Merge pull request #2814 from nextcloud/dependabot/github_actions/codespell-project/actions-codespell-2

Bump codespell-project/actions-codespell from 1 to 2

.github/dependabot.yml

@@ -108,6 +108,15 @@ updates:
   labels:
   - 3. to review
   - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/talk-recording"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
 - package-ecosystem: "docker"
   directory: "/Containers/watchtower"
   schedule:

.github/workflows/codespell.yml

@@ -0,0 +1,20 @@
+name: 'Codespell'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  codespell:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+      - name: Check spelling
+        uses: codespell-project/actions-codespell@v2
+        with:
+          check_filenames: true
+          check_hidden: true

.github/workflows/command-rebase.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@ca08ebd5dc95aa0cd97021e9708fcd6b87138c9b # v3.0.1
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -42,7 +42,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@ca08ebd5dc95aa0cd97021e9708fcd6b87138c9b # v3.0.1
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}

.github/workflows/create-psalm-container.yml

@@ -1,54 +0,0 @@
-name: Create Psalm Container
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '5 4 * * *'
-
-jobs:
-  push_to_registry:
-    runs-on: ubuntu-latest
-
-    name: Create Psalm Container
-
-    permissions:
-      packages: write
-      contents: read
-
-    steps:
-      - name: Check out the repo
-        run: |
-          git clone https://github.com/psalm/psalm-github-actions.git
-      
-      - name: Modify the Dockerfile
-        run: |
-          set -x
-          sed -i 's|FROM php:7.4-alpine|FROM php:8.2-alpine|' "psalm-github-actions/Dockerfile"
-          cat << APCU >> "psalm-github-actions/Dockerfile"
-          RUN mkdir -p /usr/src/php/ext/apcu && \
-            curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && \
-            docker-php-ext-install apcu
-          APCU
-
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v2
-        with:
-          registry: docker.pkg.github.com
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build container image
-        uses: docker/build-push-action@v4
-        with:
-          push: true
-          context: 'psalm-github-actions'
-          file: 'psalm-github-actions/Dockerfile'
-          tags: |
-            ghcr.io/nextcloud/all-in-one-psalm:latest

.github/workflows/docker-lint.yml

@@ -0,0 +1,54 @@
+name: Docker Lint
+
+on:
+  pull_request:
+    paths:
+      - 'Containers/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'Containers/**'
+
+permissions:
+  contents: read
+
+concurrency: 
+  group: docker-lint-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  docker-lint:
+    runs-on: ubuntu-latest
+
+    name: docker-lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install npm and dockerfilelint
+        run: |
+          sudo apt-get update
+          sudo apt-get install nodejs npm -y --no-install-recommends
+          npm install -g dockerfilelint
+          wget https://github.com/replicatedhq/dockerfilelint/pull/184.patch -O /usr/local/lib/node_modules/dockerfilelint/184.patch
+          CURRENT_DIR=$PWD
+          cd /usr/local/lib/node_modules/dockerfilelint/
+          git apply 184.patch
+          cd $CURRENT_DIR
+          cat << RULES > ./.dockerfilelintrc
+          rules:
+            sudo_usage: off
+          RULES
+
+      - name: run lint
+        run: |
+          DOCKERFILES="$(find ./Containers -name Dockerfile)"
+          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
+          for file in "${DOCKERFILES[@]}"; do
+            dockerfilelint "$file" --config ./ | tee -a ./dockerfilelint.log
+          done
+          if grep "^Issues: [0-9]" ./dockerfilelint.log; then
+            exit 1
+          fi

.github/workflows/imaginary-update.yml

@@ -19,7 +19,7 @@ jobs:
             | cut -f1 \
             | tail -1
         )"
-        sed -i "s|go install github.com/h2non/imaginary.*;|go install github.com/h2non/imaginary@$imaginary_version;|" ./Containers/imaginary/Dockerfile
+        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5

.github/workflows/json-validator.yml

@@ -2,12 +2,16 @@ name: Json Validator
 
 on:
   pull_request:
+    paths:
+      - '**.json'
   push:
     branches:
       - main
+    paths:
+      - '**.json'
 
 jobs:
-  psalm:
+  json-validator:
     name: Json Validator
     runs-on: ubuntu-latest
     steps:
@@ -15,6 +19,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Validate Json
         run: |
-          sudo apt-get install python3-pip --no-install-recommends
+          sudo apt-get update
+          sudo apt-get install python3-pip -y --no-install-recommends
           sudo pip3 install json-spec
           json validate --schema-file=php/containers-schema.json --document-file=php/containers.json

.github/workflows/lint-php.yml

@@ -7,9 +7,13 @@ name: Lint php
 
 on:
   pull_request:
+    paths:
+      - 'php/**'
   push:
     branches:
       - main
+    paths:
+      - 'php/**'
 
 permissions:
   contents: read
@@ -32,7 +36,7 @@ jobs:
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@1a18b2267f80291a81ca1d33e7c851fe09e7dfc4 # v2
+        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none
@@ -43,7 +47,7 @@ jobs:
       - name: Lint
         run: cd php && composer run lint
 
-  summary:
+  php-lint-summary:
     permissions:
       contents: none
     runs-on: ubuntu-latest

.github/workflows/php-deprecation-detector.yml

@@ -3,12 +3,16 @@ name: PHP Deprecation Detector
 
 on:
   pull_request:
+    paths:
+      - 'php/**'
   push:
     branches:
       - main
+    paths:
+      - 'php/**'
 
 jobs:
-  psalm:
+  phpdd:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:

.github/workflows/psalm-analysis.yml

@@ -1,28 +0,0 @@
-name: Psalm Analysis
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  psalm:
-    name: Psalm
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Set up php8.2
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: 8.2
-          extensions: apcu
-          coverage: none
-
-      - name: Run script
-        run: |
-          set -x
-          cd php
-          composer global require vimeo/psalm --prefer-dist --no-progress --dev
-          composer install
-          composer run psalm

.github/workflows/psalm-security.yml

@@ -1,25 +0,0 @@
-name: Psalm Security Analysis
-
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  psalm:
-    name: Psalm
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-      - name: Psalm
-        uses: docker://ghcr.io/nextcloud/all-in-one-psalm
-        with:
-          relative_dir: php
-          security_analysis: true
-          composer_ignore_platform_reqs: false
-          report_file: results.sarif
-      - name: Upload Security Analysis results to GitHub
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: php/results.sarif

.github/workflows/psalm.yml

@@ -0,0 +1,47 @@
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Static analysis
+
+on:
+  pull_request:
+    paths:
+      - 'php/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'php/**'
+
+concurrency:
+  group: psalm-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+
+    name: Nextcloud
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+      - name: Set up php
+        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
+        with:
+          php-version: 8.2
+          extensions: apcu
+          coverage: none
+          ini-file: development
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies and run psalm
+        run: |
+          set -x
+          cd php
+          composer global require vimeo/psalm --prefer-dist --no-progress --dev
+          composer install
+          composer run psalm

.github/workflows/shellcheck.yml

@@ -2,9 +2,13 @@ name: Shellcheck
 
 on:
   pull_request:
+    paths:
+      - '**.sh'
   push:
     branches:
       - main
+    paths:
+      - '**.sh'
 
 jobs:
   shellcheck:

.github/workflows/spellcheck.yml

@@ -1,23 +0,0 @@
-name: 'Spellcheck'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  spellcheck:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: spelling or typos
-        uses: actions/checkout@v3
-      - name: fix permission for reviewdog
-        run: sudo chown -R root:root $GITHUB_WORKSPACE
-      - name: misspell
-        uses: reviewdog/action-misspell@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          locale: "US"
-          fail_on_error: true

.github/workflows/talk.yml

@@ -0,0 +1,46 @@
+name: talk-update
+
+on:
+  workflow_dispatch:
+  schedule:
+  - cron:  '00 12 * * *'
+
+jobs:
+  talk-update:
+    name: update talk
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run talk-update
+      run: |
+        # Spreed
+        spreed_version="$(
+          git ls-remote https://github.com/nextcloud/spreed v*.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
+        curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
+        
+        # Signaling
+        signaling_version="$(
+          git ls-remote https://github.com/strukturag/nextcloud-spreed-signaling v*.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
+        
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
+      with:
+        commit-message: talk-update automated change
+        signoff: true
+        title: talk update
+        body: Automated talk container update
+        labels: dependencies, 3. to review
+        milestone: next
+        branch: talk-container-update

.github/workflows/twig-lint.yml

@@ -2,9 +2,13 @@ name: Twig Lint
 
 on:
   pull_request:
+    paths:
+      - '**.twig'
   push:
     branches:
       - main
+    paths:
+      - '**.twig'
 
 permissions:
   contents: read
@@ -16,10 +20,6 @@ concurrency:
 jobs:
   twig-lint:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        php-versions: ["8.2"]
-
     name: twig-lint
 
     steps:
@@ -29,7 +29,8 @@ jobs:
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@v2
         with:
-          php-version: ${{ matrix.php-versions }}
+          php-version: 8.2
+          extensions: apcu
           coverage: none
 
       - name: twig lint
@@ -39,17 +40,3 @@ jobs:
           composer install
           chmod +x ./vendor/bin/twig-linter
           ./vendor/bin/twig-linter lint ./templates
-
-  summary:
-    permissions:
-      contents: none
-    runs-on: ubuntu-latest
-    needs: twig-lint
-
-    if: always()
-
-    name: twig-lint-summary
-
-    steps:
-      - name: Summary status
-        run: if ${{ needs.twig-lint.result != 'success' && needs.twig-lint.result != 'skipped' }}; then exit 1; fi

.github/workflows/update-helm.yml

@@ -6,7 +6,7 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  psalm:
+  update-helm:
     name: update helm chart
     runs-on: ubuntu-latest
     steps:

.github/workflows/update-yaml.yml

@@ -6,7 +6,7 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  psalm:
+  update-yaml:
     name: update yaml files
     runs-on: ubuntu-latest
     steps:

.gitignore

@@ -6,4 +6,5 @@
 /manual-install/*.conf
 !/manual-install/sample.conf
 /manual-install/docker-compose.yml
+/manual-install/compose.yaml
 /manual-install/.env

Containers/apache/Caddyfile

@@ -30,7 +30,7 @@
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867
+        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
     }
 
     # Onlyoffice

Containers/apache/Dockerfile

@@ -1,7 +1,6 @@
-# Caddy is a requirement
 FROM caddy:2.6.4-alpine as caddy
 
-FROM httpd:2.4.57-alpine3.17
+FROM httpd:2.4.57-alpine3.18
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 

Containers/apache/nextcloud.conf

@@ -3,17 +3,20 @@ Listen 8000
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
     </FilesMatch>
 
-    # Enable Brotli compression for js files
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
     <IfModule mod_brotli.c>
-        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript
+        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
         BrotliCompressionQuality 0
     </IfModule>
 

Containers/borgbackup/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 
 RUN set -ex; \
     \
@@ -16,6 +16,7 @@ VOLUME /root
 COPY --chmod=770 *.sh /
 
 ENTRYPOINT ["/start.sh"]
+USER root
 
 LABEL com.centurylinklabs.watchtower.monitor-only="true"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"

Containers/borgbackup/backupscript.sh

@@ -137,6 +137,9 @@ if [ "$BORG_MODE" = backup ]; then
     # auto,zstd compression seems to has the best ratio based on:
     # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
     BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
+    if [ "$NEW_REPOSITORY" = 1 ]; then
+        BORG_OPTS+=(--progress)
+    fi
 
     # Exclude the nextcloud log and audit log for GDPR reasons
     BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
@@ -167,9 +170,8 @@ if [ "$BORG_MODE" = backup ]; then
     rm -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
 
     # Prune options
-    set -x
     read -ra BORG_PRUNE_OPTS <<< "$BORG_RETENTION_POLICY"
-    set +x
+    echo "BORG_PRUNE_OPTS are ${BORG_PRUNE_OPTS[*]}"
 
     # Prune archives
     echo "Pruning the archives..."
@@ -295,7 +297,7 @@ if [ "$BORG_MODE" = restore ]; then
     --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
     --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
     --exclude "nextcloud_aio_mastercontainer/session/**" \
-    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
         RESTORE_FAILED=1
         echo "Something failed while restoring from backup."
     fi

Containers/clamav/Dockerfile

@@ -6,5 +6,13 @@ COPY clamav.conf /tmp/clamav.conf
 RUN set -ex; \
     apk add --no-cache tzdata; \
     cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf; \
-    rm /tmp/clamav.conf
+    rm /tmp/clamav.conf; \
+    mkdir -p /var/run/clamav /run/lock; \
+    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
+    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp
+
+VOLUME /var/lib/clamav
+
+USER clamav
+
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:22.05.14.3.1
+FROM collabora/code:23.05.0.5.1
 
 USER root
 
@@ -9,11 +9,11 @@ RUN set -ex; \
     export DEBIAN_FRONTEND=noninteractive; \
     apt-get install -y --no-install-recommends \
         tzdata \
-        netcat \
+        netcat-openbsd \
     ; \
     rm -rf /var/lib/apt/lists/*
 
-USER 104
+USER 100
 
 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/domaincheck/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 RUN set -ex; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
     adduser -S www-data -G www-data; \

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,8 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
 FROM elasticsearch:7.17.10
 
+USER root
+
 RUN set -ex; \
     \
     export DEBIAN_FRONTEND=noninteractive; \
@@ -11,5 +13,7 @@ RUN set -ex; \
     rm -rf /var/lib/apt/lists/*; \
     elasticsearch-plugin install --batch ingest-attachment
 
+USER 1000:0
+
 HEALTHCHECK CMD nc -z localhost 9200 || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/imaginary/Dockerfile

@@ -1,4 +1,7 @@
-FROM golang:1.20.4-alpine3.17 as go
+FROM golang:1.20.5-alpine3.18 as go
+
+ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84
+
 RUN set -ex; \
     apk add --no-cache \
         vips-dev \
@@ -7,9 +10,9 @@ RUN set -ex; \
         vips-jxl \
         vips-poppler \
         build-base; \
-    go install github.com/h2non/imaginary@b632dae8cc321452c3f85bcae79c580b1ae1ed84;
+    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 RUN set -ex; \
     apk add --no-cache \
         tzdata \

Containers/mastercontainer/Dockerfile

@@ -4,8 +4,8 @@ FROM docker:24.0.2-cli as docker
 # Caddy is a requirement
 FROM caddy:2.6.4-alpine as caddy
 
-# From https://github.com/docker-library/php/blob/master/8.2/alpine3.17/fpm/Dockerfile
-FROM php:8.2.6-fpm-alpine3.17
+# From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
+FROM php:8.2.7-fpm-alpine3.18
 
 EXPOSE 80
 EXPOSE 8080
@@ -62,7 +62,7 @@ RUN set -ex; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
-    find ./ -not -path ./php -maxdepth 1 -mindepth 1 -delete; \
+    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -exec rm -r {} \; ; \
     chown www-data:www-data -R /var/www/docker-aio; \
     cd php; \
     sudo -u www-data composer install --no-dev; \
@@ -80,6 +80,8 @@ RUN set -ex; \
     \
     sed -i \
             -e '/^Listen /d' \
+            -e 's/^LogLevel .*/LogLevel error/' \
+            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
             -e 's/User apache/User www-data/g' \
             -e 's/Group apache/Group www-data/g' \
             -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
@@ -95,6 +97,9 @@ RUN set -ex; \
         mkdir -p /etc/apache2/logs; \
         rm /etc/apache2/conf.d/ssl.conf; \
         echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
+        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
+        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
+        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
         echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \

Containers/mastercontainer/cron.sh

@@ -57,6 +57,11 @@ while true; do
     # Remove dangling images
     sudo -u www-data docker image prune --force
 
+    # Remove mastercontainer from default bridge network
+    if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
+        sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
+    fi
+
     # Wait 60s so that the whole loop will not be executed again
     sleep 60
 done

Containers/mastercontainer/mastercontainer.conf

@@ -11,8 +11,11 @@ Listen 8080
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">

Containers/mastercontainer/start.sh

@@ -29,10 +29,13 @@ fi
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
     print_red "Docker socket is not available. Cannot continue."
+    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
     echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
     exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
     print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
+    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
@@ -61,6 +64,9 @@ fi
 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
     print_red "Cannot connect to the docker socket. Cannot proceed."
+    echo "If you are on Docker Desktop v4.19 or higher, see https://github.com/nextcloud/all-in-one/issues/2450"
+    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"

Containers/mastercontainer/supervisord.conf

@@ -38,6 +38,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/cron.sh
+user=root
 
 [program:backup-time-file-watcher]
 stdout_logfile=/dev/stdout

Containers/nextcloud/Dockerfile

@@ -1,5 +1,19 @@
-# From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
-FROM php:8.1.19-fpm-alpine3.17
+FROM php:8.1.20-fpm-alpine3.18
+
+ENV PHP_MEMORY_LIMIT 512M
+ENV PHP_UPLOAD_LIMIT 10G
+ENV PHP_MAX_TIME 3600
+ENV NEXTCLOUD_VERSION 26.0.2
+ENV AIO_TOKEN 123456
+ENV AIO_URL localhost
+
+COPY --chmod=775 *.sh /
+COPY --chmod=774 upgrade.exclude /upgrade.exclude
+COPY config/*.php /
+COPY supervisord.conf /supervisord.conf
+
+VOLUME /mnt/ncdata
+VOLUME /var/www/html
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
 RUN set -ex; \
@@ -8,22 +22,14 @@ RUN set -ex; \
     groupmod -g 333 xfs; \
     usermod -u 333 -g 333 xfs; \
     addgroup -g 33 -S www-data; \
-    adduser -u 33 -D -S -G www-data www-data
-
-# entrypoint.sh and cron.sh dependencies
-RUN set -ex; \
+    adduser -u 33 -D -S -G www-data www-data; \
     \
+# entrypoint.sh and cron.sh dependencies
     apk add --no-cache \
         rsync \
-    ;
-
+    ; \
 # install the PHP extensions we need
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
-ENV PHP_MEMORY_LIMIT 512M
-ENV PHP_UPLOAD_LIMIT 10G
-ENV PHP_MAX_TIME 3600
-RUN set -ex; \
-    \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
         autoconf \
@@ -80,16 +86,17 @@ RUN set -ex; \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
     apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps
-
+    apk del .build-deps; \
+    \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-RUN { \
-        echo 'opcache.interned_strings_buffer=32'; \
+    { \
+        echo 'opcache.memory_consumption=256'; \
+        echo 'opcache.interned_strings_buffer=64'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
         echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
     echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
@@ -102,15 +109,10 @@ RUN { \
         echo 'max_input_time=${PHP_MAX_TIME}'; \
     } > /usr/local/etc/php/conf.d/nextcloud.ini; \
     \
-    mkdir /var/www/data; \
+    mkdir -p /var/www/data; \
     chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www
-
-VOLUME /var/www/html
-
-ENV NEXTCLOUD_VERSION 26.0.2
-
-RUN set -ex; \
+    chmod -R g=u /var/www; \
+    \
     apk add --no-cache --virtual .fetch-deps \
         bzip2 \
         gnupg \
@@ -130,27 +132,18 @@ RUN set -ex; \
     mkdir -p /usr/src/nextcloud/data; \
     mkdir -p /usr/src/nextcloud/custom_apps; \
     chmod +x /usr/src/nextcloud/occ; \
-    apk del .fetch-deps
-
-COPY *.sh upgrade.exclude /
-COPY config/* /usr/src/nextcloud/config/
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["php-fpm"]
-
-# Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
-
-RUN set -ex; \
+    mkdir -p /usr/src/nextcloud/config; \
+    mv /*.php /usr/src/nextcloud/config/; \
+    apk del .fetch-deps; \
     \
+# Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
     apk add --no-cache \
         ffmpeg \
         procps \
         samba-client \
         supervisor \
 #       libreoffice \
-    ;
-
-RUN set -ex; \
+    ; \
     \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
@@ -178,21 +171,12 @@ RUN set -ex; \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
     apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps
-
-RUN mkdir -p \
+    apk del .build-deps; \
+    \
+    mkdir -p \
     /var/log/supervisord \
     /var/run/supervisord \
-;
-
-COPY supervisord.conf /
-
-ENV NEXTCLOUD_UPDATE=1
-
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
-
-# Custom:
-RUN set -ex; \
+    ; \
     \
     apk add --no-cache \
         bash \
@@ -202,64 +186,41 @@ RUN set -ex; \
         git \
         postgresql-client \
         tzdata \
-        mawk \
         sudo \
         grep \
         nodejs \
-        coreutils;
-
-RUN set -ex; \
+        coreutils; \
+    \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
-
-RUN set -ex; \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
+    \
     rm -rf /tmp/nextcloud-aio && \
     mkdir -p /tmp/nextcloud-aio && \
     cd /tmp/nextcloud-aio && \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
     mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
-    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/
-
-RUN set -ex; \
+    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/; \
+    \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
-    rm -r /usr/src/nextcloud/apps/updatenotification
-
-COPY start.sh /
-COPY notify.sh /
-COPY notify-all.sh /
-RUN set -ex; \
-    chmod +x /start.sh && \
-    chmod +x /entrypoint.sh && \
-    chmod +r /upgrade.exclude && \
-    chmod +x /cron.sh && \
-    chmod +x /notify.sh && \
-    chmod +x /notify-all.sh && \
-    chmod +x /run-exec-commands.sh && \
-    chmod +x /healthcheck.sh
-
-RUN set -ex; \
-    mkdir /mnt/ncdata; \
-    chown www-data:www-data /mnt/ncdata;
-
-VOLUME /mnt/ncdata
-
-RUN set -ex; \
+    rm -r /usr/src/nextcloud/apps/updatenotification; \
+    \
     mkdir -p /nc-updater; \
     chown -R www-data:www-data /nc-updater; \
-    chmod -R 770 /nc-updater
-
+    chmod -R 770 /nc-updater; \
+    \
 # Give root a random password
-RUN echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER root
 ENTRYPOINT ["/start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/nextcloud/entrypoint.sh

@@ -10,6 +10,15 @@ directory_empty() {
     [ -z "$(ls -A "$1/")" ]
 }
 
+run_upgrade_if_needed_due_to_app_update() {
+    if php /var/www/html/occ status | grep needsDbUpgrade | grep -q true; then
+        # Disable integrity check temporarily until next update
+        php /var/www/html/occ config:system:set integrity.check.disabled --type bool --value true
+        php /var/www/html/occ upgrade
+        php /var/www/html/occ app:enable nextcloud-aio --force
+    fi
+}
+
 echo "Configuring Redis as session handler..."
 cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
 session.save_handler = redis
@@ -22,7 +31,7 @@ redis.session.lock_wait_time = 10000
 REDIS_CONF
 
 echo "Setting php max children..."
-MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
 PHP_MAX_CHILDREN=$((MEMORY/50))
 if [ -n "$PHP_MAX_CHILDREN" ]; then
     sed -i "s/^pm.max_children =.*/pm.max_children = $PHP_MAX_CHILDREN/" /usr/local/etc/php-fpm.d/www.conf
@@ -147,6 +156,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 fi
             done
 
+            run_upgrade_if_needed_due_to_app_update
+
             php /var/www/html/occ maintenance:mode --off
 
             echo "Getting and backing up the status of apps for later, this might take a while..."
@@ -170,6 +181,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
 
             php /var/www/html/occ app:update --all
 
+            run_upgrade_if_needed_due_to_app_update
+
             # Fix removing the updatenotification for old instances
             UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
             if [ -d "/var/www/html/apps/updatenotification" ]; then
@@ -253,7 +266,6 @@ DATADIR_PERMISSION_CONF
                 php /var/www/html/occ config:system:set updater.release.channel --value=beta
                 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
                 php /var/www/html/updater/updater.phar --no-interaction
-                php /var/www/html/occ app:enable nextcloud-aio --force
                 if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                     echo "Installation of Nextcloud failed!"
                     touch "$NEXTCLOUD_DATA_DIR/install.failed"
@@ -264,8 +276,6 @@ DATADIR_PERMISSION_CONF
                 INSTALLED_MAJOR="${installed_version%%.*}"
                 IMAGE_MAJOR="${image_version%%.*}"
                 if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
-                    php /var/www/html/occ config:system:set updater.release.channel --value=beta
-                    php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
                     php /var/www/html/updater/updater.phar --no-interaction
                     if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                         echo "Installation of Nextcloud failed!"
@@ -273,7 +283,10 @@ DATADIR_PERMISSION_CONF
                         exit 1
                     fi
                 fi
+                php /var/www/html/occ app:disable updatenotification
+                rm -rf /var/www/html/apps/updatenotification
                 php /var/www/html/occ config:system:set updater.release.channel --value=stable
+                php /var/www/html/occ app:enable nextcloud-aio --force
                 php /var/www/html/occ db:add-missing-indices
                 php /var/www/html/occ db:add-missing-columns
                 php /var/www/html/occ db:add-missing-primary-keys
@@ -343,6 +356,7 @@ DATADIR_PERMISSION_CONF
         else
             touch "$NEXTCLOUD_DATA_DIR/update.failed"
             echo "Upgrading nextcloud from $installed_version to $image_version..."
+            php /var/www/html/occ config:system:delete integrity.check.disabled
             if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                 echo "Upgrade failed. Please restore from backup."
                 bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
@@ -354,6 +368,8 @@ DATADIR_PERMISSION_CONF
 
             php /var/www/html/occ app:update --all
 
+            run_upgrade_if_needed_due_to_app_update
+
             # Restore app status
             if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
                 echo "Restoring the status of apps. This can take a while..."
@@ -362,6 +378,12 @@ DATADIR_PERMISSION_CONF
                         if [ "${APPSTORAGE[$app]}" != "no" ]; then
                             echo "Enabling $app..."
                             if ! php /var/www/html/occ app:enable "$app" >/dev/null; then
+                                php /var/www/html/occ app:disable "$app" >/dev/null
+                                if ! php /var/www/html/occ -V &>/dev/null; then
+                                    rm -r "/var/www/html/custom_apps/$app"
+                                    php /var/www/html/occ maintenance:mode --off
+                                fi
+                                run_upgrade_if_needed_due_to_app_update
                                 echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                 if [ "$app" = apporder ]; then
                                     CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
@@ -382,6 +404,8 @@ DATADIR_PERMISSION_CONF
 
             php /var/www/html/occ app:update --all
 
+            run_upgrade_if_needed_due_to_app_update
+
             # Apply optimization
             echo "Doing some optimizations..."
             php /var/www/html/occ maintenance:repair
@@ -397,8 +421,7 @@ DATADIR_PERMISSION_CONF
     # Performing update of all apps if daily backups are enabled, running and successful and if it is saturday
     if [ "$UPDATE_NEXTCLOUD_APPS" = 'yes' ] && [ "$(date +%u)" = 6 ]; then
         UPDATED_APPS="$(php /var/www/html/occ app:update --all)"
-        # Update all apps again and try to prevent something like https://github.com/nextcloud/polls/issues/2793 from happening
-        php /var/www/html/occ app:update --all
+        run_upgrade_if_needed_due_to_app_update
         if [ -n "$UPDATED_APPS" ]; then
              bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
         fi
@@ -407,12 +430,15 @@ else
     SKIP_UPDATE=1
 fi
 
+run_upgrade_if_needed_due_to_app_update
+
 if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
     # Check if appdata is present
     # If not, something broke (e.g. changing ncdatadir after aio was first started)
     if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you maybe change the datadir after aio was first started?"
+        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
         echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
+        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
         echo "In the datadir was found:"
         ls -la "$NEXTCLOUD_DATA_DIR/"
         exit 1
@@ -441,6 +467,7 @@ php /var/www/html/occ app:enable support
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
+php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
@@ -583,6 +610,21 @@ else
     fi
 fi
 
+# Talk recording
+if [ -d "/var/www/html/custom_apps/spreed" ]; then
+    if [ "$TALK_RECORDING_ENABLED" = 'yes' ]; then
+        while ! nc -z "$TALK_RECORDING_HOST" 1234; do
+            echo "waiting for Talk Recording to become available..."
+            sleep 5
+        done
+        # TODO: migrate to occ command if that becomes available
+        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
+        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
+    else
+        php /var/www/html/occ config:app:delete spreed recording_servers
+    fi
+fi
+
 # Clamav
 if [ "$CLAMAV_ENABLED" = 'yes' ]; then
     count=0

Containers/nextcloud/healthcheck.sh

@@ -2,6 +2,6 @@
 
 nc -z "$POSTGRES_HOST" 5432 || exit 0
 
-if ! nc -z localhost 9000 || ! nc -z localhost 7867; then
+if ! nc -z localhost 9000; then
     exit 1
 fi

Containers/nextcloud/start.sh

@@ -131,14 +131,4 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
     exit 1
 fi
 
-# Correctly set CPU_ARCH for notify_push
-CPU_ARCH="$(uname -m)"
-export CPU_ARCH
-if [ -z "$CPU_ARCH" ]; then
-    echo "Could not get processor architecture. Exiting."
-    exit 1
-elif [ "$CPU_ARCH" != "x86_64" ]; then
-    export CPU_ARCH="aarch64"
-fi
-
 exec "$@"

Containers/nextcloud/supervisord.conf

@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 
-[program:notify-push]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
-user=www-data
-
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

Containers/notify-push/Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:3.18.2
+
+COPY --chmod=775 start.sh /start.sh
+
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        netcat-openbsd \
+        tzdata \
+        bash \
+        openssl; \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk del --no-cache \
+        openssl;
+
+USER 33
+ENTRYPOINT ["/start.sh"]
+
+HEALTHCHECK CMD nc -z localhost 7867 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/notify-push/start.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+if [ -z "$NEXTCLOUD_HOST" ]; then
+    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$POSTGRES_HOST" ]; then
+    echo "POSTGRES_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$REDIS_HOST" ]; then
+    echo "REDIS_HOST need to be provided. Exiting!"
+    exit 1
+fi
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+# Correctly set CPU_ARCH for notify_push
+CPU_ARCH="$(uname -m)"
+export CPU_ARCH
+if [ -z "$CPU_ARCH" ]; then
+    echo "Could not get processor architecture. Exiting."
+    exit 1
+elif [ "$CPU_ARCH" != "x86_64" ]; then
+    export CPU_ARCH="aarch64"
+fi
+
+# Run it
+/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --database-prefix="oc_" \
+    --nextcloud-url "https://$NC_DOMAIN" \
+    --port 7867 \
+    --redis-url "redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST" \
+    --database-url "postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+
+exec "$@"

