increase to 6.4.0

Signed-off-by: Simon L <szaimen@e.mail.de>
also add it to libusrtctp to normal container
2026-05-21 10:50:10 +00:00 · 2023-07-21 00:45:43 +02:00 · 2023-07-20 18:11:31 +02:00 · 2023-07-20 17:52:30 +02:00 · 2023-07-20 16:44:24 +02:00 · 2023-07-20 16:10:59 +02:00
165 changed files with 4125 additions and 1648 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -108,6 +108,15 @@ updates:
  labels:
  - 3. to review
  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/talk-recording"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
 - package-ecosystem: "docker"
  directory: "/Containers/watchtower"
  schedule:
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,20 @@
+name: 'Codespell'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  codespell:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+      - name: Check spelling
+        uses: codespell-project/actions-codespell@v2
+        with:
+          check_filenames: true
+          check_hidden: true
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          repository: ${{ github.event.repository.full_name }}
@@ -31,18 +31,18 @@ jobs:
          reaction-type: "+1"

      - name: Checkout the latest code
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
        with:
          fetch-depth: 0
          token: ${{ secrets.COMMAND_BOT_PAT }}

      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.8
+        uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8
        env:
          GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}

      - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
        if: failure()
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
--- a/.github/workflows/create-psalm-container.yml
+++ b/.github/workflows/create-psalm-container.yml
@@ -1,54 +0,0 @@
-name: Create Psalm Container
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '5 4 * * *'
-
-jobs:
-  push_to_registry:
-    runs-on: ubuntu-latest
-
-    name: Create Psalm Container
-
-    permissions:
-      packages: write
-      contents: read
-
-    steps:
-      - name: Check out the repo
-        run: |
-          git clone https://github.com/psalm/psalm-github-actions.git
-      
-      - name: Modify the Dockerfile
-        run: |
-          set -x
-          sed -i 's|FROM php:7.4-alpine|FROM php:8.1-alpine|' "psalm-github-actions/Dockerfile"
-          cat << APCU >> "psalm-github-actions/Dockerfile"
-          RUN mkdir -p /usr/src/php/ext/apcu && \
-            curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && \
-            docker-php-ext-install apcu
-          APCU
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v2
-        with:
-          registry: docker.pkg.github.com
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build container image
-        uses: docker/build-push-action@v4
-        with:
-          push: true
-          context: 'psalm-github-actions'
-          file: 'psalm-github-actions/Dockerfile'
-          tags: |
-            ghcr.io/nextcloud/all-in-one-psalm:latest
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -13,23 +13,24 @@ jobs:
    - uses: actions/checkout@v3
    - uses: shivammathur/setup-php@v2
      with:
-        php-version: 8.1
+        php-version: 8.2
        extensions: apcu
    - name: Run dependency update script
      run: |
        set -x
        cd ./php
-        composer update
-        set +e
-        ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
-        set -e
-        while [ -n "$ALL_LINES" ]; do
-          CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
-          composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
-          ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
-        done
-        echo "outdated dependencies:
-        $(composer outdated)"
+        composer update --with-all-dependencies
+        # Disable dependency updates for now
+        # set +e
+        # ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
+        # set -e
+        # while [ -n "$ALL_LINES" ]; do
+        #   CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
+        #   composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
+        #   ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
+        # done
+        # echo "outdated dependencies:
+        # $(composer outdated)"
    - name: Update apcu
      run: |
        # APCU
@@ -43,12 +44,12 @@ jobs:
        )"
        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v4
+      uses: peter-evans/create-pull-request@v5
      with:
        commit-message: dependency updates
        signoff: true
        title: Dependency updates
        body: Automated dependency updates since dependabot does not support grouped updates
-        labels: dependencies, enhancement
+        labels: dependencies, 3. to review
        milestone: next
        branch: aio-dependency-update
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -0,0 +1,54 @@
+name: Docker Lint
+
+on:
+  pull_request:
+    paths:
+      - 'Containers/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'Containers/**'
+
+permissions:
+  contents: read
+
+concurrency: 
+  group: docker-lint-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  docker-lint:
+    runs-on: ubuntu-latest
+
+    name: docker-lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install npm and dockerfilelint
+        run: |
+          sudo apt-get update
+          sudo apt-get install nodejs npm -y --no-install-recommends
+          npm install -g dockerfilelint
+          wget https://github.com/replicatedhq/dockerfilelint/pull/184.patch -O /usr/local/lib/node_modules/dockerfilelint/184.patch
+          CURRENT_DIR=$PWD
+          cd /usr/local/lib/node_modules/dockerfilelint/
+          git apply 184.patch
+          cd $CURRENT_DIR
+          cat << RULES > ./.dockerfilelintrc
+          rules:
+            sudo_usage: off
+          RULES
+
+      - name: run lint
+        run: |
+          DOCKERFILES="$(find ./Containers -name Dockerfile)"
+          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
+          for file in "${DOCKERFILES[@]}"; do
+            dockerfilelint "$file" --config ./ | tee -a ./dockerfilelint.log
+          done
+          if grep "^Issues: [0-9]" ./dockerfilelint.log; then
+            exit 1
+          fi
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -6,7 +6,7 @@ on:
    branches:
      - main
    paths:
-      - 'helm-chart/**'
+      - 'nextcloud-aio-helm-chart/**'

 jobs:
  release:
@@ -40,9 +40,8 @@ jobs:
        # TODO: switch back @main to a specific version like @v1.5.1 or higher
        uses: helm/chart-releaser-action@main
        with:
-          charts_repo_url: https://nextcloud.github.io/all-in-one
-          charts_dir: helm-chart
          mark_as_latest: false
+          charts_dir: .
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
--- a/.github/workflows/imaginary-update.yml
+++ b/.github/workflows/imaginary-update.yml
@@ -0,0 +1,33 @@
+name: imaginary-update
+
+on:
+  workflow_dispatch:
+  schedule:
+  - cron:  '00 12 * * *'
+
+jobs:
+  run_update:
+    name: update to latest imaginary commit on master branch
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run imaginary-update
+      run: |
+        # Imaginary
+        imaginary_version="$(
+          git ls-remote https://github.com/h2non/imaginary master \
+            | cut -f1 \
+            | tail -1
+        )"
+        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
+        
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
+      with:
+        commit-message: imaginary-update automated change
+        signoff: true
+        title: Imaginary update
+        body: Automated Imaginary container update
+        labels: dependencies, 3. to review
+        milestone: next
+        branch: imaginary-container-update
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@@ -2,12 +2,16 @@ name: Json Validator

 on:
  pull_request:
+    paths:
+      - '**.json'
  push:
    branches:
      - main
+    paths:
+      - '**.json'

 jobs:
-  psalm:
+  json-validator:
    name: Json Validator
    runs-on: ubuntu-latest
    steps:
@@ -15,6 +19,7 @@ jobs:
        uses: actions/checkout@v3
      - name: Validate Json
        run: |
-          sudo apt install python3-pip --no-install-recommends
+          sudo apt-get update
+          sudo apt-get install python3-pip -y --no-install-recommends
          sudo pip3 install json-spec
          json validate --schema-file=php/containers-schema.json --document-file=php/containers.json
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -3,18 +3,22 @@
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization

-name: Lint
+name: Lint php

 on:
  pull_request:
+    paths:
+      - 'php/**'
  push:
    branches:
      - main
+    paths:
+      - 'php/**'

 permissions:
  contents: read

-concurrency: 
+concurrency:
  group: lint-php-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

@@ -23,24 +27,27 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        php-versions: ["8.1"]
+        php-versions: [ "8.2" ]

    name: php-lint

    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
+          ini-file: development
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Lint
        run: cd php && composer run lint

-  summary:
+  php-lint-summary:
    permissions:
      contents: none
    runs-on: ubuntu-latest
--- a/.github/workflows/nextcloud-update.yml
+++ b/.github/workflows/nextcloud-update.yml
@@ -66,12 +66,12 @@ jobs:
        sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v4
+      uses: peter-evans/create-pull-request@v5
      with:
        commit-message: nextcloud-update automated change
        signoff: true
        title: Nextcloud update
        body: Automated Nextcloud container update
-        labels: dependencies, enhancement
+        labels: dependencies, 3. to review
        milestone: next
        branch: nextcloud-container-update
--- a/.github/workflows/php-deprecation-detector.yml
+++ b/.github/workflows/php-deprecation-detector.yml
@@ -3,20 +3,24 @@ name: PHP Deprecation Detector

 on:
  pull_request:
+    paths:
+      - 'php/**'
  push:
    branches:
      - main
+    paths:
+      - 'php/**'

 jobs:
-  psalm:
+  phpdd:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - name: Set up php8.1
+      - name: Set up php8.2
        uses: shivammathur/setup-php@v2
        with:
-          php-version: 8.1
+          php-version: 8.2
          extensions: apcu
          coverage: none

--- a/.github/workflows/psalm-analysis.yml
+++ b/.github/workflows/psalm-analysis.yml
@@ -1,28 +0,0 @@
-name: Psalm Analysis
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  psalm:
-    name: Psalm
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up php8.1
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: 8.1
-          extensions: apcu
-          coverage: none
-
-      - name: Run script
-        run: |
-          set -x
-          cd php
-          composer global require vimeo/psalm --prefer-dist --no-progress --dev
-          composer install
-          composer run psalm
--- a/.github/workflows/psalm-security.yml
+++ b/.github/workflows/psalm-security.yml
@@ -1,25 +0,0 @@
-name: Psalm Security Analysis
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  psalm:
-    name: Psalm
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Psalm
-        uses: docker://ghcr.io/nextcloud/all-in-one-psalm
-        with:
-          relative_dir: php
-          security_analysis: true
-          composer_ignore_platform_reqs: false
-          report_file: results.sarif
-      - name: Upload Security Analysis results to GitHub
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: php/results.sarif
--- a/.github/workflows/psalm-update-baseline.yml
+++ b/.github/workflows/psalm-update-baseline.yml
@@ -12,10 +12,10 @@ jobs:
    steps:
      - uses: actions/checkout@v3

-      - name: Set up php8.1
+      - name: Set up php8.2
        uses: shivammathur/setup-php@v2
        with:
-          php-version: 8.1
+          php-version: 8.2
          extensions: apcu
          coverage: none

@@ -31,7 +31,7 @@ jobs:
        continue-on-error: true

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: Update psalm baseline
@@ -42,7 +42,8 @@ jobs:
          # Make sure we can open multiple PRs
          branch-suffix: timestamp
          title: '[Automated] Update psalm-baseline.xml'
+          milestone: next
          body: |
            Auto-generated update psalm-baseline.xml with fixed psalm warnings
          labels: |
-            3. to review
+            3. to review, dependencies
--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -0,0 +1,47 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Static analysis
+
+on:
+  pull_request:
+    paths:
+      - 'php/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'php/**'
+
+concurrency:
+  group: psalm-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+
+    name: Nextcloud
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+      - name: Set up php
+        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
+        with:
+          php-version: 8.2
+          extensions: apcu
+          coverage: none
+          ini-file: development
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies and run psalm
+        run: |
+          set -x
+          cd php
+          composer global require vimeo/psalm --prefer-dist --no-progress --dev
+          composer install
+          composer run psalm
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -2,9 +2,13 @@ name: Shellcheck

 on:
  pull_request:
+    paths:
+      - '**.sh'
  push:
    branches:
      - main
+    paths:
+      - '**.sh'

 jobs:
  shellcheck:
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -1,23 +0,0 @@
-name: 'Spellcheck'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  spellcheck:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: spelling or typos
-        uses: actions/checkout@v3
-      - name: fix permission for reviewdog
-        run: sudo chown -R root:root $GITHUB_WORKSPACE
-      - name: misspell
-        uses: reviewdog/action-misspell@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          locale: "US"
-          fail_on_error: true
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -0,0 +1,56 @@
+name: talk-update
+
+on:
+  workflow_dispatch:
+  schedule:
+  - cron:  '00 12 * * *'
+
+jobs:
+  talk-update:
+    name: update talk
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run talk-update
+      run: |
+        # Spreed
+        spreed_version="$(
+          git ls-remote https://github.com/nextcloud/spreed v*.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
+        curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
+        
+        # Signaling
+        signaling_version="$(
+          git ls-remote https://github.com/strukturag/nextcloud-spreed-signaling v*.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
+        
+        # Janus
+        janus_version="$(
+          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
+        
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
+      with:
+        commit-message: talk-update automated change
+        signoff: true
+        title: talk update
+        body: Automated talk container update
+        labels: dependencies, 3. to review
+        milestone: next
+        branch: talk-container-update
--- a/.github/workflows/twig-lint.yml
+++ b/.github/workflows/twig-lint.yml
@@ -0,0 +1,42 @@
+name: Twig Lint
+
+on:
+  pull_request:
+    paths:
+      - '**.twig'
+  push:
+    branches:
+      - main
+    paths:
+      - '**.twig'
+
+permissions:
+  contents: read
+
+concurrency: 
+  group: lint-twig-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  twig-lint:
+    runs-on: ubuntu-latest
+    name: twig-lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up php ${{ matrix.php-versions }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.2
+          extensions: apcu
+          coverage: none
+
+      - name: twig lint
+        run: |
+          cd php
+          composer require sserbin/twig-linter:@dev --no-progress --dev
+          composer install
+          chmod +x ./vendor/bin/twig-linter
+          ./vendor/bin/twig-linter lint ./templates
--- a/.github/workflows/update-helm.yml
+++ b/.github/workflows/update-helm.yml
@@ -6,7 +6,7 @@ on:
  - cron:  '00 12 * * *'

 jobs:
-  psalm:
+  update-helm:
    name: update helm chart
    runs-on: ubuntu-latest
    steps:
@@ -17,17 +17,17 @@ jobs:
          DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20' | sort -r | head -1)"
          DOCKER_TAG="${DOCKER_TAG%%-latest*}"
          export DOCKER_TAG
-          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
-            sudo bash helm-chart/update-helm.sh "$DOCKER_TAG"
+          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
+            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
        with:
          commit-message: Helm Chart updates
          signoff: true
          title: Helm Chart updates
          body: Automated Helm Chart updates for the yaml files. It can be merged if it looks good at any time which will automatically trigger a new release of the helm chart.
-          labels: dependencies
+          labels: dependencies, 3. to review
          milestone: next
          branch: aio-helm-update
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/update-yaml.yml
+++ b/.github/workflows/update-yaml.yml
@@ -6,7 +6,7 @@ on:
  - cron:  '00 12 * * *'

 jobs:
-  psalm:
+  update-yaml:
    name: update yaml files
    runs-on: ubuntu-latest
    steps:
@@ -16,13 +16,13 @@ jobs:
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v5
        with:
          commit-message: Yaml updates
          signoff: true
          title: Yaml updates
          body: Automated yaml updates for the docker-compose files. Should only be merged shortly before the next latest release.
-          labels: dependencies
+          labels: dependencies, 3. to review
          milestone: next
          branch: aio-yaml-update
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,5 @@
 /manual-install/*.conf
 !/manual-install/sample.conf
 /manual-install/docker-compose.yml
+/manual-install/compose.yaml
 /manual-install/.env
--- a/Containers/apache/Caddyfile
+++ b/Containers/apache/Caddyfile
@@ -5,6 +5,10 @@
        root /mnt/data/caddy
    }

+    servers {
+        # trusted_proxies placeholder
+    }
+
    log {
        level ERROR
    }
@@ -12,37 +16,21 @@

 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {

+    # Collabora
+    route /browser/* {
+        reverse_proxy {$COLLABORA_HOST}:9980
+    }
+    route /hosting/* {
+        reverse_proxy {$COLLABORA_HOST}:9980
+    }
+    route /cool/* {
+        reverse_proxy {$COLLABORA_HOST}:9980
+    }
+
    # Notify Push
    route /push/* {
        uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
-            # trusted_proxies placeholder
-        }
-    }
-
-    # Talk
-    route /standalone-signaling/* {
-        uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081 {
-            # trusted_proxies placeholder
-        }
-    }
-
-    # Collabora
-    route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980 {
-            # trusted_proxies placeholder
-        }
-    }
-    route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980 {
-            # trusted_proxies placeholder
-        }
-    }
-    route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980 {
-            # trusted_proxies placeholder
-        }
+        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
    }

    # Onlyoffice
@@ -51,19 +39,24 @@
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.host}/onlyoffice
            header_up X-Forwarded-Proto https
-            # trusted_proxies placeholder
        }
    }

+    # Talk
+    route /standalone-signaling/* {
+        uri strip_prefix /standalone-signaling
+        reverse_proxy {$TALK_HOST}:8081
+    }
+
+    # Others
+    import /mnt/data/caddy-imports/*
+
    # Nextcloud
    route {
        rewrite /.well-known/carddav /remote.php/dav
        rewrite /.well-known/caldav /remote.php/dav
        header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000 {
-            # See https://github.com/nextcloud/all-in-one/issues/828
-            # trusted_proxies placeholder
-        }
+        reverse_proxy localhost:8000
    }

    # TLS options
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@@ -1,7 +1,16 @@
-# Caddy is a requirement
 FROM caddy:2.6.4-alpine as caddy

-FROM httpd:2.4.56-alpine3.17
+FROM httpd:2.4.57-alpine3.18
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
+
+COPY --chown=33:33 Caddyfile /Caddyfile
+COPY --chmod=664 nextcloud.conf /usr/local/apache2/conf/nextcloud.conf
+COPY --chmod=664 supervisord.conf /supervisord.conf
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
+VOLUME /mnt/data

