Update index.yaml

Signed-off-by: szaimen <szaimen@users.noreply.github.com>

.github/dependabot.yml

@@ -108,15 +108,6 @@ updates:
   labels:
   - 3. to review
   - dependencies
-- package-ecosystem: "docker"
-  directory: "/Containers/talk-recording"
-  schedule:
-    interval: "daily"
-    time: "12:00"
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies
 - package-ecosystem: "docker"
   directory: "/Containers/watchtower"
   schedule:
@@ -165,21 +156,3 @@ updates:
   labels:
   - 3. to review
   - dependencies
-- package-ecosystem: "docker"
-  directory: "/Containers/notify-push"
-  schedule:
-    interval: "daily"
-    time: "12:00"
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies
-- package-ecosystem: "docker"
-  directory: "/Containers/docker-socket-proxy"
-  schedule:
-    interval: "daily"
-    time: "12:00"
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies

.github/release.yml

@@ -1,14 +0,0 @@
-changelog:
-  categories:
-    - title: 🏕 New features and other improvements
-      labels:
-        - enhancement
-    - title: 🐞 Fixed bugs
-      labels:
-        - bug
-    - title: 👒 Updated dependencies
-      labels:
-        - dependencies
-    - title: 📄 Improved documentation
-      labels:
-        - documentation

.github/workflows/codespell.yml

@@ -1,20 +0,0 @@
-name: 'Codespell'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  codespell:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Check spelling
-        uses: codespell-project/actions-codespell@v2
-        with:
-          check_filenames: true
-          check_hidden: true

.github/workflows/command-rebase.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
+        uses: peter-evans/create-or-update-comment@v2
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -31,18 +31,18 @@ jobs:
           reaction-type: "+1"
 
       - name: Checkout the latest code
-        uses: actions/checkout@v4 # v3.5.2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           token: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Automatic Rebase
-        uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8
+        uses: cirrus-actions/rebase@1.8
         env:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
+        uses: peter-evans/create-or-update-comment@v2
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}

.github/workflows/community-containers.yml

@@ -1,37 +0,0 @@
-name: Validate community containers
-
-on:
-  pull_request:
-    paths:
-      - 'community-containers/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'community-containers/**'
-
-jobs:
-  validator-community-containers:
-    name: Validate community containers
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Validate structure
-        run: |
-          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
-          mapfile -t CONTAINERS <<< "$CONTAINERS"
-          for container in "${CONTAINERS[@]}"; do
-            container="$(echo "$container" | sed 's|./community-containers/||')"
-            if ! [ -f ./community-containers/"$container"/"$container.json" ]; then
-                echo ".json file must be named like its parent folder $container"
-                FAIL=1
-            fi
-            if ! [ -f ./community-containers/"$container"/readme.md ]; then
-                echo "There must be a readme.md file in the folder!"
-                FAIL=1
-            fi
-            if [ -n "$FAIL" ]; then
-                exit 1
-            fi
-          done

.github/workflows/create-psalm-container.yml

@@ -0,0 +1,54 @@
+name: Create Psalm Container
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '5 4 * * *'
+
+jobs:
+  push_to_registry:
+    runs-on: ubuntu-latest
+
+    name: Create Psalm Container
+
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Check out the repo
+        run: |
+          git clone https://github.com/psalm/psalm-github-actions.git
+      
+      - name: Modify the Dockerfile
+        run: |
+          set -x
+          sed -i 's|FROM php:7.4-alpine|FROM php:8.1-alpine|' "psalm-github-actions/Dockerfile"
+          cat << APCU >> "psalm-github-actions/Dockerfile"
+          RUN mkdir -p /usr/src/php/ext/apcu && \
+            curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && \
+            docker-php-ext-install apcu
+          APCU
+
+      - name: Log in to GitHub Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: docker.pkg.github.com
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container image
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: 'psalm-github-actions'
+          file: 'psalm-github-actions/Dockerfile'
+          tags: |
+            ghcr.io/nextcloud/all-in-one-psalm:latest

.github/workflows/dependency-updates.yml

@@ -10,27 +10,26 @@ jobs:
     name: Run dependency update script
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.2
+        php-version: 8.1
         extensions: apcu
     - name: Run dependency update script
       run: |
         set -x
         cd ./php
-        composer update --with-all-dependencies
-        # Disable dependency updates for now
-        # set +e
-        # ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
-        # set -e
-        # while [ -n "$ALL_LINES" ]; do
-        #   CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
-        #   composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
-        #   ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
-        # done
-        # echo "outdated dependencies:
-        # $(composer outdated)"
+        composer update
+        set +e
+        ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
+        set -e
+        while [ -n "$ALL_LINES" ]; do
+          CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
+          composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
+          ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
+        done
+        echo "outdated dependencies:
+        $(composer outdated)"
     - name: Update apcu
       run: |
         # APCU
@@ -44,12 +43,12 @@ jobs:
         )"
         sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v5
+      uses: peter-evans/create-pull-request@v4
       with:
-        commit-message: php dependency updates
+        commit-message: dependency updates
         signoff: true
-        title: PHP dependency updates
-        body: Automated php dependency updates since dependabot does not support grouped updates
-        labels: dependencies, 3. to review
+        title: Dependency updates
+        body: Automated dependency updates since dependabot does not support grouped updates
+        labels: dependencies, enhancement
         milestone: next
         branch: aio-dependency-update

.github/workflows/docker-lint.yml

@@ -1,46 +0,0 @@
-name: Docker Lint
-
-on:
-  pull_request:
-    paths:
-      - 'Containers/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'Containers/**'
-
-permissions:
-  contents: read
-
-concurrency: 
-  group: docker-lint-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  docker-lint:
-    runs-on: ubuntu-latest
-
-    name: docker-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install hadolint
-        run: |
-          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
-          sudo chmod +x /usr/bin/hadolint
-
-      - name: run lint
-        run: |
-          DOCKERFILES="$(find ./Containers -name Dockerfile)"
-          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
-          for file in "${DOCKERFILES[@]}"; do
-            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
-            # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
-            hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
-          done
-          if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
-            exit 1
-          fi

.github/workflows/helm-release.yml

@@ -6,14 +6,14 @@ on:
     branches:
       - main
     paths:
-      - 'nextcloud-aio-helm-chart/**'
+      - 'helm-chart/**'
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Turnstyle
         uses: softprops/turnstyle@v1
@@ -32,7 +32,7 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@v3.5
+        uses: azure/setup-helm@v3.1
         with:
           version: v3.6.3
 
@@ -40,8 +40,9 @@ jobs:
         # TODO: switch back @main to a specific version like @v1.5.1 or higher
         uses: helm/chart-releaser-action@main
         with:
+          charts_repo_url: https://nextcloud.github.io/all-in-one
+          charts_dir: helm-chart
           mark_as_latest: false
-          charts_dir: .
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"

.github/workflows/imaginary-update.yml

@@ -1,33 +0,0 @@
-name: imaginary-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  run_update:
-    name: update to latest imaginary commit on master branch
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Run imaginary-update
-      run: |
-        # Imaginary
-        imaginary_version="$(
-          git ls-remote https://github.com/h2non/imaginary master \
-            | cut -f1 \
-            | tail -1
-        )"
-        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v5
-      with:
-        commit-message: imaginary-update automated change
-        signoff: true
-        title: Imaginary update
-        body: Automated Imaginary container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: imaginary-container-update

.github/workflows/json-validator.yml

@@ -2,34 +2,19 @@ name: Json Validator
 
 on:
   pull_request:
-    paths:
-      - '**.json'
   push:
     branches:
       - main
-    paths:
-      - '**.json'
 
 jobs:
-  json-validator:
+  psalm:
     name: Json Validator
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Validate Json
         run: |
-          sudo apt-get update
-          sudo apt-get install python3-pip -y --no-install-recommends
+          sudo apt install python3-pip --no-install-recommends
           sudo pip3 install json-spec
-          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
-            exit 1
-          fi
-          JSON_FILES="$(find ./community-containers -name '*.json')"
-          mapfile -t JSON_FILES <<< "$JSON_FILES"
-          for file in "${JSON_FILES[@]}"; do
-            json validate --schema-file=php/containers-schema.json --document-file="$file" 2>&1 | tee -a ./json-validator.log
-          done
-          if grep -q "document does not validate with schema." ./json-validator.log; then
-            exit 1
-          fi
+          json validate --schema-file=php/containers-schema.json --document-file=php/containers.json

.github/workflows/lint-helm.yml

@@ -1,35 +0,0 @@
-name: Lint and Test Charts
-
-on:
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - 'nextcloud-aio-helm-chart/**'
-
-jobs:
-  lint-helm:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3.5
-        with:
-          version: v3.11.1
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
-
-      - name: Run chart-testing (lint)
-        id: lint
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
-
-      - name: Run chart-testing (install)
-        id: install
-        run: ct install --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart

.github/workflows/lint-php.yml

@@ -3,22 +3,18 @@
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 
-name: Lint php
+name: Lint
 
 on:
   pull_request:
-    paths:
-      - 'php/**'
   push:
     branches:
       - main
-    paths:
-      - 'php/**'
 
 permissions:
   contents: read
 
-concurrency:
+concurrency: 
   group: lint-php-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
@@ -27,27 +23,24 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: [ "8.2" ]
+        php-versions: ["8.1"]
 
     name: php-lint
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4 # v3.5.2
+        uses: actions/checkout@v3
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
+        uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none
-          ini-file: development
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint
         run: cd php && composer run lint
 
-  php-lint-summary:
+  summary:
     permissions:
       contents: none
     runs-on: ubuntu-latest

.github/workflows/nextcloud-update.yml

@@ -11,7 +11,7 @@ jobs:
     name: Run nextcloud-update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Run nextcloud-update script
       run: |
         # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -63,17 +63,15 @@ jobs:
         # Nextcloud
         NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
         NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
-        if [ -n "$NCVERSION" ]; then
-          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
-        fi
+        sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v5
+      uses: peter-evans/create-pull-request@v4
       with:
         commit-message: nextcloud-update automated change
         signoff: true
-        title: Nextcloud dependency update
+        title: Nextcloud update
         body: Automated Nextcloud container update
-        labels: dependencies, 3. to review
+        labels: dependencies, enhancement
         milestone: next
         branch: nextcloud-container-update

