NC_DOMAIN/apps/oauth2/authorize\",\"token_url\":\"https://$NC_DOMAIN/apps/oauth2/api/v1/token\",\"userinfo_url\":\"https://$NC_DOMAIN/ocs/v2.php/cloud/user?format=json\",\"scopes\":[]}}}}"
+    WINDMILL_OAUTH_RESPONSE="$(curl -s -w '\n%{http_code}' -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $WINDMILL_SECRET" -d "$WINDMILL_OAUTH_BODY" "http://$WINDMILL_HOST:8000/api/settings/global/oauths")"
+    WINDMILL_OAUTH_STATUS="$(echo "$WINDMILL_OAUTH_RESPONSE" | tail -1)"
+    if [ "$WINDMILL_OAUTH_STATUS" != "200" ]; then
+        echo "Failed to configure Windmill OAuth against http://$WINDMILL_HOST:8000 (HTTP $WINDMILL_OAUTH_STATUS). Response: $(echo "$WINDMILL_OAUTH_RESPONSE" | head -1). Exiting!"
+        exit 1
+    fi
+else
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/windmill" ]; then
+        php /var/www/html/occ app:remove windmill
+    fi
+fi
+
 # Remove the update skip file always
 rm -f "$NEXTCLOUD_DATA_DIR"/skip.update
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -57,9 +53,7 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -176,8 +170,6 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 exec "$@"
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-PHP_CLI="php"
-if [[ "$EUID" = 0 ]]; then
-    PHP_CLI="sudo -u www-data -E $PHP_CLI"
-fi
-
-# shellcheck disable=SC2016
-image_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-export IMAGE_MAJOR="${image_version%%.*}"
-
-$PHP_CLI /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-INSTALLED_AT="$($PHP_CLI /var/www/html/occ config:app:get core installedat)"
-if [ -n "${INSTALLED_AT}" ]; then
-    # Set the installedat to 00 which will allow to skip staging and install the next major directly
-    # shellcheck disable=SC2001
-    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
-    $PHP_CLI /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}"
-fi
-$PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
-if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-    echo "Installation of Nextcloud failed!"
-    touch "$NEXTCLOUD_DATA_DIR/install.failed"
-    exit 1
-fi
-# shellcheck disable=SC2016
-installed_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-export INSTALLED_MAJOR="${installed_version%%.*}"
-# If a valid upgrade path, trigger the Nextcloud built-in Updater
-if ! $PHP_CLI -r "version_compare(getenv('INSTALLED_MAJOR'), getenv('IMAGE_MAJOR'), '>') || exit(1);"; then
-    $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
-    if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-        echo "Installation of Nextcloud failed!"
-        # TODO: Add a hint here about what to do / where to look / updater.log?
-        touch "$NEXTCLOUD_DATA_DIR/install.failed"
-        exit 1
-    fi
-fi
-$PHP_CLI /var/www/html/occ config:system:set updatechecker --type=bool --value=true
-$PHP_CLI /var/www/html/occ app:enable nextcloud-aio --force
-$PHP_CLI /var/www/html/occ db:add-missing-columns
-$PHP_CLI /var/www/html/occ db:add-missing-primary-keys
-yes | $PHP_CLI /var/www/html/occ db:convert-filecache-bigint
@@ -23,7 +23,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
    exit 0
 fi
@@ -1,11 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export RUST_LOG="$AIO_LOG_LEVEL"
-
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
@@ -28,7 +22,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi

 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] && ! [ -f /var/www/html/apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -42,24 +36,9 @@ if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] &&
    exit 1
 fi

-# Logic for ipv6 disabled servers
-BIND="::"
-if grep -q "1" /sys/module/ipv6/parameters/disable \
-|| grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
-|| grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
-    BIND="0.0.0.0"
-fi
-export BIND
-
 echo "notify-push was started"

-
-if [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
-    PUSH_PATH="/var/www/html/custom_apps/notify_push/bin/$CPU_ARCH/notify_push"
-else
-    PUSH_PATH="/var/www/html/apps/notify_push/bin/$CPU_ARCH/notify_push"
-fi
 # Run it
-exec "$PUSH_PATH" \
+exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
    --port 7867 \
    /var/www/html/config/config.php
@@ -9,7 +9,6 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 80 || exit 1
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
+FROM postgres:18.3-alpine

 ENV PGDATA=/var/lib/postgresql/data

@@ -14,7 +14,6 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
-        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -49,7 +48,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 test -f "/mnt/data/backup-is-running" && exit 0

-# If database import is running, do not continue with the health check
-if nc -z 127.0.0.1 11000; then
-    exit 0
-fi
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0

 PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 set -ex

 touch "$DUMP_DIR/initialization.failed"
@@ -1,20 +1,6 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'debug1' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export POSTGRES_LOG_MIN_MESSAGES
-
 # Variables
-GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
-export GREP_STRING
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
@@ -105,6 +91,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    done

    # Check if the line we grep for later on is there
+    GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
        echo "The needed oc_appconfig line is not there which is unexpected."
        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
@@ -179,12 +166,6 @@ if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
    fi