 RUN set -ex; \
    apk add --no-cache shadow; \
@@ -9,77 +18,65 @@ RUN set -ex; \
    usermod -u 333 -g 333 xfs; \
    groupmod -g 33 www-data; \
    usermod -u 33 -g 33 www-data; \
-    apk del --no-cache shadow
-
-RUN mkdir -p /mnt/data; \
-    chown www-data:www-data /mnt/data;
-
-VOLUME /mnt/data
-
-RUN set -ex; \
+    apk del --no-cache shadow; \
+    \
+    mkdir -p /mnt/data; \
+    chown -R www-data:www-data /mnt/data; \
+    chown -R 777 /tmp; \
+    \
    apk add --no-cache \
        bash \
        supervisor \
-        wget \
        tzdata \
        ca-certificates \
        openssl \
-        netcat-openbsd
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/
-RUN chmod +x /usr/bin/caddy
-
-RUN sed -i \
-                -e '/^Listen /d' \
-                -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
-                -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-                -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-                -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-                conf/httpd.conf; \
-		echo "Include conf/nextcloud.conf" | tee -a conf/httpd.conf; \
-                echo "ServerName localhost" | tee -a conf/httpd.conf
-		
-COPY nextcloud.conf conf
-
-RUN set -ex; \
-    rm -rf conf/original conf/original && \
-    rm -rf /var/www/html/* && \
-    mkdir /var/www && \
-    chown -R www-data:www-data /var/www;
-
-RUN mkdir /var/log/supervisord; \
+        netcat-openbsd; \
+    \
+    sed -i \
+            -e '/^Listen /d' \
+            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
+            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
+            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
+        /usr/local/apache2/conf/httpd.conf; \
+    echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
+    echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
+    \
+    rm -rf /usr/local/apache2/conf/original /var/www; \
+    mkdir -p /var/www; \
+    chown -R www-data:www-data /var/www; \
+    \
+    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord; \
    chown www-data:www-data /var/run/supervisord; \
-    chown www-data:www-data /var/log/supervisord;
-
-COPY Caddyfile /
-
-COPY start.sh /usr/bin/
-COPY healthcheck.sh /usr/bin/
-COPY supervisord.conf /
-RUN chmod +x /usr/bin/start.sh; \
-    chmod +x /usr/bin/healthcheck.sh; \
-    chmod +r /supervisord.conf; \
-    chown www-data:www-data /Caddyfile; \
+    chown www-data:www-data /var/log/supervisord; \
+    chmod 777 /var/run/supervisord; \
+    chmod 777 /var/log/supervisord; \
+    \
    chown -R www-data:www-data /usr/local/apache2; \
-    chmod +r -R /usr/local/apache2
-
-# Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
+    chmod +r -R /usr/local/apache2; \
+    mkdir -p /usr/local/apache2/logs; \
+    chmod 777 -R /home/www-data; \
+    chmod 777 -R /usr/local/apache2/logs; \
+    rm -rf /usr/local/apache2/cgi-bin/; \
+    \
+    echo "root:$(openssl rand -base64 12)" | chpasswd

 USER www-data

-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

-HEALTHCHECK CMD healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/apache/healthcheck.sh
+++ b/Containers/apache/healthcheck.sh
@@ -2,8 +2,5 @@

 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z localhost 8000 || exit 1
-if [ "$APACHE_PORT" != '443' ]; then
-    nc -z localhost "$APACHE_PORT" || exit 1
-else
-    nc -z "$NC_DOMAIN" "$APACHE_PORT" || exit 1
-fi
+nc -z localhost "$APACHE_PORT" || exit 1
+nc -z "$NC_DOMAIN" 443 || exit 1
--- a/Containers/apache/nextcloud.conf
+++ b/Containers/apache/nextcloud.conf
@@ -3,13 +3,23 @@ Listen 8000
    ServerName localhost

    # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
    </FilesMatch>
+
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
+    <IfModule mod_brotli.c>
+        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
+        BrotliCompressionQuality 0
+    </IfModule>
+
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
--- a/Containers/apache/start.sh
+++ b/Containers/apache/start.sh
@@ -35,22 +35,31 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
    CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /tmp/Caddyfile

 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /tmp/Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /tmp/Caddyfile

 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /tmp/Caddyfile

 # Add caddy path
 mkdir -p /mnt/data/caddy/

+# Add caddy import path
+mkdir -p /mnt/data/caddy-imports
+
+# Remove falsely added Nextcloud conf
+rm -f /mnt/data/caddy-imports/nextcloud
+
+# Makre sure that the caddy-imports dir is not empty
+echo "# empty file so that caddy does not print a warning" > /mnt/data/caddy-imports/empty
+
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid

--- a/Containers/apache/supervisord.conf
+++ b/Containers/apache/supervisord.conf
@@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /tmp/Caddyfile
--- a/Containers/borgbackup/Dockerfile
+++ b/Containers/borgbackup/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17.2
+FROM alpine:3.18.2

 RUN set -ex; \
    \
@@ -13,11 +13,10 @@ RUN set -ex; \

 VOLUME /root

-COPY start.sh /usr/bin/
-COPY backupscript.sh /
-RUN chmod +x /usr/bin/start.sh; \
-    chmod +x /backupscript.sh
+COPY --chmod=770 *.sh /

+ENTRYPOINT ["/start.sh"]
 USER root
-ENTRYPOINT ["start.sh"]
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+
+LABEL com.centurylinklabs.watchtower.enable="false"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
--- a/Containers/borgbackup/backupscript.sh
+++ b/Containers/borgbackup/backupscript.sh
@@ -24,6 +24,14 @@ for directory in "${VOLUME_DIRS[@]}"; do
        exit 1
    fi
 done
+# Test if default volumes are there
+DEFAULT_VOLUMES=(nextcloud_aio_apache nextcloud_aio_nextcloud nextcloud_aio_database nextcloud_aio_database_dump nextcloud_aio_elasticsearch nextcloud_aio_nextcloud_data nextcloud_aio_mastercontainer)
+for volume in "${DEFAULT_VOLUMES[@]}"; do
+    if ! mountpoint -q "/nextcloud_aio_volumes/$volume"; then
+        echo "$volume is missing which is not intended."
+        exit 1
+    fi
+done

 # Check if target is mountpoint
 if ! mountpoint -q /mnt/borgbackup; then
@@ -86,8 +94,9 @@ if [ "$BORG_MODE" = backup ]; then
    if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-            echo "Cannot initialize a new repository as that was already done at least one time."
-            echo "If you still want to do so, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
+            echo "No borg config file was found in the targeted directory."
+            echo "This might happen if the targeted directory is located on an external drive and the drive not connected anymore. You should check this."
+            echo "If you instead want to initialize a new backup repository, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
            echo "sudo docker exec nextcloud-aio-mastercontainer rm /mnt/docker-aio-config/data/borg.config"
            exit 1
        fi
@@ -127,11 +136,21 @@ if [ "$BORG_MODE" = backup ]; then
    # Borg options
    # auto,zstd compression seems to has the best ratio based on:
    # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
-    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches --checkpoint-interval 86400)
+    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
+    if [ "$NEW_REPOSITORY" = 1 ]; then
+        BORG_OPTS+=(--progress)
+    fi

    # Exclude the nextcloud log and audit log for GDPR reasons
    BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")

+    # Make sure that there is always a borg.config file before creating a new backup
+    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
+        echo "Did not find borg.config file in the mastercontainer volume."
+        echo "Cannot create a backup as this is wrong."
+        exit 1
+    fi
+
    # Create the backup
    echo "Starting the backup..."
    get_start_time
@@ -139,6 +158,7 @@ if [ "$BORG_MODE" = backup ]; then
        echo "Deleting the failed backup archive..."
        borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
+        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
            echo "Deleting borg.config file so that you can choose a different location for the backup."
            rm "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
@@ -150,11 +170,12 @@ if [ "$BORG_MODE" = backup ]; then
    rm -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"

    # Prune options
-    BORG_PRUNE_OPTS=(--stats --keep-within=7d --keep-weekly=4 --keep-monthly=6 "$BORG_BACKUP_DIRECTORY")
+    read -ra BORG_PRUNE_OPTS <<< "$BORG_RETENTION_POLICY"
+    echo "BORG_PRUNE_OPTS are ${BORG_PRUNE_OPTS[*]}"

    # Prune archives
    echo "Pruning the archives..."
-    if ! borg prune --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
        echo "Failed to prune archives!"
        exit 1
    fi
@@ -185,7 +206,7 @@ if [ "$BORG_MODE" = backup ]; then
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg prune --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
@@ -215,7 +236,7 @@ if [ "$BORG_MODE" = backup ]; then
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg prune --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
@@ -276,7 +297,7 @@ if [ "$BORG_MODE" = restore ]; then
    --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
    --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
    --exclude "nextcloud_aio_mastercontainer/session/**" \
-    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
        RESTORE_FAILED=1
        echo "Something failed while restoring from backup."
    fi
@@ -362,6 +383,7 @@ if [ "$BORG_MODE" = check ]; then
    # Perform the check
    if ! borg check -v --verify-data "$BORG_BACKUP_DIRECTORY"; then
        echo "Some errors were found while checking the backup integrity!"
+        echo "Check the AIO interface for advices on how to proceed now!"
        exit 1
    fi

--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@@ -1,7 +1,18 @@
-# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/0.105/alpine/Dockerfile
-FROM clamav/clamav:1.0.1-1
+# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
+FROM clamav/clamav:1.1.0-1

-RUN apk add --no-cache tzdata
-COPY clamav.conf /tmp/
-RUN cat /tmp/clamav.conf >> /etc/clamav/clamd.conf
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+COPY clamav.conf /tmp/clamav.conf
+
+RUN set -ex; \
+    apk add --no-cache tzdata; \
+    cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf; \
+    rm /tmp/clamav.conf; \
+    mkdir -p /var/run/clamav /run/lock; \
+    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
+    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp
+
+VOLUME /var/lib/clamav
+
+USER clamav
+
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/collabora/Dockerfile
+++ b/Containers/collabora/Dockerfile
@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:22.05.12.2.1
+FROM collabora/code:23.05.1.3.1

 USER root

@@ -9,11 +9,11 @@ RUN set -ex; \
    export DEBIAN_FRONTEND=noninteractive; \
    apt-get install -y --no-install-recommends \
        tzdata \
-        netcat \
+        netcat-openbsd \
    ; \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/*;

-USER 104
+USER 100

 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/domaincheck/Dockerfile
+++ b/Containers/domaincheck/Dockerfile
@@ -1,19 +1,18 @@
-FROM alpine:3.17.2
-RUN apk add --no-cache lighttpd bash netcat-openbsd
+FROM alpine:3.18.2
+RUN set -ex; \
+    apk add --no-cache bash lighttpd netcat-openbsd; \
+    adduser -S www-data -G www-data; \
+    rm -rf /etc/lighttpd/lighttpd.conf; \
+    chmod 777 -R /etc/lighttpd; \
+    mkdir -p /var/www/domaincheck; \
+    chown www-data:www-data -R /var/www; \
+    chmod 777 -R /var/www/domaincheck
+COPY --chown=www-data:www-data lighttpd.conf /lighttpd.conf

-RUN adduser -S www-data -G www-data
-RUN rm -rf /etc/lighttpd/lighttpd.conf
-COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
-RUN chmod +r -R /etc/lighttpd && \
-    chown www-data:www-data -R /var/www && \
-    chown www-data:www-data /etc/lighttpd/lighttpd.conf
-
-COPY start.sh /
-RUN chmod +x /start.sh
+COPY --chmod=775 start.sh /start.sh

 USER www-data
-RUN mkdir -p /var/www/domaincheck/
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/domaincheck/start.sh
+++ b/Containers/domaincheck/start.sh
@@ -11,7 +11,7 @@ if [ -z "$APACHE_PORT" ]; then
    export APACHE_PORT="443"
 fi

-CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /etc/lighttpd/lighttpd.conf)"
+CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

 # Check config file
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -1,15 +1,19 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:7.17.9
+FROM elasticsearch:8.8.0

-RUN elasticsearch-plugin install --batch ingest-attachment
+USER root

 RUN set -ex; \
    \
+    export DEBIAN_FRONTEND=noninteractive; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/*; \
+    elasticsearch-plugin install --batch ingest-attachment
+
+USER 1000:0

 HEALTHCHECK CMD nc -z localhost 9200 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@@ -1,29 +1,38 @@
-# From https://github.com/h2non/imaginary/blob/master/Dockerfile
-FROM nextcloud/imaginary:20230301
+FROM golang:1.20.6-alpine3.18 as go
+
+ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84

-USER root
 RUN set -ex; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        netcat \
-    ; \
-    echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list; \
-    apt-get update; \
-    apt-get install -t bookworm -y --no-install-recommends \
-        libheif1 \
-        libde265-0 \
-        libx265-199 \
-        libvips \
-    ; \
-    rm /etc/apt/sources.list.d/bookworm.list; \
-    rm -rf /var/lib/apt/lists/*
+    apk add --no-cache \
+        vips-dev \
+        vips-magick \
+        vips-heif \
+        vips-jxl \
+        vips-poppler \
+        build-base; \
+    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
+
+FROM alpine:3.18.2
+RUN set -ex; \
+    apk add --no-cache \
+        tzdata \
+        ca-certificates \
+        netcat-openbsd \
+        vips \
+        vips-magick \
+        vips-heif \
+        vips-jxl \
+        vips-poppler
+
+COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
+
+ENV PORT 9000
+
 USER nobody

-ENTRYPOINT ["/usr/local/bin/imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
-
-HEALTHCHECK CMD nc -z localhost 9000 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
-
 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
+ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
+
+HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/mastercontainer/Caddyfile
+++ b/Containers/mastercontainer/Caddyfile
@@ -10,6 +10,10 @@
    log {
        level ERROR
    }
+
+    servers {
+        protocols h1 h2 h2c
+    }
 }

 http://:80 {
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -1,28 +1,28 @@
 # Docker CLI is a requirement
-FROM docker:23.0.1-dind as dind
+FROM docker:24.0.4-cli as docker

 # Caddy is a requirement
 FROM caddy:2.6.4-alpine as caddy

-# From https://github.com/docker-library/php/blob/master/8.1/alpine3.17/fpm/Dockerfile
-FROM php:8.1.17-fpm-alpine3.17
+# From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
+FROM php:8.2.8-fpm-alpine3.18
+
+EXPOSE 80
+EXPOSE 8080
+EXPOSE 8443
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
+COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
+
+WORKDIR /var/www/docker-aio

 RUN set -ex; \
    apk add --no-cache shadow; \
    groupmod -g 333 xfs; \
    usermod -u 333 -g 333 xfs; \
    groupmod -g 33 www-data; \
-    usermod -u 33 -g 33 www-data
-
-EXPOSE 80
-EXPOSE 8080
-EXPOSE 8443
-
-RUN mkdir -p /var/www/docker-aio;
-
-WORKDIR /var/www/docker-aio
-
-RUN set -ex; \
+    usermod -u 33 -g 33 www-data; \
+    \
    apk add --no-cache \
        util-linux-misc \
        ca-certificates \
@@ -36,16 +36,14 @@ RUN set -ex; \
        sudo \
        netcat-openbsd \
        curl \
-        grep
-
-RUN set -ex; \
+        grep; \
+    \
    apk add --no-cache --virtual .build-deps \
        autoconf \
        build-base; \
    pecl install APCu-5.1.22; \
    docker-php-ext-enable apcu; \
    rm -r /tmp/pear; \
-    \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
            | tr ',' '\n' \
@@ -57,39 +55,33 @@ RUN set -ex; \
    grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/
-RUN chmod +x /usr/bin/caddy
-
-COPY --from=dind /usr/local/bin/docker /usr/local/bin/
-RUN chmod +x /usr/local/bin/docker
-
-RUN set -e && \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
+    \
    apk add --no-cache git; \
    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
    chmod +x /usr/local/bin/composer; \
    cd /var/www/docker-aio; \
    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
+    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -exec rm -r {} \; ; \
+    chown www-data:www-data -R /var/www/docker-aio; \
    cd php; \
-    composer install --no-dev; \
-    composer clearcache; \
+    sudo -u www-data composer install --no-dev; \
+    sudo -u www-data composer clear-cache; \
    cd ..; \
    rm -f /usr/local/bin/composer; \
-    chmod 770 -R ./; \
-    chown www-data:www-data -R /var/www; \
-    rm -r ./php/data; \
-    rm -r ./php/session; \
-    apk del --no-cache git
-
-RUN mkdir -p /etc/apache2/certs && \
-    cd /etc/apache2/certs && \
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt;
-
-COPY mastercontainer.conf /etc/apache2/sites-available/
-
-RUN sed -i \
+    chmod -R 770 /var/www/docker-aio; \
+    chown -R www-data:www-data /var/www; \
+    rm -r php/data; \
+    rm -r php/session; \
+    \
+    mkdir -p /etc/apache2/certs; \
+    cd /etc/apache2/certs; \
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
+    \
+    sed -i \
            -e '/^Listen /d' \
+            -e 's/^LogLevel .*/LogLevel error/' \
+            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
            -e 's/User apache/User www-data/g' \
            -e 's/Group apache/Group www-data/g' \
            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
@@ -101,41 +93,34 @@ RUN sed -i \
            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
        /etc/apache2/httpd.conf; \
        mkdir -p /etc/apache2/logs; \
        rm /etc/apache2/conf.d/ssl.conf; \
        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
+        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
+        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
+        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf
-
-RUN set -ex; \
+        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
+    \
    rm -f /etc/apache2/conf.d/default.conf \
          /etc/apache2/conf.d/userdir.conf \
-          /etc/apache2/conf.d/info.conf
-
-RUN mkdir /var/log/supervisord; \
+          /etc/apache2/conf.d/info.conf; \
+    \
+    rm -rf /var/www/localhost/cgi-bin/; \
+    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord;