Containers/onlyoffice/Dockerfile

@@ -1,5 +1,7 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.3.3.50
+FROM onlyoffice/documentserver:7.4.0.1
+
+# USER root is probably used
 
 HEALTHCHECK CMD nc -z localhost 80 || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/postgresql/Dockerfile

@@ -6,7 +6,11 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
 
 RUN set -ex; \
-    apk add --no-cache bash openssl shadow grep mawk; \
+    apk add --no-cache \
+        bash \
+        openssl \
+        shadow \
+        grep; \
     \
 # We need to use the same gid and uid as on old installations
     deluser postgres; \
@@ -24,7 +28,8 @@ RUN set -ex; \
     chown postgres:postgres /mnt/data; \
     \
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl;
 
 VOLUME /mnt/data
 

Containers/postgresql/start.sh

@@ -146,11 +146,19 @@ if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
     rm -rf "${DATADIR:?}/"*
 fi
 
-echo "Setting max connections..."
-MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
-MAX_CONNECTIONS=$((MEMORY/50+3))
-if [ -n "$MAX_CONNECTIONS" ]; then
-    sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+# Modify postgresql.conf
+if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
+    echo "Setting max connections..."
+    MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+    MAX_CONNECTIONS=$((MEMORY/50+3))
+    if [ -n "$MAX_CONNECTIONS" ]; then
+        sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+    fi
+
+    # Modify conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
+    fi
 fi
 
 # Catch docker stop attempts

Containers/redis/Dockerfile

@@ -1,7 +1,7 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
 FROM redis:7.0.11-alpine
 
-COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=775 start.sh /start.sh
 
 RUN set -ex; \
     apk add --no-cache openssl bash; \
@@ -10,7 +10,7 @@ RUN set -ex; \
     echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER redis
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/redis/start.sh

@@ -8,9 +8,9 @@ fi
 
 # Run redis with a password if provided
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else
-    exec redis-server
+    exec redis-server --loglevel warning
 fi
 
 exec "$@"

Containers/talk-recording/Dockerfile

@@ -0,0 +1,46 @@
+FROM python:3.11.4-alpine3.18
+
+COPY --chmod=775 start.sh /start.sh
+
+ENV RECORDING_VERSION v17.0.0
+
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        tzdata \
+        bash \
+        xvfb \
+        ffmpeg \
+        firefox \
+        bind-tools \
+        netcat-openbsd \
+        git \
+        wget \
+        shadow \
+        pulseaudio \
+        openssl; \
+    # chromium chromium-chromedriver?
+    apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing; \
+    useradd -d /tmp --system recording; \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
+    mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \
+    python3 -m pip install /src/recording/src; \
+    rm -rf /src; \
+    touch /etc/recording.conf; \
+    chown recording:recording -R \
+        /tmp /etc/recording.conf; \
+    apk del --no-cache \
+        git \
+        wget \
+        shadow \
+        openssl;
+
+WORKDIR /tmp
+USER recording
+ENTRYPOINT ["/start.sh"]
+CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/etc/recording.conf"]
+
+HEALTHCHECK CMD nc -z localhost 1234 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/talk-recording/recording.conf

@@ -0,0 +1,111 @@
+[logs]
+# Log level based on numeric values of Python logging levels:
+# - Critical: 50
+# - Error:    40
+# - Warning:  30
+# - Info:     20
+# - Debug:    10
+# - Not set:   0
+#level = 20
+
+[http]
+# IP and port to listen on for HTTP requests.
+#listen = 127.0.0.1:8000
+
+[backend]
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used during development.
+#allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Comma-separated list of backend ids allowed to connect.
+#backends = backend-id, another-backend
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+# Overridable by backend.
+#skipverify = false
+
+# Maximum allowed size in bytes for messages sent by the backend.
+# Overridable by backend.
+#maxmessagesize = 1024
+
+# Width for recorded videos.
+# Overridable by backend.
+#videowidth = 1920
+
+# Height for recorded videos.
+# Overridable by backend.
+#videoheight = 1080
+
+# Temporary directory used to store recordings until uploaded. It must be
+# writable by the user running the recording server.
+# Overridable by backend.
+#directory = /tmp
+
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# URL of the Nextcloud instance
+#url = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[signaling]
+# Common shared secret for authenticating as an internal client of signaling
+# servers if a specific secret is not set for a signaling server. This must be
+# the same value as configured in the signaling server configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+# Comma-separated list of signaling servers with specific internal secrets.
+#signalings = signaling-id, another-signaling
+
+# Signaling server configurations as defined in the "[signaling]" section above.
+# The section names must match the ids used in "signalings" above.
+#[signaling-id]
+# URL of the signaling server
+#url = https://signaling.domain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+#[another-signaling]
+# URL of the signaling server
+#url = https://signaling.otherdomain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+[ffmpeg]
+# The options given to FFmpeg to encode the audio output. The options given here
+# fully override the default options for the audio output.
+#outputaudio = -c:a libopus
+
+# The options given to FFmpeg to encode the video output. The options given here
+# fully override the default options for the video output.
+#outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+
+# The extension of the file for audio only recordings.
+#extensionaudio = .ogg
+
+# The extension of the file for audio and video recordings.
+#extensionvideo = .webm

Containers/talk-recording/start.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Variables
+if [ -z "$NC_DOMAIN" ]; then
+    echo "You need to provide the NC_DOMAIN."
+    exit 1
+elif [ -z "$RECORDING_SECRET" ]; then
+    echo "You need to provide the RECORDING_SECRET."
+    exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+    echo "You need to provide the INTERNAL_SECRET."
+    exit 1
+fi
+
+cat << RECORDING_CONF > "/etc/recording.conf"
+[logs]
+level = 30
+
+[http]
+listen = 0.0.0.0:1234
+
+[backend]
+allowall = false
+# TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
+secret = ${RECORDING_SECRET}
+backends = backend-1
+skipverify = false
+maxmessagesize = 1024
+videowidth = 1920
+videoheight = 1080
+directory = /tmp
+
+[backend-1]
+url = https://${NC_DOMAIN}
+secret = ${RECORDING_SECRET}
+skipverify = false
+
+[signaling]
+signalings = signaling-1
+
+[signaling-1]
+url = https://${NC_DOMAIN}/standalone-signaling/
+internalsecret = ${INTERNAL_SECRET}
+
+[ffmpeg]
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm
+RECORDING_CONF
+
+exec "$@"

Containers/talk/Dockerfile

@@ -1,19 +1,23 @@
-FROM nats:2.9.17-scratch as nats
+FROM nats:2.9.18-scratch as nats
 FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
-FROM coturn/coturn:4.6.2-r0-alpine
+FROM coturn/coturn:4.6.2-r3-alpine
 USER root
+# Pin alpine version manually as long as https://github.com/coturn/coturn/issues/1226 is not done
+ENV ALPINE_VERSION=3.18
 
 COPY --from=nats /nats-server /usr/local/bin/nats-server
 COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
 
-COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=775 start.sh /start.sh
 COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
+    grep VERSION_ID /etc/os-release | grep -q "$ALPINE_VERSION.[0-9]\+$"; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
         bash \
+        janus-gateway \
         openssl \
         supervisor \
         bind-tools \
@@ -21,9 +25,9 @@ RUN set -ex; \
         shadow \
         util-linux \
         build-base \
+        wget \
         lua5.3-dev \
         luarocks5.3; \
-    apk add --no-cache janus-gateway --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
     useradd --system talk; \
     luarocks-5.3 install luajson; \
     luarocks-5.3 install ansicolors; \
@@ -32,6 +36,7 @@ RUN set -ex; \
         shadow \
         util-linux \
         build-base \
+        wget \
         lua5.3-dev \
         luarocks5.3; \
     \
@@ -62,8 +67,8 @@ RUN set -ex; \
 ENV TALK_PORT=3478
 
 USER talk
-ENTRYPOINT ["start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+ENTRYPOINT ["/start.sh"]
+CMD ["supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/talk/server.conf.in

@@ -0,0 +1,314 @@
+[http]
+# IP and port to listen on for HTTP requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8080
+
+# HTTP socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTP socket write timeout in seconds.
+#writetimeout = 15
+
+[https]
+# IP and port to listen on for HTTPS requests.
+# Comment line to disable the listener.
+#listen = 127.0.0.1:8443
+
+# HTTPS socket read timeout in seconds.
+#readtimeout = 15
+
+# HTTPS socket write timeout in seconds.
+#writetimeout = 15
+
+# Certificate / private key to use for the HTTPS server.
+certificate = /etc/nginx/ssl/server.crt
+key = /etc/nginx/ssl/server.key
+
+[app]
+# Set to "true" to install pprof debug handlers.
+# See "https://golang.org/pkg/net/http/pprof/" for further information.
+debug = false
+
+# Set to "true" to allow subscribing any streams. This is insecure and should
+# only be enabled for testing. By default only streams of users in the same
+# room and call can be subscribed.
+#allowsubscribeany = false
+
+[sessions]
+# Secret value used to generate checksums of sessions. This should be a random
+# string of 32 or 64 bytes.
+hashkey = the-secret-for-session-checksums
+
+# Optional key for encrypting data in the sessions. Must be either 16, 24 or
+# 32 bytes.
+# If no key is specified, data will not be encrypted (not recommended).
+blockkey = -encryption-key-
+
+[clients]
+# Shared secret for connections from internal clients. This must be the same
+# value as configured in the respective internal services.
+internalsecret = the-shared-secret-for-internal-clients
+
+[backend]
+# Type of backend configuration.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A comma-separated list of backends is given in the "backends" option.
+# - etcd: Backends are retrieved from an etcd cluster.
+#backendtype = static
+
+# For backend type "static":
+# Comma-separated list of backend ids from which clients are allowed to connect
+# from. Each backend will have isolated rooms, i.e. clients connecting to room
+# "abc12345" on backend 1 will be in a different room than clients connected to
+# a room with the same name on backend 2. Also sessions connected from different
+# backends will not be able to communicate with each other.
+#backends = backend-id, another-backend
+
+# For backend type "etcd":
+# Key prefix of backend entries. All keys below will be watched and assumed to
+# contain a JSON document with the following entries:
+# - "url": Url of the Nextcloud instance.
+# - "secret": Shared secret for requests from and to the backend servers.
+#
+# Additional optional entries:
+# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second).
+# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second).
+# - "sessionlimit": Number of sessions that are allowed to connect.
+#
+# Example:
+# "/signaling/backend/one" -> {"url": "https://nextcloud.domain1.invalid", ...}
+# "/signaling/backend/two" -> {"url": "https://domain2.invalid/nextcloud", ...}
+#backendprefix = /signaling/backend
+
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used while running the benchmark client against the server.
+allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Timeout in seconds for requests to the backend.
+timeout = 10
+
+# Maximum number of concurrent backend connections per host.
+connectionsperhost = 8
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For backendtype "static":
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# URL of the Nextcloud instance
+#url = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Limit the number of sessions that are allowed to connect to this backend.
+# Omit or set to 0 to not limit the number of sessions.
+#sessionlimit = 10
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Defaults to the maximum bitrate configured for the proxy / MCU.
+#maxscreenbitrate = 2097152
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[nats]
+# Url of NATS backend to use. This can also be a list of URLs to connect to
+# multiple backends. For local development, this can be set to "nats://loopback"
+# to process NATS messages internally instead of sending them through an
+# external NATS backend.
+#url = nats://localhost:4222
+
+[mcu]
+# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
+# Leave empty to disable MCU functionality.
+#type =
+
+# For type "janus": the URL to the websocket endpoint of the MCU server.
+# For type "proxy": a space-separated list of proxy URLs to connect to.
+#url =
+
+# The maximum bitrate per publishing stream (in bits per second).
+# Defaults to 1 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxstreambitrate = 1048576
+
+# The maximum bitrate per screensharing stream (in bits per second).
+# Default is 2 mbit/sec.
+# For type "proxy": will be capped to the maximum bitrate configured at the
+# proxy server that is used.
+#maxscreenbitrate = 2097152
+
+# For type "proxy": timeout in seconds for requests to the proxy server.
+#proxytimeout = 2
+
+# For type "proxy": type of URL configuration for proxy servers.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A space-separated list of proxy URLs is given in the "url" option.
+# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
+#urltype = static
+
+# If set to "true", certificate validation of proxy servers will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+#skipverify = false
+
+# For type "proxy": the id of the token to use when connecting to proxy servers.
+#token_id = server1
+
+# For type "proxy": the private key for the configured token id to use when
+# connecting to proxy servers.
+#token_key = privkey.pem
+
+# For url type "static": Enable DNS discovery on hostname of configured URL.
+# If the hostname resolves to multiple IP addresses, a connection is established
+# to each of them.
+# Changes to the DNS are monitored regularly and proxy connections are created
+# or deleted as necessary.
+#dnsdiscovery = true
+
+# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
+# watched and assumed to contain a JSON document. The entry "address" from this
+# document will be used as proxy URL, other contents in the document will be
+# ignored.
+#
+# Example:
+# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
+# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
+#keyprefix = /signaling/proxy/server
+
+[turn]
+# API key that the MCU will need to send when requesting TURN credentials.
+#apikey = the-api-key-for-the-rest-service
+
+# The shared secret to use for generating TURN credentials. This must be the
+# same as on the TURN server.
+#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
+
+# A comma-separated list of TURN servers to use. Leave empty to disable the
+# TURN REST API.
+#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
+
+[geoip]
+# License key to use when downloading the MaxMind GeoIP database. You can
+# register an account at "https://www.maxmind.com/en/geolite2/signup" for
+# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
+# information.
+# Leave empty to disable GeoIP lookups.
+#license =
+
+# Optional URL to download a MaxMind GeoIP database from. Will be generated if
+# "license" is provided above. Can be a "file://" url if a local file should
+# be used. Please note that the database must provide a country field when
+# looking up IP addresses.
+#url =
+
+[geoip-overrides]
+# Optional overrides for GeoIP lookups. The key is an IP address / range, the
+# value the associated country code.
+#127.0.0.1 = DE
+#192.168.0.0/24 = DE
+
+[continent-overrides]
+# Optional overrides for continent mappings. The key is a continent code, the
+# value a comma-separated list of continent codes to map the continent to.
+# Use European servers for clients in Africa.
+#AF = EU
+# Use servers in North Africa for clients in South America.
+#SA = NA
+
+[stats]
+# Comma-separated list of IP addresses that are allowed to access the stats
+# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
+#allowed_ips =
+
+[etcd]
+# Comma-separated list of static etcd endpoints to connect to.
+#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
+
+# Options to perform endpoint discovery through DNS SRV.
+# Only used if no endpoints are configured manually.
+#discoverysrv = example.com
+#discoveryservice = foo
+
+# Path to private key, client certificate and CA certificate if TLS
+# authentication should be used.
+#clientkey = /path/to/etcd-client.key
+#clientcert = /path/to/etcd-client.crt
+#cacert = /path/to/etcd-ca.crt
+
+[grpc]
+# IP and port to listen on for GRPC requests.
+# Comment line to disable the listener.
+#listen = 0.0.0.0:9090
+
+# Certificate / private key to use for the GRPC server.
+# Omit to use unencrypted connections.
+#servercertificate = /path/to/grpc-server.crt
+#serverkey = /path/to/grpc-server.key
+
+# CA certificate that is allowed to issue certificates of GRPC servers.
+# Omit to expect unencrypted connections.
+#serverca = /path/to/grpc-ca.crt
+
+# Certificate / private key to use for the GRPC client.
+# Omit if clients don't need to authenticate on the server.
+#clientcertificate = /path/to/grpc-client.crt
+#clientkey = /path/to/grpc-client.key
+
+# CA certificate that is allowed to issue certificates of GRPC clients.
+# Omit to allow any clients to connect.
+#clientca = /path/to/grpc-ca.crt
+
+# Type of GRPC target configuration.
+# Defaults to "static".
+#
+# Possible values:
+# - static: A comma-separated list of targets is given in the "targets" option.
+# - etcd: Target URLs are retrieved from an etcd cluster.
+#targettype = static
+
+# For target type "static": Comma-separated list of GRPC targets to connect to
+# for clustering mode.
+#targets = 192.168.0.1:9090, 192.168.0.2:9090
+
+# For target type "static": Enable DNS discovery on hostnames of GRPC target.
+# If a hostname resolves to multiple IP addresses, a connection is established
+# to each of them.
+# Changes to the DNS are monitored regularly and GRPC clients are created or
+# deleted as necessary.
+#dnsdiscovery = true
+
+# For target type "etcd": Key prefix of GRPC target entries. All keys below will
+# be watched and assumed to contain a JSON document. The entry "address" from
+# this document will be used as target URL, other contents in the document will
+# be ignored.
+#
+# Example:
+# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"}
+# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"}
+#targetprefix = /signaling/cluster/grpc