-    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
-    else
-        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
-    fi
-
    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
    if grep -q "^idle_session_timeout" "$PGCONF"; then
        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
@@ -240,24 +221,14 @@ do_database_dump() {
        rm -f "$DUMP_FILE"
        mv "$DUMP_FILE.temp" "$DUMP_FILE"
        pg_ctl stop -m fast
-        if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
-            echo "Database dump was successful but the expected grep string does not exist."
-            echo "This is not expected!"
-            echo "Please report this to https://github.com/nextcloud/all-in-one/issues."
-            exit 1
-        fi
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 0
    else
        pg_ctl stop -m fast
        echo "Database dump unsuccessful!"
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 1
    fi
 }
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.3-alpine
+FROM redis:8.6.2-alpine

 COPY --chmod=775 start.sh /start.sh

@@ -23,7 +23,6 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Redis for Nextcloud AIO" \
    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
@@ -1,19 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Redis only supports [debug, verbose, notice, warning, nothing] as log level
-if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
-    REDIS_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    REDIS_LOG_LEVEL="notice"
-else
-    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export REDIS_LOG_LEVEL
-
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "Memory overcommit is disabled but necessary for safe operation"
@@ -30,7 +16,7 @@ fi

 # Build the redis-server argument list.
 REDIS_ARGS=(
-    --loglevel "$REDIS_LOG_LEVEL"
+    --loglevel warning
    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.5-alpine3.23
+FROM python:3.14.3-alpine3.23

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 ENV RECORDING_VERSION=v0.2.1
-ENV ALLOW_ALL=false \
-    HPB_PROTOCOL=https \
-    NC_PROTOCOL=https \
-    SKIP_VERIFY=false \
-    HPB_PATH=/standalone-signaling/ \
-    AIO_LOG_LEVEL=warn
+ENV ALLOW_ALL=false
+ENV HPB_PROTOCOL=https
+ENV NC_PROTOCOL=https
+ENV SKIP_VERIFY=false
+ENV HPB_PATH=/standalone-signaling/

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -35,9 +34,6 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
-    if [ "$(apk --print-arch)" = "x86_64" ]; then \
-        apk add --no-cache intel-media-driver; \
-    fi; \
    useradd -d /tmp --system recording -u 122; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -67,7 +63,6 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 1234 || exit 1
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-TALK_RECORDING_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '10' ;;
-    info) printf '20' ;;
-    warn) printf '30' ;;
-    error) printf '40' ;;
-esac)"
-export TALK_RECORDING_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -61,7 +49,7 @@ fi
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
-level = ${TALK_RECORDING_LOG_LEVEL}
+level = 30

 [http]
 listen = 0.0.0.0:1234
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.2-scratch AS nats
+FROM nats:2.12.7-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
@@ -37,8 +37,7 @@ RUN set -ex; \

 FROM alpine:3.23.4
 ENV ETURNAL_ETC_DIR="/conf"
-ENV SKIP_CERT_VERIFY=false \
-    AIO_LOG_LEVEL=warn
+ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
@@ -112,7 +111,6 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Talk for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
@@ -1,16 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-nc -z 127.0.0.1 8081 || nc -z ::1 8081 || exit 1
+nc -z 127.0.0.1 8081 || exit 1
 nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
-nc -z 127.0.0.1 "$TALK_PORT" || nc -z ::1 "$TALK_PORT" || exit 1
+nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
 # Verify that the signaling server is actually serving requests, not just
 # listening on the TCP port (which nc -z above only tests for open port).
-# SC2102: [::1] is an IPv6 address literal in a URL, not a character-range glob.
-# shellcheck disable=SC2102
-wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || wget -q -O /dev/null http://[::1]:8081/api/v1/stats || exit 1
+wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1
@@ -1,23 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    ETURNAL_LOG_LEVEL="warning"
-else
-    ETURNAL_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export ETURNAL_LOG_LEVEL
-JANUS_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '7' ;;
-    info) printf '4' ;;
-    warn) printf '3' ;;
-    error) printf '1' ;;
-esac)"
-export JANUS_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -49,9 +31,7 @@ if mountpoint -q /usr/local/share/ca-certificates; then
        fi
    done
    export SSL_CERT_FILE=/tmp/ca-certificates.crt
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 set -x
@@ -60,9 +40,7 @@ IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]
 IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
 # shellcheck disable=SC2153
 IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
    IPv4_ADDRESS_TALK=""
@@ -75,16 +53,7 @@ if grep -q "1" /sys/module/ipv6/parameters/disable \
 || grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
    IP_BINDING="0.0.0.0"
 fi
-# Build a listen address suitable for the signaling server's "ip:port" format.
-# IPv6 needs bracket notation: [::]:8081; IPv4 keeps the plain form: 0.0.0.0:8081
-if [ "$IP_BINDING" = "::" ]; then
-    SIGNALING_LISTEN="[::]:8081"
-else
-    SIGNALING_LISTEN="$IP_BINDING:8081"
-fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Turn
 cat << TURN_CONF > "/conf/eturnal.yml"
@@ -97,7 +66,7 @@ eturnal:
      port: $TALK_PORT
      transport: tcp
  log_dir: stdout
-  log_level: ${ETURNAL_LOG_LEVEL}
+  log_level: warning
  secret: "$TURN_SECRET"
  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
@@ -125,7 +94,7 @@ fi
 # Signaling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
-listen = ${SIGNALING_LISTEN}
+listen = 0.0.0.0:8081
 readtimeout = 15
 writetimeout = 30

