Use CSS custom property for warning color

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Refactor: Use CSS class instead of inline styles for update warning
2026-06-10 00:27:01 +00:00 · 2026-02-11 17:12:05 +00:00 · 2026-02-11 17:11:32 +00:00 · 2026-02-11 17:10:53 +00:00 · 2026-02-11 17:07:10 +00:00
255 changed files with 1789 additions and 5040 deletions
@@ -1,20 +0,0 @@
-# https://editorconfig.org
-
-# Tip: to find files violating the rules set out here, run `docker run --rm --volume=$PWD:/check mstruebing/editorconfig-checker`
-
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_size = 4
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.yaml]
-indent_size = 2
-
-
-[*.yml]
-indent_size = 2
@@ -31,7 +31,6 @@ updates:
    - "/Containers/collabora"
    - "/Containers/docker-socket-proxy"
    - "/Containers/domaincheck"
-    - "/Containers/eurooffice"
    - "/Containers/fulltextsearch"
    - "/Containers/imaginary"
    - "/Containers/mastercontainer"
@@ -3,8 +3,3 @@
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
-
-<!-- Please check the below checkmarks if applicable -->
-
- [ ] The PR was tested and verified that it works locally
- [ ] The PR was completely or partially created with AI
@@ -18,9 +18,8 @@ jobs:
        mv cool-seccomp-profile.json php/
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
        signoff: true
        title: collabora seccomp update
@@ -13,7 +13,7 @@ jobs:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
      with:
-        php-version: 8.5
+        php-version: 8.4
        extensions: apcu
    - name: Run dependency update script
      run: |
@@ -43,19 +43,9 @@ jobs:
            | tail -1
        )"
        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
-
-        # CADDY_REMOTE_HOST_HASH
-        CADDY_REMOTE_HOST_HASH="$(
-          git ls-remote https://github.com/muety/caddy-remote-host master \
-            | cut -f1 \
-            | tail -1
-        )"
-        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
-
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
        signoff: true
        title: PHP dependency updates
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
@@ -10,16 +10,13 @@ on:

 jobs:
  release:
-    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
-    # want to use it for other purposes than publishing helm charts
-    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
        with:
          continue-after-seconds: 180
        env:
@@ -35,7 +32,7 @@ jobs:

      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.6.3

@@ -22,9 +22,8 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
        signoff: true
        title: Imaginary update
@@ -16,7 +16,7 @@ jobs:
          fetch-depth: 0

      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          version: v3.11.1

@@ -30,7 +30,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        php-versions: [ "8.5" ]
+        php-versions: [ "8.4" ]

    name: php-lint

@@ -41,7 +41,7 @@ jobs:
          persist-credentials: false

      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
@@ -36,7 +36,7 @@ jobs:
            line-length: warning

      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1

      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@89ae32b08ed1a541efecbab17912962a5e38981c # v5
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
@@ -79,9 +79,8 @@ jobs:
        fi

    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
        signoff: true
        title: Nextcloud dependency update
@@ -20,7 +20,7 @@ jobs:
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none

@@ -4,15 +4,11 @@ on:
  pull_request:
    paths:
      - 'php/**'
-      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
-      - 'Containers/mastercontainer/*.Caddyfile'
-      - 'Containers/mastercontainer/start.sh'

 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
@@ -30,9 +26,9 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*

      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -40,11 +36,11 @@ jobs:
      - name: Install Playwright Browsers
        run: cd php/tests && npx playwright install --with-deps chromium

-      - name: Set up php 8.5
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+      - name: Set up php 8.4
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
          extensions: apcu
-          php-version: 8.5
+          php-version: 8.4
          coverage: none
          ini-file: development
        env:
@@ -57,7 +53,7 @@ jobs:
          rm -r ./session
          composer install --no-dev
          composer clear-cache
-          sudo chmod 777 -R ../
+          sudo chmod 777 -R ./

      - name: Start fresh development server
        run: |
@@ -72,9 +68,6 @@ jobs:
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
-            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
-            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
@@ -104,9 +97,6 @@ jobs:
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
-            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
-            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
-            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
@@ -124,7 +114,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -15,9 +15,9 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
        with:
-          node-version: 24.15.0
+          node-version: lts/*

      - name: Install dependencies
        run: cd php/tests && npm ci
@@ -82,7 +82,7 @@ jobs:
            exit 1
          fi

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
@@ -15,10 +15,9 @@ jobs:
      - name: Set up php
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none
-          ini-file: development

      - name: Run script
        run: |
@@ -31,9 +30,9 @@ jobs:
        continue-on-error: true

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: Update psalm baseline
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
@@ -37,13 +37,14 @@ jobs:
          persist-credentials: false

      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none
          ini-file: development
-
+          # Temporary workaround for missing pcntl_* in PHP 8.3
+          ini-values: disable_functions=
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

@@ -1,140 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-#
-# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
-# SPDX-License-Identifier: MIT
-
-# This workflow will update all workflow templates
-# Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
-name: Update workflows
-on:
-  workflow_dispatch:
-  schedule:
-      - cron: "5 2 * * 0"
-
-permissions:
-  contents: read
-
-jobs:
-  dispatch:
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        branches:
-          - ${{ github.event.repository.default_branch }}
-          - 'stable33'
-          - 'stable32'
-
-    name: Update workflows in ${{ matrix.branches }}
-
-    permissions:
-      contents: write
-      pull-requests: write
-
-    steps:
-      - name: Check actor permission
-        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
-        with:
-          require: admin
-
-      - name: Checkout workflow repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          path: source
-          repository: nextcloud/.github
-
-      - name: Checkout app
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          path: target
-          ref: ${{ matrix.branches }}
-
-      - name: Copy all workflow templates
-        run: |
-          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
-          draft_only=0
-          for workflow in ./source/workflow-templates/*.yml; do
-            echo "❓ Looking for $workflow"
-            if [ -f "$workflow" ]; then
-              filename=$(basename "$workflow")
-              target_file="./target/.github/workflows/$filename"
-
-              # Only copy if the file exists in the target repository
-              if [ -f "$target_file" ]; then
-                if [ -f "./target/.github/actions-lock.txt" ]; then
-                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
-                else
-                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
-                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
-                  locked_version=""
-                fi
-                locked_version=$(echo $locked_version | cut -f 1 -d " ")
-                new_version=$(md5sum $workflow | cut -f 1 -d " ")
-
-                # Only update if the action changes
-                if [[ "$locked_version" != "$new_version" ]]; then
-                  echo "ℹ️ Locked version: $locked_version"
-                  echo "ℹ️ Current version: $new_version"
-                  echo "🆙 Updating existing workflow: $filename"
-                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
-
-                  cp "$workflow" "$target_file"
-
-                  # Apply patch if one exists
-                  if [ -f "$target_file.patch" ]; then
-                    echo "🩹 Applying patch"
-                    cd ./target
-                    set +e
-                    patch -p1 < ".github/workflows/$filename.patch"
-                    patch_worked=$?
-                    set -e
-                    cd -
-                    if [[ "$patch_worked" == "0" ]]; then
-                      echo "  - Patch applied" >> $GITHUB_ENV
-                    else
-                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
-                      draft_only=1
-                    fi
-                  fi
-
-                  if [[ "$locked_version" != "" ]]; then
-                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
-                  else
-                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
-                  fi
-                else
-                  echo "✅ Skipping $filename: already up to date"
-                fi
-              else
-                echo "⏭️ Skipping $filename: does not exist in target repository"
-              fi
-            fi
-          done
-          echo 'EOF' >> $GITHUB_ENV
-          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
-        with:
-          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
-          commit-message: 'ci(actions): Update workflow templates from organization template repository'
-          committer: GitHub <noreply@github.com>
-          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
-          path: target
-          signoff: true
-          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
-          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
-          draft: ${{ env.DRAFT_ONLY == 1 }}
-          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
-          body: |
-            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
-            ${{ env.SUMMARY }}
-          labels: |
-            dependencies
-            3. to review
@@ -45,9 +45,8 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
        signoff: true
        title: talk container update
@@ -29,7 +29,7 @@ jobs:
      - name: Set up php ${{ matrix.php-versions }}
        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
        with:
-          php-version: 8.5
+          php-version: 8.4
          extensions: apcu
          coverage: none