.github/workflows/php-deprecation-detector.yml

@@ -3,24 +3,20 @@ name: PHP Deprecation Detector
 
 on:
   pull_request:
-    paths:
-      - 'php/**'
   push:
     branches:
       - main
-    paths:
-      - 'php/**'
 
 jobs:
-  phpdd:
+  psalm:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up php8.2
+      - uses: actions/checkout@v3
+      - name: Set up php8.1
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.1
           extensions: apcu
           coverage: none
 

.github/workflows/psalm-analysis.yml

@@ -0,0 +1,28 @@
+name: Psalm Analysis
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up php8.1
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.1
+          extensions: apcu
+          coverage: none
+
+      - name: Run script
+        run: |
+          set -x
+          cd php
+          composer global require vimeo/psalm --prefer-dist --no-progress --dev
+          composer install
+          composer run psalm

.github/workflows/psalm-security.yml

@@ -0,0 +1,25 @@
+name: Psalm Security Analysis
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Psalm
+        uses: docker://ghcr.io/nextcloud/all-in-one-psalm
+        with:
+          relative_dir: php
+          security_analysis: true
+          composer_ignore_platform_reqs: false
+          report_file: results.sarif
+      - name: Upload Security Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: php/results.sarif

.github/workflows/psalm-update-baseline.yml

@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
 
-      - name: Set up php8.2
+      - name: Set up php8.1
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.1
           extensions: apcu
           coverage: none
 
@@ -31,7 +31,7 @@ jobs:
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v4
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           commit-message: Update psalm baseline
@@ -39,9 +39,10 @@ jobs:
           author: nextcloud-command <nextcloud-command@users.noreply.github.com>
           signoff: true
           branch: automated/noid/psalm-baseline-update
+          # Make sure we can open multiple PRs
+          branch-suffix: timestamp
           title: '[Automated] Update psalm-baseline.xml'
-          milestone: next
           body: |
             Auto-generated update psalm-baseline.xml with fixed psalm warnings
           labels: |
-            3. to review, dependencies
+            3. to review

.github/workflows/psalm.yml

@@ -1,47 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-
-name: Static analysis
-
-on:
-  pull_request:
-    paths:
-      - 'php/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'php/**'
-
-concurrency:
-  group: psalm-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  static-analysis:
-    runs-on: ubuntu-latest
-
-    name: Nextcloud
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4 # v3.5.2
-
-      - name: Set up php
-        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
-        with:
-          php-version: 8.2
-          extensions: apcu
-          coverage: none
-          ini-file: development
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install dependencies and run psalm
-        run: |
-          set -x
-          cd php
-          composer global require vimeo/psalm --prefer-dist --no-progress --dev
-          composer install
-          composer run psalm

.github/workflows/shellcheck.yml

@@ -2,20 +2,16 @@ name: Shellcheck
 
 on:
   pull_request:
-    paths:
-      - '**.sh'
   push:
     branches:
       - main
-    paths:
-      - '**.sh'
 
 jobs:
   shellcheck:
     name: Check Shell
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Run Shellcheck
       uses: ludeeus/action-shellcheck@2.0.0
       with:

.github/workflows/spellcheck.yml

@@ -0,0 +1,23 @@
+name: 'Spellcheck'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  spellcheck:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: spelling or typos
+        uses: actions/checkout@v3
+      - name: fix permission for reviewdog
+        run: sudo chown -R root:root $GITHUB_WORKSPACE
+      - name: misspell
+        uses: reviewdog/action-misspell@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          locale: "US"
+          fail_on_error: true

.github/workflows/talk.yml

@@ -1,56 +0,0 @@
-name: talk-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  talk-update:
-    name: update talk
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Run talk-update
-      run: |
-        # Spreed
-        spreed_version="$(
-          git ls-remote https://github.com/nextcloud/spreed v*.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
-        curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
-        
-        # Signaling
-        signaling_version="$(
-          git ls-remote https://github.com/strukturag/nextcloud-spreed-signaling v*.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
-        
-        # Janus
-        janus_version="$(
-          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v5
-      with:
-        commit-message: talk-update automated change
-        signoff: true
-        title: talk update
-        body: Automated talk container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: talk-container-update

.github/workflows/twig-lint.yml

@@ -1,42 +0,0 @@
-name: Twig Lint
-
-on:
-  pull_request:
-    paths:
-      - '**.twig'
-  push:
-    branches:
-      - main
-    paths:
-      - '**.twig'
-
-permissions:
-  contents: read
-
-concurrency: 
-  group: lint-twig-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  twig-lint:
-    runs-on: ubuntu-latest
-    name: twig-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: 8.2
-          extensions: apcu
-          coverage: none
-
-      - name: twig lint
-        run: |
-          cd php
-          composer require sserbin/twig-linter:@dev --no-progress --dev
-          composer install
-          chmod +x ./vendor/bin/twig-linter
-          ./vendor/bin/twig-linter lint ./templates

.github/workflows/update-helm.yml

@@ -6,28 +6,28 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  update-helm:
+  psalm:
     name: update helm chart
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: update helm chart
         run: |
           DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20' | sort -r | head -1)"
           DOCKER_TAG="${DOCKER_TAG%%-latest*}"
           export DOCKER_TAG
-          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
-            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
+          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
+            sudo bash helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v4
         with:
           commit-message: Helm Chart updates
           signoff: true
           title: Helm Chart updates
           body: Automated Helm Chart updates for the yaml files. It can be merged if it looks good at any time which will automatically trigger a new release of the helm chart.
-          labels: dependencies, 3. to review
+          labels: dependencies
           milestone: next
           branch: aio-helm-update
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-yaml.yml

@@ -6,23 +6,23 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  update-yaml:
+  psalm:
     name: update yaml files
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: update yaml files
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v4
         with:
           commit-message: Yaml updates
           signoff: true
           title: Yaml updates
           body: Automated yaml updates for the docker-compose files. Should only be merged shortly before the next latest release.
-          labels: dependencies, 3. to review
+          labels: dependencies
           milestone: next
           branch: aio-yaml-update
           token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -6,5 +6,4 @@
 /manual-install/*.conf
 !/manual-install/sample.conf
 /manual-install/docker-compose.yml
-/manual-install/compose.yaml
 /manual-install/.env

Containers/apache/Caddyfile

@@ -5,10 +5,6 @@
         root /mnt/data/caddy
     }
 
-    servers {
-        # trusted_proxies placeholder
-    }
-
     log {
         level ERROR
     }
@@ -16,21 +12,37 @@
 
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
 
-    # Collabora
-    route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-    route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-    route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
+        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
+            # trusted_proxies placeholder
+        }
+    }
+
+    # Talk
+    route /standalone-signaling/* {
+        uri strip_prefix /standalone-signaling
+        reverse_proxy {$TALK_HOST}:8081 {
+            # trusted_proxies placeholder
+        }
+    }
+
+    # Collabora
+    route /browser/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
+    }
+    route /hosting/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
+    }
+    route /cool/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Onlyoffice
@@ -39,24 +51,19 @@
         reverse_proxy {$ONLYOFFICE_HOST}:80 {
             header_up X-Forwarded-Host {http.request.host}/onlyoffice
             header_up X-Forwarded-Proto https
+            # trusted_proxies placeholder
         }
     }
 
-    # Talk
-    route /standalone-signaling/* {
-        uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081
-    }
-
-    # Others
-    import /mnt/data/caddy-imports/*
-
     # Nextcloud
     route {
         rewrite /.well-known/carddav /remote.php/dav
         rewrite /.well-known/caldav /remote.php/dav
         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000
+        reverse_proxy localhost:8000 {
+            # See https://github.com/nextcloud/all-in-one/issues/828
+            # trusted_proxies placeholder
+        }
     }
 
     # TLS options

Containers/apache/Dockerfile

@@ -1,16 +1,7 @@
-FROM caddy:2.7.5-alpine as caddy
+# Caddy is a requirement
+FROM caddy:2.6.4-alpine as caddy
 
-FROM httpd:2.4.58-alpine3.18
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
-
-COPY --chown=33:33 Caddyfile /Caddyfile
-COPY --chmod=664 nextcloud.conf /usr/local/apache2/conf/nextcloud.conf
-COPY --chmod=664 supervisord.conf /supervisord.conf
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-VOLUME /mnt/data
+FROM httpd:2.4.56-alpine3.17
 
 RUN set -ex; \
     apk add --no-cache shadow; \
@@ -18,66 +9,77 @@ RUN set -ex; \
     usermod -u 333 -g 333 xfs; \
     groupmod -g 33 www-data; \
     usermod -u 33 -g 33 www-data; \
-    apk del --no-cache shadow; \
-    \
-    mkdir -p /mnt/data; \
-    chown -R www-data:www-data /mnt/data; \
-    chown -R 777 /tmp; \
-    \
+    apk del --no-cache shadow
+
+RUN mkdir -p /mnt/data; \
+    chown www-data:www-data /mnt/data;
+
+VOLUME /mnt/data
+
+RUN set -ex; \
     apk add --no-cache \
         bash \
         supervisor \
+        wget \
         tzdata \
         ca-certificates \
         openssl \
-        bind-tools \
-        netcat-openbsd; \
-    \
-    sed -i \
-            -e '/^Listen /d' \
-            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
-            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
-        /usr/local/apache2/conf/httpd.conf; \
-    echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
-    echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
-    \
-    rm -rf /usr/local/apache2/conf/original /var/www; \
-    mkdir -p /var/www; \
-    chown -R www-data:www-data /var/www; \
-    \
-    mkdir /var/log/supervisord; \
+        netcat-openbsd
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/
+RUN chmod +x /usr/bin/caddy
+
+RUN sed -i \
+                -e '/^Listen /d' \
+                -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
+                -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
+                -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+                conf/httpd.conf; \
+		echo "Include conf/nextcloud.conf" | tee -a conf/httpd.conf; \
+                echo "ServerName localhost" | tee -a conf/httpd.conf
+		
+COPY nextcloud.conf conf
+
+RUN set -ex; \
+    rm -rf conf/original conf/original && \
+    rm -rf /var/www/html/* && \
+    mkdir /var/www && \
+    chown -R www-data:www-data /var/www;
+
+RUN mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord; \
     chown www-data:www-data /var/run/supervisord; \
-    chown www-data:www-data /var/log/supervisord; \
-    chmod 777 /var/run/supervisord; \
-    chmod 777 /var/log/supervisord; \
-    \
+    chown www-data:www-data /var/log/supervisord;
+
+COPY Caddyfile /
+
+COPY start.sh /usr/bin/
+COPY healthcheck.sh /usr/bin/
+COPY supervisord.conf /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /usr/bin/healthcheck.sh; \
+    chmod +r /supervisord.conf; \
+    chown www-data:www-data /Caddyfile; \
     chown -R www-data:www-data /usr/local/apache2; \
-    chmod +r -R /usr/local/apache2; \
-    mkdir -p /usr/local/apache2/logs; \
-    chmod 777 -R /home/www-data; \
-    chmod 777 -R /usr/local/apache2/logs; \
-    rm -rf /usr/local/apache2/cgi-bin/; \
-    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    chmod +r -R /usr/local/apache2
+
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER www-data
 