-COPY Caddyfile /
-COPY start.sh /usr/bin/
-COPY backup-time-file-watcher.sh /
-COPY session-deduplicator.sh /
-COPY cron.sh /
-COPY daily-backup.sh /
-COPY supervisord.conf /
-COPY healthcheck.sh /
-RUN chmod +x /usr/bin/start.sh; \
-    chmod +x /cron.sh; \
-    chmod +x /session-deduplicator.sh; \
-    chmod +x /backup-time-file-watcher.sh; \
-    chmod +x /daily-backup.sh; \
-    chmod a+r /Caddyfile; \
-    chmod +x /healthcheck.sh
+COPY --chmod=775 *.sh /
+COPY --chmod=664 Caddyfile /Caddyfile
+COPY --chmod=664 supervisord.conf /supervisord.conf
+COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf

 USER root

-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD /healthcheck.sh
--- a/Containers/mastercontainer/cron.sh
+++ b/Containers/mastercontainer/cron.sh
@@ -57,6 +57,14 @@ while true; do
    # Remove dangling images
    sudo -u www-data docker image prune --force

+    # Check for available free space
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
+
+    # Remove mastercontainer from default bridge network
+    if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
+        sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
+    fi
+
    # Wait 60s so that the whole loop will not be executed again
    sleep 60
 done
--- a/Containers/mastercontainer/mastercontainer.conf
+++ b/Containers/mastercontainer/mastercontainer.conf
@@ -11,8 +11,11 @@ Listen 8080
    ServerName localhost

    # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -6,6 +6,12 @@ print_green() {
    printf "%b%s%b\n" "\e[0;92m" "$TEXT" "\e[0m"
 }

+# Function to show text in red
+print_red() {
+    local TEXT="$1"
+    printf "%b%s%b\n" "\e[0;31m" "$TEXT" "\e[0m"
+}
+
 # Function to check if number was provided
 check_if_number() {
 case "${1}" in
@@ -14,12 +20,22 @@ case "${1}" in
 esac
 }

+# Check if running as root user
+if [ "$EUID" != "0" ]; then
+    print_red "Container does not run as root user. This is not supported."
+    exit 1
+fi
+
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
-    echo "Docker socket is not available. Cannot continue."
+    print_red "Docker socket is not available. Cannot continue."
+    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
+    echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
    exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
-    echo "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
+    print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
+    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
    echo "Trying to fix docker.sock permissions internally..."
@@ -40,14 +56,16 @@ elif ! sudo -u www-data test -r /var/run/docker.sock; then
        usermod -aG docker www-data
    fi
    if ! sudo -u www-data test -r /var/run/docker.sock; then
-        echo "Docker socket is not readable by the www-data user. Cannot continue."
+        print_red "Docker socket is not readable by the www-data user. Cannot continue."
        exit 1
    fi
 fi

 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
-    echo "Cannot connect to the docker socket. Cannot proceed."
+    print_red "Cannot connect to the docker socket. Cannot proceed."
+    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
@@ -57,7 +75,7 @@ API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
 LOCAL_API_VERSION_NUMB="$(sudo -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
    if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-        echo "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
+        print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
        exit 1
    fi
 else
@@ -78,16 +96,16 @@ fi

 # Check if startup command was executed correctly
 if ! sudo -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
-    echo "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
+    print_red "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
    exit 1
 elif ! sudo -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
-    echo "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
+    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
    exit 1
 elif ! sudo -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
-    echo "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
+    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
    exit 1
 fi
@@ -95,34 +113,34 @@ fi
 # Check for other options
 if [ -n "$NEXTCLOUD_DATADIR" ]; then
    if [ "$NEXTCLOUD_DATADIR" = "nextcloud_aio_nextcloud_datadir" ]; then
-        echo "NEXTCLOUD_DATADIR is set to $NEXTCLOUD_DATADIR"
+        sleep 1
    elif ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/" || [ "$NEXTCLOUD_DATADIR" = "/" ]; then
-        echo "You've set NEXTCLOUD_DATADIR but not to an allowed value.
-The string must start with '/' and must not be equal to '/'.
+        print_red "You've set NEXTCLOUD_DATADIR but not to an allowed value.
+The string must start with '/' and must not be equal to '/'. Also allowed is 'nextcloud_aio_nextcloud_datadir'.
 It is set to '$NEXTCLOUD_DATADIR'."
        exit 1
    fi
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
    if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
-        echo "You've set NEXCLOUD_MOUNT but not to an allowed value.
+        print_red "You've set NEXCLOUD_MOUNT but not to an allowed value.
 The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_MOUNT'."
        exit 1
    elif [ "$NEXTCLOUD_MOUNT" = "/mnt/ncdata" ] || echo "$NEXTCLOUD_MOUNT" | grep -q "^/mnt/ncdata/"; then
-        echo "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
+        print_red "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
        exit 1
    fi
 fi
 if [ -n "$NEXTCLOUD_DATADIR" ] && [ -n "$NEXTCLOUD_MOUNT" ]; then
    if [ "$NEXTCLOUD_DATADIR" = "$NEXTCLOUD_MOUNT" ]; then
-        echo "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
+        print_red "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
        exit 1
    fi
 fi
 if [ -n "$NEXTCLOUD_UPLOAD_LIMIT" ]; then
    if ! echo "$NEXTCLOUD_UPLOAD_LIMIT" | grep -q '^[0-9]\+G$'; then
-        echo "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
+        print_red "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
 The string must start with a number and end with 'G'.
 It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
        exit 1
@@ -130,7 +148,7 @@ It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
 fi
 if [ -n "$NEXTCLOUD_MAX_TIME" ]; then
    if ! echo "$NEXTCLOUD_MAX_TIME" | grep -q '^[0-9]\+$'; then
-        echo "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
+        print_red "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
 The string must be a number. E.g. '3600'.
 It is set to '$NEXTCLOUD_MAX_TIME'."
        exit 1
@@ -138,7 +156,7 @@ It is set to '$NEXTCLOUD_MAX_TIME'."
 fi
 if [ -n "$NEXTCLOUD_MEMORY_LIMIT" ]; then
    if ! echo "$NEXTCLOUD_MEMORY_LIMIT" | grep -q '^[0-9]\+M$'; then
-        echo "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
+        print_red "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
 The string must start with a number and end with 'M'.
 It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
        exit 1
@@ -146,64 +164,64 @@ It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
 fi
 if [ -n "$APACHE_PORT" ]; then
    if ! check_if_number "$APACHE_PORT"; then
-        echo "You provided an Apache port but did not only use numbers.
+        print_red "You provided an Apache port but did not only use numbers.
 It is set to '$APACHE_PORT'."
        exit 1
    elif ! [ "$APACHE_PORT" -le 65535 ] || ! [ "$APACHE_PORT" -ge 1 ]; then
-        echo "The provided Apache port is invalid. It must be between 1 and 65535"
+        print_red "The provided Apache port is invalid. It must be between 1 and 65535"
        exit 1
    fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9.]\+$'; then
-        echo "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
+        print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
        exit 1
    fi
 fi
 if [ -n "$TALK_PORT" ]; then
    if ! check_if_number "$TALK_PORT"; then
-        echo "You provided an Talk port but did not only use numbers.
+        print_red "You provided an Talk port but did not only use numbers.
 It is set to '$TALK_PORT'."
        exit 1
    elif ! [ "$TALK_PORT" -le 65535 ] || ! [ "$TALK_PORT" -ge 1 ]; then
-        echo "The provided Talk port is invalid. It must be between 1 and 65535"
+        print_red "The provided Talk port is invalid. It must be between 1 and 65535"
        exit 1
    fi
 fi
 if [ -n "$APACHE_PORT" ] && [ -n "$TALK_PORT" ]; then
    if [ "$APACHE_PORT" = "$TALK_PORT" ]; then
-        echo "APACHE_PORT and TALK_PORT are not allowed to be equal."
+        print_red "APACHE_PORT and TALK_PORT are not allowed to be equal."
        exit 1
    fi
 fi
-if [ -n "$DOCKER_SOCKET_PATH" ]; then
-    if ! echo "$DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$DOCKER_SOCKET_PATH" | grep -q "/$"; then
-        echo "You've set DOCKER_SOCKET_PATH but not to an allowed value.
+if [ -n "$WATCHTOWER_DOCKER_SOCKET_PATH" ]; then
+    if ! echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "/$"; then
+        print_red "You've set WATCHTOWER_DOCKER_SOCKET_PATH but not to an allowed value.
 The string must start with '/' and must not end with '/'.
-It is set to '$DOCKER_SOCKET_PATH'."
+It is set to '$WATCHTOWER_DOCKER_SOCKET_PATH'."
        exit 1
    fi
 fi
 if [ -n "$NEXTCLOUD_TRUSTED_CACERTS_DIR" ]; then
    if ! echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "^/" || echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "/$"; then
-        echo "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
+        print_red "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
 It should be an absolute path to a directory that starts with '/' but not end with '/'.
 It is set to '$NEXTCLOUD_TRUSTED_CACERTS_DIR '."
        exit 1
    fi
 fi
 if [ -n "$NEXTCLOUD_STARTUP_APPS" ]; then
-    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z _-]\+$"; then
-        echo "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
-It needs to be a string. Allowed are small letters a-z, spaces, hyphens and '_'.
+    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z0-9 _-]\+$"; then
+        print_red "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
+It needs to be a string. Allowed are small letters a-z, 0-9, spaces, hyphens and '_'.
 It is set to '$NEXTCLOUD_STARTUP_APPS'."
        exit 1
    fi
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_APKS" ]; then
    if ! echo "$NEXTCLOUD_ADDITIONAL_APKS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        echo "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
+        print_red "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
        exit 1
@@ -211,7 +229,7 @@ It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" ]; then
    if ! echo "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        echo "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
+        print_red "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS'."
        exit 1
@@ -222,7 +240,7 @@ fi
 # Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
 curl https://nextcloud.com &>/dev/null
 if [ "$?" = 6 ]; then
-    echo "Could not resolve the host nextcloud.com."
+    print_red "Could not resolve the host nextcloud.com."
    echo "Most likely the DNS resolving does not work."
    echo "You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
    echo "Apart from that, there has been this: https://github.com/nextcloud/all-in-one/discussions/2065"
@@ -273,7 +291,7 @@ if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
    cp "$GENERATED_CERTS/ssl.key" ./
 fi

-print_green "Initial startup of Nextcloud All In One complete!
+print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080

--- a/Containers/mastercontainer/supervisord.conf
+++ b/Containers/mastercontainer/supervisord.conf
@@ -38,6 +38,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/cron.sh
+user=root

 [program:backup-time-file-watcher]
 stdout_logfile=/dev/stdout
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -1,5 +1,19 @@
-# From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
-FROM php:8.0.28-fpm-alpine3.16
+FROM php:8.1.21-fpm-alpine3.18
+
+ENV PHP_MEMORY_LIMIT 512M
+ENV PHP_UPLOAD_LIMIT 10G
+ENV PHP_MAX_TIME 3600
+ENV NEXTCLOUD_VERSION 26.0.4
+ENV AIO_TOKEN 123456
+ENV AIO_URL localhost
+
+COPY --chmod=775 *.sh /
+COPY --chmod=774 upgrade.exclude /upgrade.exclude
+COPY config/*.php /
+COPY supervisord.conf /supervisord.conf
+
+VOLUME /mnt/ncdata
+VOLUME /var/www/html

 # Custom: change id of www-data user as it needs to be the same like on old installations
 RUN set -ex; \
@@ -8,51 +22,32 @@ RUN set -ex; \
    groupmod -g 333 xfs; \
    usermod -u 333 -g 333 xfs; \
    addgroup -g 33 -S www-data; \
-    adduser -u 33 -D -S -G www-data www-data
-
-# entrypoint.sh and cron.sh dependencies
-RUN set -ex; \
+    adduser -u 33 -D -S -G www-data www-data; \
    \
+# entrypoint.sh and cron.sh dependencies
    apk add --no-cache \
        rsync \
-    ;
-
+    ; \
 # install the PHP extensions we need
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
-ENV PHP_MEMORY_LIMIT 512M
-ENV PHP_UPLOAD_LIMIT 10G
-ENV PHP_MAX_TIME 3600
-RUN set -ex; \
-    \
    apk add --no-cache --virtual .build-deps \
        $PHPIZE_DEPS \
        autoconf \
-        libtool \
        freetype-dev \
+        gmp-dev \
        icu-dev \
+        imagemagick-dev \
        libevent-dev \
        libjpeg-turbo-dev \
        libmcrypt-dev \
-        libpng-dev \
        libmemcached-dev \
+        libpng-dev \
+        libwebp-dev \
        libxml2-dev \
        libzip-dev \
        openldap-dev \
        pcre-dev \
        postgresql-dev \
-        libwebp-dev \
-        gmp-dev \
-        lcms2-dev \
-        fontconfig-dev \
-        freetype-dev \
-        ghostscript-dev \
-        tiff-dev \
-        zlib-dev \
-        imagemagick-dev \
-        libheif-dev \
-        librsvg-dev \
-        libxext-dev \
-        ghostscript-fonts \
    ; \
    \
    docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp; \
@@ -61,13 +56,14 @@ RUN set -ex; \
        bcmath \
        exif \
        gd \
+        gmp \
        intl \
        ldap \
        opcache \
        pcntl \
        pdo_pgsql \
+        sysvsem \
        zip \
-        gmp \
    ; \
    \
 # pecl will claim success even if one install fails, so we need to perform each install separately
@@ -90,14 +86,17 @@ RUN set -ex; \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )"; \
    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps
-
+    apk del .build-deps; \
+    \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-RUN { \
-        echo 'opcache.interned_strings_buffer=32'; \
+    { \
+        echo 'opcache.memory_consumption=256'; \
+        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
+        echo 'opcache.jit=1255'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
@@ -110,15 +109,10 @@ RUN { \
        echo 'max_input_time=${PHP_MAX_TIME}'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
-    mkdir /var/www/data; \
+    mkdir -p /var/www/data; \
    chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www
-
-VOLUME /var/www/html
-
-ENV NEXTCLOUD_VERSION 25.0.5
-
-RUN set -ex; \
+    chmod -R g=u /var/www; \
+    \
    apk add --no-cache --virtual .fetch-deps \
        bzip2 \
        gnupg \
@@ -138,27 +132,18 @@ RUN set -ex; \
    mkdir -p /usr/src/nextcloud/data; \
    mkdir -p /usr/src/nextcloud/custom_apps; \
    chmod +x /usr/src/nextcloud/occ; \
-    apk del .fetch-deps
-
-COPY *.sh upgrade.exclude /
-COPY config/* /usr/src/nextcloud/config/
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["php-fpm"]
-
-# Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
-
-RUN set -ex; \
+    mkdir -p /usr/src/nextcloud/config; \
+    mv /*.php /usr/src/nextcloud/config/; \
+    apk del .fetch-deps; \
    \
+# Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
    apk add --no-cache \
        ffmpeg \
        procps \
        samba-client \
        supervisor \
 #       libreoffice \
-    ;
-
-RUN set -ex; \
+    ; \
    \
    apk add --no-cache --virtual .build-deps \
        $PHPIZE_DEPS \
@@ -186,21 +171,12 @@ RUN set -ex; \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )"; \
    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps
-
-RUN mkdir -p \
+    apk del .build-deps; \
+    \
+    mkdir -p \
    /var/log/supervisord \
    /var/run/supervisord \
-;
-
-COPY supervisord.conf /
-
-ENV NEXTCLOUD_UPDATE=1
-
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
-
-# Custom:
-RUN set -ex; \
+    ; \
    \
    apk add --no-cache \
        bash \
@@ -210,63 +186,42 @@ RUN set -ex; \
        git \
        postgresql-client \
        tzdata \
-        mawk \
        sudo \
        grep \
-        coreutils \
-        libjpeg \
-        librsvg \
-        libheif \
-        libpng \
-        ghostscript-fonts;
-
-RUN set -ex; \
+        nodejs \
+        coreutils; \
+    \
    grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
-
-RUN set -ex; \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
+    \
    rm -rf /tmp/nextcloud-aio && \
    mkdir -p /tmp/nextcloud-aio && \
    cd /tmp/nextcloud-aio && \
    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
    mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
-    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/
-
-RUN set -ex; \
+    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/; \
+    \
    chown www-data:root -R /usr/src && \
    chown www-data:root -R /usr/local/etc/php/conf.d && \
    chown www-data:root -R /usr/local/etc/php-fpm.d && \
-    rm -r /usr/src/nextcloud/apps/updatenotification
-
-COPY start.sh /
-COPY notify.sh /
-COPY notify-all.sh /
-RUN set -ex; \
-    chmod +x /start.sh && \
-    chmod +x /entrypoint.sh && \
-    chmod +r /upgrade.exclude && \
-    chmod +x /cron.sh && \
-    chmod +x /notify.sh && \
-    chmod +x /notify-all.sh && \
-    chmod +x /activate-collabora.sh && \
-    chmod +x /healthcheck.sh
-
-RUN set -ex; \
-    mkdir /mnt/ncdata; \
-    chown www-data:www-data /mnt/ncdata;
-
-VOLUME /mnt/ncdata
-
+    chmod -R 777 /tmp; \
+    rm -r /usr/src/nextcloud/apps/updatenotification; \
+    \
+    mkdir -p /nc-updater; \
+    chown -R www-data:www-data /nc-updater; \
+    chmod -R 770 /nc-updater; \
+    \
 # Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd

 USER root
 ENTRYPOINT ["/start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/nextcloud/activate-collabora.sh
+++ b/Containers/nextcloud/activate-collabora.sh
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-if [ "$COLLABORA_ENABLED" != yes ]; then
-    # Basically sleep for forever if collabora is not enabled
-    sleep inf
-fi
-while ! nc -z "$NC_DOMAIN" 443; do
-    sleep 5
-done
-sleep 10
-echo "Activating collabora config..."
-php /var/www/html/occ richdocuments:activate-config
-sleep inf
--- a/Containers/nextcloud/config/aio.config.php
+++ b/Containers/nextcloud/config/aio.config.php
@@ -0,0 +1,5 @@
+<?php
+$CONFIG = array (
+  'one-click-instance' => true,
+  'one-click-instance.user-limit' => 100,
+);
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@@ -10,6 +10,15 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

+run_upgrade_if_needed_due_to_app_update() {
+    if php /var/www/html/occ status | grep needsDbUpgrade | grep -q true; then
+        # Disable integrity check temporarily until next update
+        php /var/www/html/occ config:system:set integrity.check.disabled --type bool --value true
+        php /var/www/html/occ upgrade
+        php /var/www/html/occ app:enable nextcloud-aio --force
+    fi
+}
+
 echo "Configuring Redis as session handler..."
 cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
 session.save_handler = redis
@@ -22,7 +31,7 @@ redis.session.lock_wait_time = 10000
 REDIS_CONF

 echo "Setting php max children..."
-MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
 PHP_MAX_CHILDREN=$((MEMORY/50))
 if [ -n "$PHP_MAX_CHILDREN" ]; then
    sed -i "s/^pm.max_children =.*/pm.max_children = $PHP_MAX_CHILDREN/" /usr/local/etc/php-fpm.d/www.conf
@@ -147,6 +156,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                fi
            done

+            run_upgrade_if_needed_due_to_app_update
+
            php /var/www/html/occ maintenance:mode --off

            echo "Getting and backing up the status of apps for later, this might take a while..."
@@ -170,6 +181,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then

            php /var/www/html/occ app:update --all

+            run_upgrade_if_needed_due_to_app_update
+
            # Fix removing the updatenotification for old instances
            UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
            if [ -d "/var/www/html/apps/updatenotification" ]; then
@@ -205,6 +218,14 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                INSTALL_OPTIONS+=(--data-dir "$NEXTCLOUD_DATA_DIR")
            fi

+            # We do our own permission check so the permission check is not needed
+            cat << DATADIR_PERMISSION_CONF > /var/www/html/config/datadir.permission.config.php
+<?php
+    \$CONFIG = array (
+    'check_data_directory_permissions' => false
+);
+DATADIR_PERMISSION_CONF
+
            echo "Installing with PostgreSQL database"
            INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST")

@@ -215,9 +236,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                exit 1
            fi

-            # We do our own permission check so the permission check is not needed
-            php /var/www/html/occ config:system:set check_data_directory_permissions --value=false --type=bool
-
            # Try to force generation of appdata dir:
            php /var/www/html/occ maintenance:repair

@@ -238,9 +256,43 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                fi
            fi

+            # This autoconfig is not needed anymore and should be able to be overwritten by the user
+            rm /var/www/html/config/datadir.permission.config.php
+
            # unset admin password
            unset ADMIN_PASSWORD

+            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
+                php /var/www/html/occ config:system:set updater.release.channel --value=beta
+                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+                php /var/www/html/updater/updater.phar --no-interaction
+                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                    echo "Installation of Nextcloud failed!"
+                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
+                    exit 1
+                fi
+                # shellcheck disable=SC2016
+                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                INSTALLED_MAJOR="${installed_version%%.*}"
+                IMAGE_MAJOR="${image_version%%.*}"
+                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
+                    php /var/www/html/updater/updater.phar --no-interaction
+                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                        echo "Installation of Nextcloud failed!"
+                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
+                        exit 1
+                    fi
+                fi
+                php /var/www/html/occ app:disable updatenotification
+                rm -rf /var/www/html/apps/updatenotification
+                php /var/www/html/occ config:system:set updater.release.channel --value=stable
+                php /var/www/html/occ app:enable nextcloud-aio --force
+                php /var/www/html/occ db:add-missing-indices
+                php /var/www/html/occ db:add-missing-columns
+                php /var/www/html/occ db:add-missing-primary-keys
+                yes | php /var/www/html/occ db:convert-filecache-bigint
+            fi
+
            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
@@ -265,6 +317,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            php /var/www/html/occ config:system:set enabledPreviewProviders 4 --value="OC\\Preview\\TXT"
            php /var/www/html/occ config:system:set enabledPreviewProviders 5 --value="OC\\Preview\\OpenDocument"
            php /var/www/html/occ config:system:set enabledPreviewProviders 6 --value="OC\\Preview\\Movie"
+            php /var/www/html/occ config:system:set enabledPreviewProviders 7 --value="OC\\Preview\\Krita"
            php /var/www/html/occ config:system:set enable_previews --value=true --type=boolean

            # Apply other settings
@@ -299,15 +352,11 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                done
            fi

-            # Set the permission check to its default value again if not set
-            if [ "$SKIP_DATA_DIRECTORY_PERMISSION_CHECK" != yes ]; then
-                php /var/www/html/occ config:system:set check_data_directory_permissions --value=true --type=bool
-            fi
-
        #upgrade
        else
            touch "$NEXTCLOUD_DATA_DIR/update.failed"
            echo "Upgrading nextcloud from $installed_version to $image_version..."
+            php /var/www/html/occ config:system:delete integrity.check.disabled
            if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                echo "Upgrade failed. Please restore from backup."
                bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
@@ -319,6 +368,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then

            php /var/www/html/occ app:update --all

+            run_upgrade_if_needed_due_to_app_update
+
            # Restore app status
            if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
                echo "Restoring the status of apps. This can take a while..."
@@ -327,6 +378,12 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                        if [ "${APPSTORAGE[$app]}" != "no" ]; then
                            echo "Enabling $app..."
                            if ! php /var/www/html/occ app:enable "$app" >/dev/null; then
+                                php /var/www/html/occ app:disable "$app" >/dev/null
+                                if ! php /var/www/html/occ -V &>/dev/null; then
+                                    rm -r "/var/www/html/custom_apps/$app"
+                                    php /var/www/html/occ maintenance:mode --off
+                                fi
+                                run_upgrade_if_needed_due_to_app_update
                                echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                if [ "$app" = apporder ]; then
                                    CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
@@ -347,6 +404,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then

            php /var/www/html/occ app:update --all

+            run_upgrade_if_needed_due_to_app_update
+
            # Apply optimization
            echo "Doing some optimizations..."
            php /var/www/html/occ maintenance:repair
@@ -362,8 +421,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
    # Performing update of all apps if daily backups are enabled, running and successful and if it is saturday
    if [ "$UPDATE_NEXTCLOUD_APPS" = 'yes' ] && [ "$(date +%u)" = 6 ]; then
        UPDATED_APPS="$(php /var/www/html/occ app:update --all)"
-        # Update all apps again and try to prevent something like https://github.com/nextcloud/polls/issues/2793 from happening
-        php /var/www/html/occ app:update --all
+        run_upgrade_if_needed_due_to_app_update
        if [ -n "$UPDATED_APPS" ]; then
             bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
        fi
@@ -372,23 +430,28 @@ else
    SKIP_UPDATE=1
 fi

+run_upgrade_if_needed_due_to_app_update
+
 if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
    # Check if appdata is present
    # If not, something broke (e.g. changing ncdatadir after aio was first started)
    if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you maybe change the datadir after aio was first started?"
+        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
        echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
+        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
        echo "In the datadir was found:"
        ls -la "$NEXTCLOUD_DATA_DIR/"
        exit 1
    fi

-    # Configure tempdirectory
-    mkdir -p "$NEXTCLOUD_DATA_DIR/tmp/"
-    if ! grep -q upload_tmp_dir /usr/local/etc/php/conf.d/nextcloud.ini; then
-        echo "upload_tmp_dir = $NEXTCLOUD_DATA_DIR/tmp/" >> /usr/local/etc/php/conf.d/nextcloud.ini
+    # Delete formerly configured tempdirectory as the default is usually faster (if the datadir is on a HDD or network FS)
+    if [ "$(php /var/www/html/occ config:system:get tempdirectory)" = "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
+        php /var/www/html/occ config:system:delete tempdirectory
+        if [ -d "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
+            rm -r "$NEXTCLOUD_DATA_DIR/tmp/"
+        fi
    fi
-    php /var/www/html/occ config:system:set tempdirectory --value="$NEXTCLOUD_DATA_DIR/tmp/"
+
 fi

 # Perform fingerprint update if instance was restored
@@ -406,8 +469,10 @@ php /var/www/html/occ app:enable support

 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
+php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
+php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"

 # Apply network settings
 echo "Applying network settings..."
@@ -510,6 +575,7 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
        php /var/www/html/occ app:update onlyoffice
    fi
    php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
+    php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
    php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
    php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$NC_DOMAIN/onlyoffice"
    php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
@@ -546,6 +612,21 @@ else
    fi
 fi

+# Talk recording
+if [ -d "/var/www/html/custom_apps/spreed" ]; then
+    if [ "$TALK_RECORDING_ENABLED" = 'yes' ]; then
+        while ! nc -z "$TALK_RECORDING_HOST" 1234; do
+            echo "waiting for Talk Recording to become available..."
+            sleep 5
+        done
+        # TODO: migrate to occ command if that becomes available
+        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
+        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
+    else
+        php /var/www/html/occ config:app:delete spreed recording_servers
+    fi
+fi
+
 # Clamav
 if [ "$CLAMAV_ENABLED" = 'yes' ]; then
    count=0
@@ -569,7 +650,7 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
        php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
        php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
        php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="104857600"
-        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="-1"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="104857600"
        php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
    fi
 else
@@ -579,18 +660,16 @@ else
 fi

 # Imaginary
-if version_greater "$installed_version" "24.0.0.0"; then
-    if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
-        php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
-        php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
-    else
-        if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
-            php /var/www/html/occ config:system:delete enabledPreviewProviders 0
-            php /var/www/html/occ config:system:delete preview_imaginary_url
-            php /var/www/html/occ config:system:delete enabledPreviewProviders 20
-            php /var/www/html/occ config:system:delete enabledPreviewProviders 21
-            php /var/www/html/occ config:system:delete enabledPreviewProviders 22
-        fi
+if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
+    php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
+    php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
+else
+    if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
+        php /var/www/html/occ config:system:delete enabledPreviewProviders 0
+        php /var/www/html/occ config:system:delete preview_imaginary_url
+        php /var/www/html/occ config:system:delete enabledPreviewProviders 20
+        php /var/www/html/occ config:system:delete enabledPreviewProviders 21
+        php /var/www/html/occ config:system:delete enabledPreviewProviders 22
    fi
 fi

--- a/Containers/nextcloud/healthcheck.sh
+++ b/Containers/nextcloud/healthcheck.sh
@@ -2,6 +2,6 @@

 nc -z "$POSTGRES_HOST" 5432 || exit 0

-if ! nc -z localhost 9000 || ! nc -z localhost 7867; then
+if ! nc -z localhost 9000; then
    exit 1
 fi
--- a/Containers/nextcloud/run-exec-commands.sh
+++ b/Containers/nextcloud/run-exec-commands.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+while ! nc -z "$NC_DOMAIN" 443; do
+    sleep 5
+done
+sleep 10
+
+if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
+    echo "#!/bin/bash" > /tmp/nextcloud-exec-commands
+    echo "$NEXTCLOUD_EXEC_COMMANDS" >> /tmp/nextcloud-exec-commands
+    if ! grep "one-click-instance" /tmp/nextcloud-exec-commands; then
+        bash /tmp/nextcloud-exec-commands
+        rm /tmp/nextcloud-exec-commands
+    fi
+else
+    # Collabora must work also if using manual-install 
+    if [ "$COLLABORA_ENABLED" = yes ]; then
+        echo "Activating collabora config..."
+        php /var/www/html/occ richdocuments:activate-config
+    fi
+fi
+
+sleep inf
--- a/Containers/nextcloud/start.sh
+++ b/Containers/nextcloud/start.sh
@@ -131,14 +131,4 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
    exit 1
 fi

-# Correctly set CPU_ARCH for notify_push
-CPU_ARCH="$(uname -m)"
-export CPU_ARCH
-if [ -z "$CPU_ARCH" ]; then
-    echo "Could not get processor architecture. Exiting."
-    exit 1
-elif [ "$CPU_ARCH" != "x86_64" ]; then
-    export CPU_ARCH="aarch64"
-fi
-
 exec "$@"
--- a/Containers/nextcloud/supervisord.conf
+++ b/Containers/nextcloud/supervisord.conf
@@ -25,18 +25,10 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data

-[program:notify-push]
+[program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
-user=www-data
-
-[program:activate-collabora]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=/activate-collabora.sh
+command=/run-exec-commands.sh
 user=www-data
--- a/Containers/notify-push/Dockerfile
+++ b/Containers/notify-push/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:3.18.2
+
+COPY --chmod=775 start.sh /start.sh
+
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        netcat-openbsd \
+        tzdata \
+        bash \
+        openssl; \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk del --no-cache \
+        openssl;
+
+USER 33
+ENTRYPOINT ["/start.sh"]
+
+HEALTHCHECK CMD nc -z localhost 7867 || exit 1
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/notify-push/start.sh
+++ b/Containers/notify-push/start.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ -z "$NEXTCLOUD_HOST" ]; then
+    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$POSTGRES_HOST" ]; then
+    echo "POSTGRES_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$REDIS_HOST" ]; then
+    echo "REDIS_HOST need to be provided. Exiting!"
+    exit 1
+fi
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+# Correctly set CPU_ARCH for notify_push
+CPU_ARCH="$(uname -m)"
+export CPU_ARCH
+if [ -z "$CPU_ARCH" ]; then
+    echo "Could not get processor architecture. Exiting."
+    exit 1
+elif [ "$CPU_ARCH" != "x86_64" ]; then
+    export CPU_ARCH="aarch64"
+fi
+
+# Set sensitive values as env
+export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
+
+# Run it
+/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --database-prefix="oc_" \
+    --nextcloud-url "https://$NC_DOMAIN" \
+    --port 7867
+
+exec "$@"
--- a/Containers/onlyoffice/Dockerfile
+++ b/Containers/onlyoffice/Dockerfile
@@ -1,5 +1,7 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.3.3.49
+FROM onlyoffice/documentserver:7.4.0.1
+
+# USER root is probably used

 HEALTHCHECK CMD nc -z localhost 80 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/postgresql/Dockerfile
+++ b/Containers/postgresql/Dockerfile
@@ -1,39 +1,41 @@
 # From https://github.com/docker-library/postgres/blob/master/15/alpine/Dockerfile
-FROM postgres:15.2-alpine
+FROM postgres:15.3-alpine

-RUN apk add --no-cache bash openssl shadow grep mawk
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh

-# We need to use the same gid and uid as on old installations
 RUN set -ex; \
+    apk add --no-cache \
+        bash \
+        openssl \
+        shadow \
+        grep; \
+    \
+# We need to use the same gid and uid as on old installations
    deluser postgres; \
    groupmod -g 9999 ping; \
    addgroup -g 999 -S postgres; \
-    adduser -u 999 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres
-
+    adduser -u 999 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+    apk del --no-cache shadow; \
+    \
 # Fix default permissions
-RUN set -ex; \
    chown -R postgres:postgres /var/lib/postgresql; \
    chown -R postgres:postgres /var/run/postgresql; \
-    chown -R postgres:postgres "$PGDATA"
-
-COPY start.sh /usr/bin/
-COPY healthcheck.sh /usr/bin/
-COPY init-user-db.sh /docker-entrypoint-initdb.d/
-RUN set -ex; \
-    chmod +x /usr/bin/start.sh; \
-    chmod +xr /docker-entrypoint-initdb.d/init-user-db.sh; \
-    chmod +x /usr/bin/healthcheck.sh
-
-RUN mkdir /mnt/data; \
-    chown postgres:postgres /mnt/data;
+    chmod -R 777 /var/run/postgresql; \
+    chown -R postgres:postgres "$PGDATA"; \
+    \
+    mkdir /mnt/data; \
+    chown postgres:postgres /mnt/data; \
+    \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl;

 VOLUME /mnt/data

-# Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
-
 USER postgres
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]

-HEALTHCHECK CMD healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/postgresql/start.sh
+++ b/Containers/postgresql/start.sh
@@ -146,11 +146,19 @@ if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
    rm -rf "${DATADIR:?}/"*
 fi

-echo "Setting max connections..."
-MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
-MAX_CONNECTIONS=$((MEMORY/50+3))
-if [ -n "$MAX_CONNECTIONS" ]; then
-    sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+# Modify postgresql.conf
+if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
+    echo "Setting max connections..."
+    MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+    MAX_CONNECTIONS=$((MEMORY/50+3))
+    if [ -n "$MAX_CONNECTIONS" ]; then
+        sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+    fi
+
+    # Modify conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
+    fi
 fi

 # Catch docker stop attempts
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@@ -1,16 +1,16 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.0.10-alpine
+FROM redis:7.0.12-alpine

-RUN apk add --no-cache openssl bash
-
-COPY start.sh /usr/bin/
-RUN chmod +x /usr/bin/start.sh
+COPY --chmod=775 start.sh /start.sh

+RUN set -ex; \
+    apk add --no-cache openssl bash; \
+    \
 # Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd

 USER redis
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/redis/start.sh
+++ b/Containers/redis/start.sh
@@ -8,9 +8,9 @@ fi