@@ -23,7 +23,7 @@ jobs:
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Helm Chart updates
          signoff: true
@@ -16,7 +16,7 @@ jobs:
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          commit-message: Yaml updates
          signoff: true
@@ -26,9 +26,8 @@ jobs:
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
        
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
        signoff: true
        title: watchtower container update
@@ -1,12 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a

-LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
-    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+LABEL org.label-schema.vendor="Nextcloud"
@@ -15,15 +15,10 @@
 }

 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header {
-        Strict-Transport-Security max-age=31536000;
-
-        -Server
-        -X-Powered-By
-        -Via
-    }
+    header -Server
+    header -X-Powered-By

    # Collabora
    route /browser/* {
@@ -47,14 +42,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        uri strip_prefix /onlyoffice
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
-        }
-    }
-
-    # EuroOffice
-    route /eurooffice/* {
-        uri strip_prefix /eurooffice
-        reverse_proxy {$EUROOFFICE_HOST}:80 {
-            header_up X-Forwarded-Host {http.request.hostport}/eurooffice
+            header_up X-Forwarded-Proto https
        }
    }

@@ -70,13 +58,9 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        reverse_proxy {$WHITEBOARD_HOST}:3002
    }

-    # HaRP (ExApps)
-    route /exapps/* {
-        reverse_proxy {$HARP_HOST}:8780
-    }
-
    # Nextcloud
    route {
+        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 127.0.0.1:8000
    }
    redir /.well-known/carddav /remote.php/dav/ 301
@@ -85,9 +69,6 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
-            profile tlsserver
-            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
-            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
        }
    }
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.4-alpine AS caddy
+FROM caddy:2.10.2-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.66-alpine3.23

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

@@ -60,19 +60,6 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
-# defaults; 25 threads per process balances concurrency against per-process memory use.
-    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Start two server processes on boot to absorb the first requests without spawning
-# new processes on the critical path, while avoiding unnecessary memory overhead.
-    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Keep at least 25 idle threads (one full process worth) so traffic bursts can be
-# absorbed immediately without triggering new process creation.
-    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
-# minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
-# to absorb typical bursts without respawning a new process.
-    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -92,8 +79,7 @@ RUN set -ex; \
    chmod 777 -R /usr/local/apache2/logs; \
    rm -rf /usr/local/apache2/cgi-bin/; \
    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk --no-cache del openssl
+    echo "root:$(openssl rand -base64 12)" | chpasswd

 USER 33

@@ -103,10 +89,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
-    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
@@ -7,7 +7,7 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
@@ -17,9 +17,7 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>

-    # Compress JS, CSS and SVG responses with Brotli.
-    # Other plain-text files are already compressed by Nextcloud itself.
-    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
        BrotliCompressionQuality 0
@@ -28,9 +26,11 @@ Listen 8000
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
+        Options FollowSymLinks MultiViews
+        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
@@ -1,20 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi
-
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -1,18 +1,19 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:apache]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
+command=apachectl -DFOREGROUND

 [program:caddy]
 stdout_logfile=/dev/stdout
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 RUN set -ex; \
    \
@@ -25,12 +25,5 @@ USER root

 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
-    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
-    AIO_LOG_LEVEL="warn"
+    org.label-schema.vendor="Nextcloud"
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -44,7 +40,7 @@ if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
 fi

 # Check if repo is uninitialized
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg info > /dev/null; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
@@ -81,10 +77,6 @@ if [ "$BORG_MODE" = backup ]; then
    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
        echo "configuration.json not present. Cannot perform the backup!"
        exit 1
-    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
-    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
-        echo "It seems like the configuration.json setup was not done correctly. Something is wrong! (Most likely the provided configuration.json is invalid)"
-        exit 1
    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
        echo "config.php is missing. Cannot perform backup!"
        exit 1
@@ -127,7 +119,7 @@ if [ "$BORG_MODE" = backup ]; then
    fi

    # Initialize the repository if can't get info from target
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
            if [ -n "$BORG_REMOTE_REPO" ]; then
@@ -144,14 +136,14 @@ if [ "$BORG_MODE" = backup ]; then

        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2; then
            echo "Could not initialize borg repository."
            exit 1
        fi

        if [ -z "$BORG_REMOTE_REPO" ]; then
            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+            borg config :: additional_free_space 2G

            # Fix too large Borg cache
            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
@@ -160,7 +152,7 @@ if [ "$BORG_MODE" = backup ]; then
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi

-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
@@ -220,9 +212,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
        echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -241,14 +233,14 @@ if [ "$BORG_MODE" = backup ]; then

    # Prune archives
    echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
        echo "Failed to prune archives!"
        exit 1
    fi

    # Compact archives
    echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -265,19 +257,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -295,19 +287,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -389,7 +381,7 @@ if [ "$BORG_MODE" = restore ]; then

    if [ -z "$BORG_REMOTE_REPO" ]; then
        mkdir -p /tmp/borg
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+        if ! borg mount "::$SELECTED_ARCHIVE" /tmp/borg; then
            echo "Could not mount the backup!"
            exit 1
        fi
@@ -436,7 +428,7 @@ if [ "$BORG_MODE" = restore ]; then
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
-        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
+        if ! borg extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
@@ -468,7 +460,7 @@ if [ "$BORG_MODE" = restore ]; then
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
-                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
+                        <(borg list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
@@ -522,10 +514,6 @@ if [ "$BORG_MODE" = restore ]; then

    if [ "$RESTORE_FAILED" = 1 ]; then
        exit 1
-    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
-    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
-        echo "It seems like the restore of the configuration.json was not done correctly. Something is wrong! (Most likely is the restore archive already incorrect)!"
-        exit 1
    fi

    # Inform user
@@ -556,7 +544,7 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."

    # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data; then
        echo "Some errors were found while checking the backup integrity!"
        echo "Check the AIO interface for advice on how to proceed now!"
        exit 1
@@ -574,7 +562,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."

    # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -588,7 +576,7 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
    if [ -n "$BORG_REMOTE_REPO" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        if ! borg info > /dev/null; then
            echo "Borg could not get info from the remote repo."
            echo "See the above borg info output for details."
            exit 1
@@ -609,12 +597,12 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi

-    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
+    if ! borg list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
+        if ! borg list | grep "nextcloud-aio"; then
            echo "The backup archive does not contain a valid Nextcloud AIO backup."
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
@@ -627,7 +615,7 @@ fi

 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! borg info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
@@ -1,16 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    BORG_LOG_LEVEL_FLAG="--warning"
-else
-    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
-fi
-export BORG_LOG_LEVEL_FLAG
-
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
 export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
@@ -59,7 +48,7 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"

 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
+if borg list &>/dev/null; then
    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -13,15 +13,6 @@ RUN set -ex; \
    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
-# By default clamd keeps the old signature database in RAM while loading the new one,
-# briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
-# Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
-# eliminating that transient peak and significantly reducing maximum RAM consumption.
-    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
-# The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
-# The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
-# and avoids the idle per-thread memory overhead of the larger default pool.
-    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -43,11 +34,5 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
-    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-	set -x
-fi
-
 # Print out clamav version for compliance reasons
 clamscan --version

@@ -1,11 +1,12 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error

 [program:freshclam]
 stdout_logfile=/dev/stdout
@@ -13,10 +13,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,11 +1,10 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:26.04.1.3.1
+FROM collabora/code:25.04.8.3.1