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+HEALTHCHECK CMD healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/apache/healthcheck.sh

@@ -2,8 +2,8 @@
 
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z localhost 8000 || exit 1
-nc -z localhost "$APACHE_PORT" || exit 1
-if ! nc -z "$NC_DOMAIN" 443; then
-    echo "Could not reach $NC_DOMAIN on port 443."
-    exit 1
+if [ "$APACHE_PORT" != '443' ]; then
+    nc -z localhost "$APACHE_PORT" || exit 1
+else
+    nc -z "$NC_DOMAIN" "$APACHE_PORT" || exit 1
 fi

Containers/apache/nextcloud.conf

@@ -3,23 +3,13 @@ Listen 8000
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    CustomLog /proc/self/fd/1 combined
     ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
     </FilesMatch>
-
-    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
-    <IfModule mod_brotli.c>
-        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 0
-    </IfModule>
-
     # Nextcloud dir
     DocumentRoot /var/www/html/
     <Directory /var/www/html/>

Containers/apache/start.sh

@@ -17,12 +17,6 @@ while ! nc -z "$NEXTCLOUD_HOST" 9000; do
     sleep 5
 done
 
-# Get ipv4-address of Apache
-IPv4_ADDRESS="$(dig nextcloud-aio-apache A +short +search | head -1)"
-# Bring it in CIDR notation
-# shellcheck disable=SC2001
-IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|1/32|')"
-
 if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
@@ -41,31 +35,22 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /tmp/Caddyfile
+echo "$CADDYFILE" > /Caddyfile
 
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
 else
-    CADDYFILE="$(sed "s|# trusted_proxies placeholder|trusted_proxies static $IPv4_ADDRESS|" /tmp/Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /tmp/Caddyfile
+echo "$CADDYFILE" > /Caddyfile
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /tmp/Caddyfile
+caddy fmt --overwrite /Caddyfile
 
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 
-# Add caddy import path
-mkdir -p /mnt/data/caddy-imports
-
-# Remove falsely added Nextcloud conf
-rm -f /mnt/data/caddy-imports/nextcloud
-
-# Make sure that the caddy-imports dir is not empty
-echo "# empty file so that caddy does not print a warning" > /mnt/data/caddy-imports/empty
-
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid
 

Containers/apache/supervisord.conf

@@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /tmp/Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile

Containers/borgbackup/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.4
+FROM alpine:3.17.2
 
 RUN set -ex; \
     \
@@ -13,11 +13,11 @@ RUN set -ex; \
 
 VOLUME /root
 
-COPY --chmod=770 *.sh /
+COPY start.sh /usr/bin/
+COPY backupscript.sh /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /backupscript.sh
 
-ENTRYPOINT ["/start.sh"]
-# hadolint ignore=DL3002
 USER root
-
-LABEL com.centurylinklabs.watchtower.enable="false"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
+ENTRYPOINT ["start.sh"]
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/borgbackup/backupscript.sh

@@ -24,30 +24,22 @@ for directory in "${VOLUME_DIRS[@]}"; do
         exit 1
     fi
 done
-# Test if default volumes are there
-DEFAULT_VOLUMES=(nextcloud_aio_apache nextcloud_aio_nextcloud nextcloud_aio_database nextcloud_aio_database_dump nextcloud_aio_elasticsearch nextcloud_aio_nextcloud_data nextcloud_aio_mastercontainer)
-for volume in "${DEFAULT_VOLUMES[@]}"; do
-    if ! mountpoint -q "/nextcloud_aio_volumes/$volume"; then
-        echo "$volume is missing which is not intended."
-        exit 1
-    fi
-done
 
 # Check if target is mountpoint
 if ! mountpoint -q /mnt/borgbackup; then
-    echo "/mnt/borgbackup is not a mountpoint which is not allowed."
+    echo "/mnt/borgbackup is not a mountpoint which is not allowed"
     exit 1
 fi
 
 # Check if target is empty
 if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-    echo "The repository is empty. Cannot perform check or restore."
+    echo "The repository is empty. cannot perform check or restore."
     exit 1
 fi
 
 # Do not continue if this file exists (needed for simple external blocking)
 if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
-    echo "Not continuing because aio-lockfile exists – it seems like a script is externally running which is locking the backup archive."
+    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
     echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
     exit 1
 fi
@@ -65,33 +57,25 @@ if [ "$BORG_MODE" = backup ]; then
         echo "configuration.json not present. Cannot perform the backup!"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
-        echo "config.php is missing. Cannot perform backup!"
+        echo "config.php is missing cannot perform backup"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
-        echo "database-dump is missing. Cannot perform backup!"
+        echo "database-dump is missing. cannot perform backup"
         exit 1
     fi
 
-    # Test that default volumes are not empty
-    for volume in "${DEFAULT_VOLUMES[@]}"; do
-        if [ -z "$(ls -A "/nextcloud_aio_volumes/$volume")" ] && [ "$volume" != "nextcloud_aio_elasticsearch" ]; then
-            echo "/nextcloud_aio_volumes/$volume is empty which should not happen!"
+    # Test that nothing is empty
+    for directory in "${VOLUME_DIRS[@]}"; do
+        if [ -z "$(ls -A "$directory")" ] && [ "$directory" != "/nextcloud_aio_volumes/nextcloud_aio_elasticsearch" ]; then
+            echo "$directory is empty which is not allowed."
             exit 1
         fi
     done
 
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/export.failed" ]; then
+        echo "Database export failed the last time. Most likely was the export time not high enough."
         echo "Cannot create a backup now."
-        echo "Reason is that the database export failed the last time."
-        echo "Most likely was the database container not correctly shut down via the AIO interface."
-        echo ""
-        echo "You might want to try the database export again manually by running the three commands:"
-        echo "sudo docker start nextcloud-aio-database"
-        echo "sleep 10"
-        echo "sudo docker stop nextcloud-aio-database -t 1800"
-        echo ""
-        echo "Afterwards try to create a backup again and it should hopefully work."
-        echo "If it should still fail, feel free to report this to https://github.com/nextcloud/all-in-one/issues and post the database container logs and the borgbackup container logs into the thread. Thanks!"
+        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
@@ -102,14 +86,13 @@ if [ "$BORG_MODE" = backup ]; then
     if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
         # Don't initialize if already initialized
         if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-            echo "No borg config file was found in the targeted directory."
-            echo "This might happen if the targeted directory is located on an external drive and the drive not connected anymore. You should check this."
-            echo "If you instead want to initialize a new backup repository, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
+            echo "Cannot initialize a new repository as that was already done at least one time."
+            echo "If you still want to do so, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
             echo "sudo docker exec nextcloud-aio-mastercontainer rm /mnt/docker-aio-config/data/borg.config"
             exit 1
         fi
 
-        echo "Initializing repository..."
+        echo "initializing repository..."
         NEW_REPOSITORY=1
         if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
             echo "Could not initialize borg repository."
@@ -144,21 +127,11 @@ if [ "$BORG_MODE" = backup ]; then
     # Borg options
     # auto,zstd compression seems to has the best ratio based on:
     # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
-    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
-    if [ "$NEW_REPOSITORY" = 1 ]; then
-        BORG_OPTS+=(--progress)
-    fi
+    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches --checkpoint-interval 86400)
 
     # Exclude the nextcloud log and audit log for GDPR reasons
     BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
 
-    # Make sure that there is always a borg.config file before creating a new backup
-    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-        echo "Did not find borg.config file in the mastercontainer volume."
-        echo "Cannot create a backup as this is wrong."
-        exit 1
-    fi
-
     # Create the backup
     echo "Starting the backup..."
     get_start_time
@@ -166,7 +139,6 @@ if [ "$BORG_MODE" = backup ]; then
         echo "Deleting the failed backup archive..."
         borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio"
         echo "Backup failed!"
-        echo "You might want to check the backup integrity via the AIO interface."
         if [ "$NEW_REPOSITORY" = 1 ]; then
             echo "Deleting borg.config file so that you can choose a different location for the backup."
             rm "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
@@ -178,12 +150,11 @@ if [ "$BORG_MODE" = backup ]; then
     rm -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
 
     # Prune options
-    read -ra BORG_PRUNE_OPTS <<< "$BORG_RETENTION_POLICY"
-    echo "BORG_PRUNE_OPTS are ${BORG_PRUNE_OPTS[*]}"
+    BORG_PRUNE_OPTS=(--stats --keep-within=7d --keep-weekly=4 --keep-monthly=6 "$BORG_BACKUP_DIRECTORY")
 