 # Run redis with a password if provided
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else
-    exec redis-server
+    exec redis-server --loglevel warning
 fi

 exec "$@"
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@@ -0,0 +1,53 @@
+FROM python:3.11.4-alpine3.18
+
+COPY --chmod=775 start.sh /start.sh
+
+ENV RECORDING_VERSION v17.0.2
+ENV ALLOW_ALL false
+ENV HPB_PROTOCOL https
+ENV SKIP_VERIFY false
+ENV HPB_PATH /standalone-signaling/
+
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        tzdata \
+        bash \
+        xvfb \
+        ffmpeg \
+        firefox \
+        bind-tools \
+        netcat-openbsd \
+        git \
+        wget \
+        shadow \
+        pulseaudio \
+        openssl; \
+    # chromium chromium-chromedriver?
+    apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing; \
+    useradd -d /tmp --system recording; \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
+    mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \
+    python3 -m pip install /src/recording/src; \
+    rm -rf /src; \
+    touch /etc/recording.conf; \
+    chown recording:recording -R \
+        /tmp /etc/recording.conf; \
+    mkdir -p /conf; \
+    chmod 777 /conf; \
+    chmod 777 /tmp; \
+    apk del --no-cache \
+        git \
+        wget \
+        shadow \
+        openssl;
+
+WORKDIR /tmp
+USER recording
+ENTRYPOINT ["/start.sh"]
+CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]
+
+HEALTHCHECK CMD nc -z localhost 1234 || exit 1
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/talk-recording/recording.conf
+++ b/Containers/talk-recording/recording.conf
@@ -0,0 +1,111 @@
+[logs]
+# Log level based on numeric values of Python logging levels:
+# - Critical: 50
+# - Error:    40
+# - Warning:  30
+# - Info:     20
+# - Debug:    10
+# - Not set:   0
+#level = 20
+
+[http]
+# IP and port to listen on for HTTP requests.
+#listen = 127.0.0.1:8000
+
+[backend]
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used during development.
+#allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Comma-separated list of backend ids allowed to connect.
+#backends = backend-id, another-backend
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+# Overridable by backend.
+#skipverify = false
+
+# Maximum allowed size in bytes for messages sent by the backend.
+# Overridable by backend.
+#maxmessagesize = 1024
+
+# Width for recorded videos.
+# Overridable by backend.
+#videowidth = 1920
+
+# Height for recorded videos.
+# Overridable by backend.
+#videoheight = 1080
+
+# Temporary directory used to store recordings until uploaded. It must be
+# writable by the user running the recording server.
+# Overridable by backend.
+#directory = /tmp
+
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# URL of the Nextcloud instance
+#url = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[signaling]
+# Common shared secret for authenticating as an internal client of signaling
+# servers if a specific secret is not set for a signaling server. This must be
+# the same value as configured in the signaling server configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+# Comma-separated list of signaling servers with specific internal secrets.
+#signalings = signaling-id, another-signaling
+
+# Signaling server configurations as defined in the "[signaling]" section above.
+# The section names must match the ids used in "signalings" above.
+#[signaling-id]
+# URL of the signaling server
+#url = https://signaling.domain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+#[another-signaling]
+# URL of the signaling server
+#url = https://signaling.otherdomain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+[ffmpeg]
+# The options given to FFmpeg to encode the audio output. The options given here
+# fully override the default options for the audio output.
+#outputaudio = -c:a libopus
+
+# The options given to FFmpeg to encode the video output. The options given here
+# fully override the default options for the video output.
+#outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+
+# The extension of the file for audio only recordings.
+#extensionaudio = .ogg
+
+# The extension of the file for audio and video recordings.
+#extensionvideo = .webm
--- a/Containers/talk-recording/start.sh
+++ b/Containers/talk-recording/start.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# Variables
+if [ -z "$NC_DOMAIN" ]; then
+    echo "You need to provide the NC_DOMAIN."
+    exit 1
+elif [ -z "$RECORDING_SECRET" ]; then
+    echo "You need to provide the RECORDING_SECRET."
+    exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+    echo "You need to provide the INTERNAL_SECRET."
+    exit 1
+fi
+
+cat << RECORDING_CONF > "/conf/recording.conf"
+[logs]
+# 30 means Warning
+level = 30
+
+[http]
+listen = 0.0.0.0:1234
+
+[backend]
+allowall = ${ALLOW_ALL}
+# TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
+secret = ${RECORDING_SECRET}
+backends = backend-1
+skipverify = ${SKIP_VERIFY}
+maxmessagesize = 1024
+videowidth = 1920
+videoheight = 1080
+directory = /tmp
+
+[backend-1]
+url = ${HPB_PROTOCOL}://${NC_DOMAIN}
+secret = ${RECORDING_SECRET}
+skipverify = ${SKIP_VERIFY}
+
+[signaling]
+signalings = signaling-1
+
+[signaling-1]
+url = ${HPB_PROTOCOL}://${NC_DOMAIN}${HPB_PATH}
+internalsecret = ${INTERNAL_SECRET}
+
+[ffmpeg]
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm
+RECORDING_CONF
+
+exec "$@"
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -1,71 +1,105 @@
-FROM nats:2.9.15-scratch as nats
-FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
-FROM alpine:3.17.2
-USER root
+FROM nats:2.9.20-scratch as nats
+FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling
+FROM alpine:3.18.2 as janus

-COPY --from=nats /nats-server /usr/local/bin/nats-server
-COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+ARG JANUS_VERSION=v0.13.4
+WORKDIR /src
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        git \
+        autoconf \
+        automake \
+        build-base \
+        pkgconfig \
+        libtool \
+        util-linux \
+        glib-dev \
+        zlib-dev \
+        openssl-dev \
+        jansson-dev \
+        libnice-dev \
+        libconfig-dev \
+        libsrtp-dev \
+        libusrsctp-dev \
+        gengetopt-dev \
+        libwebsockets-dev; \
+    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
+    /src/autogen.sh; \
+    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
+    make; \
+    make install; \
+    make configs; \
+    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
+
+FROM coturn/coturn:4.6.2-alpine3.18
+USER root

 RUN set -ex; \
    apk add --no-cache \
        ca-certificates \
        tzdata \
        bash \
-        coturn \
        openssl \
        supervisor \
        bind-tools \
        netcat-openbsd \
-        shadow \
-        util-linux \
-        build-base \
-        lua5.3-dev \
-        luarocks5.3; \
-    apk add --no-cache janus-gateway --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
+        \
+        glib \
+        zlib \
+        libssl3 \
+        libcrypto3 \
+        jansson \
+        libnice \
+        libconfig \
+        libsrtp \
+        libusrsctp \
+        libwebsockets \
+        \
+        shadow; \
    useradd --system talk; \
-    luarocks-5.3 install luajson; \
-    luarocks-5.3 install ansicolors; \
-    rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
    apk del --no-cache \
-        shadow \
-        util-linux \
-        build-base \
-        lua5.3-dev \
-        luarocks5.3;
-
+        shadow; \
+    \
 # Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
-
-COPY --chmod=775 start.sh /usr/bin/start.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
-
-RUN set -ex; \
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    \
    touch \
-        /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf; \
+        /etc/nats.conf; \
    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
+        /conf \
+        /var/lib/turn \
+        /var/log/supervisord \
+        /var/run/supervisord \
+        /usr/local/lib/janus/loggers; \
+    chown talk:talk -R \
+        /usr \
+        /etc/nats.conf \
        /var/lib/turn \
        /var/log/supervisord \
        /var/run/supervisord; \
-    chown talk:talk -R \
-        /usr \
-        /etc/janus \
-        /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf \
+    chmod 777 -R \
+        /tmp \
+        /conf \
+        /var/run/supervisord \
        /var/lib/turn \
-        /var/log/supervisord \
-        /var/run/supervisord;
+        /var/log/supervisord;
+
+COPY --from=janus /usr/local /usr/local
+COPY --from=nats /nats-server /usr/local/bin/nats-server
+COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf

 # Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
 ENV TALK_PORT=3478

 USER talk
-ENTRYPOINT ["start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+ENTRYPOINT ["/start.sh"]
+CMD ["supervisord", "-c", "/supervisord.conf"]

-HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost $TALK_PORT) || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/talk/server.conf.in
+++ b/Containers/talk/server.conf.in
@@ -0,0 +1,314 @@
+[http]
+# IP and port to listen on for HTTP requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8080
+
+# HTTP socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTP socket write timeout in seconds.
+#writetimeout = 15
+
+[https]
+# IP and port to listen on for HTTPS requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8443
+
+# HTTPS socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTPS socket write timeout in seconds.
+#writetimeout = 15
+
+# Certificate / private key to use for the HTTPS server.
+certificate = /etc/nginx/ssl/server.crt
+key = /etc/nginx/ssl/server.key
+
+[app]
+# Set to "true" to install pprof debug handlers.
+# See "https://golang.org/pkg/net/http/pprof/" for further information.
+debug = false
+
+# Set to "true" to allow subscribing any streams. This is insecure and should
+# only be enabled for testing. By default only streams of users in the same
+# room and call can be subscribed.
+#allowsubscribeany = false
+
+[sessions]
+# Secret value used to generate checksums of sessions. This should be a random
+# string of 32 or 64 bytes.
+hashkey = the-secret-for-session-checksums
+
+# Optional key for encrypting data in the sessions. Must be either 16, 24 or
+# 32 bytes.
+# If no key is specified, data will not be encrypted (not recommended).
+blockkey = -encryption-key-
+
+[clients]
+# Shared secret for connections from internal clients. This must be the same
+# value as configured in the respective internal services.
+internalsecret = the-shared-secret-for-internal-clients
+
+[backend]
+# Type of backend configuration.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A comma-separated list of backends is given in the "backends" option.
+# - etcd: Backends are retrieved from an etcd cluster.
+#backendtype = static
+
+# For backend type "static":
+# Comma-separated list of backend ids from which clients are allowed to connect
+# from. Each backend will have isolated rooms, i.e. clients connecting to room
+# "abc12345" on backend 1 will be in a different room than clients connected to
+# a room with the same name on backend 2. Also sessions connected from different
+# backends will not be able to communicate with each other.
+#backends = backend-id, another-backend
+
+# For backend type "etcd":
+# Key prefix of backend entries. All keys below will be watched and assumed to
+# contain a JSON document with the following entries:
+# - "url": Url of the Nextcloud instance.
+# - "secret": Shared secret for requests from and to the backend servers.
+#
+# Additional optional entries:
+# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second).
+# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second).
+# - "sessionlimit": Number of sessions that are allowed to connect.
+#
+# Example:
+# "/signaling/backend/one" -> {"url": "https://nextcloud.domain1.invalid", ...}
+# "/signaling/backend/two" -> {"url": "https://domain2.invalid/nextcloud", ...}
+#backendprefix = /signaling/backend
+
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used while running the benchmark client against the server.
+allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret-for-allowall
+
+# Timeout in seconds for requests to the backend.
+timeout = 10
+
+# Maximum number of concurrent backend connections per host.
+connectionsperhost = 8
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For backendtype "static":
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# URL of the Nextcloud instance
+#url = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Limit the number of sessions that are allowed to connect to this backend.
+# Omit or set to 0 to not limit the number of sessions.
+#sessionlimit = 10
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxscreenbitrate = 2097152
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[nats]
+# Url of NATS backend to use. This can also be a list of URLs to connect to
+# multiple backends. For local development, this can be set to "nats://loopback"
+# to process NATS messages internally instead of sending them through an
+# external NATS backend.
+#url = nats://localhost:4222
+
+[mcu]
+# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
+# Leave empty to disable MCU functionality.
+#type =
+
+# For type "janus": the URL to the websocket endpoint of the MCU server.
+# For type "proxy": a space-separated list of proxy URLs to connect to.
+#url =
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to 1 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Default is 2 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxscreenbitrate = 2097152
+
+# For type "proxy": timeout in seconds for requests to the proxy server.
+#proxytimeout = 2
+
+# For type "proxy": type of URL configuration for proxy servers.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A space-separated list of proxy URLs is given in the "url" option.
+# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
+#urltype = static
+
+# If set to "true", certificate validation of proxy servers will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For type "proxy": the id of the token to use when connecting to proxy servers.
+#token_id = server1
+
+# For type "proxy": the private key for the configured token id to use when
+# connecting to proxy servers.
+#token_key = privkey.pem
+
+# For url type "static": Enable DNS discovery on hostname of configured URL.
+# If the hostname resolves to multiple IP addresses, a connection is established
+# to each of them.
+# Changes to the DNS are monitored regularly and proxy connections are created
+# or deleted as necessary.
+#dnsdiscovery = true
+
+# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
+# watched and assumed to contain a JSON document. The entry "address" from this
+# document will be used as proxy URL, other contents in the document will be
+# ignored.
+#
+# Example:
+# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
+# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
+#keyprefix = /signaling/proxy/server
+
+[turn]
+# API key that the MCU will need to send when requesting TURN credentials.
+#apikey = the-api-key-for-the-rest-service
+
+# The shared secret to use for generating TURN credentials. This must be the
+# same as on the TURN server.
+#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
+
+# A comma-separated list of TURN servers to use. Leave empty to disable the
+# TURN REST API.
+#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
+
+[geoip]
+# License key to use when downloading the MaxMind GeoIP database. You can
+# register an account at "https://www.maxmind.com/en/geolite2/signup" for
+# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
+# information.
+# Leave empty to disable GeoIP lookups.
+#license =
+
+# Optional URL to download a MaxMind GeoIP database from. Will be generated if
+# "license" is provided above. Can be a "file://" url if a local file should
+# be used. Please note that the database must provide a country field when
+# looking up IP addresses.
+#url =
+
+[geoip-overrides]
+# Optional overrides for GeoIP lookups. The key is an IP address / range, the
+# value the associated country code.
+#127.0.0.1 = DE
+#192.168.0.0/24 = DE
+
+[continent-overrides]
+# Optional overrides for continent mappings. The key is a continent code, the
+# value a comma-separated list of continent codes to map the continent to.
+# Use European servers for clients in Africa.
+#AF = EU
+# Use servers in North Africa for clients in South America.
+#SA = NA
+
+[stats]
+# Comma-separated list of IP addresses that are allowed to access the stats
+# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
+#allowed_ips =
+
+[etcd]
+# Comma-separated list of static etcd endpoints to connect to.
+#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
+
+# Options to perform endpoint discovery through DNS SRV.
+# Only used if no endpoints are configured manually.
+#discoverysrv = example.com
+#discoveryservice = foo
+
+# Path to private key, client certificate and CA certificate if TLS
+# authentication should be used.
+#clientkey = /path/to/etcd-client.key
+#clientcert = /path/to/etcd-client.crt
+#cacert = /path/to/etcd-ca.crt
+
+[grpc]
+# IP and port to listen on for GRPC requests.
+# Comment line to disable the listener.
+#listen = 0.0.0.0:9090
+
+# Certificate / private key to use for the GRPC server.
+# Omit to use unencrypted connections.
+#servercertificate = /path/to/grpc-server.crt
+#serverkey = /path/to/grpc-server.key
+
+# CA certificate that is allowed to issue certificates of GRPC servers.
+# Omit to expect unencrypted connections.
+#serverca = /path/to/grpc-ca.crt
+
+# Certificate / private key to use for the GRPC client.
+# Omit if clients don't need to authenticate on the server.
+#clientcertificate = /path/to/grpc-client.crt
+#clientkey = /path/to/grpc-client.key
+
+# CA certificate that is allowed to issue certificates of GRPC clients.
+# Omit to allow any clients to connect.
+#clientca = /path/to/grpc-ca.crt
+
+# Type of GRPC target configuration.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A comma-separated list of targets is given in the "targets" option.
+# - etcd: Target URLs are retrieved from an etcd cluster.
+#targettype = static
+
+# For target type "static": Comma-separated list of GRPC targets to connect to
+# for clustering mode.
+#targets = 192.168.0.1:9090, 192.168.0.2:9090
+
+# For target type "static": Enable DNS discovery on hostnames of GRPC target.
+# If a hostname resolves to multiple IP addresses, a connection is established
+# to each of them.
+# Changes to the DNS are monitored regularly and GRPC clients are created or
+# deleted as necessary.
+#dnsdiscovery = true
+
+# For target type "etcd": Key prefix of GRPC target entries. All keys below will
+# be watched and assumed to contain a JSON document. The entry "address" from
+# this document will be used as target URL, other contents in the document will
+# be ignored.
+#
+# Example:
+# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"}
+# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"}
+#targetprefix = /signaling/cluster/grpc
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -10,6 +10,9 @@ elif [ -z "$TURN_SECRET" ]; then
 elif [ -z "$SIGNALING_SECRET" ]; then
    echo "You need to provide the SIGNALING_SECRET."
    exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+    echo "You need to provide the INTERNAL_SECRET."
+    exit 1
 fi

 set -x
@@ -17,10 +20,9 @@ IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
 set +x

 # Turn
-cat << TURN_CONF > "/etc/turnserver.conf"
+cat << TURN_CONF > "/conf/turnserver.conf"
 listening-port=$TALK_PORT
 fingerprint
-lt-cred-mech
 use-auth-secret
 static-auth-secret=$TURN_SECRET
 realm=$NC_DOMAIN
@@ -52,7 +54,7 @@ denied-peer-ip=240.0.0.0-255.255.255.255
 TURN_CONF

 # Signling
-cat << SIGNALING_CONF > "/etc/signaling.conf"
+cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081

@@ -64,7 +66,7 @@ hashkey = $(openssl rand -hex 16)
 blockkey = $(openssl rand -hex 16)

 [clients]
-internalsecret = $(openssl rand -hex 16)
+internalsecret = ${INTERNAL_SECRET}

 [backend]
 backends = backend-1
--- a/Containers/talk/supervisord.conf
+++ b/Containers/talk/supervisord.conf
@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -13,7 +12,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /etc/turnserver.conf
+command=turnserver -c /conf/turnserver.conf