 USER root
 ARG DEBIAN_FRONTEND=noninteractive

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1001
@@ -13,12 +12,4 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
-    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
-
-ENTRYPOINT ["/start.sh"]
+    org.label-schema.vendor="Nextcloud"
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
-    COLLABORA_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    COLLABORA_LOG_LEVEL="notice"
-else
-    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-
-# Replace the hardcoded log level in extra_params with the translated one
-extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
-export extra_params
-
-exec /start-collabora-online.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.4.0-alpine
+FROM haproxy:3.3.2-alpine

 # hadolint ignore=DL3002
 USER root
@@ -20,10 +20,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
-    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,8 +1,4 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
@@ -1,9 +1,5 @@
 #!/bin/sh

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -22,8 +18,6 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 haproxy -f /tmp/haproxy.cfg -db
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -19,10 +19,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
-    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -18,20 +14,6 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

-# shellcheck disable=SC2235
-if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-handling = "enable"
-CONF_FILE
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
-    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
-debug.log-request-header = "enable"
-debug.log-response-header = "enable"
-CONF_FILE
-fi
-
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf

@@ -1,17 +0,0 @@
-# syntax=docker/dockerfile:latest
-FROM ghcr.io/euro-office/documentserver:v9.3.1-beta.1
-
-# USER root is probably used
-
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
-    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="EuroOffice for Nextcloud AIO" \
-    org.opencontainers.image.description="EuroOffice Document Server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-nc -z 127.0.0.1 80 || exit 1
@@ -1,19 +1,21 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
-FROM elasticsearch:9.4.2
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
+FROM elasticsearch:8.19.11

 USER root

-# hadolint ignore=DL3041
+ARG DEBIAN_FRONTEND=noninteractive
+
+# hadolint ignore=DL3008
 RUN set -ex; \
    \
-    microdnf update -y; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get update; \
+    apt-get upgrade -y; \
+    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*;

-COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 USER 1000:0
@@ -21,13 +23,5 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
-    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
-
-ENTRYPOINT ["/start.sh"]
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-curl -fs -u "elastic:$ELASTIC_PASSWORD" "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
+nc -z 127.0.0.1 9200 || exit 1
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-
-exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.4-alpine3.23 AS go
+FROM golang:1.26.0-alpine3.23 AS go

 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee

@@ -14,7 +14,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";

-FROM alpine:3.23.4
+FROM alpine:3.23.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -33,8 +33,7 @@ COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

-ENV PORT=9000 \
-    AIO_LOG_LEVEL=warn
+ENV PORT=9000

 USER 65534

@@ -45,10 +44,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
-    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 "$PORT" || exit 1
@@ -1,26 +1,8 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'info' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export GOLANG_LOG
-if [ "$AIO_LOG_LEVEL" = "debug" ]; then
-    export DEBUG='*'
-fi
-
 echo "Imaginary has started"
-
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
-
-if [ -n "$IMAGINARY_SECRET" ]; then
-    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
+if [ -z "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
+else
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
 fi
-
-exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
@@ -0,0 +1,37 @@
+{
+    # auto_https will create redirects for https://{host}:8443 instead of https://{host}
+    # https redirects are added manually in the http://:80 block
+    auto_https disable_redirects
+
+    storage file_system {
+        root /mnt/docker-aio-config/caddy/
+    }
+
+    log {
+        level ERROR
+    }
+
+    servers {
+        protocols h1 h2 h2c
+    }
+
+    on_demand_tls {
+        ask http://127.0.0.1:9876/
+    }
+}
+
+http://:80 {
+    redir https://{host}{uri} permanent
+}
+
+https://:8443 {
+
+    reverse_proxy 127.0.0.1:8000
+
+    tls {
+        on_demand
+        issuer acme {
+            disable_tlsalpn_challenge
+        }
+    }
+}
@@ -1,17 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.2-cli AS docker
-
-ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
+FROM docker:29.2.1-cli AS docker

 # Caddy is a requirement
-FROM caddy:2.11.4-builder-alpine AS caddy
-RUN set -ex; \
-    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
-    /usr/bin/caddy list-modules
+FROM caddy:2.10.2-alpine AS caddy

-# From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+# From https://github.com/docker-library/php/blob/master/8.4/alpine3.23/fpm/Dockerfile
+FROM php:8.4.17-fpm-alpine3.23

 EXPOSE 80
 EXPOSE 8080
@@ -26,8 +21,9 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 COPY community-containers /var/www/docker-aio/community-containers
 COPY php /var/www/docker-aio/php
 COPY --chmod=775 Containers/mastercontainer/*.sh /
-COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
+COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile
 COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
+COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf

 WORKDIR /var/www/docker-aio

@@ -41,8 +37,13 @@ RUN set -ex; \
    apk add --no-cache \
        util-linux-misc \
        ca-certificates \
+        wget \
        bash \
+        apache2 \
+        apache2-proxy \
+        apache2-ssl \
        supervisor \
+        openssl \
        sudo \
        netcat-openbsd \
        curl \
@@ -53,16 +54,6 @@ RUN set -ex; \
        build-base; \
    pecl install APCu-5.1.28; \
    docker-php-ext-enable apcu; \
-    { \
-        echo 'apc.shm_size=32M'; \
-    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
-    { \
-        echo 'opcache.enable=1'; \
-        echo 'opcache.memory_consumption=32'; \
-        echo 'opcache.interned_strings_buffer=8'; \
-        echo 'opcache.max_accelerated_files=4000'; \
-        echo 'opcache.validate_timestamps=0'; \
-    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -76,12 +67,11 @@ RUN set -ex; \
    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
-    sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
-    echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \
+    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
    \
    apk add --no-cache git; \
-    curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
+    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
    chmod +x /usr/local/bin/composer; \
    cd /var/www/docker-aio; \
    rm -r ./php/tests; \
@@ -96,18 +86,48 @@ RUN set -ex; \
    rm -r php/data; \
    rm -r php/session; \
    \
+    mkdir -p /etc/apache2/certs; \
+    cd /etc/apache2/certs; \
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
+    \
+    sed -i \
+            -e '/^Listen /d' \
+            -e 's/^LogLevel .*/LogLevel error/' \
+            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
+            -e 's/User apache/User www-data/g' \
+            -e 's/Group apache/Group www-data/g' \
+            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
+            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
+            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
+            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
+        /etc/apache2/httpd.conf; \
+        mkdir -p /etc/apache2/logs; \
+        rm /etc/apache2/conf.d/ssl.conf; \
+        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
+        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
+        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
+        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
+        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
+        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
+        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
+    \
+    rm -f /etc/apache2/conf.d/default.conf \
+          /etc/apache2/conf.d/userdir.conf \
+          /etc/apache2/conf.d/info.conf; \
+    \
+    rm -rf /var/www/localhost/cgi-bin/; \
    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord;

 # hadolint ignore=DL3048
-LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
-    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
+LABEL org.label-schema.vendor="Nextcloud" \
    wud.watch="false" \
-    dockhand.update="false" \
    com.docker.compose.project="nextcloud-aio"

 # hadolint ignore=DL3002
@@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment
 of all other containers in the Nextcloud All-in-One stack. It hosts:

 - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
+- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp
+- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp.
  - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
    is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
    domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will
@@ -1,56 +0,0 @@
-{
-	admin off
-
-	# auto_https will create redirects for https://{host}:8443 instead of https://{host}
-	# https redirects are added manually in the http://:80 block
-	auto_https disable_redirects
-
-	storage file_system {
-		root /mnt/docker-aio-config/caddy/
-	}
-
-	log {
-		level ERROR
-		# We need to exclude the remote-host plugin from logging as it would spam the logs
-		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
-		exclude http.matchers.remote_host
-	}
-
-	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
-	}
-
-	on_demand_tls {
-		ask http://127.0.0.1:9876/
-	}
-
-	skip_install_trust
-}
-
-http://:80 {
-	redir https://{host}{uri} permanent
-}
-
-https://:8443 {
-    import headers.Caddyfile
-    header Strict-Transport-Security max-age=31536000;
-
-	@denied {
-		path /api/auth/login /api/auth/getlogin
-		remote_host nextcloud-aio-nextcloud
-	}
-	abort @denied
-
-	root * /var/www/docker-aio/php/public
-	php_fastcgi unix//run/php.sock
-	file_server
-
-	tls {
-		on_demand
-		issuer acme {
-            profile shortlived
-			disable_tlsalpn_challenge
-		}
-	}
-}
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -21,9 +17,7 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -65,9 +59,8 @@ while true; do
        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
    fi