Containers/talk/start.sh

@@ -10,6 +10,9 @@ elif [ -z "$TURN_SECRET" ]; then
 elif [ -z "$SIGNALING_SECRET" ]; then
     echo "You need to provide the SIGNALING_SECRET."
     exit 1
+elif [ -z "$INTERNAL_SECRET" ]; then
+    echo "You need to provide the INTERNAL_SECRET."
+    exit 1
 fi
 
 set -x
@@ -63,7 +66,7 @@ hashkey = $(openssl rand -hex 16)
 blockkey = $(openssl rand -hex 16)
 
 [clients]
-internalsecret = $(openssl rand -hex 16)
+internalsecret = ${INTERNAL_SECRET}
 
 [backend]
 backends = backend-1

Containers/talk/supervisord.conf

@@ -27,7 +27,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout
+command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 
 [program:signaling]
 stdout_logfile=/dev/stdout

Containers/watchtower/Dockerfile

@@ -1,12 +1,14 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.5.3 as watchtower
 
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 
 RUN apk add --no-cache bash
 COPY --from=watchtower /watchtower /watchtower
 
 COPY --chmod=775 start.sh /start.sh
 
+USER root
+
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

app/appinfo/info.xml

@@ -5,7 +5,7 @@
 	<name>Nextcloud All-in-One</name>
 	<summary>Provides a login link for admins.</summary>
 	<description>Add a link to the admin settings that gives access to the Nextcloud All-in-One admin interface</description>
-	<version>0.3.0</version>
+	<version>0.4.0</version>
 	<licence>agpl</licence>
 	<author>Azul</author>
 	<namespace>AllInOne</namespace>

compose.yaml

@@ -1,9 +1,3 @@
-version: "3.8"
-
-volumes:
-  nextcloud_aio_mastercontainer:
-    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
-
 services:
   nextcloud:
     image: nextcloud/all-in-one:latest
@@ -13,26 +7,26 @@ services:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
       - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
     ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       - 8080:8080
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
     # environment: # Is needed when using any of the options below
-      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface.
-      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
       # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
-      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
       # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
       # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
       # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
       # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
+      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
       # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
       # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
       # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container which is needed for hardware-transcoding. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using.
+      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
       # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
     # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
       # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
@@ -51,9 +45,12 @@ services:
   #     - ./sites:/srv
   #   network_mode: "host"
 
+volumes:
+  nextcloud_aio_mastercontainer:
+    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
+
 # # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
 # # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
-# # Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 # networks:
 #   nextcloud-aio:
 #     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO

docker-rootless.md

@@ -9,7 +9,7 @@ You can run AIO with docker rootless by following the steps below.
 1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
 1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`)
 1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
-1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or docker-compose file (after installing docker rootles) are things that are mentioned in point 3.
+1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
 
 **Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with `sudo chown -R USERNAME:GROUPNAME /mnt/backup`. The same applies when changing Nextcloud's datadir. E.g. `sudo chown -R USERNAME:GROUPNAME /mnt/ncdata`. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). 
 

local-instance.md

@@ -6,14 +6,14 @@ The recommended way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
 1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
-1. Enter the ip-address of your local dns-server in the deamon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
+1. Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
 1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup
 
 ## 2. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
 
 ## 3. Use Cloudflare
-If you do not have any contol over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
+If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
 
 ## 4. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.

manual-install/latest.yml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
   nextcloud-aio-apache:
     depends_on:
@@ -42,9 +40,9 @@ services:
       - PGTZ=${TIMEZONE}
     stop_grace_period: 1800s
     restart: unless-stopped
+    shm_size: 268435456
     networks:
       - nextcloud-aio
-    shm_size: 268435456
 
   nextcloud-aio-nextcloud:
     depends_on:
@@ -52,6 +50,7 @@ services:
       - nextcloud-aio-redis
       - nextcloud-aio-clamav
       - nextcloud-aio-fulltextsearch
+      - nextcloud-aio-talk-recording
       - nextcloud-aio-imaginary
     image: nextcloud/aio-nextcloud:latest
     expose:
@@ -69,7 +68,6 @@ services:
       - POSTGRES_USER=nextcloud
       - REDIS_HOST=nextcloud-aio-redis
       - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - AIO_TOKEN=${AIO_TOKEN}
       - NC_DOMAIN=${NC_DOMAIN}
       - ADMIN_USER=admin
       - ADMIN_PASSWORD=${NEXTCLOUD_PASSWORD}
@@ -79,7 +77,6 @@ services:
       - TURN_SECRET=${TURN_SECRET}
       - SIGNALING_SECRET=${SIGNALING_SECRET}
       - ONLYOFFICE_SECRET=${ONLYOFFICE_SECRET}
-      - AIO_URL=${AIO_URL}
       - NEXTCLOUD_MOUNT=${NEXTCLOUD_MOUNT}
       - CLAMAV_ENABLED=${CLAMAV_ENABLED}
       - CLAMAV_HOST=nextcloud-aio-clamav
@@ -103,6 +100,9 @@ services:
       - ADDITIONAL_APKS=${NEXTCLOUD_ADDITIONAL_APKS}
       - ADDITIONAL_PHP_EXTENSIONS=${NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS}
       - INSTALL_LATEST_MAJOR=${INSTALL_LATEST_MAJOR}
+      - TALK_RECORDING_ENABLED=${TALK_RECORDING_ENABLED}
+      - RECORDING_SECRET=${RECORDING_SECRET}
+      - TALK_RECORDING_HOST=nextcloud-aio-talk-recording
     restart: unless-stopped
     networks:
       - nextcloud-aio
@@ -119,9 +119,9 @@ services:
     restart: unless-stopped
     networks:
       - nextcloud-aio
+    read_only: true
 
   nextcloud-aio-collabora:
-    profiles: ["collabora"]
     image: nextcloud/aio-collabora:latest
     expose:
       - "9980"
@@ -132,14 +132,13 @@ services:
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}
       - DONT_GEN_SSL_CERT=1
-    volumes:
-      - nextcloud_aio_collabora_fonts:/opt/cool/systemplate/tmpfonts:rw
     restart: unless-stopped
+    profiles:
+      - collabora
     networks:
       - nextcloud-aio
 
   nextcloud-aio-talk:
-    profiles: ["talk"]
     image: nextcloud/aio-talk:latest
     ports:
       - ${TALK_PORT}:${TALK_PORT}/tcp
@@ -152,12 +151,31 @@ services:
       - SIGNALING_SECRET=${SIGNALING_SECRET}
       - TZ=${TIMEZONE}
       - TALK_PORT=${TALK_PORT}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
     restart: unless-stopped
+    profiles:
+      - talk
+      - talk-recording
+    networks:
+      - nextcloud-aio
+
+  nextcloud-aio-talk-recording:
+    image: nextcloud/aio-talk-recording:latest
+    expose:
+      - "1234"
+    environment:
+      - NC_DOMAIN=${NC_DOMAIN}
+      - TZ=${TIMEZONE}
+      - RECORDING_SECRET=${RECORDING_SECRET}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
+    shm_size: 2147483648
+    restart: unless-stopped
+    profiles:
+      - talk-recording
     networks:
       - nextcloud-aio
 
   nextcloud-aio-clamav:
-    profiles: ["clamav"]
     image: nextcloud/aio-clamav:latest
     expose:
       - "3310"
@@ -167,11 +185,12 @@ services:
     volumes:
       - nextcloud_aio_clamav:/var/lib/clamav:rw
     restart: unless-stopped
+    profiles:
+      - clamav
     networks:
       - nextcloud-aio
 
   nextcloud-aio-onlyoffice:
-    profiles: ["onlyoffice"]
     image: nextcloud/aio-onlyoffice:latest
     expose:
       - "80"
@@ -183,24 +202,26 @@ services:
     volumes:
       - nextcloud_aio_onlyoffice:/var/lib/onlyoffice:rw
     restart: unless-stopped
+    profiles:
+      - onlyoffice
     networks:
       - nextcloud-aio
 
   nextcloud-aio-imaginary:
-    profiles: ["imaginary"]
     image: nextcloud/aio-imaginary:latest
     expose:
       - "9000"
     environment:
       - TZ=${TIMEZONE}
     restart: unless-stopped
-    networks:
-      - nextcloud-aio
     cap_add:
       - SYS_NICE
+    profiles:
+      - imaginary
+    networks:
+      - nextcloud-aio
 
   nextcloud-aio-fulltextsearch:
-    profiles: ["fulltextsearch"]
     image: nextcloud/aio-fulltextsearch:latest
     expose:
       - "9200"
@@ -212,6 +233,8 @@ services:
     volumes:
       - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
     restart: unless-stopped
+    profiles:
+      - fulltextsearch
     networks:
       - nextcloud-aio
 
@@ -220,8 +243,6 @@ volumes:
     name: nextcloud_aio_apache
   nextcloud_aio_clamav:
     name: nextcloud_aio_clamav
-  nextcloud_aio_collabora_fonts:
-    name: nextcloud_aio_collabora_fonts
   nextcloud_aio_database:
     name: nextcloud_aio_database
   nextcloud_aio_database_dump:

manual-install/readme.md

@@ -11,33 +11,34 @@ You can run the containers that are build for AIO with docker-compose. This come
 - You lose the AIO interface
 - You lose update notifications and automatic updates
 - You lose all AIO backup and restore features
-- **You need to know what you are doing, especially when modifying the docker-compose file**
+- **You need to know what you are doing, especially when modifying the compose.yaml file**
 - For updating, you need to strictly follow the at the bottom described update routine
 - Probably more
 
 ## How to use this?
-First, install docker and docker-compose if not already done. Then simply run the following:
+First, install docker and docker-compose (v2) if not already done. Then simply run the following:
 ```bash
 git clone https://github.com/nextcloud/all-in-one.git
 cd all-in-one/manual-install
 ```
 Then copy the sample.conf to default environment file, e.g. `cp sample.conf .env`, open the new conf file, e.g. with `nano .env`, edit all values that are marked with `# TODO!`, close and save the file. (Note: there is no clamav image for arm64).
 
-Now copy the provided yaml file to a docker-compose file by running `cp latest.yml docker-compose.yml`.
+Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml compose.yaml`.
 
 Now you should be ready to go with `sudo docker-compose up`.
 
 ## Docker profiles
-The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, onlyoffice, talk, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
+The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, talk, talk-recording, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
 
-For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).
+For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile talk-recording --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).
 
 ## How to update?
 Since the AIO containers may change in the future, it is highly recommended to strictly follow the following procedure whenever you want to upgrade your containers.
-1. If your previous copy of `sample.conf` is named `my.conf`, run `mv my.conf .env` in order to rename the file to `.env`.
+1. If your previous copy of `sample.conf` is named `my.conf`, run `mv -vn my.conf .env` in order to rename the file to `.env`.
 1. Run `sudo docker-compose down` to stop all running containers
 1. Back up all important files and folders
-1. Run `git pull` in order to get the updated yaml files from the repository. Now bring your `docker-compose.yml` file up-to-date with the updated one from the repository. You can use `diff docker-compose.yml latest.yml` for comparing. ⚠️ **Please note**: Starting with AIO v5.1.0, ipv6 networking will be enabled by default, so make sure to either enable it first by following steps 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md and then proceed with the steps below or disable ipv6 networking by editing the docker-compose file and removing ipv6 from the network.
+1. If your compose file is still named `docker-compose.yml` rename it to `compose.yaml` by running `mv -vn docker-compose.yml compose.yaml`
+1. Run `git pull` in order to get the updated yaml files from the repository. Now bring your `compose.yaml` file up-to-date with the updated one from the repository. You can use `diff compose.yaml latest.yml` for comparing. ⚠️ **Please note**: Starting with AIO v5.1.0, ipv6 networking will be enabled by default, so make sure to either enable it first by following steps 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md and then proceed with the steps below or disable ipv6 networking by editing the compose.yaml file and removing ipv6 from the network.
 1. Also have a look at the `sample.conf` if any variable was added or renamed and add that to your conf file as well. Here may help the diff command as well.
 1. After the file update was successful, simply run `sudo docker-compose pull` to pull the new images.
 1. At the end run `sudo docker-compose up` in order to start and update the containers with the new configuration.

manual-install/sample.conf

@@ -1,34 +1,37 @@
-AIO_TOKEN=123456          # Has no function but needs to be set!
-AIO_URL=localhost          # Has no function but needs to be set!
-APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect
-APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
-CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
+NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
+NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
+ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
+RECORDING_SECRET=          # TODO! This needs to be a unique and good password!
+REDIS_PASSWORD=          # TODO! This needs to be a unique and good password!
+SIGNALING_SECRET=          # TODO! This needs to be a unique and good password!
+TALK_INTERNAL_SECRET=          # TODO! This needs to be a unique and good password!
+TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.
+TURN_SECRET=          # TODO! This needs to be a unique and good password!
+
+CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+COLLABORA_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 FULLTEXTSEARCH_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 IMAGINARY_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+
+APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
+APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
+APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
+COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
+COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
-NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
 NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.
 NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to e.g. "/mnt/ncdata" to map it to a location on your host. It needs to be adjusted before the first startup and never afterwards!
 NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
-NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
 NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=10G          # This allows to change the upload limit of the Nextcloud container
-ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
-REDIS_PASSWORD=          # TODO! This needs to be a unique and good password!
-SIGNALING_SECRET=          # TODO! This needs to be a unique and good password!
-TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 TALK_PORT=3478          # This allows to adjust the port that the talk container is using.
-TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.
-TURN_SECRET=          # TODO! This needs to be a unique and good password!
 UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
 IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use

manual-install/update-yaml.sh

@@ -32,6 +32,11 @@ sed -i '/stop_grace_period:/s/$/s/' containers.yml
 sed -i '/: \[\]/d' containers.yml
 sed -i 's|- source: |- |' containers.yml
 sed -i 's|- ip_binding: |- |' containers.yml
+sed -i '/AIO_TOKEN/d' containers.yml
+sed -i '/AIO_URL/d' containers.yml
+
+sed -i '/AIO_TOKEN/d' sample.conf
+sed -i '/AIO_URL/d' sample.conf
 