 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -27,11 +26,12 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout
+# debug-level 3 means warning
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3

 [program:signaling]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nextcloud-spreed-signaling -config /etc/signaling.conf
+command=nextcloud-spreed-signaling -config /conf/signaling.conf
--- a/Containers/watchtower/Dockerfile
+++ b/Containers/watchtower/Dockerfile
@@ -1,14 +1,14 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.5.3 as watchtower

-FROM alpine:3.17.2
+FROM alpine:3.18.2

 RUN apk add --no-cache bash
-COPY --from=watchtower /watchtower /
+COPY --from=watchtower /watchtower /watchtower

-COPY start.sh /
-RUN chmod +x /start.sh
+COPY --chmod=775 start.sh /start.sh

 USER root
+
 ENTRYPOINT ["/start.sh"]
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/app/appinfo/info.xml
+++ b/app/appinfo/info.xml
@@ -2,10 +2,10 @@
 <info xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
 	  xsi:noNamespaceSchemaLocation="https://apps.nextcloud.com/schema/apps/info.xsd">
 	<id>nextcloud-aio</id>
-	<name>Nextcloud All In One</name>
+	<name>Nextcloud All-in-One</name>
 	<summary>Provides a login link for admins.</summary>
-	<description>Add a link to the admin settings that gives access to the Nextcloud All In One admin interface</description>
-	<version>0.3.0</version>
+	<description>Add a link to the admin settings that gives access to the Nextcloud All-in-One admin interface</description>
+	<version>0.4.0</version>
 	<licence>agpl</licence>
 	<author>Azul</author>
 	<namespace>AllInOne</namespace>
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="24" max-version="25"/>
+		<nextcloud min-version="25" max-version="26"/>
 	</dependencies>

 	<settings>
--- a/app/templates/admin.php
+++ b/app/templates/admin.php
@@ -10,6 +10,7 @@ declare(strict_types=1);
 */
 	/** @var array $_ */ ?>
 <div id="allinone" class="section">
-	<h2><?php p($l->t('Nextcloud All In One'));?></h2>
-	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a>
+	<h2><?php p($l->t('Nextcloud All-in-One'));?></h2>
+	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a><br><br>
+	<p><a href="https://github.com/nextcloud/all-in-one#how-to-easily-log-in-to-the-aio-interface">Click here for more infos on this feature (e.g. also on how to change the link in the button)</a></p>
 </div>
--- a/compose.yaml
+++ b/compose.yaml
@@ -0,0 +1,62 @@
+services:
+  nextcloud:
+    image: nextcloud/all-in-one:latest
+    restart: always
+    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
+    volumes:
+      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
+      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
+    ports:
+      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 8080:8080
+      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+    # environment: # Is needed when using any of the options below
+      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
+      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
+      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
+      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
+      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
+      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
+      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
+      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
+      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
+      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
+      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
+      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
+    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
+      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
+
+  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
+  # caddy:
+  #   image: caddy:alpine
+  #   restart: always
+  #   container_name: caddy
+  #   volumes:
+  #     - ./Caddyfile:/etc/caddy/Caddyfile
+  #     - ./certs:/certs
+  #     - ./config:/config
+  #     - ./data:/data
+  #     - ./sites:/srv
+  #   network_mode: "host"
+
+volumes:
+  nextcloud_aio_mastercontainer:
+    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
+
+# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
+# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
+# networks:
+#   nextcloud-aio:
+#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
+#     driver: bridge
+#     enable_ipv6: true
+#     ipam:
+#       driver: default
+#       config:
+#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use
--- a/develop.md
+++ b/develop.md
@@ -22,6 +22,8 @@ Simply use https://github.com/nextcloud/all-in-one/issues/180 as template.
 Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/repo-sync.yml and run the workflow that will first sync the repo and then build new container that automatically get published to `develop` and `develop-arm64`.

 ## How to test things correctly?
+Before testing, make sure that at least the amd64 containers are built successfully by checking the last workflow here: https://github.com/nextcloud-releases/all-in-one/actions/workflows/build_images.yml. 
+
 There is a testing-VM available for the maintainer of AIO that allows for some final testing before releasing new version. See [this](https://cloud.nextcloud.com/apps/collectives/Nextcloud%20Handbook/Technical/AIO%20testing%20VM?fileId=6350152) for details.

 ## How to promote builds from develop to beta
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,49 +0,0 @@
-version: "3.8"
-
-volumes:
-  nextcloud_aio_mastercontainer:
-    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed
-
-services:
-  nextcloud:
-    image: nextcloud/all-in-one:latest
-    restart: always
-    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed
-    volumes:
-      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed
-      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'DOCKER_SOCKET_PATH'!
-    ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      - 8080:8080
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-    # environment: # Is needed when using any of the options below
-      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
-      # - DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
-      # - DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface.
-      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
-      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
-      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
-      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
-      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
-      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
-      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container which is needed for hardware-transcoding. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using.
-
-  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
-  # caddy:
-  #   image: caddy:alpine
-  #   restart: always
-  #   container_name: caddy
-  #   volumes:
-  #     - ./Caddyfile:/etc/caddy/Caddyfile
-  #     - ./certs:/certs
-  #     - ./config:/config
-  #     - ./data:/data
-  #     - ./sites:/srv
-  #   network_mode: "host"
--- a/docker-ipv6-support.md
+++ b/docker-ipv6-support.md
@@ -0,0 +1,45 @@
+# IPv6-Support for Docker
+
+Before enabling IPv6-Support for Docker, please note that there are still some unresolved problems in regards to IPv6-Support in Docker. See https://github.com/nextcloud/all-in-one/discussions/2557 for more details on this.
+
+Now that this was mentioned, see the instructions below on how to enable IPv6 for Docker.
+
+## Docker on Linux and Docker-rootless
+1.  Edit `/etc/docker/daemon.json` (or `~/.config/docker/daemon.json` in case of docker-rootless), set the `ipv6` key to `true` and the `fixed-cidr-v6` key to your IPv6 subnet. In this example we are setting it to `fd12:3456:789a:1::/64`. Additionally set `experimental` to `true` and `ip6tables` to `true` as well. If you are using mailcow and enabled IPv6 with the update.sh, you can keep their daemon.json, it will work too.
+
+    ```json
+    {
+      "ipv6": true,
+      "fixed-cidr-v6": "fd12:3456:789a:1::/64",
+      "experimental": true,
+      "ip6tables": true
+    }
+    ```
+
+    Save the file.
+
+2.  Reload the Docker configuration file.
+
+    ```console
+    sudo systemctl restart docker
+    ```
+3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `sudo docker network inspect nextcloud-aio | grep EnableIPv6`. On a new instance, this command should return that it did not find a network with this name. Then you can run `sudo docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/2045 in order to recreate the network and enable ipv6 for it.
+
+## Docker Desktop (Windows and macOS)
+On Windows and macOS which use Docker Desktop, you need to go into the settings, and select `Docker Engine`. There you should see the currently used daemon.json file. 
+
+1. You need to now adjust this json file by setting the `ipv6` key to `true` and the `fixed-cidr-v6` key to your IPv6 subnet. In this example we are setting it to `fd12:3456:789a:1::/64`. Additionally set `experimental` to `true` and `ip6tables` to `true` as well.
+
+    ```
+    "ipv6": true,
+    "fixed-cidr-v6": "fd12:3456:789a:1::/64",
+    "experimental": true,
+    "ip6tables": true
+    ```
+
+2. Add these values to the json and make sure to keep the other currently values and that you don't see `Unexpected token in JSON at position ...` before attempting to restart by clicking on `Apply & restart`.
+3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `docker network inspect nextcloud-aio`. On a new instance, this command should return that it did not find a network with this name. Then you can run `docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/2045 in order to recreate the network and enable ipv6 for it.
+
+---
+
+**Note**: This is a copy of the original docker docs at https://docs.docker.com/config/daemon/ipv6/ which apparently are not correct. However experimental is set to true which the ip6tables feature needs. Thus it will not get included into the official docs. However it is needed to make it work in our testing.
--- a/docker-rootless.md
+++ b/docker-rootless.md
@@ -4,12 +4,12 @@ You can run AIO with docker rootless by following the steps below.

 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
 1. Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it **Without packages** (`curl -fsSL https://get.docker.com/rootless | sh`). Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (`systemctl --user enable docker`)
-1. If you need ipv6 support, you should enable it by following https://docs.docker.com/config/daemon/ipv6/. The daemon.json file is most likely stored in `~/.config/docker/daemon.json`.
+1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
 1. Do not forget to set the mentioned environmental variables and in best case add them to your `~/.bashrc` file as shown!
 1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
 1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`)
-1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `-e DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
-1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or docker-compose file (after installing docker rootles) are things that are mentioned in point 3.
+1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
+1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.

 **Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with `sudo chown -R USERNAME:GROUPNAME /mnt/backup`. The same applies when changing Nextcloud's datadir. E.g. `sudo chown -R USERNAME:GROUPNAME /mnt/ncdata`. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). 

--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@@ -1,9 +0,0 @@
-name: Nextcloud AIO Helm Chart
-description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 4.6.2
-apiVersion: v2
-keywords:
-  - latest
-sources:
-  - https://github.com/nextcloud/all-in-one/tree/main/helm-chart
-home: https://github.com/nextcloud/all-in-one/tree/main/helm-chart
--- a/helm-chart/readme.md
+++ b/helm-chart/readme.md
@@ -1,3 +0,0 @@
-# You can also install the AIO containers on Kubernetes using this Helm Chart
-
-This is currently beta and not ready yet.
--- a/helm-chart/templates/nextcloud-aio-apache-deployment.yaml
+++ b/helm-chart/templates/nextcloud-aio-apache-deployment.yaml
@@ -1,73 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
-  labels:
-    io.kompose.service: nextcloud-aio-apache
-  name: nextcloud-aio-apache
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      io.kompose.service: nextcloud-aio-apache
-  template:
-    metadata:
-      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
-      labels:
-        io.kompose.network/nextcloud-aio: "true"
-        io.kompose.service: nextcloud-aio-apache
-    spec:
-      initContainers:
-        - name: init-volumes
-          image: alpine
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-nextcloud
-            - /nextcloud-aio-apache
-          volumeMounts:
-            - name: nextcloud-aio-apache
-              mountPath: /nextcloud-aio-apache
-            - name: nextcloud-aio-nextcloud
-              mountPath: /nextcloud-aio-nextcloud
-      containers:
-        - env:
-            - name: APACHE_MAX_SIZE
-              value: "{{ .Values.APACHE_MAX_SIZE }}"
-            - name: APACHE_MAX_TIME
-              value: "{{ .Values.NEXTCLOUD_MAX_TIME }}"
-            - name: APACHE_PORT
-              value: "{{ .Values.APACHE_PORT }}"
-            - name: COLLABORA_HOST
-              value: nextcloud-aio-collabora
-            - name: NC_DOMAIN
-              value: "{{ .Values.NC_DOMAIN }}"
-            - name: NEXTCLOUD_HOST
-              value: nextcloud-aio-nextcloud
-            - name: ONLYOFFICE_HOST
-              value: nextcloud-aio-onlyoffice
-            - name: TALK_HOST
-              value: nextcloud-aio-talk
-            - name: TZ
-              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20230315_112022-latest
-          name: nextcloud-aio-apache
-          ports:
-            - containerPort: {{ .Values.APACHE_PORT }}
-          volumeMounts:
-            - mountPath: /var/www/html
-              name: nextcloud-aio-nextcloud
-              readOnly: true
-            - mountPath: /mnt/data
-              name: nextcloud-aio-apache
-      volumes:
-        - name: nextcloud-aio-nextcloud
-          persistentVolumeClaim:
-            claimName: nextcloud-aio-nextcloud
-        - name: nextcloud-aio-apache
-          persistentVolumeClaim:
-            claimName: nextcloud-aio-apache
--- a/helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -1,52 +0,0 @@
-{{- if eq .Values.CLAMAV_ENABLED "yes" }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
-  labels:
-    io.kompose.service: nextcloud-aio-clamav
-  name: nextcloud-aio-clamav
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      io.kompose.service: nextcloud-aio-clamav
-  template:
-    metadata:
-      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
-      labels:
-        io.kompose.network/nextcloud-aio: "true"
-        io.kompose.service: nextcloud-aio-clamav
-    spec:
-      initContainers:
-        - name: init-volumes
-          image: alpine
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-clamav
-          volumeMounts:
-            - name: nextcloud-aio-clamav
-              mountPath: /nextcloud-aio-clamav
-      containers:
-        - env:
-            - name: CLAMD_STARTUP_TIMEOUT
-              value: "90"
-            - name: TZ
-              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20230315_112022-latest
-          name: nextcloud-aio-clamav
-          ports:
-            - containerPort: 3310
-          volumeMounts:
-            - mountPath: /var/lib/clamav
-              name: nextcloud-aio-clamav
-      volumes:
-        - name: nextcloud-aio-clamav
-          persistentVolumeClaim:
-            claimName: nextcloud-aio-clamav
-{{- end }}
--- a/helm-chart/templates/nextcloud-aio-collabora-fonts-persistentvolumeclaim.yaml
+++ b/helm-chart/templates/nextcloud-aio-collabora-fonts-persistentvolumeclaim.yaml
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  labels:
-    io.kompose.service: nextcloud-aio-collabora-fonts
-  name: nextcloud-aio-collabora-fonts
-spec:
-  {{- if .Values.STORAGE_CLASS }}
-  storageClassName: {{ .Values.STORAGE_CLASS }}
-  {{- end }}
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: {{ .Values.COLLABORA_FONTS_STORAGE_SIZE }}
--- a/helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
+++ b/helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
@@ -1,37 +0,0 @@
-{{- if eq .Values.IMAGINARY_ENABLED "yes" }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
-  labels:
-    io.kompose.service: nextcloud-aio-imaginary
-  name: nextcloud-aio-imaginary
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      io.kompose.service: nextcloud-aio-imaginary
-  template:
-    metadata:
-      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
-      labels:
-        io.kompose.network/nextcloud-aio: "true"
-        io.kompose.service: nextcloud-aio-imaginary
-    spec:
-      containers:
-        - env:
-            - name: TZ
-              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20230315_112022-latest
-          name: nextcloud-aio-imaginary
-          ports:
-            - containerPort: 9000
-          securityContext:
-            capabilities:
-              add:
-                - SYS_NICE
-{{- end }}
--- a/helm-chart/templates/nextcloud-aio-networkpolicy.yaml
+++ b/helm-chart/templates/nextcloud-aio-networkpolicy.yaml
@@ -1,13 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: nextcloud-aio
-spec:
-  ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              io.kompose.network/nextcloud-aio: "true"
-  podSelector:
-    matchLabels:
-      io.kompose.network/nextcloud-aio: "true"
--- a/helm-chart/templates/nextcloud-aio-talk-deployment.yaml
+++ b/helm-chart/templates/nextcloud-aio-talk-deployment.yaml
@@ -1,44 +0,0 @@
-{{- if eq .Values.TALK_ENABLED "yes" }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
-  labels:
-    io.kompose.service: nextcloud-aio-talk
-  name: nextcloud-aio-talk
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      io.kompose.service: nextcloud-aio-talk
-  template:
-    metadata:
-      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
-      labels:
-        io.kompose.network/nextcloud-aio: "true"
-        io.kompose.service: nextcloud-aio-talk
-    spec:
-      containers:
-        - env:
-            - name: NC_DOMAIN
-              value: "{{ .Values.NC_DOMAIN }}"
-            - name: SIGNALING_SECRET
-              value: "{{ .Values.SIGNALING_SECRET }}"
-            - name: TALK_PORT
-              value: "{{ .Values.TALK_PORT }}"
-            - name: TURN_SECRET
-              value: "{{ .Values.TURN_SECRET }}"
-            - name: TZ
-              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20230315_112022-latest
-          name: nextcloud-aio-talk
-          ports:
-            - containerPort: {{ .Values.TALK_PORT }}
-            - containerPort: {{ .Values.TALK_PORT }}
-              protocol: UDP
-            - containerPort: 8081
-{{- end }}
--- a/local-instance.md
+++ b/local-instance.md
@@ -5,15 +5,15 @@ It is possible due to several reasons that you do not want or cannot open Nextcl
 The recommended way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
-1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the local ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
-1. Enter the the ip-address of your local dns-server in the deamon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
+1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
+1. Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
 1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup

 ## 2. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge

 ## 3. Use Cloudflare
-If you do not have any contol over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
+If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.