     # Prune archives
     echo "Pruning the archives..."
-    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
+    if ! borg prune --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
         echo "Failed to prune archives!"
         exit 1
     fi
@@ -214,13 +185,13 @@ if [ "$BORG_MODE" = backup ]; then
                 exit 1
             fi
             echo "Pruning additional volumes..."
-            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
+            if ! borg prune --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional docker-volumes archives!"
                 exit 1
             fi
             echo "Compacting additional volumes..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact additional docker-volume archives!"
+                echo "Failed to compact archives!"
                 exit 1
             fi
         fi
@@ -244,13 +215,13 @@ if [ "$BORG_MODE" = backup ]; then
                 exit 1
             fi
             echo "Pruning additional host mounts..."
-            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
+            if ! borg prune --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional host-mount archives!"
                 exit 1
             fi
             echo "Compacting additional host mounts..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact additional host-mount archives!"
+                echo "Failed to compact archives!"
                 exit 1
             fi
         fi
@@ -258,7 +229,7 @@ if [ "$BORG_MODE" = backup ]; then
 
     # Inform user
     get_expiration_time
-    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/update.failed" ]; then
         echo "However a Nextcloud update failed. So reporting that the backup failed which will skip any update attempt the next time."
         echo "Please restore a backup from before the failed Nextcloud update attempt."
@@ -305,7 +276,7 @@ if [ "$BORG_MODE" = restore ]; then
     --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
     --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
     --exclude "nextcloud_aio_mastercontainer/session/**" \
-    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
         RESTORE_FAILED=1
         echo "Something failed while restoring from backup."
     fi
@@ -369,7 +340,7 @@ if [ "$BORG_MODE" = restore ]; then
 
     # Inform user
     get_expiration_time
-    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
 
     # Add file to Nextcloud container so that it skips any update the next time
     touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
@@ -391,13 +362,12 @@ if [ "$BORG_MODE" = check ]; then
     # Perform the check
     if ! borg check -v --verify-data "$BORG_BACKUP_DIRECTORY"; then
         echo "Some errors were found while checking the backup integrity!"
-        echo "Check the AIO interface for advices on how to proceed now!"
         exit 1
     fi
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     exit 0
 fi
 
@@ -414,7 +384,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     exit 0
 fi
 

Containers/clamav/Dockerfile

@@ -1,18 +1,7 @@
-# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.2.1-14
+# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/0.105/alpine/Dockerfile
+FROM clamav/clamav:1.0.1-1
 
-COPY clamav.conf /tmp/clamav.conf
-
-RUN set -ex; \
-    apk add --no-cache tzdata; \
-    cat /tmp/clamav.conf >> /etc/clamav/clamd.conf; \
-    rm /tmp/clamav.conf; \
-    mkdir -p /var/run/clamav /run/lock; \
-    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
-    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp
-
-VOLUME /var/lib/clamav
-
-USER clamav
-
-LABEL com.centurylinklabs.watchtower.enable="false"
+RUN apk add --no-cache tzdata
+COPY clamav.conf /tmp/
+RUN cat /tmp/clamav.conf >> /etc/clamav/clamd.conf
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/collabora/Dockerfile

@@ -1,20 +1,19 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.5.3.1
+FROM collabora/code:22.05.12.2.1
 
 USER root
 
-# hadolint ignore=DL3008
 RUN set -ex; \
     \
     apt-get update; \
     export DEBIAN_FRONTEND=noninteractive; \
     apt-get install -y --no-install-recommends \
         tzdata \
-        netcat-openbsd \
+        netcat \
     ; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*
 
-USER 100
+USER 104
 
 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/docker-socket-proxy/Dockerfile

@@ -1,19 +0,0 @@
-FROM haproxy:2.8.3-alpine3.18
-
-# hadolint ignore=DL3002
-USER root
-ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        tzdata \
-        bash \
-        bind-tools; \
-    chmod -R 777 /tmp
-
-COPY --chmod=775 *.sh /
-COPY --chmod=664 haproxy.cfg /haproxy.cfg
-
-ENTRYPOINT ["/start.sh"]
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/docker-socket-proxy/haproxy.cfg

@@ -1,59 +0,0 @@
-# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
-
-global
-    maxconn 10
-
-defaults
-    timeout connect 10s
-    timeout client 10s
-    timeout server 10s
-
-frontend http
-    mode http
-    bind :::2375 v4v6
-    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
-    # docker system _ping
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
-    # container inspect: GET containers/%s/json
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
-    # container start/stop: POST containers/%s/start containers/%s/stop
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
-    # container rm: DELETE containers/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
-
-
-    # container create: POST containers/create?name=%s
-    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
-    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
-
-    # ACL to restrict the number of Mounts to 1
-    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
-    # ACL to deny if there are any binds
-    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
-    # ACL to restrict the type of Mounts to volume
-    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
-
-    # ACL to restrict container creation, that it has HostConfig.Privileged not set
-    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
-    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
-    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
-    # end of container create
-
-    # volume create: POST volumes/create
-    # restrict name
-    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
-    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
-    acl volume_no_device req.body -m reg -i "\"device\""
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
-    # volume rm: DELETE volumes/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
-    # image pull: POST images/create?fromImage=%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
-    http-request deny
-    default_backend dockerbackend
-
-backend dockerbackend
-    mode http
-    server dockersocket /var/run/docker.sock

Containers/docker-socket-proxy/healthcheck.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-
-nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
-nc -z localhost 2375 || exit 1

Containers/docker-socket-proxy/start.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-# Only start container if nextcloud is accessible
-while ! nc -z "$NEXTCLOUD_HOST" 9001; do
-    echo "Waiting for Nextcloud to start..."
-    sleep 5
-done
-
-set -x
-IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
-echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-
-IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-if [ -n "$IPv6_ADDRESS_NC" ]; then
-    HAPROXYFILE="$(sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|" /tmp/haproxy.cfg)"
-else
-    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
-fi
-echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-set +x
-
-haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/Dockerfile

@@ -1,18 +1,19 @@
-FROM alpine:3.18.4
-RUN set -ex; \
-    apk add --no-cache bash lighttpd netcat-openbsd; \
-    adduser -S www-data -G www-data; \
-    rm -rf /etc/lighttpd/lighttpd.conf; \
-    chmod 777 -R /etc/lighttpd; \
-    mkdir -p /var/www/domaincheck; \
-    chown www-data:www-data -R /var/www; \
-    chmod 777 -R /var/www/domaincheck
-COPY --chown=www-data:www-data lighttpd.conf /lighttpd.conf
+FROM alpine:3.17.2
+RUN apk add --no-cache lighttpd bash netcat-openbsd
 
-COPY --chmod=775 start.sh /start.sh
+RUN adduser -S www-data -G www-data
+RUN rm -rf /etc/lighttpd/lighttpd.conf
+COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
+RUN chmod +r -R /etc/lighttpd && \
+    chown www-data:www-data -R /var/www && \
+    chown www-data:www-data /etc/lighttpd/lighttpd.conf
+
+COPY start.sh /
+RUN chmod +x /start.sh
 
 USER www-data
+RUN mkdir -p /var/www/domaincheck/
 ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/domaincheck/start.sh

@@ -11,7 +11,7 @@ if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
 
-CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
+CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /etc/lighttpd/lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 
 # Check config file

Containers/fulltextsearch/Dockerfile

@@ -1,20 +1,15 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.10.4
+FROM elasticsearch:7.17.9
 
-USER root
+RUN elasticsearch-plugin install --batch ingest-attachment
 
-# hadolint ignore=DL3008
 RUN set -ex; \
     \
-    export DEBIAN_FRONTEND=noninteractive; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         tzdata \
     ; \
-    rm -rf /var/lib/apt/lists/*; \
-    elasticsearch-plugin install --batch ingest-attachment
-
-USER 1000:0
+    rm -rf /var/lib/apt/lists/*
 
 HEALTHCHECK CMD nc -z localhost 9200 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/imaginary/Dockerfile

@@ -1,38 +1,29 @@
-FROM golang:1.21.3-alpine3.18 as go
-
-ENV IMAGINARY_HASH 7efb66c243056e5b3b65215e101be7915983e364
+# From https://github.com/h2non/imaginary/blob/master/Dockerfile
+FROM nextcloud/imaginary:20230301
 
+USER root
 RUN set -ex; \
-    apk add --no-cache \
-        vips-dev \
-        vips-magick \
-        vips-heif \
-        vips-jxl \
-        vips-poppler \
-        build-base; \
-    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
-
-FROM alpine:3.18.4
-RUN set -ex; \
-    apk add --no-cache \
-        tzdata \
-        ca-certificates \
-        netcat-openbsd \
-        vips \
-        vips-magick \
-        vips-heif \
-        vips-jxl \
-        vips-poppler
-
-COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
-
-ENV PORT 9000
-
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        netcat \
+    ; \
+    echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list; \
+    apt-get update; \
+    apt-get install -t bookworm -y --no-install-recommends \
+        libheif1 \
+        libde265-0 \
+        libx265-199 \
+        libvips \
+    ; \
+    rm /etc/apt/sources.list.d/bookworm.list; \
+    rm -rf /var/lib/apt/lists/*
 USER nobody
 
+ENTRYPOINT ["/usr/local/bin/imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
+
+HEALTHCHECK CMD nc -z localhost 9000 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"
+
 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
-ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
-
-HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/mastercontainer/Caddyfile

@@ -10,21 +10,18 @@
     log {
         level ERROR
     }
-
-    servers {
-        protocols h1 h2 h2c
-    }
-
-    on_demand_tls {
-        ask http://localhost:9876/
-    }
 }
 
 http://:80 {
-    redir https://{host}{uri} permanent
+  redir https://{host}{uri}
 }
 
-https://:8443 {
+# Match only host names and not ip-addresses:
+https://*.*:8443,
+https://*.*.*:8443,
+https://*.*.*.*:8443,
+https://*.*.*.*.*:8443,
+https://*.*.*.*.*.*:8443 {
 
     reverse_proxy localhost:8000
 

Containers/mastercontainer/Dockerfile

@@ -1,29 +1,28 @@
 # Docker CLI is a requirement
-FROM docker:24.0.7-cli as docker
+FROM docker:23.0.1-dind as dind
 
 # Caddy is a requirement
-FROM caddy:2.7.5-alpine as caddy
+FROM caddy:2.6.4-alpine as caddy
 
-# From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
-FROM php:8.2.12-fpm-alpine3.18
+# From https://github.com/docker-library/php/blob/master/8.1/alpine3.17/fpm/Dockerfile
+FROM php:8.1.17-fpm-alpine3.17
 