@@ -5,7 +5,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -30,7 +30,8 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level %(ENV_JANUS_LOG_LEVEL)s
+# debug-level 3 means warning
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 # Start alongside eturnal; signaling connects to Janus via WebSocket
 priority=20

@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.4-alpine3.23 AS go
+FROM golang:1.26.2-alpine3.23 AS go

-ENV WATCHTOWER_COMMIT_HASH=9d0048403a7242943084bede951f6f966f7691ba	
+ENV WATCHTOWER_COMMIT_HASH=652c89577076f6bc6f2af4465217589641216ee3	

 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.17.2
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.16.1

 FROM alpine:3.23.4

@@ -22,12 +22,9 @@ COPY --chmod=775 start.sh /start.sh
 # hadolint ignore=DL3002
 USER root

-ENV AIO_LOG_LEVEL="warn"
-
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	e1b13cda63	refactor(nextcloud): extract inline OAuth2 client PHP into standalone script Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b35a7dbb-ff0a-483c-9bc7-1cf43a192e92 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 16:37:23 +00:00
copilot-swe-agent[bot]	8925baf12f	nc entrypoint: improve Windmill OAuth failure diagnostic message Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/ad1489a0-4da0-41fd-b1d0-46da7ef545c3 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 12:31:37 +00:00
copilot-swe-agent[bot]	b3f66b4c50	nc entrypoint: replace fake windmill_admin_token with real NC OAuth2 SSO setup Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/ad1489a0-4da0-41fd-b1d0-46da7ef545c3 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 12:29:43 +00:00
copilot-swe-agent[bot]	e1e85c5ca9	nc entrypoint: include HTTP status in Windmill auth failure message Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b977bac7-8311-4877-ba23-92438ed0a4fe Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 12:04:58 +00:00
copilot-swe-agent[bot]	1ee3db8195	nc entrypoint: set windmill_admin_token and verify API auth against Windmill Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b977bac7-8311-4877-ba23-92438ed0a4fe Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 12:03:44 +00:00
copilot-swe-agent[bot]	56afde115d	windmill: secret protection, socket-only postgres, volume rename/backup Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/8bfb1fa8-7878-434e-ab4d-1034067e5ad0 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 11:30:53 +00:00
copilot-swe-agent[bot]	b205e46976	windmill: move dump to dedicated volume, remove unix_http_server, simplify upgrade path Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d87bac25-9c31-4c46-ad37-1e6426a3af2e Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 11:23:20 +00:00
copilot-swe-agent[bot]	e077aea86d	Fix windmill postgres upgrade reliability: persistent-volume staging dir, tighten sentinels, supervisorctl Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/5e1df9cc-b63e-4a5a-9148-38907b6d8db9 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-28 11:15:38 +00:00
copilot-swe-agent[bot]	c60861d79c	Replace pg_upgrade with pg_dump/restore for windmill postgres major-version upgrade Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/58741c1d-7822-425b-a995-deab87e5901c Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 14:54:28 +00:00
copilot-swe-agent[bot]	1823336f89	Pin exact postgres/windmill versions, add auto pg_upgrade, extend healthcheck Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/505f902b-a447-4fcc-9203-f11119207409 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 14:26:08 +00:00
copilot-swe-agent[bot]	d63f0afc63	Remove WINDMILL_ENABLED from apache start.sh, simplify windmill cert config, add cache invalidation on image update Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/6ba2c0de-f503-4989-9dea-4bc64a51e4f9 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 09:45:42 +00:00
copilot-swe-agent[bot]	9f90afbc5e	Add Windmill as optional container, served on /windmill subpath Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/e78b6157-a4ea-4185-bf37-1659a458d4db Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 09:41:09 +00:00
copilot-swe-agent[bot]	51124784c2	Serve windmill on /windmill subpath instead of port 3100; add to disable-containers.js Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/3c346202-c2e6-4e97-bf61-a1f5d42670fd Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 09:30:29 +00:00
copilot-swe-agent[bot]	f08103ca15	Fix rootless windmill container: use uid=1000, fix tmpfs modes, CA certs, WINDMILL_DIR Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/81d1b5cc-ab2d-4337-801b-25755355183e Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 09:16:25 +00:00
copilot-swe-agent[bot]	312acddf27	Changes before error encountered Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/6f198732-63c3-41b7-8b2e-1b5fa565ee21 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 02:12:13 +00:00
copilot-swe-agent[bot]	5cbdb00ff4	WIP: windmill derived image builds successfully, adding rootless + read-only Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/6f198732-63c3-41b7-8b2e-1b5fa565ee21 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 02:10:58 +00:00
copilot-swe-agent[bot]	4b27d6954f	WIP: implementing windmill container changes Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/6f198732-63c3-41b7-8b2e-1b5fa565ee21 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-04-27 01:58:39 +00:00