-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
+    # Remove dangling images
    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
-    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force

    # Check for available free space
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 echo "Daily backup script has started"

 # Check if initial configuration has been done, otherwise this script should do nothing.
@@ -1,31 +0,0 @@
-header {
-    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
-    # default-src 'none'; Allow nothing by default
-    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
-    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
-    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
-    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
-    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
-    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
-    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
-    # upgrade-insecure-requests; Upgrade all http embedings to https
-    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
-    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
-    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
-    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
-    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
-    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
-    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
-    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
-    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
-
-    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
-    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
-
-    -Server
-    -X-Powered-By
-    -Via
-}
@@ -1,13 +1,10 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
+    nc -z 127.0.0.1 8000 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
    nc -z 127.0.0.1 8443 || exit 1
-    test -S /run/php.sock || exit 1
+    nc -z 127.0.0.1 9000 || exit 1
    nc -z 127.0.0.1 9876 || exit 1
 fi
@@ -1,43 +0,0 @@
-{
-	admin off
-
-	# auto_https will be handled manually in acme.Caddyfile
-	auto_https disable_redirects
-
-	storage file_system {
-		root /mnt/docker-aio-config/caddy-internal/
-	}
-
-	log {
-		level ERROR
-		# We need to exclude the remote-host plugin from logging as it would spam the logs
-		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
-		exclude http.matchers.remote_host
-	}
-
-	servers {
-		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
-		protocols h1
-	}
-
-	skip_install_trust
-}
-
-https://:8080 {
-    import headers.Caddyfile
-
-	@denied {
-		path /api/auth/login /api/auth/getlogin
-		remote_host nextcloud-aio-nextcloud
-	}
-	abort @denied
-
-	root * /var/www/docker-aio/php/public
-	php_fastcgi unix//run/php.sock
-	file_server
-
-	tls {
-		on_demand
-		issuer internal
-	}
-}
@@ -0,0 +1,62 @@
+Listen 127.0.0.1:8000
+Listen 8080 https
+
+# Deny access to .ht files
+<Files ".ht*">
+    Require all denied
+</Files>
+
+# Http host
+<VirtualHost 127.0.0.1:8000>
+    ServerName 127.0.0.1
+
+    # Add error log
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn
+
+    # PHP match
+    <FilesMatch "\.php$">
+        SetHandler "proxy:fcgi://127.0.0.1:9000"
+    </FilesMatch>
+    # Master dir
+    DocumentRoot /var/www/docker-aio/php/public/
+    <Directory /var/www/docker-aio/php/public/>
+        RewriteEngine On
+        RewriteCond %{REQUEST_FILENAME} !-f
+        RewriteRule ^ index.php [QSA,L]
+        Options Indexes FollowSymLinks
+        Require all granted
+        AllowOverride All
+        Options FollowSymLinks MultiViews
+        Satisfy Any
+        <IfModule mod_dav.c>
+            Dav off
+        </IfModule>
+    </Directory>
+</VirtualHost>
+
+# Https host
+<VirtualHost *:8080>
+    # Proxy to https
+    ProxyPass / http://127.0.0.1:8000/
+    ProxyPassReverse / http://127.0.0.1:8000/
+    ProxyPreserveHost On
+    # SSL
+    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
+    SSLCertificateFile /etc/apache2/certs/ssl.crt
+    SSLEngine               on
+    SSLProtocol             -all +TLSv1.2 +TLSv1.3
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
+</VirtualHost>
+
+# Increase timeout in case e.g. the initial download takes a long time
+Timeout 7200
+ProxyTimeout 7200
+
+# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
+TraceEnable Off
@@ -16,10 +16,6 @@ compare_times() {
    fi
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 while true; do
    compare_times
    sleep 2
@@ -20,10 +20,6 @@ case "${1}" in
 esac
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -166,9 +162,6 @@ if ! sudo -E -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-a
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
    exit 1
-elif sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format "{{.Config.Image}}" | grep -q '@'; then
-    print_red "It seems like you used a hash for the mastercontainer image tag. This is not supported!"
-    exit 1
 elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
@@ -316,42 +309,6 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
-if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
-fi
-
-# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
-if [ -d "/dev/dri" ]; then
-    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
-    if [ -e "/dev/dri/renderD128" ]; then
-        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
-        export NEXTCLOUD_DRI_GID
-    else
-        export NEXTCLOUD_DRI_GID=""
-    fi
-else
-    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
-        # Force the unset of the env if it was not externally overwritten already
-        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
-    fi
-    export NEXTCLOUD_DRI_GID=""
-fi
-
-# Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
-It is set to '$AIO_LOG_LEVEL'".
-    exit 1
-fi
-if [ -z "$AIO_LOG_LEVEL" ]; then
-    export AIO_LOG_LEVEL="warn"
-fi
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    export SUPERVISORD_STDOUT=/dev/stdout
-else
-    export SUPERVISORD_STDOUT=NONE
-fi

 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -404,7 +361,7 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/caddy-internal/
+mkdir -p /mnt/docker-aio-config/certs/ 

 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -412,7 +369,37 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
+chown root:root -R /mnt/docker-aio-config/certs/
+
+# Don't allow access to the AIO interface from the Nextcloud container
+# Probably more cosmetic than anything but at least an attempt
+if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
+    cat << APACHE_CONF >> /etc/apache2/httpd.conf
+# nextcloud-aio-block-start
+<Location />
+order allow,deny
+deny from nextcloud-aio-nextcloud.nextcloud-aio
+allow from all
+</Location>
+# nextcloud-aio-block-end
+APACHE_CONF
+fi
+
+# Adjust certs
+GENERATED_CERTS="/mnt/docker-aio-config/certs"
+TMP_CERTS="/etc/apache2/certs"
+mkdir -p "$GENERATED_CERTS"
+cd "$GENERATED_CERTS" || exit 1
+if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
+fi
+if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
+    cd "$TMP_CERTS" || exit 1
+    rm ./ssl.crt
+    rm ./ssl.key
+    cp "$GENERATED_CERTS/ssl.crt" ./
+    cp "$GENERATED_CERTS/ssl.key" ./
+fi

 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -425,11 +412,8 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC

-# Remove unused certs
-rm -vrf /mnt/docker-aio-config/certs
-
-# Remove the php socket as safeguard
-rm -vf /run/php.sock
+# Fix apache startup
+rm -f /var/run/apache2/httpd.pid

 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
@@ -437,17 +421,10 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
 fi

 # Fix the Caddyfile format
-caddy fmt --overwrite /acme.Caddyfile
-caddy fmt --overwrite /internal.Caddyfile
+caddy fmt --overwrite /Caddyfile

 # Fix caddy log 
 chmod 777 /root

-# Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
-mkdir -p /tmp/twig-cache
-rm -rf /tmp/twig-cache/*
-chown www-data:www-data /tmp/twig-cache
-chmod 770 /tmp/twig-cache
-
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf
@@ -5,31 +5,31 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
 # Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
 user=root

-[program:caddy-internal]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
+[program:apache]
+# Stdout logging is disabled as otherwise the logs are spammed
+stdout_logfile=NONE
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /internal.Caddyfile
-user=www-data
+command=httpd -DFOREGROUND
+user=root

-[program:caddy-acme]
+[program:caddy]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /acme.Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile
 user=www-data

 [program:cron]
@@ -54,11 +54,11 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=www-data
+user=root

 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
+stdout_logfile=NONE
+stderr_logfile=NONE
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.3.30-fpm-alpine3.23