-EXPOSE 80
-EXPOSE 8080
-EXPOSE 8443
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
-COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
-
-WORKDIR /var/www/docker-aio
-
-# hadolint ignore=SC2086,DL3047,DL3003,DL3004
 RUN set -ex; \
     apk add --no-cache shadow; \
     groupmod -g 333 xfs; \
     usermod -u 333 -g 333 xfs; \
     groupmod -g 33 www-data; \
-    usermod -u 33 -g 33 www-data; \
-    \
+    usermod -u 33 -g 33 www-data
+
+EXPOSE 80
+EXPOSE 8080
+EXPOSE 8443
+
+RUN mkdir -p /var/www/docker-aio;
+
+WORKDIR /var/www/docker-aio
+
+RUN set -ex; \
     apk add --no-cache \
         util-linux-misc \
         ca-certificates \
@@ -37,54 +36,60 @@ RUN set -ex; \
         sudo \
         netcat-openbsd \
         curl \
-        grep; \
-    \
+        grep
+
+RUN set -ex; \
     apk add --no-cache --virtual .build-deps \
         autoconf \
         build-base; \
     pecl install APCu-5.1.22; \
     docker-php-ext-enable apcu; \
     rm -r /tmp/pear; \
+    \
     runDeps="$( \
         scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
             | tr ',' '\n' \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-aio-rundeps $runDeps; \
+    apk add --virtual .nextcloud-aio-rundeps $runDeps; \
     apk del .build-deps; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
-    \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/
+RUN chmod +x /usr/bin/caddy
+
+COPY --from=dind /usr/local/bin/docker /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker
+
+RUN set -e && \
     apk add --no-cache git; \
     wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
-    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
-    chown www-data:www-data -R /var/www/docker-aio; \
     cd php; \
-    sudo -u www-data composer install --no-dev; \
-    sudo -u www-data composer clear-cache; \
+    composer install --no-dev; \
+    composer clearcache; \
     cd ..; \
     rm -f /usr/local/bin/composer; \
-    chmod -R 770 /var/www/docker-aio; \
-    chown -R www-data:www-data /var/www; \
-    rm -r php/data; \
-    rm -r php/session; \
-    \
-    mkdir -p /etc/apache2/certs; \
-    cd /etc/apache2/certs; \
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
-    \
-    sed -i \
+    chmod 770 -R ./; \
+    chown www-data:www-data -R /var/www; \
+    rm -r ./php/data; \
+    rm -r ./php/session; \
+    apk del --no-cache git
+
+RUN mkdir -p /etc/apache2/certs && \
+    cd /etc/apache2/certs && \
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt;
+
+COPY mastercontainer.conf /etc/apache2/sites-available/
+
+RUN sed -i \
             -e '/^Listen /d' \
-            -e 's/^LogLevel .*/LogLevel error/' \
-            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
             -e 's/User apache/User www-data/g' \
             -e 's/Group apache/Group www-data/g' \
             -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
@@ -96,34 +101,41 @@ RUN set -ex; \
             -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
             -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
             -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
         /etc/apache2/httpd.conf; \
         mkdir -p /etc/apache2/logs; \
         rm /etc/apache2/conf.d/ssl.conf; \
         echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
-        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
-        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
-        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
-    \
+        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf
+
+RUN set -ex; \
     rm -f /etc/apache2/conf.d/default.conf \
           /etc/apache2/conf.d/userdir.conf \
-          /etc/apache2/conf.d/info.conf; \
-    \
-    rm -rf /var/www/localhost/cgi-bin/; \
-    mkdir /var/log/supervisord; \
+          /etc/apache2/conf.d/info.conf
+
+RUN mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 
-COPY --chmod=775 *.sh /
-COPY --chmod=664 Caddyfile /Caddyfile
-COPY --chmod=664 supervisord.conf /supervisord.conf
-COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
+COPY Caddyfile /
+COPY start.sh /usr/bin/
+COPY backup-time-file-watcher.sh /
+COPY session-deduplicator.sh /
+COPY cron.sh /
+COPY daily-backup.sh /
+COPY supervisord.conf /
+COPY healthcheck.sh /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /cron.sh; \
+    chmod +x /session-deduplicator.sh; \
+    chmod +x /backup-time-file-watcher.sh; \
+    chmod +x /daily-backup.sh; \
+    chmod a+r /Caddyfile; \
+    chmod +x /healthcheck.sh
 
-# hadolint ignore=DL3002
 USER root
 
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD /healthcheck.sh

Containers/mastercontainer/cron.sh

@@ -12,11 +12,6 @@ while true; do
             export AUTOMATIC_UPDATES=0
             export START_CONTAINERS=1
         fi
-        if [ "$(sed -n '3p' "/mnt/docker-aio-config/data/daily_backup_time")" != 'successNotificationsAreNotEnabled' ]; then
-            export SEND_SUCCESS_NOTIFICATIONS=1
-        else
-            export SEND_SUCCESS_NOTIFICATIONS=0
-        fi
         set +x
         if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
             export LOCK_FILE_PRESENT=1
@@ -62,14 +57,6 @@ while true; do
     # Remove dangling images
     sudo -u www-data docker image prune --force
 
-    # Check for available free space
-    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
-
-    # Remove mastercontainer from default bridge network
-    if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
-        sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
-    fi
-
     # Wait 60s so that the whole loop will not be executed again
     sleep 60
 done

Containers/mastercontainer/daily-backup.sh

@@ -16,7 +16,7 @@ fi
 sudo -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -o '[0-9]\+' | head -1)"
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -oP '[0-9]+' | head -1)"
 while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
     echo "Waiting for apache to become available"
     sleep 30
@@ -105,7 +105,7 @@ if [ "$DAILY_BACKUP" = 1 ] && ([ "$AUTOMATIC_UPDATES" = 1 ] || [ "$START_CONTAIN
         done
     fi
     echo "Sending backup notification..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
 fi
 
 echo "Daily backup script has finished"

Containers/mastercontainer/healthcheck.sh

@@ -1,10 +1,5 @@
 #!/bin/bash
 
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
-    nc -z localhost 80 || exit 1
-    nc -z localhost 8000 || exit 1
     nc -z localhost 8080 || exit 1
-    nc -z localhost 8443 || exit 1
-    nc -z localhost 9000 || exit 1
-    nc -z localhost 9876 || exit 1
 fi

Containers/mastercontainer/mastercontainer.conf

@@ -11,11 +11,8 @@ Listen 8080
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    CustomLog /proc/self/fd/1 combined
     ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">

Containers/mastercontainer/start.sh

@@ -6,12 +6,6 @@ print_green() {
     printf "%b%s%b\n" "\e[0;92m" "$TEXT" "\e[0m"
 }
 
-# Function to show text in red
-print_red() {
-    local TEXT="$1"
-    printf "%b%s%b\n" "\e[0;31m" "$TEXT" "\e[0m"
-}
-
 # Function to check if number was provided
 check_if_number() {
 case "${1}" in
@@ -20,28 +14,12 @@ case "${1}" in
 esac
 }
 
-# Check if running as root user
-if [ "$EUID" != "0" ]; then
-    print_red "Container does not run as root user. This is not supported."
-    exit 1
-fi
-
-# Check that the CMD is not overwritten nor set
-if [ "$*" != "" ]; then
-    print_red "Docker run command for AIO is incorrect as a CMD option was given which is not expected."
-    exit 1
-fi
-
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
-    print_red "Docker socket is not available. Cannot continue."
-    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
-    echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
+    echo "Docker socket is not available. Cannot continue."
     exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
-    print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
-    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
-    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+    echo "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
     exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
@@ -62,16 +40,14 @@ elif ! sudo -u www-data test -r /var/run/docker.sock; then
         usermod -aG docker www-data
     fi
     if ! sudo -u www-data test -r /var/run/docker.sock; then
-        print_red "Docker socket is not readable by the www-data user. Cannot continue."
+        echo "Docker socket is not readable by the www-data user. Cannot continue."
         exit 1
     fi
 fi
 
 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
-    print_red "Cannot connect to the docker socket. Cannot proceed."
-    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
-    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+    echo "Cannot connect to the docker socket. Cannot proceed."
     exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
@@ -81,7 +57,7 @@ API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
 LOCAL_API_VERSION_NUMB="$(sudo -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
     if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-        print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
+        echo "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
         exit 1
     fi
 else
@@ -102,16 +78,16 @@ fi
 