 ## 4. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
  nextcloud-aio-apache:
    depends_on:
@@ -7,9 +5,11 @@ services:
      - nextcloud-aio-collabora
      - nextcloud-aio-talk
      - nextcloud-aio-nextcloud
+      - nextcloud-aio-notify-push
    image: nextcloud/aio-apache:latest
    ports:
      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
+      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/udp
    environment:
      - NC_DOMAIN=${NC_DOMAIN}
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
@@ -20,12 +20,20 @@ services:
      - TZ=${TIMEZONE}
      - APACHE_MAX_SIZE=${APACHE_MAX_SIZE}
      - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
+      - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:ro
      - nextcloud_aio_apache:/mnt/data:rw
    restart: unless-stopped
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /usr/local/apache2/logs
+      - /tmp
+      - /home/www-data

  nextcloud-aio-database:
    image: nextcloud/aio-postgresql:latest
@@ -42,8 +50,12 @@ services:
      - PGTZ=${TIMEZONE}
    stop_grace_period: 1800s
    restart: unless-stopped
+    shm_size: 268435456
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/run/postgresql

  nextcloud-aio-nextcloud:
    depends_on:
@@ -51,11 +63,11 @@ services:
      - nextcloud-aio-redis
      - nextcloud-aio-clamav
      - nextcloud-aio-fulltextsearch
+      - nextcloud-aio-talk-recording
      - nextcloud-aio-imaginary
    image: nextcloud/aio-nextcloud:latest
    expose:
      - "9000"
-      - "7867"
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:rw
      - ${NEXTCLOUD_DATADIR}:/mnt/ncdata:rw
@@ -68,7 +80,6 @@ services:
      - POSTGRES_USER=nextcloud
      - REDIS_HOST=nextcloud-aio-redis
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - AIO_TOKEN=${AIO_TOKEN}
      - NC_DOMAIN=${NC_DOMAIN}
      - ADMIN_USER=admin
      - ADMIN_PASSWORD=${NEXTCLOUD_PASSWORD}
@@ -78,7 +89,6 @@ services:
      - TURN_SECRET=${TURN_SECRET}
      - SIGNALING_SECRET=${SIGNALING_SECRET}
      - ONLYOFFICE_SECRET=${ONLYOFFICE_SECRET}
-      - AIO_URL=${AIO_URL}
      - NEXTCLOUD_MOUNT=${NEXTCLOUD_MOUNT}
      - CLAMAV_ENABLED=${CLAMAV_ENABLED}
      - CLAMAV_HOST=nextcloud-aio-clamav
@@ -101,11 +111,34 @@ services:
      - STARTUP_APPS=${NEXTCLOUD_STARTUP_APPS}
      - ADDITIONAL_APKS=${NEXTCLOUD_ADDITIONAL_APKS}
      - ADDITIONAL_PHP_EXTENSIONS=${NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS}
-      - SKIP_DATA_DIRECTORY_PERMISSION_CHECK=${SKIP_DATA_DIRECTORY_PERMISSION_CHECK}
+      - INSTALL_LATEST_MAJOR=${INSTALL_LATEST_MAJOR}
+      - TALK_RECORDING_ENABLED=${TALK_RECORDING_ENABLED}
+      - RECORDING_SECRET=${RECORDING_SECRET}
+      - TALK_RECORDING_HOST=nextcloud-aio-talk-recording
    restart: unless-stopped
    networks:
      - nextcloud-aio

+  nextcloud-aio-notify-push:
+    image: nextcloud/aio-notify-push:latest
+    expose:
+      - "7867"
+    volumes:
+      - nextcloud_aio_nextcloud:/nextcloud:ro
+    environment:
+      - NC_DOMAIN=${NC_DOMAIN}
+      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
+      - REDIS_HOST=nextcloud-aio-redis
+      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
+      - POSTGRES_HOST=nextcloud-aio-database
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
+      - POSTGRES_DB=nextcloud_database
+      - POSTGRES_USER=nextcloud
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+    read_only: true
+
  nextcloud-aio-redis:
    image: nextcloud/aio-redis:latest
    expose:
@@ -118,9 +151,9 @@ services:
    restart: unless-stopped
    networks:
      - nextcloud-aio
+    read_only: true

  nextcloud-aio-collabora:
-    profiles: ["collabora"]
    image: nextcloud/aio-collabora:latest
    expose:
      - "9980"
@@ -130,14 +163,14 @@ services:
      - dictionaries=${COLLABORA_DICTIONARIES}
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
-    volumes:
-      - nextcloud_aio_collabora_fonts:/opt/cool/systemplate/tmpfonts:rw
+      - DONT_GEN_SSL_CERT=1
    restart: unless-stopped
+    profiles:
+      - collabora
    networks:
      - nextcloud-aio

  nextcloud-aio-talk:
-    profiles: ["talk"]
    image: nextcloud/aio-talk:latest
    ports:
      - ${TALK_PORT}:${TALK_PORT}/tcp
@@ -150,12 +183,42 @@ services:
      - SIGNALING_SECRET=${SIGNALING_SECRET}
      - TZ=${TIMEZONE}
      - TALK_PORT=${TALK_PORT}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
    restart: unless-stopped
+    profiles:
+      - talk
+      - talk-recording
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /conf
+      - /var/lib/turn
+      - /tmp
+
+  nextcloud-aio-talk-recording:
+    image: nextcloud/aio-talk-recording:latest
+    expose:
+      - "1234"
+    environment:
+      - NC_DOMAIN=${NC_DOMAIN}
+      - TZ=${TIMEZONE}
+      - RECORDING_SECRET=${RECORDING_SECRET}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
+    shm_size: 2147483648
+    restart: unless-stopped
+    profiles:
+      - talk-recording
+    networks:
+      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /conf

  nextcloud-aio-clamav:
-    profiles: ["clamav"]
    image: nextcloud/aio-clamav:latest
    expose:
      - "3310"
@@ -165,11 +228,17 @@ services:
    volumes:
      - nextcloud_aio_clamav:/var/lib/clamav:rw
    restart: unless-stopped
+    profiles:
+      - clamav
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/lock
+      - /var/log/clamav
+      - /tmp

  nextcloud-aio-onlyoffice:
-    profiles: ["onlyoffice"]
    image: nextcloud/aio-onlyoffice:latest
    expose:
      - "80"
@@ -181,24 +250,29 @@ services:
    volumes:
      - nextcloud_aio_onlyoffice:/var/lib/onlyoffice:rw
    restart: unless-stopped
+    profiles:
+      - onlyoffice
    networks:
      - nextcloud-aio

  nextcloud-aio-imaginary:
-    profiles: ["imaginary"]
    image: nextcloud/aio-imaginary:latest
    expose:
      - "9000"
    environment:
      - TZ=${TIMEZONE}
    restart: unless-stopped
-    networks:
-      - nextcloud-aio
    cap_add:
      - SYS_NICE
+    profiles:
+      - imaginary
+    networks:
+      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp

  nextcloud-aio-fulltextsearch:
-    profiles: ["fulltextsearch"]
    image: nextcloud/aio-fulltextsearch:latest
    expose:
      - "9200"
@@ -210,6 +284,8 @@ services:
    volumes:
      - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
    restart: unless-stopped
+    profiles:
+      - fulltextsearch
    networks:
      - nextcloud-aio

@@ -218,8 +294,6 @@ volumes:
    name: nextcloud_aio_apache
  nextcloud_aio_clamav:
    name: nextcloud_aio_clamav
-  nextcloud_aio_collabora_fonts:
-    name: nextcloud_aio_collabora_fonts
  nextcloud_aio_database:
    name: nextcloud_aio_database
  nextcloud_aio_database_dump:
@@ -235,5 +309,13 @@ volumes:
  nextcloud_aio_nextcloud_data:
    name: nextcloud_aio_nextcloud_data

+# Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 networks:
  nextcloud-aio:
+    name: nextcloud-aio
+    driver: bridge
+    enable_ipv6: true
+    ipam:
+      driver: default
+      config:
+        - subnet: ${IPV6_NETWORK}
--- a/manual-install/readme.md
+++ b/manual-install/readme.md
@@ -11,33 +11,34 @@ You can run the containers that are build for AIO with docker-compose. This come
 - You lose the AIO interface
 - You lose update notifications and automatic updates
 - You lose all AIO backup and restore features
- You need to know what you are doing, especially when modifying the docker-compose file
+- **You need to know what you are doing, especially when modifying the compose.yaml file**
 - For updating, you need to strictly follow the at the bottom described update routine
 - Probably more

 ## How to use this?
-First, install docker and docker-compose if not already done. Then simply run the following:
+First, install docker and docker-compose (v2) if not already done. Then simply run the following:
 ```bash
 git clone https://github.com/nextcloud/all-in-one.git
 cd all-in-one/manual-install
 ```
 Then copy the sample.conf to default environment file, e.g. `cp sample.conf .env`, open the new conf file, e.g. with `nano .env`, edit all values that are marked with `# TODO!`, close and save the file. (Note: there is no clamav image for arm64).

-Now copy the provided yaml file to a docker-compose file by running `cp latest.yml docker-compose.yml`.
+Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml compose.yaml`.

 Now you should be ready to go with `sudo docker-compose up`.

 ## Docker profiles
-The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, onlyoffice, talk, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
+The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, talk, talk-recording, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).

-For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).
+For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile talk-recording --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).

 ## How to update?
 Since the AIO containers may change in the future, it is highly recommended to strictly follow the following procedure whenever you want to upgrade your containers.
-1. If your previous copy of `sample.conf` is named `my.conf`, run `mv my.conf .env` in order to rename the file to `.env`.
+1. If your previous copy of `sample.conf` is named `my.conf`, run `mv -vn my.conf .env` in order to rename the file to `.env`.
 1. Run `sudo docker-compose down` to stop all running containers
 1. Back up all important files and folders
-1. Run `git pull` in order to get the updated yaml files from the repository. Now bring your `docker-compose.yml` file up-to-date with the updated one from the repository. You can use `diff docker-compose.yml latest.yml` for comparing.
+1. If your compose file is still named `docker-compose.yml` rename it to `compose.yaml` by running `mv -vn docker-compose.yml compose.yaml`
+1. Run `git pull` in order to get the updated yaml files from the repository. Now bring your `compose.yaml` file up-to-date with the updated one from the repository. You can use `diff compose.yaml latest.yml` for comparing. ⚠️ **Please note**: Starting with AIO v5.1.0, ipv6 networking will be enabled by default, so make sure to either enable it first by following steps 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md and then proceed with the steps below or disable ipv6 networking by editing the compose.yaml file and removing ipv6 from the network.
 1. Also have a look at the `sample.conf` if any variable was added or renamed and add that to your conf file as well. Here may help the diff command as well.
 1. After the file update was successful, simply run `sudo docker-compose pull` to pull the new images.
 1. At the end run `sudo docker-compose up` in order to start and update the containers with the new configuration.
--- a/manual-install/sample.conf
+++ b/manual-install/sample.conf
@@ -1,33 +1,37 @@
-AIO_TOKEN=123456          # Has no function but needs to be set!
-AIO_URL=localhost          # Has no function but needs to be set!
-APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect
-APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
-CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
+NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
+NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
+ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
+RECORDING_SECRET=          # TODO! This needs to be a unique and good password!
+REDIS_PASSWORD=          # TODO! This needs to be a unique and good password!
+SIGNALING_SECRET=          # TODO! This needs to be a unique and good password!
+TALK_INTERNAL_SECRET=          # TODO! This needs to be a unique and good password!
+TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.
+TURN_SECRET=          # TODO! This needs to be a unique and good password!
+
+CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+COLLABORA_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 FULLTEXTSEARCH_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 IMAGINARY_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
+ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+
+APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
+APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
+APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
+COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
+COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
+INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
 NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.
 NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to e.g. "/mnt/ncdata" to map it to a location on your host. It needs to be adjusted before the first startup and never afterwards!
 NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
-NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
-NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
+NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=10G          # This allows to change the upload limit of the Nextcloud container
-ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
-REDIS_PASSWORD=          # TODO! This needs to be a unique and good password!
-SIGNALING_SECRET=          # TODO! This needs to be a unique and good password!
-SKIP_DATA_DIRECTORY_PERMISSION_CHECK="no"          # When setting to "yes" (with quotes), it will skip the datadir permission check upon the initial Nextcloud installation.
-TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 TALK_PORT=3478          # This allows to adjust the port that the talk container is using.
-TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.
-TURN_SECRET=          # TODO! This needs to be a unique and good password!
 UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
+IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@@ -15,6 +15,8 @@ OUTPUT="$(cat /tmp/containers.json)"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].internal_port)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].secrets)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].devices)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
@@ -30,6 +32,11 @@ sed -i '/stop_grace_period:/s/$/s/' containers.yml
 sed -i '/: \[\]/d' containers.yml
 sed -i 's|- source: |- |' containers.yml
 sed -i 's|- ip_binding: |- |' containers.yml
+sed -i '/AIO_TOKEN/d' containers.yml
+sed -i '/AIO_URL/d' containers.yml
+
+sed -i '/AIO_TOKEN/d' sample.conf
+sed -i '/AIO_URL/d' sample.conf

 TCP="$(grep -oP '[%A-Z0-9_]+/tcp' containers.yml | sort -u)"
 mapfile -t TCP <<< "$TCP"
@@ -71,21 +78,30 @@ sed -i 's|APACHE_MAX_SIZE=|APACHE_MAX_SIZE=10737418240          # This needs to
 sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container|' sample.conf
 sed -i 's|NEXTCLOUD_TRUSTED_CACERTS_DIR=|NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf
 sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf
-sed -i 's|SKIP_DATA_DIRECTORY_PERMISSION_CHECK=|SKIP_DATA_DIRECTORY_PERMISSION_CHECK="no"          # When setting to "yes" (with quotes), it will skip the datadir permission check upon the initial Nextcloud installation.|' sample.conf
-sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).|' sample.conf
-sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect|' sample.conf
+sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).|' sample.conf
+sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect|' sample.conf
 sed -i 's|TALK_PORT=|TALK_PORT=3478          # This allows to adjust the port that the talk container is using.|' sample.conf
-sed -i 's|AIO_TOKEN=|AIO_TOKEN=123456          # Has no function but needs to be set!|' sample.conf
-sed -i 's|AIO_URL=|AIO_URL=localhost          # Has no function but needs to be set!|' sample.conf
 sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.|' sample.conf
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
-sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
+sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
+sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf
 sed -i 's|=$|=          # TODO! This needs to be a unique and good password!|' sample.conf
+echo 'IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use' >> sample.conf

+grep  '# TODO!' sample.conf > todo.conf
+grep -v '# TODO!\|_ENABLED' sample.conf > temp.conf
+grep '_ENABLED' sample.conf > enabled.conf
+cat todo.conf > sample.conf
+# shellcheck disable=SC2129
+echo '' >> sample.conf
+cat enabled.conf >> sample.conf
+echo '' >> sample.conf
+cat temp.conf >> sample.conf
+rm todo.conf temp.conf enabled.conf
 cat sample.conf

 OUTPUT="$(cat containers.yml)"
@@ -93,23 +109,13 @@ NAMES="$(grep -oP "container_name:.*" containers.yml | grep -oP 'nextcloud-aio.*
 mapfile -t NAMES <<< "$NAMES"
 for name in "${NAMES[@]}"
 do
-    OUTPUT="$(echo "$OUTPUT" | sed "/container_name.*$name/i\ \ $name:")"
+    OUTPUT="$(echo "$OUTPUT" | sed "/container_name.*$name$/i\ \ $name:")"
    if [ "$name" != "nextcloud-aio-apache" ]; then
        OUTPUT="$(echo "$OUTPUT" | sed "/  $name:/i\ ")"
    fi
-    if ! echo "$name" | grep "apache$" && ! echo "$name" | grep "database$" && ! echo "$name" | grep "nextcloud$" && ! echo "$name" | grep "redis$"; then
-        sed -i '/container_name/d' containers.yml
-        SLIM_NAME="${name##nextcloud-aio-}"
-        OUTPUT="$(echo "$OUTPUT" | sed "/container_name: $name$/a\ \ \ \ profiles:\ \[\"$SLIM_NAME\"\]")"
-    fi
 done

-OUTPUT="$(echo "$OUTPUT" | sed "/restart: /a\ \ \ \ networks:\n\ \ \ \ \ \ - nextcloud-aio")"
-
-echo 'version: "3.8"' > containers.yml
-echo "" >> containers.yml
-
-echo "$OUTPUT" >> containers.yml
+echo "$OUTPUT" > containers.yml

 sed -i '/container_name/d' containers.yml
 sed -i 's|^ $||' containers.yml
@@ -128,8 +134,16 @@ done

 cat << NETWORK >> containers.yml

+# Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 networks:
  nextcloud-aio:
+    name: nextcloud-aio
+    driver: bridge
+    enable_ipv6: true
+    ipam:
+      driver: default
+      config:
+        - subnet: \${IPV6_NETWORK}
 NETWORK

 cat containers.yml > latest.yml
--- a/migration.md
+++ b/migration.md
@@ -14,7 +14,7 @@ The procedure for migrating only the files works like this:
 1. Install Nextcloud AIO on a new server/linux installation, enter your domain and wait until all containers are running
 1. Recreate all users that were present on your former installation
 1. Take a backup using Nextcloud AIO's built-in backup solution (so that you can easily restore to this state again) (Note: this will stop all containers and is expected: don't start the container again at this point!)
-1. Restore the datadirectory of your former instance: for `/path/to/nextcloud/data/` run `sudo docker cp --follow-link /path/to/nextcloud/data/ nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/` at the end are necessary.
+1. Restore the datadirectory of your former instance: for `/path/to/nextcloud/data/` run `sudo docker cp --follow-link /path/to/nextcloud/data/. nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/.` and `/` at the end are necessary.
 1. Next, run `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chown -R 33:0 /mnt/ncdata/` and `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chmod -R 750 /mnt/ncdata/` to apply the correct permissions. (Or if `NEXTCLOUD_DATADIR` was provided, apply `chown -R 33:0` and `chmod -R 750` to the chosen path.)
 1. Start the containers again and wait until all containers are running
 1. Run `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan-app-data && sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all` in order to scan all files in the datadirectory.
@@ -24,7 +24,7 @@ The procedure for migrating only the files works like this:

 The procedure for migrating the files and the database works like this:
 1. Make sure that your old instance is on exactly the same version like the version used in Nextcloud AIO. (e.g. 23.0.0) You can find the used version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If not, simply upgrade your former installation to that version or wait until the version used in Nextcloud AIO got updated to the same version of your former installation or the other way around.
-1. Take a backup of your former instance (especially from your datadirectory and database)
+1. First, on the old instance, update all Nextcloud apps to its latest version via the app management site (important for the restore later on). Then take a backup of your former instance (especially from your datadirectory and database).
 1. If your former installation didn't use Postgresql already, you will now need to convert your old installation to use Postgresql as database temporarily (in order to be able to perform a pg_dump afterwards):
    1. Install Postgresql on your former installation: on a Debian based OS should the following command work:
        ```
@@ -56,7 +56,7 @@ The procedure for migrating the files and the database works like this:
    ```
    **Please note:** The exact name of the database export file is important! (`database-dump.sql`)<br>
    And of course you need to to use the correct name that the Postgresql database has for the export (if `$PG_DATABASE` doesn't work directly).
-1. At this point, you can finally install Nextcloud AIO on a new server/linux installation, enter your domain in the AIO interface (use the same domain that you used on your former installation) and wait until all containers are running. Then you should check the included Nextcloud version by running `sudo docker inspect nextcloud-aio-nextcloud | grep NEXTCLOUD_VERSION`.
+1. At this point, you can finally install Nextcloud AIO on a new server/linux installation, enter your domain in the AIO interface (use the same domain that you used on your former installation) and wait until all containers are running. Then you should check the included Nextcloud version by running `sudo docker inspect nextcloud-aio-nextcloud | grep NEXTCLOUD_VERSION`. Also install all apps via the apps management site that were installed on the old Nextcloud installation. Otherwise they will show as installed, but will not work.
 1. Next, take a backup using Nextcloud AIO's built-in backup solution (so that you can easily restore to this state again) (Note: this will stop all containers and is expected: don't start the container again at this point!)
 1. Now, we are slowly starting to import your files and database. First, you need to modify the datadirectory that is stored inside the database export:
    1. Find out what the directory of your old Nextcloud installation is by e.g. opening the config.php file and looking at the value `datadirectory`.
@@ -75,7 +75,7 @@ The procedure for migrating the files and the database works like this:
    sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine chmod 777 /mnt/data/database-dump.sql
    sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine rm /mnt/data/initial-cleanup-done
    ```
-1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine sh -c "rm -rf /mnt/ncdata/*"` and `sudo docker cp --follow-link /path/to/nextcloud/data/ nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/` at the end are necessary. (Or if `NEXTCLOUD_DATADIR` was provided, first delete the files in there and then copy the files to the chosen path.)
+1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine sh -c "rm -rf /mnt/ncdata/*"` and `sudo docker cp --follow-link /path/to/nextcloud/data/. nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/.` and `/` at the end are necessary. (Or if `NEXTCLOUD_DATADIR` was provided, first delete the files in there and then copy the files to the chosen path.)
 1. Next, run `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chown -R 33:0 /mnt/ncdata/` and `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chmod -R 750 /mnt/ncdata/` to apply the correct permissions on the datadirectory. (Or if `NEXTCLOUD_DATADIR` was provided, apply `chown -R 33:0` and `chmod -R 750` to the chosen path.)
 1. Edit the Nextcloud AIO config.php file using `sudo docker run -it --rm --volume nextcloud_aio_nextcloud:/var/www/html:rw alpine sh -c "apk add --no-cache nano && nano /var/www/html/config/config.php"` and modify only `passwordsalt`, `secret`, `instanceid` and set it to the old values that you used on your old installation. If you are brave, feel free to modify further values e.g. add your old LDAP config or S3 storage config. (Some things like Mail server config can be added back using Nextcloud's webinterface later on).
 1. When you are done and saved your changes to the file, finally start the containers again and wait until all containers are running.
--- a/multiple-instances.md
+++ b/multiple-instances.md
@@ -8,12 +8,12 @@ Below is described more in detail how the the second way works.
 ## Run multiple AIO instances on the same server with docker rootless
 1. Create as many linux users as you need first. The easiest way is to use `sudo adduser` and follow the setup for that. Make sure to create a strong unique password for each of them and write it down!
 1. Log in as each of the users e.g. by opening a new SSH connection and install docker rootless for each of them by following step 0-4 of the [docker rootless documentation](./docker-rootless.md).
-1. Then install AIO in reverse proxy mode by using the command that is descriebed in step 2 and 3 of the [reverse proxy documentation](./reverse-proxy.md) but use a different `APACHE_PORT` and [`TALK_PORT`](https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port) for each instance as otherwise it will bug out. Also make sure to adjust the docker socket and `DOCKER_SOCKET_PATH` correctly for each of them by following step 6 of the [docker rootless documentation](./docker-rootless.md). Additionally, modify `--publish 8080:8080` to a different port for each container, e.g. `8081:8080` as otherwise it will not work.<br>
+1. Then install AIO in reverse proxy mode by using the command that is descriebed in step 2 and 3 of the [reverse proxy documentation](./reverse-proxy.md) but use a different `APACHE_PORT` and [`TALK_PORT`](https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port) for each instance as otherwise it will bug out. Also make sure to adjust the docker socket and `WATCHTOWER_DOCKER_SOCKET_PATH` correctly for each of them by following step 6 of the [docker rootless documentation](./docker-rootless.md). Additionally, modify `--publish 8080:8080` to a different port for each container, e.g. `8081:8080` as otherwise it will not work.<br>
 **⚠️ Please note:** If you want to adjust the `NEXTCLOUD_DATADIR`, make sure to apply the correct permissions to the chosen path as documented at the bottom of the [docker rootless documentation](./docker-rootless.md). Also for the built-in backup to work, the target path needs to have the correct permissions as documented there, too.
 1. Now install your webserver of choice on the host system. It is recommended to use caddy for this as it is by far the easiest solution. You can do so by following https://caddyserver.com/docs/install#debian-ubuntu-raspbian or below. (It needs to be installed directly on the host or on a different server in the same network).
 1. Next create your Caddyfile with multiple entries and domains for the different instances like described in step 1 of the [reverse proxy documentation](./reverse-proxy.md). Obviously each domain needs to point correctly to the chosen `APACHE_PORT` that you've configured before. Then start Caddy which should automatically get the needed certificates for you if your domains are configured correctly and ports 80 and 443 are forwarded to your server.
 1. Now open each of the AIO interfaces by opening `https://ip.address.of.this.server:8080` or e.g. `https://ip.address.of.this.server:8081` or as chosen during step 3 of this documentation. 
 1. Finally type in the domain that you've configured for each of the instances during step 5 of this documentation and you are done.
-1. Please also do not forget to open each chosen `TALK_PORT` UPD and TCP in your firewall/router as otherwise Talk will not work correctly!
+1. Please also do not forget to open/forward each chosen `TALK_PORT` UPD and TCP in your firewall/router as otherwise Talk will not work correctly!

 Now everything should be set up correctly and you should have created multiple working instances of AIO on the same server!
--- a/nextcloud-aio-helm-chart/Chart.yaml
+++ b/nextcloud-aio-helm-chart/Chart.yaml
@@ -0,0 +1,13 @@
+name: nextcloud-aio-helm-chart
+description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
+version: 6.3.0
+apiVersion: v2
+keywords:
+  - latest
+  - nextcloud
+  - helm-chart
+  - open-source
+  - cloud
+sources:
+  - https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart
+home: https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart
--- a/nextcloud-aio-helm-chart/readme.md
+++ b/nextcloud-aio-helm-chart/readme.md
@@ -0,0 +1,37 @@
+# Nextcloud AIO Helm-chart
+
+You can run the containers that are build for AIO with Kubernetes using this Helm chart. This comes with a few downsides, that are discussed below.
+
+### Advantages
+- You can run it without a container having access to the docker socket
+- You can run the containers with Kubernetes
+
+### Disadvantages
+- You lose the AIO interface
+- You lose update notifications and automatic updates
+- You lose all AIO backup and restore features
+- **You need to know what you are doing**
+- For updating, you need to strictly follow the at the bottom described update routine
+- You need to monitor yourself if the volumes have enough free space and increase them if they don't by adjusting their size in values.yaml
+- Probably more
+
+## How to use this?
+
+First download this file: https://raw.githubusercontent.com/nextcloud/all-in-one/main/nextcloud-aio-helm-chart/values.yaml and adjust at least all values marked with `# TODO!`
+
+Then run:
+
+```
+helm repo add nextcloud-aio https://nextcloud.github.io/all-in-one/
+helm install my-release nextcloud-aio/nextcloud-aio-helm-chart -f values.yaml
+```
+
+And after a while, everything should be set up.
+
+## How to update?
+Since the values of this helm chart may change in the future, it is highly recommended to strictly follow the following procedure whenever you want to upgrade it.
+1. Stop all running pods
+1. Back up all volumes that got created by the Helm chart and the values.yaml file
+1. Run `helm repo update nextcloud-aio` in order to get the updated yaml files from the repository
+1. Now download the updated values.yaml file from https://raw.githubusercontent.com/nextcloud/all-in-one/main/nextcloud-aio-helm-chart/values.yaml and compare that with the one that you currently have locally. Look for variables that changed or got added. You can use the diff command to compare them.
+1. After the file update was successful, simply run `helm install my-release nextcloud-aio/nextcloud-aio-helm-chart -f values.yaml` to update to the new version.
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
+  labels:
+    io.kompose.service: nextcloud-aio-apache
+  name: nextcloud-aio-apache
+  namespace: {{ values.NAMESPACE }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-apache
+  template:
+    metadata:
+      annotations:
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
+      labels:
+        io.kompose.network/nextcloud-aio: "true"
+        io.kompose.service: nextcloud-aio-apache
+    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-nextcloud
+            - /nextcloud-aio-apache
+            - /nextcloud-aio-apache-tmpfs0
+            - /nextcloud-aio-apache-tmpfs1
+            - /nextcloud-aio-apache-tmpfs2
+            - /nextcloud-aio-apache-tmpfs3
+            - /nextcloud-aio-apache-tmpfs4
+          volumeMounts:
+            - name: nextcloud-aio-apache-tmpfs4
+              mountPath: /nextcloud-aio-apache-tmpfs4
+            - name: nextcloud-aio-apache-tmpfs3
+              mountPath: /nextcloud-aio-apache-tmpfs3
+            - name: nextcloud-aio-apache-tmpfs2
+              mountPath: /nextcloud-aio-apache-tmpfs2
+            - name: nextcloud-aio-apache-tmpfs1
+              mountPath: /nextcloud-aio-apache-tmpfs1
+            - name: nextcloud-aio-apache-tmpfs0
+              mountPath: /nextcloud-aio-apache-tmpfs0
+            - name: nextcloud-aio-apache
+              mountPath: /nextcloud-aio-apache
+            - name: nextcloud-aio-nextcloud
+              mountPath: /nextcloud-aio-nextcloud
+      containers:
+        - env:
+            - name: APACHE_MAX_SIZE
+              value: "{{ .Values.APACHE_MAX_SIZE }}"
+            - name: APACHE_MAX_TIME
+              value: "{{ .Values.NEXTCLOUD_MAX_TIME }}"
+            - name: APACHE_PORT
+              value: "{{ .Values.APACHE_PORT }}"
+            - name: COLLABORA_HOST
+              value: nextcloud-aio-collabora
+            - name: NC_DOMAIN
+              value: "{{ .Values.NC_DOMAIN }}"
+            - name: NEXTCLOUD_HOST
+              value: nextcloud-aio-nextcloud
+            - name: NOTIFY_PUSH_HOST
+              value: nextcloud-aio-notify-push
+            - name: ONLYOFFICE_HOST
+              value: nextcloud-aio-onlyoffice
+            - name: TALK_HOST
+              value: nextcloud-aio-talk
+            - name: TZ
+              value: "{{ .Values.TIMEZONE }}"
+          image: nextcloud/aio-apache:20230720_134150-latest
+          name: nextcloud-aio-apache
+          ports:
+            - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: TCP
+            - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: UDP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /var/www/html
+              name: nextcloud-aio-nextcloud
+              readOnly: true
+            - mountPath: /mnt/data
+              name: nextcloud-aio-apache
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-apache-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-apache-tmpfs1
+            - mountPath: /usr/local/apache2/logs
+              name: nextcloud-aio-apache-tmpfs2
+            - mountPath: /tmp
+              name: nextcloud-aio-apache-tmpfs3
+            - mountPath: /home/www-data
+              name: nextcloud-aio-apache-tmpfs4
+      volumes:
+        - name: nextcloud-aio-nextcloud
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-nextcloud
+        - name: nextcloud-aio-apache
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-apache
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs4
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
+  namespace: {{ values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
@@ -2,16 +2,21 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
+  namespace: {{ values.NAMESPACE }}
 spec:
  type: LoadBalancer
  ports:
    - name: "{{ .Values.APACHE_PORT }}"
      port: {{ .Values.APACHE_PORT }}
      targetPort: {{ .Values.APACHE_PORT }}
+    - name: {{ .Values.APACHE_PORT }}-udp
+      port: {{ .Values.APACHE_PORT }}
+      protocol: UDP
+      targetPort: {{ .Values.APACHE_PORT }}
  selector:
    io.kompose.service: nextcloud-aio-apache
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -0,0 +1,78 @@
+{{- if eq .Values.CLAMAV_ENABLED "yes" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
+  labels:
+    io.kompose.service: nextcloud-aio-clamav
+  name: nextcloud-aio-clamav
+  namespace: {{ values.NAMESPACE }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-clamav
+  template:
+    metadata:
+      annotations:
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
+      labels:
+        io.kompose.network/nextcloud-aio: "true"
+        io.kompose.service: nextcloud-aio-clamav
+    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-clamav
+            - /nextcloud-aio-clamav-tmpfs0
+            - /nextcloud-aio-clamav-tmpfs1
+            - /nextcloud-aio-clamav-tmpfs2
+          volumeMounts:
+            - name: nextcloud-aio-clamav-tmpfs2
+              mountPath: /nextcloud-aio-clamav-tmpfs2
+            - name: nextcloud-aio-clamav-tmpfs1
+              mountPath: /nextcloud-aio-clamav-tmpfs1
+            - name: nextcloud-aio-clamav-tmpfs0
+              mountPath: /nextcloud-aio-clamav-tmpfs0
+            - name: nextcloud-aio-clamav
+              mountPath: /nextcloud-aio-clamav
+      containers:
+        - env:
+            - name: CLAMD_STARTUP_TIMEOUT
+              value: "90"
+            - name: TZ
+              value: "{{ .Values.TIMEZONE }}"
+          image: nextcloud/aio-clamav:20230720_134150-latest
+          name: nextcloud-aio-clamav
+          ports:
+            - containerPort: 3310
+              hostPort: 3310
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /var/lib/clamav
+              name: nextcloud-aio-clamav
+            - mountPath: /var/lock
+              name: nextcloud-aio-clamav-tmpfs0
+            - mountPath: /var/log/clamav
+              name: nextcloud-aio-clamav-tmpfs1
+            - mountPath: /tmp
+              name: nextcloud-aio-clamav-tmpfs2
+      volumes:
+        - name: nextcloud-aio-clamav
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-clamav
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs2
+{{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
+  namespace: {{ values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
+  namespace: {{ values.NAMESPACE }}
 spec:
  ports:
    - name: "3310"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
+  namespace: {{ values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,24 +17,16 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-collabora
    spec:
-      initContainers:
-        - name: init-volumes
-          image: alpine
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-collabora-fonts
-          volumeMounts:
-            - name: nextcloud-aio-collabora-fonts
-              mountPath: /nextcloud-aio-collabora-fonts
      containers:
        - env:
+            - name: DONT_GEN_SSL_CERT
+              value: "1"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
            - name: aliasgroup1
@@ -44,15 +37,10 @@ spec:
              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20230315_112022-latest
+          image: nextcloud/aio-collabora:20230720_134150-latest
          name: nextcloud-aio-collabora
          ports:
            - containerPort: 9980
-          volumeMounts:
-            - mountPath: /opt/cool/systemplate/tmpfonts
-              name: nextcloud-aio-collabora-fonts
-      volumes:
-        - name: nextcloud-aio-collabora-fonts
-          persistentVolumeClaim:
-            claimName: nextcloud-aio-collabora-fonts
+              hostPort: 9980
+              protocol: TCP
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
+  namespace: {{ values.NAMESPACE }}
 spec:
  ports:
    - name: "9980"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
+  namespace: {{ values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -15,21 +16,41 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-database
    spec:
      initContainers:
+        - name: init-subpath
+          image: alpine
+          command:
+            - mkdir
+            - "-p"
+            - /nextcloud-aio-database/data
+            - /nextcloud-aio-database
+            - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
+          volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
+            - name: nextcloud-aio-database-dump
+              mountPath: /nextcloud-aio-database-dump
+            - name: nextcloud-aio-database
+              mountPath: /nextcloud-aio-database
        - name: init-volumes
          image: alpine
          command:
            - chown
            - 999:999
+            - "-R"
            - /nextcloud-aio-database
            - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
          volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
            - name: nextcloud-aio-database-dump
              mountPath: /nextcloud-aio-database-dump
            - name: nextcloud-aio-database
@@ -46,15 +67,22 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20230315_112022-latest
+          image: nextcloud/aio-postgresql:20230720_134150-latest
          name: nextcloud-aio-database
          ports:
            - containerPort: 5432
+              hostPort: 5432
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
+              subPath: data
              name: nextcloud-aio-database
            - mountPath: /mnt/data
              name: nextcloud-aio-database-dump
+            - mountPath: /var/run/postgresql
+              name: nextcloud-aio-database-tmpfs0
      terminationGracePeriodSeconds: 1800
      volumes:
        - name: nextcloud-aio-database
@@ -63,3 +91,5 @@ spec:
        - name: nextcloud-aio-database-dump
          persistentVolumeClaim:
            claimName: nextcloud-aio-database-dump
+        - emptyDir: {}
+          name: nextcloud-aio-database-tmpfs0
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-dump-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-dump-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-database-dump
  name: nextcloud-aio-database-dump
+  namespace: {{ values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/Show More
+++ b/Show More