 TCP="$(grep -oP '[%A-Z0-9_]+/tcp' containers.yml | sort -u)"
 mapfile -t TCP <<< "$TCP"
@@ -73,11 +78,9 @@ sed -i 's|APACHE_MAX_SIZE=|APACHE_MAX_SIZE=10737418240          # This needs to
 sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container|' sample.conf
 sed -i 's|NEXTCLOUD_TRUSTED_CACERTS_DIR=|NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf
 sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf
-sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).|' sample.conf
-sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect|' sample.conf
+sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).|' sample.conf
+sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect|' sample.conf
 sed -i 's|TALK_PORT=|TALK_PORT=3478          # This allows to adjust the port that the talk container is using.|' sample.conf
-sed -i 's|AIO_TOKEN=|AIO_TOKEN=123456          # Has no function but needs to be set!|' sample.conf
-sed -i 's|AIO_URL=|AIO_URL=localhost          # Has no function but needs to be set!|' sample.conf
 sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.|' sample.conf
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
@@ -89,6 +92,16 @@ sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to
 sed -i 's|=$|=          # TODO! This needs to be a unique and good password!|' sample.conf
 echo 'IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use' >> sample.conf
 
+grep  '# TODO!' sample.conf > todo.conf
+grep -v '# TODO!\|_ENABLED' sample.conf > temp.conf
+grep '_ENABLED' sample.conf > enabled.conf
+cat todo.conf > sample.conf
+# shellcheck disable=SC2129
+echo '' >> sample.conf
+cat enabled.conf >> sample.conf
+echo '' >> sample.conf
+cat temp.conf >> sample.conf
+rm todo.conf temp.conf enabled.conf
 cat sample.conf
 
 OUTPUT="$(cat containers.yml)"
@@ -96,23 +109,13 @@ NAMES="$(grep -oP "container_name:.*" containers.yml | grep -oP 'nextcloud-aio.*
 mapfile -t NAMES <<< "$NAMES"
 for name in "${NAMES[@]}"
 do
-    OUTPUT="$(echo "$OUTPUT" | sed "/container_name.*$name/i\ \ $name:")"
+    OUTPUT="$(echo "$OUTPUT" | sed "/container_name.*$name$/i\ \ $name:")"
     if [ "$name" != "nextcloud-aio-apache" ]; then
         OUTPUT="$(echo "$OUTPUT" | sed "/  $name:/i\ ")"
     fi
-    if ! echo "$name" | grep "apache$" && ! echo "$name" | grep "database$" && ! echo "$name" | grep "nextcloud$" && ! echo "$name" | grep "redis$"; then
-        sed -i '/container_name/d' containers.yml
-        SLIM_NAME="${name##nextcloud-aio-}"
-        OUTPUT="$(echo "$OUTPUT" | sed "/container_name: $name$/a\ \ \ \ profiles:\ \[\"$SLIM_NAME\"\]")"
-    fi
 done
 
-OUTPUT="$(echo "$OUTPUT" | sed "/restart: /a\ \ \ \ networks:\n\ \ \ \ \ \ - nextcloud-aio")"
-
-echo 'version: "3.8"' > containers.yml
-echo "" >> containers.yml
-
-echo "$OUTPUT" >> containers.yml
+echo "$OUTPUT" > containers.yml
 
 sed -i '/container_name/d' containers.yml
 sed -i 's|^ $||' containers.yml

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 5.2.2
+version: 6.1.1
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -54,7 +54,7 @@ spec:
               value: nextcloud-aio-talk
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20230530_084406-latest
+          image: nextcloud/aio-apache:20230613_120442-latest
           name: nextcloud-aio-apache
           ports:
             - containerPort: {{ .Values.APACHE_PORT }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "90"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20230530_084406-latest
+          image: nextcloud/aio-clamav:20230613_120442-latest
           name: nextcloud-aio-clamav
           ports:
             - containerPort: 3310

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -22,16 +22,6 @@ spec:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-collabora
     spec:
-      initContainers:
-        - name: init-volumes
-          image: alpine
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-collabora-fonts
-          volumeMounts:
-            - name: nextcloud-aio-collabora-fonts
-              mountPath: /nextcloud-aio-collabora-fonts
       containers:
         - env:
             - name: DONT_GEN_SSL_CERT
@@ -46,15 +36,8 @@ spec:
               value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20230530_084406-latest
+          image: nextcloud/aio-collabora:20230613_120442-latest
           name: nextcloud-aio-collabora
           ports:
             - containerPort: 9980
-          volumeMounts:
-            - mountPath: /opt/cool/systemplate/tmpfonts
-              name: nextcloud-aio-collabora-fonts
-      volumes:
-        - name: nextcloud-aio-collabora-fonts
-          persistentVolumeClaim:
-            claimName: nextcloud-aio-collabora-fonts
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-fonts-persistentvolumeclaim.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  labels:
-    io.kompose.service: nextcloud-aio-collabora-fonts
-  name: nextcloud-aio-collabora-fonts
-spec:
-  {{- if .Values.STORAGE_CLASS }}
-  storageClassName: {{ .Values.STORAGE_CLASS }}
-  {{- end }}
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: {{ .Values.COLLABORA_FONTS_STORAGE_SIZE }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -60,7 +60,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20230530_084406-latest
+          image: nextcloud/aio-postgresql:20230613_120442-latest
           name: nextcloud-aio-database
           ports:
             - containerPort: 5432

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: discovery.type
               value: single-node
-          image: nextcloud/aio-fulltextsearch:20230530_084406-latest
+          image: nextcloud/aio-fulltextsearch:20230613_120442-latest
           name: nextcloud-aio-fulltextsearch
           ports:
             - containerPort: 9200

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -26,7 +26,7 @@ spec:
         - env:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20230530_084406-latest
+          image: nextcloud/aio-imaginary:20230613_120442-latest
           name: nextcloud-aio-imaginary
           ports:
             - containerPort: 9000

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -44,10 +44,6 @@ spec:
               value: "{{ .Values.NEXTCLOUD_PASSWORD }}"
             - name: ADMIN_USER
               value: admin
-            - name: AIO_TOKEN
-              value: "{{ .Values.AIO_TOKEN }}"
-            - name: AIO_URL
-              value: "{{ .Values.AIO_URL }}"
             - name: CLAMAV_ENABLED
               value: "{{ .Values.CLAMAV_ENABLED }}"
             - name: CLAMAV_HOST
@@ -94,6 +90,8 @@ spec:
               value: "{{ .Values.DATABASE_PASSWORD }}"
             - name: POSTGRES_USER
               value: nextcloud
+            - name: RECORDING_SECRET
+              value: "{{ .Values.RECORDING_SECRET }}"
             - name: REDIS_HOST
               value: nextcloud-aio-redis
             - name: REDIS_HOST_PASSWORD
@@ -106,6 +104,10 @@ spec:
               value: "{{ .Values.TALK_ENABLED }}"
             - name: TALK_PORT
               value: "{{ .Values.TALK_PORT }}"
+            - name: TALK_RECORDING_ENABLED
+              value: "{{ .Values.TALK_RECORDING_ENABLED }}"
+            - name: TALK_RECORDING_HOST
+              value: nextcloud-aio-talk-recording
             - name: TRUSTED_CACERTS_DIR
               value: "{{ .Values.NEXTCLOUD_TRUSTED_CACERTS_DIR }}"
             - name: TURN_SECRET
@@ -114,7 +116,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: UPDATE_NEXTCLOUD_APPS
               value: "{{ .Values.UPDATE_NEXTCLOUD_APPS }}"
-          image: nextcloud/aio-nextcloud:20230530_084406-latest
+          image: nextcloud/aio-nextcloud:20230613_120442-latest
           name: nextcloud-aio-nextcloud
           ports:
             - containerPort: 9000

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20230530_084406-latest
+          image: nextcloud/aio-onlyoffice:20230613_120442-latest
           name: nextcloud-aio-onlyoffice
           ports:
             - containerPort: 80

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -37,7 +37,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20230530_084406-latest
+          image: nextcloud/aio-redis:20230613_120442-latest
           name: nextcloud-aio-redis
           ports:
             - containerPort: 6379

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -24,6 +24,8 @@ spec:
     spec:
       containers:
         - env:
+            - name: INTERNAL_SECRET
+              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
             - name: NC_DOMAIN
               value: "{{ .Values.NC_DOMAIN }}"
             - name: SIGNALING_SECRET
@@ -34,7 +36,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20230530_084406-latest
+          image: nextcloud/aio-talk:20230613_120442-latest
           name: nextcloud-aio-talk
           ports:
             - containerPort: {{ .Values.TALK_PORT }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -0,0 +1,39 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml
+    kompose.version: 1.28.0 (c4137012e)
+  labels:
+    io.kompose.service: nextcloud-aio-talk-recording
+  name: nextcloud-aio-talk-recording
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-talk-recording
+  template:
+    metadata:
+      annotations:
+        kompose.cmd: kompose convert -c -f latest.yml
+        kompose.version: 1.28.0 (c4137012e)
+      labels:
+        io.kompose.network/nextcloud-aio: "true"
+        io.kompose.service: nextcloud-aio-talk-recording
+    spec:
+      containers:
+        - env:
+            - name: INTERNAL_SECRET
+              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
+            - name: NC_DOMAIN
+              value: "{{ .Values.NC_DOMAIN }}"
+            - name: RECORDING_SECRET
+              value: "{{ .Values.RECORDING_SECRET }}"
+            - name: TZ
+              value: "{{ .Values.TIMEZONE }}"
+          image: nextcloud/aio-talk-recording:20230613_120442-latest
+          name: nextcloud-aio-talk-recording
+          ports:
+            - containerPort: 1234
+{{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml
+    kompose.version: 1.28.0 (c4137012e)
+  labels:
+    io.kompose.service: nextcloud-aio-talk-recording
+  name: nextcloud-aio-talk-recording
+spec:
+  ports:
+    - name: "1234"
+      port: 1234
+      targetPort: 1234
+  selector:
+    io.kompose.service: nextcloud-aio-talk-recording
+{{- end }}

nextcloud-aio-helm-chart/update-helm.sh

@@ -113,6 +113,10 @@ find ./ -name '*service.yaml' -exec sed -i "/^status:/,$ d" \{} \;
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 # shellcheck disable=SC1083
+find ./ -name '*deployment.yaml' -exec sed -i "/medium: Memory/d" \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*deployment.yaml' -exec sed -i "s|emptyDir:|emptyDir: {}|" \{} \; 
+# shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "s|ReadOnlyMany|ReadWriteOnce|" \{} \;   
 # shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "/accessModes:/i\ \ {{- if .Values.STORAGE_CLASS }}" \{} \;  
@@ -193,6 +197,7 @@ sed -i '/_ENABLED.*/s/ yes / "yes" /' /tmp/sample.conf
 sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
 sed -i 's|10737418240|"10737418240"|' /tmp/sample.conf
+echo "" >> /tmp/sample.conf
 # shellcheck disable=SC2129
 echo 'STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes' >> /tmp/sample.conf
 for variable in "${VOLUME_VARIABLE[@]}"; do
@@ -200,12 +205,12 @@ for variable in "${VOLUME_VARIABLE[@]}"; do
 done
 mv /tmp/sample.conf ../helm-chart/values.yaml
 
-ENABLED_VARIABLES="$(grep -oP '^[A-Z]+_ENABLED' ../helm-chart/values.yaml)"
+ENABLED_VARIABLES="$(grep -oP '^[A-Z_]+_ENABLED' ../helm-chart/values.yaml)"
 mapfile -t ENABLED_VARIABLES <<< "$ENABLED_VARIABLES"
 
 cd ../helm-chart/
 for variable in "${ENABLED_VARIABLES[@]}"; do
-    name="$(echo "$variable" | sed 's|_ENABLED||g' | tr '[:upper:]' '[:lower:]')"
+    name="$(echo "$variable" | sed 's|_ENABLED||g;s|_|-|g' | tr '[:upper:]' '[:lower:]')"
     # shellcheck disable=SC1083
     find ./ -name "*nextcloud-aio-$name-deployment.yaml" -exec sed -i "1i\\{{- if eq .Values.$variable \"yes\" }}" \{} \; 
     # shellcheck disable=SC1083

nextcloud-aio-helm-chart/values.yaml

@@ -1,37 +1,39 @@
-AIO_TOKEN: 123456          # Has no function but needs to be set!
-AIO_URL: localhost          # Has no function but needs to be set!
-APACHE_MAX_SIZE: "10737418240"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
-CLAMAV_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 DATABASE_PASSWORD:           # TODO! This needs to be a unique and good password!
+NC_DOMAIN: yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
+NEXTCLOUD_PASSWORD:           # TODO! This is the password of the initially created Nextcloud admin with username admin.
+ONLYOFFICE_SECRET:           # TODO! This needs to be a unique and good password!
+RECORDING_SECRET:           # TODO! This needs to be a unique and good password!
+REDIS_PASSWORD:           # TODO! This needs to be a unique and good password!
+SIGNALING_SECRET:           # TODO! This needs to be a unique and good password!
+TALK_INTERNAL_SECRET:           # TODO! This needs to be a unique and good password!
+TIMEZONE: Europe/Berlin          # TODO! This is the timezone that your containers will use.
+TURN_SECRET:           # TODO! This needs to be a unique and good password!
+
+CLAMAV_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+COLLABORA_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 FULLTEXTSEARCH_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 IMAGINARY_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+ONLYOFFICE_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_RECORDING_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+
+APACHE_MAX_SIZE: "10737418240"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
+APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
+COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
+COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 INSTALL_LATEST_MAJOR: no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
-NC_DOMAIN: yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
 NEXTCLOUD_ADDITIONAL_APKS: imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.
 NEXTCLOUD_MAX_TIME: 3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT: 512M          # This allows to change the PHP memory limit of the Nextcloud container
-NEXTCLOUD_PASSWORD:           # TODO! This is the password of the initially created Nextcloud admin with username admin.
-NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
+NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container
 NEXTCLOUD_UPLOAD_LIMIT: 10G          # This allows to change the upload limit of the Nextcloud container
-ONLYOFFICE_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
-ONLYOFFICE_SECRET:           # TODO! This needs to be a unique and good password!
-REDIS_PASSWORD:           # TODO! This needs to be a unique and good password!
-SIGNALING_SECRET:           # TODO! This needs to be a unique and good password!
-TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 TALK_PORT: 3478          # This allows to adjust the port that the talk container is using.
-TIMEZONE: Europe/Berlin          # TODO! This is the timezone that your containers will use.
-TURN_SECRET:           # TODO! This needs to be a unique and good password!
 UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
 STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes
 APACHE_STORAGE_SIZE: 1Gi       # You can change the size of the apache volume that default to 1Gi with this value
 CLAMAV_STORAGE_SIZE: 1Gi       # You can change the size of the clamav volume that default to 1Gi with this value
-COLLABORA_FONTS_STORAGE_SIZE: 1Gi       # You can change the size of the collabora-fonts volume that default to 1Gi with this value
 DATABASE_STORAGE_SIZE: 1Gi       # You can change the size of the database volume that default to 1Gi with this value
 DATABASE_DUMP_STORAGE_SIZE: 1Gi       # You can change the size of the database-dump volume that default to 1Gi with this value
 ELASTICSEARCH_STORAGE_SIZE: 1Gi       # You can change the size of the elasticsearch volume that default to 1Gi with this value