 # Check if startup command was executed correctly
 if ! sudo -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
-    print_red "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
+    echo "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
     exit 1
 elif ! sudo -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
-    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
+    echo "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
     exit 1
 elif ! sudo -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
-    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
+    echo "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
     exit 1
 fi
@@ -119,34 +95,34 @@ fi
 # Check for other options
 if [ -n "$NEXTCLOUD_DATADIR" ]; then
     if [ "$NEXTCLOUD_DATADIR" = "nextcloud_aio_nextcloud_datadir" ]; then
-        sleep 1
+        echo "NEXTCLOUD_DATADIR is set to $NEXTCLOUD_DATADIR"
     elif ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/" || [ "$NEXTCLOUD_DATADIR" = "/" ]; then
-        print_red "You've set NEXTCLOUD_DATADIR but not to an allowed value.
-The string must start with '/' and must not be equal to '/'. Also allowed is 'nextcloud_aio_nextcloud_datadir'.
+        echo "You've set NEXTCLOUD_DATADIR but not to an allowed value.
+The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_DATADIR'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
     if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
-        print_red "You've set NEXCLOUD_MOUNT but not to an allowed value.
+        echo "You've set NEXCLOUD_MOUNT but not to an allowed value.
 The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_MOUNT'."
         exit 1
     elif [ "$NEXTCLOUD_MOUNT" = "/mnt/ncdata" ] || echo "$NEXTCLOUD_MOUNT" | grep -q "^/mnt/ncdata/"; then
-        print_red "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
+        echo "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_DATADIR" ] && [ -n "$NEXTCLOUD_MOUNT" ]; then
     if [ "$NEXTCLOUD_DATADIR" = "$NEXTCLOUD_MOUNT" ]; then
-        print_red "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
+        echo "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_UPLOAD_LIMIT" ]; then
     if ! echo "$NEXTCLOUD_UPLOAD_LIMIT" | grep -q '^[0-9]\+G$'; then
-        print_red "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
+        echo "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
 The string must start with a number and end with 'G'.
 It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
         exit 1
@@ -154,7 +130,7 @@ It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
 fi
 if [ -n "$NEXTCLOUD_MAX_TIME" ]; then
     if ! echo "$NEXTCLOUD_MAX_TIME" | grep -q '^[0-9]\+$'; then
-        print_red "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
+        echo "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
 The string must be a number. E.g. '3600'.
 It is set to '$NEXTCLOUD_MAX_TIME'."
         exit 1
@@ -162,7 +138,7 @@ It is set to '$NEXTCLOUD_MAX_TIME'."
 fi
 if [ -n "$NEXTCLOUD_MEMORY_LIMIT" ]; then
     if ! echo "$NEXTCLOUD_MEMORY_LIMIT" | grep -q '^[0-9]\+M$'; then
-        print_red "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
+        echo "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
 The string must start with a number and end with 'M'.
 It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
         exit 1
@@ -170,64 +146,64 @@ It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
 fi
 if [ -n "$APACHE_PORT" ]; then
     if ! check_if_number "$APACHE_PORT"; then
-        print_red "You provided an Apache port but did not only use numbers.
+        echo "You provided an Apache port but did not only use numbers.
 It is set to '$APACHE_PORT'."
         exit 1
     elif ! [ "$APACHE_PORT" -le 65535 ] || ! [ "$APACHE_PORT" -ge 1 ]; then
-        print_red "The provided Apache port is invalid. It must be between 1 and 65535"
+        echo "The provided Apache port is invalid. It must be between 1 and 65535"
         exit 1
     fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
-    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$'; then
-        print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
+    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9.]\+$'; then
+        echo "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
         exit 1
     fi
 fi
 if [ -n "$TALK_PORT" ]; then
     if ! check_if_number "$TALK_PORT"; then
-        print_red "You provided an Talk port but did not only use numbers.
+        echo "You provided an Talk port but did not only use numbers.
 It is set to '$TALK_PORT'."
         exit 1
     elif ! [ "$TALK_PORT" -le 65535 ] || ! [ "$TALK_PORT" -ge 1 ]; then
-        print_red "The provided Talk port is invalid. It must be between 1 and 65535"
+        echo "The provided Talk port is invalid. It must be between 1 and 65535"
         exit 1
     fi
 fi
 if [ -n "$APACHE_PORT" ] && [ -n "$TALK_PORT" ]; then
     if [ "$APACHE_PORT" = "$TALK_PORT" ]; then
-        print_red "APACHE_PORT and TALK_PORT are not allowed to be equal."
+        echo "APACHE_PORT and TALK_PORT are not allowed to be equal."
         exit 1
     fi
 fi
-if [ -n "$WATCHTOWER_DOCKER_SOCKET_PATH" ]; then
-    if ! echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "/$"; then
-        print_red "You've set WATCHTOWER_DOCKER_SOCKET_PATH but not to an allowed value.
+if [ -n "$DOCKER_SOCKET_PATH" ]; then
+    if ! echo "$DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$DOCKER_SOCKET_PATH" | grep -q "/$"; then
+        echo "You've set DOCKER_SOCKET_PATH but not to an allowed value.
 The string must start with '/' and must not end with '/'.
-It is set to '$WATCHTOWER_DOCKER_SOCKET_PATH'."
+It is set to '$DOCKER_SOCKET_PATH'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_TRUSTED_CACERTS_DIR" ]; then
     if ! echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "^/" || echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "/$"; then
-        print_red "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
+        echo "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
 It should be an absolute path to a directory that starts with '/' but not end with '/'.
 It is set to '$NEXTCLOUD_TRUSTED_CACERTS_DIR '."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_STARTUP_APPS" ]; then
-    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z0-9 _-]\+$"; then
-        print_red "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
-It needs to be a string. Allowed are small letters a-z, 0-9, spaces, hyphens and '_'.
+    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z _-]\+$"; then
+        echo "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
+It needs to be a string. Allowed are small letters a-z, spaces, hyphens and '_'.
 It is set to '$NEXTCLOUD_STARTUP_APPS'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_APKS" ]; then
     if ! echo "$NEXTCLOUD_ADDITIONAL_APKS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        print_red "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
+        echo "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
         exit 1
@@ -235,67 +211,24 @@ It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" ]; then
     if ! echo "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        print_red "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
+        echo "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS'."
         exit 1
     fi
 fi
-if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
-    read -ra AIO_CCONTAINERS <<< "$AIO_COMMUNITY_CONTAINERS"
-    for container in "${AIO_CCONTAINERS[@]}"; do
-        if ! [ -d "/var/www/docker-aio/community-containers/$container" ]; then
-            print_red "The community container $container was not found!"
-            FAIL_CCONTAINERS=1
-        fi
-    done
-    if [ -n "$FAIL_CCONTAINERS" ]; then
-        print_red "You've set AIO_COMMUNITY_CONTAINERS but at least one container was not found.
-It is set to '$AIO_COMMUNITY_CONTAINERS'."
-        exit 1
-    fi
-fi
 
 # Check DNS resolution
 # Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
 curl https://nextcloud.com &>/dev/null
 if [ "$?" = 6 ]; then
-    print_red "Could not resolve the host nextcloud.com."
+    echo "Could not resolve the host nextcloud.com."
     echo "Most likely the DNS resolving does not work."
     echo "You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
     echo "Apart from that, there has been this: https://github.com/nextcloud/all-in-one/discussions/2065"
     exit 1
 fi
 
-# Check that no changes have been made to timezone settings since AIO only supports running in Etc/UTC timezone
-if [ -n "$TZ" ]; then
-    print_red "The environmental variable TZ has been set which is not supported by AIO since it only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    # Disable exit since it seems to be by default set on unraid and we dont want to break these instances
-    # exit 1
-fi
-if mountpoint -q /etc/localtime; then
-    print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    exit 1
-fi
-if mountpoint -q /etc/timezone; then
-    print_red "/etc/timezone has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    exit 1
-fi
-
-# Check if unsupported env are set (but don't exit as it would break many instances)
-if [ -n "$APACHE_DISABLE_REWRITE_IP" ]; then
-    print_red "The environmental variable APACHE_DISABLE_REWRITE_IP has been set which is not supported by AIO. Please remove it!"
-fi
-if [ -n "$NEXTCLOUD_TRUSTED_DOMAINS" ]; then
-    print_red "The environmental variable NEXTCLOUD_TRUSTED_DOMAINS has been set which is not supported by AIO. Please remove it!"
-fi
-if [ -n "$TRUSTED_PROXIES" ]; then
-    print_red "The environmental variable TRUSTED_PROXIES has been set which is not supported by AIO. Please remove it!"
-fi
-
 # Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
@@ -340,15 +273,15 @@ if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
     cp "$GENERATED_CERTS/ssl.key" ./
 fi
 
-print_green "Initial startup of Nextcloud All-in-One complete!
+print_green "Initial startup of Nextcloud All In One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
 
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443"
 
-# Set the timezone to Etc/UTC
-export TZ=Etc/UTC
+# Set the timezone to UTC
+export TZ=UTC
 
 # Fix apache startup
 rm -f /var/run/apache2/httpd.pid
@@ -359,5 +292,4 @@ caddy fmt --overwrite /Caddyfile
 # Fix caddy log 
 chmod 777 /root
 
-# Start supervisord
-/usr/bin/supervisord -c /supervisord.conf
+exec "$@"

Containers/mastercontainer/supervisord.conf

@@ -38,7 +38,6 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/cron.sh
-user=root
 
 [program:backup-time-file-watcher]
 stdout_logfile=/dev/stdout
@@ -55,12 +54,3 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
 user=root
-
-[program:domain-validator]
-# Logging is disabled as otherwise all attempts will be logged which spams the logs
-# stdout_logfile=/dev/stdout
-# stdout_logfile_maxbytes=0
-# stderr_logfile=/dev/stderr
-# stderr_logfile_maxbytes=0
-command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
-user=www-data