 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.5
+ENV NEXTCLOUD_VERSION=32.0.5
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -114,18 +114,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
    { \
-        echo 'opcache.max_accelerated_files=20000'; \
+        echo 'opcache.max_accelerated_files=10000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    { \
        echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=128M'; \
+        echo 'apc.shm_size=64M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
@@ -135,20 +135,14 @@ RUN set -ex; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
        echo 'max_input_time=-1'; \
        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
-        echo 'output_buffering=0'; \
-        echo 'realpath_cache_size=8M'; \
-        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
-        echo 'redis.session.lock_wait_time = 100000'; \
-        echo '; prevents stale locks from crashed workers (seconds)'; \
-        echo 'redis.session.lock_expire = 60'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
@@ -250,21 +244,6 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-# With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
-# of inactivity.  The upstream default is 10 s, which is aggressive: after a
-# brief quiet period (e.g. desktop-sync clients polling every few seconds), all
-# workers are reaped and the next request burst must wait for fresh forks.  On
-# a loaded host that spawn latency can push Apache past its FastCGI timeout and
-# produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
-# polling cycles while still reclaiming memory during genuinely idle periods.
-    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
-# Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
-# exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
-# stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
-# never reaped.  Over time these zombies fill up pm.max_children, leaving no
-# free slots for legitimate requests and causing Apache to return 502 Bad
-# Gateway upstream.
-    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
@@ -286,10 +265,4 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -2,5 +2,4 @@
 $CONFIG = array (
  'one-click-instance' => true,
  'one-click-instance.user-limit' => 100,
-  'update_channel' => 'stable',
 );
@@ -16,12 +16,6 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-
-$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
-if ($appStoreUrl) {
-    if ($appStoreUrl === 'no') {
-        $CONFIG['appstoreenabled '] = false;
-    } else {
-        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
-    }
+if (getenv('NEXTCLOUD_APP_STORE_URL')) {
+    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
 }
@@ -1,20 +1,14 @@
 <?php
-if (getenv('REDIS_MODE') !== 'rediscluster') {
+if (getenv('REDIS_HOST')) {
  $CONFIG = array(
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
+    'redis' => array(
+      'host' => getenv('REDIS_HOST'),
+      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
+    ),
  );

-  if (getenv('REDIS_HOST')) {
-    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
-    $CONFIG['redis']['timeout'] = 3.0;
-    $CONFIG['redis']['read_timeout'] = 10.0;
-  }
-
-  if (getenv('REDIS_HOST_PASSWORD')) {
-    $CONFIG['redis']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
-  }
-
  if (getenv('REDIS_PORT')) {
    $CONFIG['redis']['port'] = (int) getenv('REDIS_PORT');
  }
@@ -23,52 +17,7 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }

-  if (getenv('REDIS_PREFIX')) {
-    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
-  }
-
-  if (getenv('REDIS_USER_AUTH')) {
+  if (getenv('REDIS_USER_AUTH') !== false) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
-
-  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
-    $CONFIG['redis']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
-  }
-} else {
-  $CONFIG = array(
-    'memcache.distributed' => '\OC\Memcache\Redis',
-    'memcache.locking' => '\OC\Memcache\Redis',
-    'redis.cluster' => array(
-      'timeout' => 0.0,
-      'read_timeout' => 0.0,
-      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
-      'seeds' => array_values(array_filter(array(
-        (getenv('REDIS_HOST') && getenv('REDIS_PORT')) ? (getenv('REDIS_HOST') . ':' . (string)getenv('REDIS_PORT')) : null,
-        (getenv('REDIS_HOST_2') && getenv('REDIS_PORT_2')) ? (getenv('REDIS_HOST_2') . ':' . (string)getenv('REDIS_PORT_2')) : null,
-        (getenv('REDIS_HOST_3') && getenv('REDIS_PORT_3')) ? (getenv('REDIS_HOST_3') . ':' . (string)getenv('REDIS_PORT_3')) : null,
-        (getenv('REDIS_HOST_4') && getenv('REDIS_PORT_4')) ? (getenv('REDIS_HOST_4') . ':' . (string)getenv('REDIS_PORT_4')) : null,
-        (getenv('REDIS_HOST_5') && getenv('REDIS_PORT_5')) ? (getenv('REDIS_HOST_5') . ':' . (string)getenv('REDIS_PORT_5')) : null,
-        (getenv('REDIS_HOST_6') && getenv('REDIS_PORT_6')) ? (getenv('REDIS_HOST_6') . ':' . (string)getenv('REDIS_PORT_6')) : null,
-        (getenv('REDIS_HOST_7') && getenv('REDIS_PORT_7')) ? (getenv('REDIS_HOST_7') . ':' . (string)getenv('REDIS_PORT_7')) : null,
-        (getenv('REDIS_HOST_8') && getenv('REDIS_PORT_8')) ? (getenv('REDIS_HOST_8') . ':' . (string)getenv('REDIS_PORT_8')) : null,
-        (getenv('REDIS_HOST_9') && getenv('REDIS_PORT_9')) ? (getenv('REDIS_HOST_9') . ':' . (string)getenv('REDIS_PORT_9')) : null,
-      ))),
-    ),
-  );
-
-  if (getenv('REDIS_HOST_PASSWORD')) {
-    $CONFIG['redis.cluster']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
-  }
-
-  if (getenv('REDIS_USER_AUTH')) {
-    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
-  }
-
-  if (getenv('REDIS_PREFIX')) {
-    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
-  }
-
-  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
-    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
-  }
 }
@@ -34,14 +34,4 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
  if ($sse_c_key) {
    $CONFIG['objectstore']['arguments']['sse_c_key'] = $sse_c_key;
  }
-
-  $requestChecksumValidation = getenv('OBJECTSTORE_S3_REQUEST_CHECKSUM_VALIDATION');
-  if ($requestChecksumValidation) {
-    $CONFIG['objectstore']['arguments']['request_checksum_calculation'] = $requestChecksumValidation;
-  }
-
-  $responseChecksumValidation = getenv('OBJECTSTORE_S3_RESPONSE_CHECKSUM_VALIDATION');
-  if ($responseChecksumValidation) {
-    $CONFIG['objectstore']['arguments']['response_checksum_validation'] = $responseChecksumValidation;
-  }
 }
@@ -1,4 +0,0 @@
-<?php
-$CONFIG = array (
-  'serverid' => hexdec(hash('xxh32', gethostname())) & 0x1FF,
-);
@@ -1,9 +1,4 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -10,10 +10,6 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -24,14 +20,6 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }

-NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '0' ;;
-    info) printf '1' ;;
-    warn) printf '2' ;;
-    error) printf '3' ;;
-esac)"
-export NEXTCLOUD_LOG_LEVEL
-
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then

@@ -87,9 +75,7 @@ if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    cat "$CERTIFICATE_BUNDLE"

    # Disable debug mode
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
 fi

 # Adjust DATABASE_TYPE to by Nextcloud supported value
@@ -129,11 +115,6 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-    if [ -z "$installed_version" ]; then
-        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
-        echo "Please check the container logs and your PHP installation."
-        exit 1
-    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -236,9 +217,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
-                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                        set +x
-                    fi
+                    set +x
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
@@ -305,9 +284,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
-            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-                set +x
-            fi
+            set +x
        fi

        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
@@ -419,32 +396,53 @@ EOF

 # AIO update to latest start # Do not remove or change this line!
            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                if ! bash /upgrade-latest-major.sh; then
-                    echo "Upgrade to latest major version failed! Check the output above for details."
+                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
+                if [ -n "${INSTALLED_AT}" ]; then
+                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
+                    # shellcheck disable=SC2001
+                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
+                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
+                fi
+                php /var/www/html/updater/updater.phar --no-interaction --no-backup
+                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                    echo "Installation of Nextcloud failed!"
+                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
                    exit 1
                fi
                # shellcheck disable=SC2016
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                INSTALLED_MAJOR="${installed_version%%.*}"
+                IMAGE_MAJOR="${image_version%%.*}"
+                # If a valid upgrade path, trigger the Nextcloud built-in Updater
+                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
+                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
+                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
+                        echo "Installation of Nextcloud failed!"
+                        # TODO: Add a hint here about what to do / where to look / updater.log? 
+                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
+                        exit 1
+                    fi
+                    # shellcheck disable=SC2016
+                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+                fi
+                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
+                php /var/www/html/occ app:enable nextcloud-aio --force
+                php /var/www/html/occ db:add-missing-columns
+                php /var/www/html/occ db:add-missing-primary-keys
+                yes | php /var/www/html/occ db:convert-filecache-bigint
            fi
 # AIO update to latest end # Do not remove or change this line!