php/composer.lock

@@ -626,16 +626,16 @@
         },
         {
             "name": "php-di/php-di",
-            "version": "7.0.2",
+            "version": "7.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHP-DI/PHP-DI.git",
-                "reference": "5d1a8664e24f23b25e0426bbcb1288287fb49181"
+                "reference": "d5dad2500f409d8b78371823c8b382fe9b5d0917"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/5d1a8664e24f23b25e0426bbcb1288287fb49181",
-                "reference": "5d1a8664e24f23b25e0426bbcb1288287fb49181",
+                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/d5dad2500f409d8b78371823c8b382fe9b5d0917",
+                "reference": "d5dad2500f409d8b78371823c8b382fe9b5d0917",
                 "shasum": ""
             },
             "require": {
@@ -649,13 +649,13 @@
             },
             "require-dev": {
                 "friendsofphp/php-cs-fixer": "^3",
+                "friendsofphp/proxy-manager-lts": "^1",
                 "mnapoli/phpunit-easymock": "^1.3",
-                "ocramius/proxy-manager": "^2.11.2",
                 "phpunit/phpunit": "^9.5",
                 "vimeo/psalm": "^4.6"
             },
             "suggest": {
-                "ocramius/proxy-manager": "Install it if you want to use lazy injection (version ^2.3)"
+                "friendsofphp/proxy-manager-lts": "Install it if you want to use lazy injection (version ^1)"
             },
             "type": "library",
             "autoload": {
@@ -683,7 +683,7 @@
             ],
             "support": {
                 "issues": "https://github.com/PHP-DI/PHP-DI/issues",
-                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.2"
+                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.3"
             },
             "funding": [
                 {
@@ -695,7 +695,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-02-07T17:34:03+00:00"
+            "time": "2023-06-17T10:21:14+00:00"
         },
         {
             "name": "php-di/slim-bridge",
@@ -1398,16 +1398,16 @@
         },
         {
             "name": "symfony/deprecation-contracts",
-            "version": "v3.2.1",
+            "version": "v3.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e"
+                "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
-                "reference": "e2d1534420bd723d0ef5aec58a22c5fe60ce6f5e",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/7c3aff79d10325257a001fcf92d991f24fc967cf",
+                "reference": "7c3aff79d10325257a001fcf92d991f24fc967cf",
                 "shasum": ""
             },
             "require": {
@@ -1416,7 +1416,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "3.3-dev"
+                    "dev-main": "3.4-dev"
                 },
                 "thanks": {
                     "name": "symfony/contracts",
@@ -1445,7 +1445,7 @@
             "description": "A generic function and convention to trigger deprecation notices",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.2.1"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.3.0"
             },
             "funding": [
                 {
@@ -1461,7 +1461,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-03-01T10:25:55+00:00"
+            "time": "2023-05-23T14:45:45+00:00"
         },
         {
             "name": "symfony/polyfill-ctype",
@@ -1709,16 +1709,16 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.6.0",
+            "version": "v3.6.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "106c170d08e8415d78be2d16c3d057d0d108262b"
+                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/106c170d08e8415d78be2d16c3d057d0d108262b",
-                "reference": "106c170d08e8415d78be2d16c3d057d0d108262b",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
+                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
                 "shasum": ""
             },
             "require": {
@@ -1764,7 +1764,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.6.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.6.1"
             },
             "funding": [
                 {
@@ -1776,7 +1776,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-05-03T19:06:57+00:00"
+            "time": "2023-06-08T12:52:13+00:00"
         }
     ],
     "packages-dev": [],

php/containers-schema.json

@@ -117,8 +117,31 @@
 						"type": "array",
 						"items": {
 							"type": "string",
-							"pattern": "^(php /var/www/html/occ .*|echo .*)$",
-							"minlength": 1
+							"pattern": "^(php /var/www/html/occ .*|echo .*)$"
+						}
+					},
+					"profiles": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"pattern": "^[a-z-]+$"
+						}
+					},
+					"networks": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"pattern": "^nextcloud-aio$"
+						}
+					},
+					"read_only": {
+						"type": "boolean"
+					},
+					"tmpfs": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"pattern": "^/[a-z/_]+$"
 						}
 					},
 					"volumes": {

php/containers.json

@@ -6,7 +6,8 @@
         "nextcloud-aio-onlyoffice",
         "nextcloud-aio-collabora",
         "nextcloud-aio-talk",
-        "nextcloud-aio-nextcloud"
+        "nextcloud-aio-nextcloud",
+        "nextcloud-aio-notify-push"
       ],
       "display_name": "Apache",
       "image": "nextcloud/aio-apache",
@@ -27,7 +28,8 @@
         "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
         "TZ=%TIMEZONE%",
         "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
-        "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%"
+        "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
+        "NOTIFY_PUSH_HOST=nextcloud-aio-notify-push"
       ],
       "volumes": [
         {
@@ -45,6 +47,9 @@
       "backup_volumes": [
         "nextcloud_aio_nextcloud",
         "nextcloud_aio_apache"
+      ],
+      "networks": [
+        "nextcloud-aio"
       ]
     },
     {
@@ -83,6 +88,9 @@
       "backup_volumes": [
         "nextcloud_aio_database",
         "nextcloud_aio_database_dump"
+      ],
+      "networks": [
+        "nextcloud-aio"
       ]
     },
     {
@@ -92,13 +100,13 @@
         "nextcloud-aio-redis",
         "nextcloud-aio-clamav",
         "nextcloud-aio-fulltextsearch",
+        "nextcloud-aio-talk-recording",
         "nextcloud-aio-imaginary"
       ],
       "display_name": "Nextcloud",
       "image": "nextcloud/aio-nextcloud",
       "expose": [
-        "9000",
-        "7867"
+        "9000"
       ],
       "internal_port": "9000",
       "secrets": [
@@ -170,7 +178,10 @@
         "STARTUP_APPS=%NEXTCLOUD_STARTUP_APPS%",
         "ADDITIONAL_APKS=%NEXTCLOUD_ADDITIONAL_APKS%",
         "ADDITIONAL_PHP_EXTENSIONS=%NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS%",
-        "INSTALL_LATEST_MAJOR=%INSTALL_LATEST_MAJOR%"
+        "INSTALL_LATEST_MAJOR=%INSTALL_LATEST_MAJOR%",
+        "TALK_RECORDING_ENABLED=%TALK_RECORDING_ENABLED%",
+        "RECORDING_SECRET=%RECORDING_SECRET%",
+        "TALK_RECORDING_HOST=nextcloud-aio-talk-recording"
       ],
       "restart": "unless-stopped",
       "devices": [
@@ -178,8 +189,46 @@
       ],
       "backup_volumes": [
         "nextcloud_aio_nextcloud"
+      ],
+      "networks": [
+        "nextcloud-aio"
       ]
     },
+    {
+      "container_name": "nextcloud-aio-notify-push",
+      "display_name": "Notify Push",
+      "image": "nextcloud/aio-notify-push",
+      "expose": [
+        "7867"
+      ],
+      "internal_port": "7867",
+      "secrets": [
+        "REDIS_PASSWORD",
+        "DATABASE_PASSWORD"
+      ],
+      "volumes": [
+        {
+          "source": "nextcloud_aio_nextcloud",
+          "destination": "/nextcloud",
+          "writeable": false
+        }
+      ],
+      "environment": [
+        "NC_DOMAIN=%NC_DOMAIN%",
+        "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
+        "REDIS_HOST=nextcloud-aio-redis",
+        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
+        "POSTGRES_HOST=nextcloud-aio-database",
+        "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
+        "POSTGRES_DB=nextcloud_database",
+        "POSTGRES_USER=nextcloud"
+      ],
+      "restart": "unless-stopped",
+      "networks": [
+        "nextcloud-aio"
+      ],
+      "read_only": true
+    },
     {
       "container_name": "nextcloud-aio-redis",
       "display_name": "Redis",
@@ -201,9 +250,14 @@
       ],
       "secrets": [
         "REDIS_PASSWORD",
-        "ONLYOFFICE_SECRET"
+        "ONLYOFFICE_SECRET",
+        "RECORDING_SECRET"
       ],
-      "restart": "unless-stopped"
+      "restart": "unless-stopped",
+      "networks": [
+        "nextcloud-aio"
+      ],
+      "read_only": true
     },
     {
       "container_name": "nextcloud-aio-collabora",
@@ -221,17 +275,16 @@
         "server_name=%NC_DOMAIN%",
         "DONT_GEN_SSL_CERT=1"
       ],
-      "volumes": [
-        {
-          "source": "nextcloud_aio_collabora_fonts",
-          "destination": "/opt/cool/systemplate/tmpfonts",
-          "writeable": true
-        }
-      ],
       "restart": "unless-stopped",
       "nextcloud_exec_commands": [
         "echo 'Activating collabora config...'",
         "php /var/www/html/occ richdocuments:activate-config"
+      ],
+      "profiles": [
+        "collabora"
+      ],
+      "networks": [
+        "nextcloud-aio"
       ]
     },
     {
@@ -259,13 +312,49 @@
         "TURN_SECRET=%TURN_SECRET%",
         "SIGNALING_SECRET=%SIGNALING_SECRET%",
         "TZ=%TIMEZONE%",
-        "TALK_PORT=%TALK_PORT%"
+        "TALK_PORT=%TALK_PORT%",
+        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
       ],
       "secrets": [
         "TURN_SECRET",
-        "SIGNALING_SECRET"
+        "SIGNALING_SECRET",
+        "TALK_INTERNAL_SECRET"
       ],
-      "restart": "unless-stopped"
+      "restart": "unless-stopped",
+      "profiles": [
+        "talk",
+        "talk-recording"
+      ],
+      "networks": [
+        "nextcloud-aio"
+      ]
+    },
+    {
+      "container_name": "nextcloud-aio-talk-recording",
+      "display_name": "Talk Recording",
+      "image": "nextcloud/aio-talk-recording",
+      "expose": [
+        "1234"
+      ],
+      "internal_port": "1234",
+      "environment": [
+        "NC_DOMAIN=%NC_DOMAIN%",
+        "TZ=%TIMEZONE%",
+        "RECORDING_SECRET=%RECORDING_SECRET%",
+        "INTERNAL_SECRET=%TALK_INTERNAL_SECRET%"
+      ],
+      "shm_size": 2147483648,
+      "secrets": [
+        "RECORDING_SECRET",
+        "TALK_INTERNAL_SECRET"
+      ],
+      "restart": "unless-stopped",
+      "profiles": [
+        "talk-recording"
+      ],
+      "networks": [
+        "nextcloud-aio"
+      ]
     },
     {
       "container_name": "nextcloud-aio-borgbackup",
@@ -321,7 +410,12 @@
       "cap_add": [
         "SYS_ADMIN"
       ],
-      "apparmor_unconfined": true
+      "apparmor_unconfined": true,
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/nextcloud_aio_volumes"
+      ]
     },
     {
       "container_name": "nextcloud-aio-watchtower",
@@ -335,7 +429,8 @@
           "destination": "/var/run/docker.sock",
           "writeable": false
         }
-      ]
+      ],
+      "read_only": true
     },
     {
       "container_name": "nextcloud-aio-domaincheck",
@@ -375,7 +470,19 @@
           "writeable": true
         }
       ],
-      "restart": "unless-stopped"
+      "restart": "unless-stopped",
+      "profiles": [
+        "clamav"
+      ],
+      "networks": [
+        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/lock",
+        "/var/log/clamav",
+        "/tmp"
+      ]
     },
     {
       "container_name": "nextcloud-aio-onlyoffice",
@@ -401,7 +508,13 @@
       "secrets": [
         "ONLYOFFICE_SECRET"
       ],
-      "restart": "unless-stopped"
+      "restart": "unless-stopped",
+      "profiles": [
+        "onlyoffice"
+      ],
+      "networks": [
+        "nextcloud-aio"
+      ]
     },
     {
       "container_name": "nextcloud-aio-imaginary",
@@ -417,7 +530,14 @@
       "restart": "unless-stopped",
       "cap_add": [
         "SYS_NICE"
-      ]
+      ],
+      "profiles": [
+        "imaginary"
+      ],
+      "networks": [
+        "nextcloud-aio"
+      ],
+      "read_only": true
     },
     {
       "container_name": "nextcloud-aio-fulltextsearch",
@@ -440,7 +560,13 @@
           "writeable": true
         }
       ],
-      "restart": "unless-stopped"
+      "restart": "unless-stopped",
+      "profiles": [
+        "fulltextsearch"
+      ],
+      "networks": [
+        "nextcloud-aio"
+      ]
     }
   ]
 }

php/public/automatic_reload.js

@@ -1,7 +1,7 @@
 if (document.hasFocus()) {
     // hide reload button if the site reloads automatically
-    var list = document.getElementsByClassName("reload button");
-    for (var i = 0; i < list.length; i++) {
+    let list = document.getElementsByClassName("reload button");
+    for (let i = 0; i < list.length; i++) {
         // list[i] is a node with the desired class name
         list[i].style.display = 'none';
     }

php/public/disable-clamav.js

@@ -1,5 +1,5 @@
 document.addEventListener("DOMContentLoaded", function(event) {
     // Clamav
-    var clamav = document.getElementById("clamav");
+    let clamav = document.getElementById("clamav");
     clamav.disabled = true;
 });

php/public/disable-collabora.js

@@ -1,5 +1,5 @@
 document.addEventListener("DOMContentLoaded", function(event) {
     // Collabora
-    var collabora = document.getElementById("collabora");
+    let collabora = document.getElementById("collabora");
     collabora.disabled = true;
 });

php/public/disable-fulltextsearch.js

@@ -1,5 +1,5 @@
 document.addEventListener("DOMContentLoaded", function(event) {
     // Fulltextsearch
-    var fulltextsearch = document.getElementById("fulltextsearch");
+    let fulltextsearch = document.getElementById("fulltextsearch");
     fulltextsearch.disabled = true;
 }); 

php/public/disable-imaginary.js

@@ -1,5 +1,5 @@
 document.addEventListener("DOMContentLoaded", function(event) {
     // Imaginary
-    var imaginary = document.getElementById("imaginary");
+    let imaginary = document.getElementById("imaginary");
     imaginary.disabled = true;
 });

php/public/disable-onlyoffice.js

@@ -1,6 +1,6 @@
 document.addEventListener("DOMContentLoaded", function(event) {
     // OnlyOffice
-    var onlyoffice = document.getElementById("onlyoffice");
+    let onlyoffice = document.getElementById("onlyoffice");
     if (onlyoffice) {
         onlyoffice.disabled = true;
     }

php/public/disable-talk-recording.js

@@ -0,0 +1,4 @@
+document.addEventListener("DOMContentLoaded", function(event) {
+    // Talk-recording
+    document.getElementById("talk-recording").disabled = true;
+});

php/public/disable-talk.js

@@ -1,5 +1,5 @@
 document.addEventListener("DOMContentLoaded", function(event) {
     // Talk
-    var talk = document.getElementById("talk");
+    let talk = document.getElementById("talk");
     talk.disabled = true;
 });

php/public/forms.js

@@ -1,6 +1,6 @@
 "use strict";
 (function (){
-  var lastError;
+  let lastError;
 
   function showError(message) {
     const body = document.getElementsByTagName('body')[0]
@@ -45,7 +45,7 @@
       if (lastError) {
         lastError.remove()
       }
-      var xhr = new XMLHttpRequest();
+      let xhr = new XMLHttpRequest();
       xhr.addEventListener('load', handleEvent);
       xhr.addEventListener('error', () => showError("Failed to talk to server."));
       xhr.addEventListener('error', () => disableSpinner());

php/public/index.php

@@ -120,6 +120,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'nextcloud_max_time' => $configurationManager->GetNextcloudMaxTime(),
         'nextcloud_memory_limit' => $configurationManager->GetNextcloudMemoryLimit(),
         'is_dri_device_enabled' => $configurationManager->isDriDeviceEnabled(),
+        'is_talk_recording_enabled' => $configurationManager->isTalkRecordingEnabled(),
     ]);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {

php/public/options-form-submit.js

@@ -1,36 +1,55 @@
 function makeOptionsFormSubmitVisible() {
-    var optionsFormSubmit = document.getElementById("options-form-submit");
+    let optionsFormSubmit = document.getElementById("options-form-submit");
     optionsFormSubmit.style.display = 'block';
 }
 