Containers/nextcloud/Dockerfile

@@ -1,54 +1,58 @@
-FROM php:8.1.25-fpm-alpine3.18
-
-ENV PHP_MEMORY_LIMIT 512M
-ENV PHP_UPLOAD_LIMIT 10G
-ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 27.1.3
-ENV AIO_TOKEN 123456
-ENV AIO_URL localhost
-
-COPY --chmod=775 *.sh /
-COPY --chmod=774 upgrade.exclude /upgrade.exclude
-COPY config/*.php /
-COPY supervisord.conf /supervisord.conf
-
-VOLUME /mnt/ncdata
-VOLUME /var/www/html
+# From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
+FROM php:8.0.28-fpm-alpine3.16
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
-# hadolint ignore=SC2086,DL3003
 RUN set -ex; \
     apk add --no-cache shadow; \
     deluser www-data; \
     groupmod -g 333 xfs; \
     usermod -u 333 -g 333 xfs; \
     addgroup -g 33 -S www-data; \
-    adduser -u 33 -D -S -G www-data www-data; \
-    \
+    adduser -u 33 -D -S -G www-data www-data
+
 # entrypoint.sh and cron.sh dependencies
+RUN set -ex; \
+    \
     apk add --no-cache \
         rsync \
-    ; \
+    ;
+
 # install the PHP extensions we need
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
+ENV PHP_MEMORY_LIMIT 512M
+ENV PHP_UPLOAD_LIMIT 10G
+ENV PHP_MAX_TIME 3600
+RUN set -ex; \
+    \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
         autoconf \
+        libtool \
         freetype-dev \
-        gmp-dev \
         icu-dev \
-        imagemagick-dev \
         libevent-dev \
         libjpeg-turbo-dev \
         libmcrypt-dev \
-        libmemcached-dev \
         libpng-dev \
-        libwebp-dev \
+        libmemcached-dev \
         libxml2-dev \
         libzip-dev \
         openldap-dev \
         pcre-dev \
         postgresql-dev \
+        libwebp-dev \
+        gmp-dev \
+        lcms2-dev \
+        fontconfig-dev \
+        freetype-dev \
+        ghostscript-dev \
+        tiff-dev \
+        zlib-dev \
+        imagemagick-dev \
+        libheif-dev \
+        librsvg-dev \
+        libxext-dev \
+        ghostscript-fonts \
     ; \
     \
     docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp; \
@@ -57,20 +61,19 @@ RUN set -ex; \
         bcmath \
         exif \
         gd \
-        gmp \
         intl \
         ldap \
         opcache \
         pcntl \
         pdo_pgsql \
-        sysvsem \
         zip \
+        gmp \
     ; \
     \
 # pecl will claim success even if one install fails, so we need to perform each install separately
     pecl install APCu-5.1.22; \
     pecl install memcached-3.2.0; \
-    pecl install redis-6.0.2; \
+    pecl install redis-5.3.7; \
     pecl install imagick-3.7.0; \
     \
     docker-php-ext-enable \
@@ -86,18 +89,15 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps; \
-    \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-    { \
-        echo 'opcache.memory_consumption=256'; \
-        echo 'opcache.interned_strings_buffer=64'; \
+RUN { \
+        echo 'opcache.interned_strings_buffer=32'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
-        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=8M'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
     echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
@@ -110,10 +110,15 @@ RUN set -ex; \
         echo 'max_input_time=${PHP_MAX_TIME}'; \
     } > /usr/local/etc/php/conf.d/nextcloud.ini; \
     \
-    mkdir -p /var/www/data; \
+    mkdir /var/www/data; \
     chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www; \
-    \
+    chmod -R g=u /var/www
+
+VOLUME /var/www/html
+
+ENV NEXTCLOUD_VERSION 25.0.5
+
+RUN set -ex; \
     apk add --no-cache --virtual .fetch-deps \
         bzip2 \
         gnupg \
@@ -133,18 +138,27 @@ RUN set -ex; \
     mkdir -p /usr/src/nextcloud/data; \
     mkdir -p /usr/src/nextcloud/custom_apps; \
     chmod +x /usr/src/nextcloud/occ; \
-    mkdir -p /usr/src/nextcloud/config; \
-    mv /*.php /usr/src/nextcloud/config/; \
-    apk del .fetch-deps; \
-    \
+    apk del .fetch-deps
+
+COPY *.sh upgrade.exclude /
+COPY config/* /usr/src/nextcloud/config/
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["php-fpm"]
+
 # Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
+
+RUN set -ex; \
+    \
     apk add --no-cache \
         ffmpeg \
         procps \
         samba-client \
         supervisor \
 #       libreoffice \
-    ; \
+    ;
+
+RUN set -ex; \
     \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
@@ -171,13 +185,22 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps; \
-    \
-    mkdir -p \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
+RUN mkdir -p \
     /var/log/supervisord \
     /var/run/supervisord \
-    ; \
+;
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+
+# Custom:
+RUN set -ex; \
     \
     apk add --no-cache \
         bash \
@@ -187,44 +210,63 @@ RUN set -ex; \
         git \
         postgresql-client \
         tzdata \
+        mawk \
         sudo \
         grep \
-        nodejs \
-        bind-tools \
-        coreutils; \
-    \
+        coreutils \
+        libjpeg \
+        librsvg \
+        libheif \
+        libpng \
+        ghostscript-fonts;
+
+RUN set -ex; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
-# Sync this with max db connections
-# We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
-# Also children will usually be terminated again after the process is done due to the ondemand setting
-    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    \
+    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
+
+RUN set -ex; \
     rm -rf /tmp/nextcloud-aio && \
     mkdir -p /tmp/nextcloud-aio && \
     cd /tmp/nextcloud-aio && \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
     mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
-    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/; \
-    \
+    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/
+
+RUN set -ex; \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
-    chmod -R 777 /tmp; \
-    rm -r /usr/src/nextcloud/apps/updatenotification; \
-    \
-    mkdir -p /nc-updater; \
-    chown -R www-data:www-data /nc-updater; \
-    chmod -R 770 /nc-updater; \
-    \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    rm -r /usr/src/nextcloud/apps/updatenotification
+
+COPY start.sh /
+COPY notify.sh /
+COPY notify-all.sh /
+RUN set -ex; \
+    chmod +x /start.sh && \
+    chmod +x /entrypoint.sh && \
+    chmod +r /upgrade.exclude && \
+    chmod +x /cron.sh && \
+    chmod +x /notify.sh && \
+    chmod +x /notify-all.sh && \
+    chmod +x /activate-collabora.sh && \
+    chmod +x /healthcheck.sh
+
+RUN set -ex; \
+    mkdir /mnt/ncdata; \
+    chown www-data:www-data /mnt/ncdata;
+
+VOLUME /mnt/ncdata
+
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-# hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK --start-period=60s CMD sudo -E -u www-data bash /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/nextcloud/activate-collabora.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ "$COLLABORA_ENABLED" != yes ]; then
+    # Basically sleep for forever if collabora is not enabled
+    sleep inf
+fi
+while ! nc -z "$NC_DOMAIN" 443; do
+    sleep 5
+done
+sleep 10
+echo "Activating collabora config..."
+php /var/www/html/occ richdocuments:activate-config
+sleep inf

Containers/nextcloud/config/aio.config.php

@@ -1,5 +0,0 @@
-<?php
-$CONFIG = array (
-  'one-click-instance' => true,
-  'one-click-instance.user-limit' => 100,
-);

Containers/nextcloud/entrypoint.sh

@@ -10,15 +10,6 @@ directory_empty() {
     [ -z "$(ls -A "$1/")" ]
 }
 
-run_upgrade_if_needed_due_to_app_update() {
-    if php /var/www/html/occ status | grep needsDbUpgrade | grep -q true; then
-        # Disable integrity check temporarily until next update
-        php /var/www/html/occ config:system:set integrity.check.disabled --type bool --value true
-        php /var/www/html/occ upgrade
-        php /var/www/html/occ app:enable nextcloud-aio --force
-    fi
-}
-
 echo "Configuring Redis as session handler..."
 cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
 session.save_handler = redis
@@ -30,6 +21,13 @@ redis.session.lock_retries = -1
 redis.session.lock_wait_time = 10000
 REDIS_CONF
 
+echo "Setting php max children..."
+MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+PHP_MAX_CHILDREN=$((MEMORY/50))
+if [ -n "$PHP_MAX_CHILDREN" ]; then
+    sed -i "s/^pm.max_children =.*/pm.max_children = $PHP_MAX_CHILDREN/" /usr/local/etc/php-fpm.d/www.conf
+fi
+
 # Check permissions in ncdata
 touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
 if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
@@ -149,8 +147,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 fi
             done
 
-            run_upgrade_if_needed_due_to_app_update
-
             php /var/www/html/occ maintenance:mode --off
 
             echo "Getting and backing up the status of apps for later, this might take a while..."
@@ -174,8 +170,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
 
             php /var/www/html/occ app:update --all
 
-            run_upgrade_if_needed_due_to_app_update
-
             # Fix removing the updatenotification for old instances
             UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
             if [ -d "/var/www/html/apps/updatenotification" ]; then
@@ -211,14 +205,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 INSTALL_OPTIONS+=(--data-dir "$NEXTCLOUD_DATA_DIR")
             fi
 
-            # We do our own permission check so the permission check is not needed
-            cat << DATADIR_PERMISSION_CONF > /var/www/html/config/datadir.permission.config.php
-<?php
-    \$CONFIG = array (
-    'check_data_directory_permissions' => false
-);
-DATADIR_PERMISSION_CONF
-
             echo "Installing with PostgreSQL database"
             INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST")
 
@@ -229,6 +215,9 @@ DATADIR_PERMISSION_CONF
                 exit 1
             fi
 
+            # We do our own permission check so the permission check is not needed
+            php /var/www/html/occ config:system:set check_data_directory_permissions --value=false --type=bool
+
             # Try to force generation of appdata dir:
             php /var/www/html/occ maintenance:repair
 
@@ -249,45 +238,9 @@ DATADIR_PERMISSION_CONF
                 fi
             fi
 
-            # This autoconfig is not needed anymore and should be able to be overwritten by the user
-            rm /var/www/html/config/datadir.permission.config.php
-
             # unset admin password
             unset ADMIN_PASSWORD
 
-            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                php /var/www/html/occ config:system:set updater.release.channel --value=beta
-                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-                php /var/www/html/updater/updater.phar --no-interaction
-                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-                    echo "Installation of Nextcloud failed!"
-                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
-                    exit 1
-                fi
-                # shellcheck disable=SC2016
-                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-                INSTALLED_MAJOR="${installed_version%%.*}"
-                IMAGE_MAJOR="${image_version%%.*}"
-                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
-                    php /var/www/html/updater/updater.phar --no-interaction
-                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-                        echo "Installation of Nextcloud failed!"
-                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
-                        exit 1
-                    fi
-                    # shellcheck disable=SC2016
-                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-                fi
-                php /var/www/html/occ app:disable updatenotification
-                rm -rf /var/www/html/apps/updatenotification
-                php /var/www/html/occ config:system:set updater.release.channel --value=stable
-                php /var/www/html/occ app:enable nextcloud-aio --force
-                php /var/www/html/occ db:add-missing-indices
-                php /var/www/html/occ db:add-missing-columns
-                php /var/www/html/occ db:add-missing-primary-keys
-                yes | php /var/www/html/occ db:convert-filecache-bigint
-            fi
-
             # Apply log settings
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
@@ -312,7 +265,6 @@ DATADIR_PERMISSION_CONF
             php /var/www/html/occ config:system:set enabledPreviewProviders 4 --value="OC\\Preview\\TXT"
             php /var/www/html/occ config:system:set enabledPreviewProviders 5 --value="OC\\Preview\\OpenDocument"
             php /var/www/html/occ config:system:set enabledPreviewProviders 6 --value="OC\\Preview\\Movie"
-            php /var/www/html/occ config:system:set enabledPreviewProviders 7 --value="OC\\Preview\\Krita"
             php /var/www/html/occ config:system:set enable_previews --value=true --type=boolean
 