            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-                php /var/www/html/occ config:system:set log_type --value="errorlog"
-                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
-                php /var/www/html/occ app:disable logreader
-            else
-                php /var/www/html/occ config:system:set log_type --value="file"
-                php /var/www/html/occ config:system:set log_type_audit --value="file"
-                php /var/www/html/occ app:enable logreader
-                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
-            fi
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            php /var/www/html/occ config:system:set log_type --value="file"
+            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
+            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"

            # Apply preview settings
@@ -642,18 +640,8 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
-if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
-    php /var/www/html/occ config:system:set log_type --value="errorlog"
-    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
-    php /var/www/html/occ app:disable logreader
-else
-    php /var/www/html/occ config:system:set log_type --value="file"
-    php /var/www/html/occ config:system:set log_type_audit --value="file"
-    php /var/www/html/occ app:enable logreader
-    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
-fi
+php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
@@ -681,12 +669,8 @@ php /var/www/html/occ config:system:set documentation_url.server_logs --value="h
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess

-# Handle db persistent settings
-if [ "$NEXTCLOUD_PERSIST_DATABASE_CONNECTIONS" = "yes" ]; then
-    php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
-else
-    php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
-fi
+# Revert dbpersistent setting to check if it fixes too many db connections
+php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool

 if [ "$DISABLE_BRUTEFORCE_PROTECTION" = yes ]; then
    php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=false
@@ -754,9 +738,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -867,58 +849,6 @@ else
    fi
 fi

-# EuroOffice
-if [ "$EUROOFFICE_ENABLED" = 'yes' ]; then
-    # Determine EuroOffice port based on host pattern
-    if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
-        EUROOFFICE_PORT=80
-    else
-        EUROOFFICE_PORT=443
-    fi
-
-    count=0
-    while ! nc -z "$EUROOFFICE_HOST" "$EUROOFFICE_PORT" && [ "$count" -lt 90 ]; do
-        echo "Waiting for EuroOffice to become available..."
-        count=$((count+5))
-        sleep 5
-    done
-    if [ "$count" -ge 90 ]; then
-        bash /notify.sh "EuroOffice did not start in time!" "Skipping initialization and disabling eurooffice app."
-        php /var/www/html/occ app:disable eurooffice
-    else
-        # Install or enable EuroOffice app as needed
-        if ! [ -d "/var/www/html/custom_apps/eurooffice" ]; then
-            php /var/www/html/occ app:install eurooffice
-        elif [ "$(php /var/www/html/occ config:app:get eurooffice enabled)" != "yes" ]; then
-            php /var/www/html/occ app:enable eurooffice
-        elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:update eurooffice
-        fi
-
-        # Set EuroOffice configuration
-        php /var/www/html/occ config:system:set eurooffice editors_check_interval --value="0" --type=integer 
-        php /var/www/html/occ config:system:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
-        php /var/www/html/occ config:app:set eurooffice jwt_secret --value="$EUROOFFICE_SECRET"
-        php /var/www/html/occ config:system:set eurooffice jwt_header --value="AuthorizationJwt"
-
-        # Adjust the EuroOffice host if using internal pattern
-        if echo "$EUROOFFICE_HOST" | grep -q "nextcloud-.*-eurooffice"; then
-            EUROOFFICE_HOST="$NC_DOMAIN/eurooffice"
-            export EUROOFFICE_HOST
-        fi
-
-        php /var/www/html/occ config:app:set eurooffice DocumentServerUrl --value="https://$EUROOFFICE_HOST"
-    fi
-else
-    # Remove EuroOffice app if disabled and removal is requested
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && \
-       [ -d "/var/www/html/custom_apps/eurooffice" ] && \
-       [ -n "$EUROOFFICE_SECRET" ] && \
-       [ "$(php /var/www/html/occ config:system:get eurooffice jwt_secret)" = "$EUROOFFICE_SECRET" ]; then
-        php /var/www/html/occ app:remove eurooffice
-    fi
-fi
-
 # Talk
 if [ "$TALK_ENABLED" = 'yes' ]; then
    set -x
@@ -929,9 +859,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-        set +x
-    fi
+    set +x
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -939,20 +867,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update spreed
    fi
-    # Add turn server
-    # shellcheck disable=SC2153
-    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
+    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
+        # shellcheck disable=SC2153
        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
    fi
-    # Add stun server
    STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
-    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
-        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
-    fi
    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
+        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
    fi
-    # Add HPB
    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
    fi
@@ -1101,13 +1025,13 @@ else
    fi
 fi

-# Docker socket proxy / HaRP
+# Docker socket proxy
 # app_api is a shipped app
 if [ -d "/var/www/html/custom_apps/app_api" ]; then
    php /var/www/html/occ app:disable app_api
    rm -r "/var/www/html/custom_apps/app_api"
 fi
-if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ] || [ "$HARP_ENABLED" = 'yes' ]; then
+if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
    if [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
        php /var/www/html/occ app:enable app_api
    fi
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -29,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -57,9 +53,7 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 # Check datadir permissions
 sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -176,8 +170,6 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-    set +x
-fi
+set +x

 exec "$@"
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root

 [program:php-fpm]
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data

-[program:taskprocessing-worker]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=php /var/www/html/occ taskprocessing:worker --timeout 300
-user=www-data
-
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-PHP_CLI="php"
-if [[ "$EUID" = 0 ]]; then
-    PHP_CLI="sudo -u www-data -E $PHP_CLI"
-fi
-
-# shellcheck disable=SC2016
-image_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-export IMAGE_MAJOR="${image_version%%.*}"
-
-$PHP_CLI /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-INSTALLED_AT="$($PHP_CLI /var/www/html/occ config:app:get core installedat)"
-if [ -n "${INSTALLED_AT}" ]; then
-    # Set the installedat to 00 which will allow to skip staging and install the next major directly
-    # shellcheck disable=SC2001
-    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
-    $PHP_CLI /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}"
-fi
-$PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
-if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-    echo "Installation of Nextcloud failed!"
-    touch "$NEXTCLOUD_DATA_DIR/install.failed"
-    exit 1
-fi
-# shellcheck disable=SC2016
-installed_version="$($PHP_CLI -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-export INSTALLED_MAJOR="${installed_version%%.*}"
-# If a valid upgrade path, trigger the Nextcloud built-in Updater
-if ! $PHP_CLI -r "version_compare(getenv('INSTALLED_MAJOR'), getenv('IMAGE_MAJOR'), '>') || exit(1);"; then
-    $PHP_CLI /var/www/html/updater/updater.phar --no-interaction --no-backup
-    if ! $PHP_CLI /var/www/html/occ -V || $PHP_CLI /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-        echo "Installation of Nextcloud failed!"
-        # TODO: Add a hint here about what to do / where to look / updater.log?
-        touch "$NEXTCLOUD_DATA_DIR/install.failed"
-        exit 1
-    fi
-fi
-$PHP_CLI /var/www/html/occ config:system:set updatechecker --type=bool --value=true
-$PHP_CLI /var/www/html/occ app:enable nextcloud-aio --force
-$PHP_CLI /var/www/html/occ db:add-missing-columns
-$PHP_CLI /var/www/html/occ db:add-missing-primary-keys
-yes | $PHP_CLI /var/www/html/occ db:convert-filecache-bigint
@@ -3,4 +3,3 @@
 /custom_apps/
 /themes/
 /version.php
-/lost+found
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.23.3