+function handleTalkVisibility() {
+    let talk = document.getElementById("talk");
+    let talkRecording = document.getElementById("talk-recording")
+    if (talk.checked) {
+        talkRecording.disabled = false
+    } else {
+        talkRecording.checked = false
+        talkRecording.disabled = true
+    }
+}
+
 document.addEventListener("DOMContentLoaded", function(event) {
     // handle submit button for options form
-    var optionsFormSubmit = document.getElementById("options-form-submit");
+    let optionsFormSubmit = document.getElementById("options-form-submit");
     optionsFormSubmit.style.display = 'none';
 
     // Clamav
-    var clamav = document.getElementById("clamav");
+    let clamav = document.getElementById("clamav");
     clamav.addEventListener('change', makeOptionsFormSubmitVisible);
 
     // OnlyOffice
-    var onlyoffice = document.getElementById("onlyoffice");
+    let onlyoffice = document.getElementById("onlyoffice");
     if (onlyoffice) {
         onlyoffice.addEventListener('change', makeOptionsFormSubmitVisible);
     }
 
     // Collabora
-    var collabora = document.getElementById("collabora");
+    let collabora = document.getElementById("collabora");
     collabora.addEventListener('change', makeOptionsFormSubmitVisible);
 
     // Talk
-    var talk = document.getElementById("talk");
+    let talk = document.getElementById("talk");
     talk.addEventListener('change', makeOptionsFormSubmitVisible);
+    talk.addEventListener('change', handleTalkVisibility);
+
+    // Talk-recording
+    let talkRecording = document.getElementById("talk-recording");
+    talkRecording.addEventListener('change', makeOptionsFormSubmitVisible);
+    if (!talk.checked) {
+        talkRecording.disabled = true
+    }
 
     // Imaginary
-    var imaginary = document.getElementById("imaginary");
+    let imaginary = document.getElementById("imaginary");
     imaginary.addEventListener('change', makeOptionsFormSubmitVisible);
 
     // Fulltextsearch
-    var fulltextsearch = document.getElementById("fulltextsearch");
+    let fulltextsearch = document.getElementById("fulltextsearch");
     fulltextsearch.addEventListener('change', makeOptionsFormSubmitVisible);
 });

php/src/Container/Container.php

@@ -30,6 +30,8 @@ class Container {
     /** @var string[] */
     private array $backupVolumes;
     private array $nextcloudExecCommands;
+    private bool $readOnlyRootFs;
+    private array $tmpfs;
     private DockerActionManager $dockerActionManager;
 
     public function __construct(
@@ -50,6 +52,8 @@ class Container {
         bool $apparmorUnconfined,
         array $backupVolumes,
         array $nextcloudExecCommands,
+        bool $readOnlyRootFs,
+        array $tmpfs,
         DockerActionManager $dockerActionManager
     ) {
         $this->identifier = $identifier;
@@ -69,6 +73,8 @@ class Container {
         $this->apparmorUnconfined = $apparmorUnconfined;
         $this->backupVolumes = $backupVolumes;
         $this->nextcloudExecCommands = $nextcloudExecCommands;
+        $this->readOnlyRootFs = $readOnlyRootFs;
+        $this->tmpfs = $tmpfs;
         $this->dockerActionManager = $dockerActionManager;
     }
 
@@ -88,6 +94,10 @@ class Container {
         return $this->restartPolicy;
     }
 
+    public function GetReadOnlySetting() : bool {
+        return $this->readOnlyRootFs;
+    }
+
     public function GetShmSize() : int {
         return $this->shmSize;
     }
@@ -104,6 +114,10 @@ class Container {
         return $this->secrets;
     }
 
+    public function GetTmpfs() : array {
+        return $this->tmpfs;
+    }
+
     public function GetDevices() : array {
         return $this->devices;
     }

php/src/ContainerDefinitionFetcher.php

@@ -81,6 +81,10 @@ class ContainerDefinitionFetcher
                 if (!$this->configurationManager->isTalkEnabled()) {
                     continue;
                 }
+            } elseif ($entry['container_name'] === 'nextcloud-aio-talk-recording') {
+                if (!$this->configurationManager->isTalkRecordingEnabled()) {
+                    continue;
+                }
             } elseif ($entry['container_name'] === 'nextcloud-aio-imaginary') {
                 if (!$this->configurationManager->isImaginaryEnabled()) {
                     continue;
@@ -179,6 +183,10 @@ class ContainerDefinitionFetcher
                         if (!$this->configurationManager->isTalkEnabled()) {
                             continue;
                         }
+                    } elseif ($value === 'nextcloud-aio-talk-recording') {
+                        if (!$this->configurationManager->isTalkRecordingEnabled()) {
+                            continue;
+                        }
                     } elseif ($value === 'nextcloud-aio-imaginary') {
                         if (!$this->configurationManager->isImaginaryEnabled()) {
                             continue;
@@ -254,6 +262,16 @@ class ContainerDefinitionFetcher
                 $nextcloudExecCommands = $entry['nextcloud_exec_commands'];
             }
 
+            $readOnlyRootFs = false;
+            if (isset($entry['read_only'])) {
+                $readOnlyRootFs = $entry['read_only'];
+            }
+
+            $tmpfs = [];
+            if (isset($entry['tmpfs'])) {
+                $tmpfs = $entry['tmpfs'];
+            }
+
             $containers[] = new Container(
                 $entry['container_name'],
                 $displayName,
@@ -272,6 +290,8 @@ class ContainerDefinitionFetcher
                 $apparmorUnconfined,
                 $backupVolumes,
                 $nextcloudExecCommands,
+                $readOnlyRootFs,
+                $tmpfs,
                 $this->container->get(DockerActionManager::class)
             );
         }

php/src/Controller/ConfigurationController.php

@@ -95,6 +95,11 @@ class ConfigurationController
                 } else {
                     $this->configurationManager->SetTalkEnabledState(0);
                 }
+                if (isset($request->getParsedBody()['talk-recording'])) {
+                    $this->configurationManager->SetTalkRecordingEnabledState(1);
+                } else {
+                    $this->configurationManager->SetTalkRecordingEnabledState(0);
+                }
                 if (isset($request->getParsedBody()['imaginary'])) {
                     $this->configurationManager->SetImaginaryEnabledState(1);
                 } else {
@@ -116,6 +121,10 @@ class ConfigurationController
                 $this->configurationManager->SetCollaboraDictionaries($collaboraDictionaries);
             }
 
+            if (isset($request->getParsedBody()['delete_borg_backup_host_location'])) {
+                $this->configurationManager->DeleteBorgBackupHostLocation();
+            }
+
             return $response->withStatus(201)->withHeader('Location', '/');
         } catch (InvalidSettingConfigurationException $ex) {
             $response->getBody()->write($ex->getMessage());

php/src/Controller/DockerController.php

@@ -155,7 +155,7 @@ class DockerController
         }
 
         if (isset($request->getParsedBody()['install_latest_major'])) {
-            $installLatestMajor = 26;
+            $installLatestMajor = 27;
         } else {
             $installLatestMajor = "";
         }

php/src/Data/ConfigurationManager.php

@@ -230,6 +230,27 @@ class ConfigurationManager
         $this->WriteConfig($config);
     }
 
+    public function isTalkRecordingEnabled() : bool {
+        if (!$this->isTalkEnabled()) {
+            return false;
+        }
+        $config = $this->GetConfig();
+        if (isset($config['isTalkRecordingEnabled']) && $config['isTalkRecordingEnabled'] === 1) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    public function SetTalkRecordingEnabledState(int $value) : void {
+        if (!$this->isTalkEnabled()) {
+            $value = 0;
+        }
+        $config = $this->GetConfig();
+        $config['isTalkRecordingEnabled'] = $value;
+        $this->WriteConfig($config);
+    }
+
     /**
      * @throws InvalidSettingConfigurationException
      */
@@ -392,6 +413,12 @@ class ConfigurationManager
         $this->WriteConfig($config);
     }
 
+    public function DeleteBorgBackupHostLocation() : void {
+        $config = $this->GetConfig();
+        $config['borg_backup_host_location'] = '';
+        $this->WriteConfig($config);
+    }
+
         /**
      * @throws InvalidSettingConfigurationException
      */

php/src/Docker/DockerActionManager.php

@@ -278,6 +278,12 @@ class DockerActionManager
                     } else {
                         $replacements[1] = '';
                     }
+                } elseif ($out[1] === 'TALK_RECORDING_ENABLED') {
+                    if ($this->configurationManager->isTalkRecordingEnabled()) {
+                        $replacements[1] = 'yes';
+                    } else {
+                        $replacements[1] = '';
+                    }
                 } elseif ($out[1] === 'ONLYOFFICE_ENABLED') {
                     if ($this->configurationManager->isOnlyofficeEnabled()) {
                         $replacements[1] = 'yes';
@@ -363,7 +369,7 @@ class DockerActionManager
                 } else {
                     $secret = $this->configurationManager->GetSecret($out[1]);
                     if ($secret === "") {
-                        throw new \Exception("The secret " . $out[1] . " is empty. Cannot substitute its value. Pleas check if it is defined in secrets of containers.json.");
+                        throw new \Exception("The secret " . $out[1] . " is empty. Cannot substitute its value. Please check if it is defined in secrets of containers.json.");
                     }
                     $replacements[1] = $secret;
                 }
@@ -377,6 +383,8 @@ class DockerActionManager
         }
 
         $requestBody['HostConfig']['RestartPolicy']['Name'] = $container->GetRestartPolicy();
+
+        $requestBody['HostConfig']['ReadonlyRootfs'] = $container->GetReadOnlySetting();
  
         $exposedPorts = [];
         if ($container->GetInternalPort() !== 'host') {
@@ -422,6 +430,14 @@ class DockerActionManager
             $requestBody['HostConfig']['ShmSize'] = $shmSize;
         }
 
+        $tmpfs = [];
+        foreach($container->GetTmpfs() as $tmp) {
+            $tmpfs[$tmp] = "";
+        }
+        if (count($tmpfs) > 0) {
+            $requestBody['HostConfig']['Tmpfs'] =  $tmpfs;
+        }
+
         $capAdds = $container->GetCapAdds();
         if (count($capAdds) > 0) {
             $requestBody['HostConfig']['CapAdd'] = $capAdds;
@@ -514,29 +530,24 @@ class DockerActionManager
         }
     }
 
-    private function getBackupVolumes(string $id) : array
+    private function getBackupVolumes(string $id) : string
     {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
-        $backupVolumes = $container->GetBackupVolumes();
-
+        $backupVolumes = '';
+        foreach ($container->GetBackupVolumes() as $backupVolume) {
+            $backupVolumes .= $backupVolume . ' ';
+        }
         foreach ($container->GetDependsOn() as $dependency) {
-            $backupVolumes[] = $this->getBackupVolumes($dependency);
+            $backupVolumes .= $this->getBackupVolumes($dependency);
         }
         return $backupVolumes;
     }
 
     private function getAllBackupVolumes() : array {
         $id = 'nextcloud-aio-apache';
-        $backupVolumesArray = $this->getBackupVolumes($id);
-        // Flatten array
-        $backupVolumesArrayFlat = iterator_to_array(
-            new \RecursiveIteratorIterator(
-                new \RecursiveArrayIterator($backupVolumesArray)
-            ),
-            $use_keys = false
-        );
-        return array_unique($backupVolumesArrayFlat);
+        $backupVolumesArray = explode(' ', $this->getBackupVolumes($id));
+        return array_unique($backupVolumesArray);
     }
 
     private function GetNextcloudExecCommands(string $id) : string
@@ -773,7 +784,8 @@ class DockerActionManager
     public function ConnectMasterContainerToNetwork() : void
     {
         $this->ConnectContainerIdToNetwork('nextcloud-aio-mastercontainer', '');
-        $this->DisconnectContainerFromBridgeNetwork('nextcloud-aio-mastercontainer');
+        // Don't disconnect here since it slows down the initial login by a lot. Is getting done during cron.sh instead.
+        // $this->DisconnectContainerFromBridgeNetwork('nextcloud-aio-mastercontainer');
     }
 
     public function ConnectContainerToNetwork(Container $container) : void

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v5.2.2</h1>
+        <h1>Nextcloud AIO v6.2.0</h1>
 
         {# Add 2nd tab warning #}
         <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -27,7 +27,7 @@
         {% set isBackupOrRestoreRunning = false %}
         {% set isApacheStarting = false %}
         {# Setting newMajorVersion to '' will hide corresponding options/elements, can be set to an integer like 26 in order to show corresponding elements. If set, also increase installLatestMajor in https://github.com/nextcloud/all-in-one/blob/main/php/src/Controller/DockerController.php #}
-        {% set newMajorVersion = '' %}
+        {% set newMajorVersion = 27 %}
 