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -11,6 +11,7 @@ RUN set -ex; \
        netcat-openbsd \
        tzdata \
        bash \
+        jq \
        openssl; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -23,10 +24,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,9 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 if ! nc -z "$NEXTCLOUD_HOST" 9001; then
    exit 0
 fi
@@ -1,14 +1,14 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-export RUST_LOG="$AIO_LOG_LEVEL"
-
 if [ -z "$NEXTCLOUD_HOST" ]; then
    echo "NEXTCLOUD_HOST needs to be provided. Exiting!"
    exit 1
+elif [ -z "$POSTGRES_HOST" ]; then
+    echo "POSTGRES_HOST needs to be provided. Exiting!"
+    exit 1
+elif [ -z "$REDIS_HOST" ]; then
+    echo "REDIS_HOST needs to be provided. Exiting!"
+    exit 1
 fi

 # Only start container if nextcloud is accessible
@@ -28,7 +28,7 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
 fi

 # Add warning
-if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] && ! [ -f /var/www/html/apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
    echo "The notify_push binary was not found."
    echo "Most likely is DNS resolution not working correctly."
    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
@@ -42,24 +42,54 @@ if ! [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ] &&
    exit 1
 fi

-# Logic for ipv6 disabled servers
-BIND="::"
-if grep -q "1" /sys/module/ipv6/parameters/disable \
-|| grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
-|| grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
-    BIND="0.0.0.0"
-fi
-export BIND
-
 echo "notify-push was started"

-
-if [ -f /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
-    PUSH_PATH="/var/www/html/custom_apps/notify_push/bin/$CPU_ARCH/notify_push"
-else
-    PUSH_PATH="/var/www/html/apps/notify_push/bin/$CPU_ARCH/notify_push"
+# Set a default value for POSTGRES_PORT
+if [ -z "$POSTGRES_PORT" ]; then
+    POSTGRES_PORT=5432
 fi
+# Set a default for redis db index
+if [ -z "$REDIS_DB_INDEX" ]; then
+    REDIS_DB_INDEX=0
+fi
+# Set a default value for REDIS_PORT
+if [ -z "$REDIS_PORT" ]; then
+    REDIS_PORT=6379
+fi
+# Set a default for db type
+if [ -z "$DATABASE_TYPE" ]; then
+    DATABASE_TYPE=postgres
+elif [ "$DATABASE_TYPE" != postgres ] && [ "$DATABASE_TYPE" != mysql ]; then
+    echo "DB type must be either postgres or mysql"
+    exit 1
+fi
+
+# Use the correct Postgres username
+if [ "$POSTGRES_USER" = nextcloud ]; then
+    POSTGRES_USER="oc_$POSTGRES_USER"
+    export POSTGRES_USER
+fi
+
+# URL-encode passwords
+POSTGRES_PASSWORD="$(jq -rn --arg v "$POSTGRES_PASSWORD" '$v|@uri')"
+REDIS_HOST_PASSWORD="$(jq -rn --arg v "$REDIS_HOST_PASSWORD" '$v|@uri')"
+
+# Postgres root cert
+if [ -f "/nextcloud/data/certificates/POSTGRES" ]; then
+    CERT_OPTIONS="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/ca-bundle.crt"
+# Mysql root cert
+elif [ -f "/nextcloud/data/certificates/MYSQL" ]; then
+    CERT_OPTIONS="?sslmode=verify-ca&ssl-ca=/nextcloud/data/certificates/ca-bundle.crt"
+fi
+
+# Set sensitive values as env
+export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB$CERT_OPTIONS"
+export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST:$REDIS_PORT/$REDIS_DB_INDEX"
+
 # Run it
-exec "$PUSH_PATH" \
-    --port 7867 \
-    /var/www/html/config/config.php
+/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --database-prefix="oc_" \
+    --nextcloud-url "https://$NC_DOMAIN" \
+    --port 7867
+
+exec "$@"
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:9.3.1.2
+FROM onlyoffice/documentserver:9.2.1.1

 # USER root is probably used

@@ -9,10 +9,4 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
-    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 80 || exit 1
@@ -1,8 +1,6 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/18/alpine3.23/Dockerfile
-FROM postgres:18.4-alpine
-
-ENV PGDATA=/var/lib/postgresql/data
+# From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
+FROM postgres:17.7-alpine

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -14,7 +12,6 @@ RUN set -ex; \
        bash \
        openssl \
        shadow \
-        netcat-openbsd \
        grep; \
    \
 # We need to use the same gid and uid as on old installations
@@ -25,7 +22,6 @@ RUN set -ex; \
    apk del --no-cache shadow; \
    \
 # Fix default permissions
-    mkdir -p /var/lib/postgresql/data; \
    chown -R postgres:postgres /var/lib/postgresql; \
    chown -R postgres:postgres /var/run/postgresql; \
    chmod -R 777 /var/run/postgresql; \
@@ -49,10 +45,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
-    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,14 +1,7 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 test -f "/mnt/data/backup-is-running" && exit 0

-# If database import is running, do not continue with the health check
-if nc -z 127.0.0.1 11000; then
-    exit 0
-fi
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0

-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
@@ -1,16 +1,10 @@
 #!/bin/bash
-
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 set -ex

 touch "$DUMP_DIR/initialization.failed"

-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-POSTGRES_LOG_MIN_MESSAGES="$(case "$AIO_LOG_LEVEL" in
-    debug) printf 'debug1' ;;
-    info) printf 'info' ;;
-    warn) printf 'warning' ;;
-    error) printf 'error' ;;
-esac)"
-export POSTGRES_LOG_MIN_MESSAGES
-
 # Variables
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
@@ -97,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
    exec docker-entrypoint.sh postgres &

    # Wait for creation
-    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start."
        sleep 5
    done
@@ -119,9 +107,8 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
        exit 1
    elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
        DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
-            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -164,71 +151,23 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
    echo "Setting postgres values..."
-    PGCONF="/var/lib/postgresql/data/postgresql.conf"

    # Sync this with max pm.max_children and MaxRequestWorkers
    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
    # Also connections should usually be closed again after the process is done
    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"

    # Do not log checkpoints
-    if grep -q "#log_checkpoints" "$PGCONF"; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
-    fi
-
-    if grep -q "^#\?log_min_messages" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i "s|^#\?log_min_messages.*|log_min_messages = $POSTGRES_LOG_MIN_MESSAGES|" /var/lib/postgresql/data/postgresql.conf
-    else
-        echo "log_min_messages = $POSTGRES_LOG_MIN_MESSAGES" >> /var/lib/postgresql/data/postgresql.conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
    fi

    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" "$PGCONF"; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
+    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
    fi
-
-    # Increase shared_buffers from the 128MB default for better data caching
-    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
-    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
-
-    # Hint to the query planner about available OS page cache (does not allocate memory)
-    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
-    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
-
-    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
-    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
-    # (max_connections × work_mem) is rarely approached in practice.
-    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
-    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
-
-    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
-    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
-    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
-
-    # Increase WAL buffers to reduce WAL write latency under concurrent write load
-    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
-    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
-
-    # Spread checkpoint I/O over a longer window to reduce spikes
-    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
-    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
-
-    # Tune for SSD storage: random reads are nearly as fast as sequential reads
-    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
-    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
-
-    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
-    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
-    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
-
-    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
-    # to prevent table bloat accumulating before the default 20% threshold is reached
-    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
-    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
-    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
-    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi

 do_database_dump() {
@@ -241,16 +180,12 @@ do_database_dump() {
        pg_ctl stop -m fast
        rm "$DUMP_DIR/export.failed"
        echo 'Database dump successful!'
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 0
    else
        pg_ctl stop -m fast
        echo "Database dump unsuccessful!"
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
-            set +x
-        fi
+        set +x
        exit 1
    fi
 }
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/redis/docker-library-redis/blob/release/8.2/alpine/Dockerfile
-FROM redis:8.6.3-alpine
+FROM redis:8.2.3-alpine