         {% if is_backup_container_running == true %}
             {% if borg_backup_mode == 'backup' or borg_backup_mode == 'restore' %}
@@ -84,9 +84,9 @@
                         {{ include('includes/aio-config.twig') }}
                         <h2>New AIO instance</h2>
                         {% if apache_port == '443' %}
-                            AIO is currently in "normal mode" which means that it handles the TLS proxying itself. This also means that it cannot be installed behind a web server or reverse proxy (like Apache, Nginx and else). If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else), see the <b><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></b>. Advice: have a detailed look at the changed docker run command for AIO.<br><br>
+                            AIO is currently in "normal mode" which means that it handles the TLS proxying itself. This also means that it cannot be installed behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), see the <b><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></b>. Advice: have a detailed look at the changed docker run command for AIO.<br><br>
                         {% else %}
-                            AIO is currently in "reverse proxy mode" which means that it can be installed behind a web server or reverse proxy (like Apache Nginx and else) and does not do the TLS proxying itself.<br><br>
+                            AIO is currently in "reverse proxy mode" which means that it can be installed behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and does not do the TLS proxying itself.<br><br>
                         {% endif %}
                         Please type in the domain into the input field below that will be used for Nextcloud in order to create a new AIO instance.<br><br />
                         {% if skip_domain_validation == true %}
@@ -96,7 +96,7 @@
                             <input type="text" name="domain" value="{{ domain }}" placeholder="nextcloud.yourdomain.com"/>
                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                            <input class="button" type="submit" value="Submit" />
+                            <input class="button" type="submit" value="Submit domain" />
                         </form>
                         {% if skip_domain_validation == false %}
                             Make sure that this server is reachable on port 443 (port 443/tcp is open/forwarded in your firewall/router) and that you've correctly set up the DNS config for the domain that you enter (set the A record to your public ipv4-address and if you need ipv6, set the AAAA record to your public ipv6-address. A CNAME record if of course also possible). You should see hints on what went wrong if your domain does not get accepted in the top right corner.<br><br>
@@ -110,7 +110,7 @@
                                     If you run into issues getting your domain accepted, see <a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things">these steps</a> for how to debug things. <br /><br/>
                                 {% endif %}
                                 <b>Hint:</b> If the domain validation fails but you are completely sure that you've configured everything correctly, you may skip the domain validation by following <a href="https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation">this documentation</a>.<br />
-                            </details><br />
+                            </details>
                         {% endif %}
 
                         <h2>Restore former AIO instance from backup</h2>
@@ -173,7 +173,7 @@
                                 <input type="text" name="borg_restore_password" value="{{borg_restore_password}}" placeholder="enter the borg password"/>
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" />
+                                <input class="button" type="submit" value="Submit location and password" />
                             </form>
                             {{ include('includes/backup-dirs.twig') }}
                             ⚠️ Please note that the backup archive must be located in a subfolder of the folder that you enter here and the subfolder which contains the archive must be named 'borg'. Otherwise will the backup container not find the backup archive!<br><br>
@@ -265,7 +265,7 @@
 
                     {% if has_update_available == true %}
                         {% if is_mastercontainer_update_available == false %}
-                            ⚠️ Container updates are available. Click on <b>Stop Containers</b> and <b>Start Containers</b> to update them. You should consider creating a backup first.<br><br>
+                            ⚠️ Container updates are available. Click on <b>Stop containers</b> and <b>Start and update containers</b> to update them. You should consider creating a backup first.<br><br>
                         {% endif %}
                     {% else %}
                         {% if is_mastercontainer_update_available == false %}
@@ -273,7 +273,7 @@
                             {% if newMajorVersion != '' and isAnyRunning == true and isApacheStarting != true %}
                                 <details>
                                 <summary>Note about <b>Nextcloud {{ newMajorVersion }}</b></summary><br>
-                                    If you haven't upgraded to Nextcloud {{ newMajorVersion }} yet and want to do that now, feel free to follow <b><a href="https://github.com/nextcloud/all-in-one/discussions/2208">this documentation</a></b><br/>
+                                    If you haven't upgraded to Nextcloud {{ newMajorVersion }} yet and want to do that now, feel free to follow <b><a href="https://github.com/nextcloud/all-in-one/discussions/2692">this documentation</a></b><br/>
                                 </details><br>
                             {% endif %}
                         {% endif %}
@@ -352,7 +352,7 @@
                                 <input type="text" name="borg_backup_host_location" placeholder="/mnt/backup"/>
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" />
+                                <input class="button" type="submit" value="Submit backup location" />
                             </form>
                             {{ include('includes/backup-dirs.twig') }}
                         {% endif %}
@@ -378,12 +378,12 @@
                                         </details><br />
                                     {% endif %}
                                     {% if has_backup_run_once == false %}
-                                        You may change the backup path again since the initial backup was not successful. After submitting the new value, you need to click on 'Create Backup' for testing the new value.<br /><br />
+                                        You may change the backup path again since the initial backup was not successful. After submitting the new value, you need to click on <b>Create Backup</b> for testing the new value.<br /><br />
                                         <form method="POST" action="/api/configuration" class="xhr">
-                                            <input type="text" value="{{borg_backup_host_location}}" name="borg_backup_host_location" placeholder="/mnt/backup"/>
+                                            <input type="text" value="{{borg_backup_host_location}}" name="borg_backup_host_location" placeholder="/mnt/backup" />
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                            <input class="button" type="submit" value="Submit" />
+                                            <input class="button" type="submit" value="Set backup location again" />
                                         </form>
                                     {% endif %}
                                 {% elseif backup_exit_code == 0 %}
@@ -420,9 +420,20 @@
                                         <input class="button" type="submit" value="Create backup" onclick="return confirm('Create backup? Are you sure that you want to create a backup? This will stop all running containers and create the backup.')" />
                                     </form>
 
+                                    {% if has_backup_run_once == false %}
+                                        <h3>Reset backup host location</h3>
+                                        If the configured backup host location <b>{{ borg_backup_host_location }}</b> is wrong, you can reset it by clicking on the button below.<br><br/>
+                                        <form method="POST" action="/api/configuration" class="xhr">
+                                            <input type="hidden" name="delete_borg_backup_host_location" value="yes"/>
+                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                            <input class="button" type="submit" value="Reset backup location" />
+                                        </form>
+                                    {% endif %}
+
                                     {% if has_backup_run_once == true %}
                                         <h3>Backup check</h3>
-                                        Click on the button below to perform a backup integrity check. This is an option that verifies that your backup is intact but it should't be needed in most situtations.<br><br/>
+                                        Click on the button below to perform a backup integrity check. This is an option that verifies that your backup is intact but it shouldn't be needed in most situations.<br><br/>
                                         <form method="POST" action="/api/docker/backup-check" class="xhr">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -449,7 +460,7 @@
                                                 <input type="text" name="daily_backup_time" value="04:00" placeholder="04:00"/>
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                                <input class="button" type="submit" value="Submit" /><br>
+                                                <input class="button" type="submit" value="Submit backup time" /><br>
                                                 <input type="checkbox" id="automatic_updates" name="automatic_updates" checked="checked"><label for="automatic_updates">Automatically update all containers, the mastercontainer and on saturdays your Nextcloud apps</label><br>
                                             </form>
                                         {% else %}
@@ -472,7 +483,7 @@
                                             <textarea id="additional_backup_directories" name="additional_backup_directories" rows="4" cols="50" placeholder="/directory/on/the/host&#10;my_custom_docker_volume">{{ additional_backup_directories }}</textarea>
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                            <input class="button" type="submit" value="Submit" /><br>
+                                            <input class="button" type="submit" value="Submit additional backup locations" /><br>
                                         </form>
                                         Each line and entry needs to start with a slash or letter/digit. Allowed are only <b>a-z</b>, <b>A-Z</b>, <b>.</b>, <b>0-9</b>, <b>_</b>, <b>-</b>, and <b>/</b>. If the entry begins with a letter/digit are slashes not supported. Two valid entries are <b>/directory/on/the/host</b> and <b>my_custom_docker_volume</b>. You need to make sure yourself that all given directories exist. Otherwise the backup container will fail starting!<br><br/>
                                         Make sure to specify all storages that you want to back up separately since storages will not be mounted recursively. E.g. providing <b>/</b> as additional backup directory will only back up files and folders that are stored on the root partition and not on the EFI partition or any other. Excluded by the backup will be caches and a few other directories. You should make sure to stop all services before the backup can run correctly if you want to back up the root partition. For automating this see <a href="https://github.com/nextcloud/all-in-one#how-to-stopstartupdate-containers-or-trigger-the-daily-backup-from-a-script-externally">this documentation</a><br><br/>
@@ -485,7 +496,7 @@
                                 {% if has_backup_run_once == false %}
                                     <br />
                                 {% else %}
-                                    </details><br />
+                                    </details>
                                 {% endif %}
                             {% endif %}
                         {% endif %}
@@ -502,10 +513,10 @@
                                     <input type="text" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO password"/>
                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                    <input class="button" type="submit" value="Submit" />
+                                    <input class="button" type="submit" value="Submit password change" />
                                 </form>
                                 The new password needs to be at least 24 characters long. Allowed characters are the <a href="https://en.wikipedia.org/wiki/Latin_alphabet#/media/File:Abecedarium.png"><b>latin characters</b></a> <b>a-z</b>, <b>A-Z</b>, <b>0-9</b> and <b>spaces</b>.<br>
-                            </details><br>
+                            </details>
                         {% endif %}
                     {% endif %}
                 {% endif %}
@@ -514,15 +525,17 @@
                     In this section you can enable or disable optional addons.<br><br>
                     {% if isAnyRunning == true %}
                         <b>Please note:</b> You can enable or disable them when your containers are stopped.<br><br>
+                    {% else %}
+                        <b>Please note:</b> Make sure to save your changes by clicking on the button <b>Save changes</b> that is positioned below the list of optional addons. The changes will not be auto-saved.<br><br>
                     {% endif %}
                     <form id="options-form" method="POST" action="/api/configuration" class="xhr">
                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                         <input type="hidden" name="options-form" value="options-form">
                         {% if is_clamav_enabled == true %}
-                            <input type="checkbox" id="clamav" name="clamav" checked="checked"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br>
+                            <input type="checkbox" id="clamav" name="clamav" checked="checked"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br><br>
                         {% else %}
-                            <input type="checkbox" id="clamav" name="clamav"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br>
+                            <input type="checkbox" id="clamav" name="clamav"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br><br>
                         {% endif %}
                         {% if is_collabora_enabled == true %}
                             <input type="checkbox" id="collabora" name="collabora" checked="checked"><label for="collabora">Collabora (Nextcloud Office)</label><br>
@@ -535,15 +548,20 @@
                             <input type="checkbox" id="fulltextsearch" name="fulltextsearch"><label for="fulltextsearch">Fulltextsearch (needs ~1GB additional RAM)</label><br>
                         {% endif %}
                         {% if is_imaginary_enabled == true %}
-                            <input type="checkbox" id="imaginary" name="imaginary" checked="checked"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br>
+                            <input type="checkbox" id="imaginary" name="imaginary" checked="checked"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br><br>
                         {% else %}
-                            <input type="checkbox" id="imaginary" name="imaginary"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br>
+                            <input type="checkbox" id="imaginary" name="imaginary"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br><br>
                         {% endif %}
                         {% if is_talk_enabled == true %}
                             <input type="checkbox" id="talk" name="talk" checked="checked"><label for="talk">Nextcloud Talk (needs ports {{ talk_port }}/TCP and {{ talk_port }}/UDP open/forwarded in your firewall/router)</label><br><br>
                         {% else %}
                             <input type="checkbox" id="talk" name="talk"><label for="talk">Nextcloud Talk (needs ports {{ talk_port }}/TCP and {{ talk_port }}/UDP open/forwarded in your firewall/router)</label><br><br>
                         {% endif %}
+                        {% if is_talk_recording_enabled == true %}
+                            <input type="checkbox" id="talk-recording" name="talk-recording" checked="checked"><label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM and ~2 additional vCPUs)</label><br><br>
+                        {% else %}
+                            <input type="checkbox" id="talk-recording" name="talk-recording"><label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM ~2 additional vCPUs)</label><br><br>
+                        {% endif %}
                         {% if is_onlyoffice_enabled == true %}
                             <input type="checkbox" id="onlyoffice" name="onlyoffice" checked="checked"><label for="onlyoffice">OnlyOffice</label><br>
                         {% else %}
@@ -552,7 +570,7 @@
                         <input id="options-form-submit" class="button" type="submit" value="Save changes" />
                         <script type="text/javascript" src="options-form-submit.js"></script>
                     </form>
-                    <b>Minimal system requirements:</b> When any optional addon is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV or Fulltextsearch, at least 3GB RAM are required. When enabling everything, at least 4GB RAM are required. Recommended are at least 1GB more RAM than the minimal requirement. For further advices and recommendations see <b><a href="https://github.com/nextcloud/all-in-one/discussions/1335">this documentation</a></b><br><br>
+                    <b>Minimal system requirements:</b> When any optional addon is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV,  Nextcloud Talk Recording-server or Fulltextsearch, at least 3GB RAM are required. For Talk Recording-server additional 2 vCPUs are required. When enabling everything, at least 5GB RAM and a quad-core CPU are required. Recommended are at least 1GB more RAM than the minimal requirement. For further advices and recommendations see <b><a href="https://github.com/nextcloud/all-in-one/discussions/1335">this documentation</a></b><br>
                     {% if isAnyRunning == true or is_x64_platform == false %}
                         <script type="text/javascript" src="disable-clamav.js"></script>
                     {% endif %}
@@ -562,6 +580,7 @@
                         <script type="text/javascript" src="disable-onlyoffice.js"></script>
                         <script type="text/javascript" src="disable-imaginary.js"></script>
                         <script type="text/javascript" src="disable-fulltextsearch.js"></script>
+                        <script type="text/javascript" src="disable-talk-recording.js"></script>
                     {% endif %}
 
                     {% if is_collabora_enabled == true and isAnyRunning == false and was_start_button_clicked == true %}
@@ -573,7 +592,7 @@
                                 <input type="text" name="collabora_dictionaries" placeholder="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" />
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" />
+                                <input class="button" type="submit" value="Submit collabora dictionaries" />
                             </form>
                             You need to make sure that the dictionaries that you enter are valid. An example is <b>de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru</b>.<br><br>
                         {% else %}
@@ -601,7 +620,7 @@
                                 <input type="text" name="timezone" placeholder="Europe/Berlin" />
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" onclick="return confirm('Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column since if not, it will break the startup since the database will not get correctly initialized and you will end in a startup loop.')" />
+                                <input class="button" type="submit" value="Submit timezone" onclick="return confirm('Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column since if not, it will break the startup since the database will not get correctly initialized and you will end in a startup loop.')" />
                             </form>
                             You need to make sure that the timezone that you enter is valid. An example is <b>Europe/Berlin</b>. You can get valid values by looking at the 'TZ database name' column of this list: <a href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"><b>click here</b></a>.<br><br>
                         {% else %}

php/templates/includes/aio-config.twig

@@ -33,4 +33,4 @@
     See the <a href="https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud">NEXTCLOUD_ENABLE_DRI_DEVICE documentation</a> on how to change this.<br><br>
 
     For further documentation on AIO, refer to <b><a href="https://github.com/nextcloud/all-in-one#nextcloud-all-in-one">this page</a></b>. You can use the browser search [CTRL]+[F] to search through the documentation. Additional documentation can be found <b><a href="https://github.com/nextcloud/all-in-one/discussions/categories/wiki">here</a></b>.<br>
-</details><br />
+</details>