 COPY --chmod=775 start.sh /start.sh

@@ -10,7 +10,6 @@ RUN set -ex; \
    \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk --no-cache del openssl; \
    \
 # Get rid of unused binaries
    rm -f /usr/local/bin/gosu;
@@ -23,10 +22,4 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Redis for Nextcloud AIO" \
-    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
@@ -1,50 +1,17 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-# Redis only supports [debug, verbose, notice, warning, nothing] as log level
-if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
-    REDIS_LOG_LEVEL="warning"
-elif [ "$AIO_LOG_LEVEL" = "info" ]; then
-    REDIS_LOG_LEVEL="notice"
-else
-    REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
-fi
-export REDIS_LOG_LEVEL
-
 # Show wiki if vm.overcommit is disabled
 if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
    echo "Memory overcommit is disabled but necessary for safe operation"
    echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi

-# Warn if Transparent Huge Pages are enabled (causes latency spikes)
-if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
-    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
-        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
-        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
-    fi
-fi
-
-# Build the redis-server argument list.
-REDIS_ARGS=(
-    --loglevel "$REDIS_LOG_LEVEL"
-    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
-    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
-    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
-    --lazyfree-lazy-expire yes # Expire keys in a background thread
-    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
-    --replica-lazy-flush yes # Flush replica dataset in background thread
-    --activedefrag yes # Reclaim fragmented memory without restart
-    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
-)
-
-if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
-fi
-
 # Run redis with a password if provided
 echo "Redis has started"
-exec redis-server "${REDIS_ARGS[@]}"
+if [ -n "$REDIS_HOST_PASSWORD" ]; then
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+else
+    exec redis-server --loglevel warning
+fi
+
+exec "$@"
@@ -1,16 +1,15 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.14.5-alpine3.23
+FROM python:3.14.3-alpine3.23

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

 ENV RECORDING_VERSION=v0.2.1
-ENV ALLOW_ALL=false \
-    HPB_PROTOCOL=https \
-    NC_PROTOCOL=https \
-    SKIP_VERIFY=false \
-    HPB_PATH=/standalone-signaling/ \
-    AIO_LOG_LEVEL=warn
+ENV ALLOW_ALL=false
+ENV HPB_PROTOCOL=https
+ENV NC_PROTOCOL=https
+ENV SKIP_VERIFY=false
+ENV HPB_PATH=/standalone-signaling/

 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -20,11 +19,7 @@ RUN set -ex; \
        bash \
        xvfb \
        ffmpeg \
-        mesa-va-gallium \
        firefox \
-        font-noto-all \
-        font-noto-cjk \
-        font-noto-cjk-extra \
        bind-tools \
        netcat-openbsd \
        git \
@@ -35,9 +30,6 @@ RUN set -ex; \
        build-base \
        linux-headers \
        geckodriver; \
-    if [ "$(apk --print-arch)" = "x86_64" ]; then \
-        apk add --no-cache intel-media-driver; \
-    fi; \
    useradd -d /tmp --system recording -u 122; \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -67,10 +59,4 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
@@ -1,7 +1,3 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
 nc -z 127.0.0.1 1234 || exit 1
@@ -1,17 +1,5 @@
 #!/bin/bash

-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
-    set -x
-fi
-
-TALK_RECORDING_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
-    debug) printf '10' ;;
-    info) printf '20' ;;
-    warn) printf '30' ;;
-    error) printf '40' ;;
-esac)"
-export TALK_RECORDING_LOG_LEVEL
-
 # Variables
 if [ -z "$NC_DOMAIN" ]; then
    echo "You need to provide the NC_DOMAIN."
@@ -31,37 +19,10 @@ fi
 # Delete all contents on startup to start fresh
 rm -fr /tmp/{*,.*}

-# Detect available hardware for transcoding and build the [ffmpeg] config section accordingly
-FFMPEG_SECTION="[ffmpeg]
-# common = ffmpeg -loglevel level+warning -n
-# outputaudio = -c:a libopus
-# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-extensionaudio = .ogg
-extensionvideo = .webm"
-
-# Check for NVIDIA GPU hardware encoding (NVENC)
-if [ -e "/dev/nvidia0" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_nvenc"; then
-    echo "NVIDIA GPU detected, enabling h264_nvenc hardware transcoding"
-    FFMPEG_SECTION="[ffmpeg]
-outputvideo = -c:v h264_nvenc -preset p4
-outputaudio = -c:a aac
-extensionaudio = .m4a
-extensionvideo = .mp4"
-# Check for VA-API render node (Intel/AMD open source drivers)
-elif [ -r "/dev/dri/renderD128" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_vaapi"; then
-    echo "DRI device detected, enabling h264_vaapi hardware transcoding"
-    FFMPEG_SECTION="[ffmpeg]
-common = ffmpeg -loglevel level+warning -n -vaapi_device /dev/dri/renderD128
-outputvideo = -vf format=nv12,hwupload -c:v h264_vaapi
-outputaudio = -c:a aac
-extensionaudio = .m4a
-extensionvideo = .mp4"
-fi
-
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
-level = ${TALK_RECORDING_LOG_LEVEL}
+level = 30

 [http]
 listen = 0.0.0.0:1234
@@ -89,7 +50,12 @@ signalings = signaling-1
 url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}

-${FFMPEG_SECTION}
+[ffmpeg]
+# common = ffmpeg -loglevel level+warning -n
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm

 [recording]
 browser = firefox
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.14.2-scratch AS nats
+FROM nats:2.12.4-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
-FROM alpine:3.23.4 AS janus
+FROM strukturag/nextcloud-spreed-signaling:2.1.0 AS signaling
+FROM alpine:3.23.3 AS janus

-ARG JANUS_VERSION=v1.4.1
+ARG JANUS_VERSION=v1.4.0
 WORKDIR /src
 RUN set -ex; \
    apk upgrade --no-cache -a; \
@@ -35,10 +35,9 @@ RUN set -ex; \
    make configs; \
    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample

-FROM alpine:3.23.4
+FROM alpine:3.23.3
 ENV ETURNAL_ETC_DIR="/conf"
-ENV SKIP_CERT_VERIFY=false \
-    AIO_LOG_LEVEL=warn
+ENV SKIP_CERT_VERIFY=false
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
 COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
@@ -71,8 +70,7 @@ RUN set -ex; \
        libwebsockets \
        \
        shadow \
-        grep \
-        util-linux-misc; \
+        grep; \
    useradd --system -u 1000 eturnal; \
    apk del --no-cache \
        shadow; \
@@ -83,9 +81,7 @@ RUN set -ex; \
    touch \
        /etc/nats.conf \
        /etc/eturnal.yml; \
-# write_deadline: "10s" — without a write deadline, a lagging subscriber can stall the broker indefinitely, blocking all other signaling messages.
-# max_payload: 8MB — the default is 1 MB; signaling payloads in large meetings (many participants, ICE candidates) can exceed this, causing dropped messages.
-    printf 'listen: 127.0.0.1:4222\nwrite_deadline: "10s"\nmax_payload: 8MB\n' | tee /etc/nats.conf; \
+    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
        /conf \
@@ -112,10 +108,4 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
-    dockhand.update="false" \
-    org.opencontainers.image.title="Talk for Nextcloud AIO" \
-    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
-    org.opencontainers.image.vendor="Nextcloud" \
-    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
+    org.label-schema.vendor="Nextcloud"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	57f0aa3250	Use CSS custom property for warning color Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-02-11 17:12:05 +00:00
copilot-swe-agent[bot]	afe3ec1699	Refactor: Use CSS class instead of inline styles for update warning Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-02-11 17:11:32 +00:00
copilot-swe-agent[bot]	6297358d48	Add per-container update status indicator in AIO interface Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>	2026-02-11 17:10:53 +00:00
copilot-swe-agent[bot]	bd772e19ca	Initial plan	2026-02-11 17:07:10 +00:00