             # Apply other settings
@@ -347,27 +299,26 @@ DATADIR_PERMISSION_CONF
                 done
             fi
 
+            # Set the permission check to its default value again if not set
+            if [ "$SKIP_DATA_DIRECTORY_PERMISSION_CHECK" != yes ]; then
+                php /var/www/html/occ config:system:set check_data_directory_permissions --value=true --type=bool
+            fi
+
         #upgrade
         else
             touch "$NEXTCLOUD_DATA_DIR/update.failed"
             echo "Upgrading nextcloud from $installed_version to $image_version..."
-            php /var/www/html/occ config:system:delete integrity.check.disabled
             if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                 echo "Upgrade failed. Please restore from backup."
                 bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
                 exit 1
             fi
 
-            # shellcheck disable=SC2016
-            installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-
             rm "$NEXTCLOUD_DATA_DIR/update.failed"
             bash /notify.sh "Nextcloud update to $image_version successful!" "Feel free to inspect the Nextcloud container logs for more info."
 
             php /var/www/html/occ app:update --all
 
-            run_upgrade_if_needed_due_to_app_update
-
             # Restore app status
             if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
                 echo "Restoring the status of apps. This can take a while..."
@@ -376,12 +327,6 @@ DATADIR_PERMISSION_CONF
                         if [ "${APPSTORAGE[$app]}" != "no" ]; then
                             echo "Enabling $app..."
                             if ! php /var/www/html/occ app:enable "$app" >/dev/null; then
-                                php /var/www/html/occ app:disable "$app" >/dev/null
-                                if ! php /var/www/html/occ -V &>/dev/null; then
-                                    rm -r "/var/www/html/custom_apps/$app"
-                                    php /var/www/html/occ maintenance:mode --off
-                                fi
-                                run_upgrade_if_needed_due_to_app_update
                                 echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                 if [ "$app" = apporder ]; then
                                     CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
@@ -402,8 +347,6 @@ DATADIR_PERMISSION_CONF
 
             php /var/www/html/occ app:update --all
 
-            run_upgrade_if_needed_due_to_app_update
-
             # Apply optimization
             echo "Doing some optimizations..."
             php /var/www/html/occ maintenance:repair
@@ -419,7 +362,8 @@ DATADIR_PERMISSION_CONF
     # Performing update of all apps if daily backups are enabled, running and successful and if it is saturday
     if [ "$UPDATE_NEXTCLOUD_APPS" = 'yes' ] && [ "$(date +%u)" = 6 ]; then
         UPDATED_APPS="$(php /var/www/html/occ app:update --all)"
-        run_upgrade_if_needed_due_to_app_update
+        # Update all apps again and try to prevent something like https://github.com/nextcloud/polls/issues/2793 from happening
+        php /var/www/html/occ app:update --all
         if [ -n "$UPDATED_APPS" ]; then
              bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
         fi
@@ -428,28 +372,23 @@ else
     SKIP_UPDATE=1
 fi
 
-run_upgrade_if_needed_due_to_app_update
-
 if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
     # Check if appdata is present
     # If not, something broke (e.g. changing ncdatadir after aio was first started)
     if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
+        echo "Appdata is not present. Did you maybe change the datadir after aio was first started?"
         echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
-        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
         echo "In the datadir was found:"
         ls -la "$NEXTCLOUD_DATA_DIR/"
         exit 1
     fi
 
-    # Delete formerly configured tempdirectory as the default is usually faster (if the datadir is on a HDD or network FS)
-    if [ "$(php /var/www/html/occ config:system:get tempdirectory)" = "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
-        php /var/www/html/occ config:system:delete tempdirectory
-        if [ -d "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
-            rm -r "$NEXTCLOUD_DATA_DIR/tmp/"
-        fi
+    # Configure tempdirectory
+    mkdir -p "$NEXTCLOUD_DATA_DIR/tmp/"
+    if ! grep -q upload_tmp_dir /usr/local/etc/php/conf.d/nextcloud.ini; then
+        echo "upload_tmp_dir = $NEXTCLOUD_DATA_DIR/tmp/" >> /usr/local/etc/php/conf.d/nextcloud.ini
     fi
-
+    php /var/www/html/occ config:system:set tempdirectory --value="$NEXTCLOUD_DATA_DIR/tmp/"
 fi
 
 # Perform fingerprint update if instance was restored
@@ -467,22 +406,16 @@ php /var/www/html/occ app:enable support
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
-php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
-php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 
 # Apply network settings
 echo "Applying network settings..."
-php /var/www/html/occ config:system:set davstorage.request_timeout --value="$PHP_MAX_TIME" --type=int
 php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
 php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
 
-# Revert dbpersistent setting to check if it fixes too many db connections
-php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
-
 # Disallow creating local external storages when nothing was mounted
 if [ -z "$NEXTCLOUD_MOUNT" ]; then
     php /var/www/html/occ config:system:set files_external_allow_create_new_local --type=bool --value=false
@@ -520,8 +453,11 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
     # Fix https://github.com/nextcloud/all-in-one/issues/188:
     php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
     # Make collabora more save
-    COLLABORA_IPv4_ADDRESS="$(dig "$NC_DOMAIN" A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-    COLLABORA_IPv6_ADDRESS="$(dig "$NC_DOMAIN" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+    COLLABORA_IPv4_ADDRESS="$(echo "<?php echo gethostbyname('$NC_DOMAIN');" | php | head -1)"
+    COLLABORA_IPv6_ADDRESS="<?php \$record = dns_get_record('$NC_DOMAIN', DNS_AAAA);"
+    # shellcheck disable=SC2016
+    COLLABORA_IPv6_ADDRESS+='if (!empty($record)) {echo $record[0]["ipv6"];}'
+    COLLABORA_IPv6_ADDRESS="$(echo "$COLLABORA_IPv6_ADDRESS" | php | head -1)"
     COLLABORA_ALLOW_LIST="$(php /var/www/html/occ config:app:get richdocuments wopi_allowlist)"
     if [ -n "$COLLABORA_IPv4_ADDRESS" ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv4_ADDRESS"; then
@@ -555,7 +491,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         echo "Warning: wopi_allowlist is empty which should not be the case!"
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/richdocuments" ]; then
+    if [ -d "/var/www/html/custom_apps/richdocuments" ]; then
         php /var/www/html/occ app:remove richdocuments
     fi
 fi
@@ -574,12 +510,11 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update onlyoffice
     fi
     php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
-    php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
     php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
     php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$NC_DOMAIN/onlyoffice"
     php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
+    if [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
         php /var/www/html/occ app:remove onlyoffice
     fi
 fi
@@ -606,26 +541,11 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
         php /var/www/html/occ talk:signaling:add "https://$NC_DOMAIN/standalone-signaling/" "$SIGNALING_SECRET" --verify
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/spreed" ]; then
+    if [ -d "/var/www/html/custom_apps/spreed" ]; then
         php /var/www/html/occ app:remove spreed
     fi
 fi
 
-# Talk recording
-if [ -d "/var/www/html/custom_apps/spreed" ]; then
-    if [ "$TALK_RECORDING_ENABLED" = 'yes' ]; then
-        while ! nc -z "$TALK_RECORDING_HOST" 1234; do
-            echo "waiting for Talk Recording to become available..."
-            sleep 5
-        done
-        # TODO: migrate to occ command if that becomes available
-        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
-        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
-    else
-        php /var/www/html/occ config:app:delete spreed recording_servers
-    fi
-fi
-
 # Clamav
 if [ "$CLAMAV_ENABLED" = 'yes' ]; then
     count=0
@@ -649,26 +569,28 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
         php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
         php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
         php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="104857600"
-        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="104857600"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="-1"
         php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
+    if [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
         php /var/www/html/occ app:remove files_antivirus
     fi
 fi
 
 # Imaginary
-if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
-    php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
-    php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
-else
-    if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 0
-        php /var/www/html/occ config:system:delete preview_imaginary_url
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 20
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 21
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 22
+if version_greater "$installed_version" "24.0.0.0"; then
+    if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
+        php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
+        php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
+    else
+        if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 0
+            php /var/www/html/occ config:system:delete preview_imaginary_url
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 20
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 21
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 22
+        fi
     fi
 fi
 
@@ -700,7 +622,7 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update files_fulltextsearch
     fi
     php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://elastic:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
+    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
     php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
 
     # Do the index
@@ -716,33 +638,14 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         fi
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ]; then
-        if [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
-            php /var/www/html/occ app:remove fulltextsearch
-        fi
-        if [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
-            php /var/www/html/occ app:remove fulltextsearch_elasticsearch
-        fi
-        if [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
-            php /var/www/html/occ app:remove files_fulltextsearch
-        fi
+    if [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
+        php /var/www/html/occ app:remove fulltextsearch
     fi
-fi
-
-# Docker socket proxy
-if version_greater "$installed_version" "27.1.2.0"; then
-    if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
-        if ! [ -d "/var/www/html/custom_apps/app_api" ]; then
-            php /var/www/html/occ app:install app_api
-        elif [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
-            php /var/www/html/occ app:enable app_api
-        elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:update app_api
-        fi
-    else
-        if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/app_api" ]; then
-            php /var/www/html/occ app:remove app_api
-        fi
+    if [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
+        php /var/www/html/occ app:remove fulltextsearch_elasticsearch
+    fi
+    if [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
+        php /var/www/html/occ app:remove files_fulltextsearch
     fi
 fi
 

Containers/nextcloud/healthcheck.sh

@@ -2,6 +2,6 @@
 
 nc -z "$POSTGRES_HOST" 5432 || exit 0
 
-if ! nc -z localhost 9000; then
+if ! nc -z localhost 9000 || ! nc -z localhost 7867; then
     exit 1
 fi

Containers/nextcloud/run-exec-commands.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-
-while ! nc -z "$NC_DOMAIN" 443; do
-    sleep 5
-done
-sleep 10
-
-if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
-    echo "#!/bin/bash" > /tmp/nextcloud-exec-commands
-    echo "$NEXTCLOUD_EXEC_COMMANDS" >> /tmp/nextcloud-exec-commands
-    if ! grep "one-click-instance" /tmp/nextcloud-exec-commands; then
-        bash /tmp/nextcloud-exec-commands
-        rm /tmp/nextcloud-exec-commands
-    fi
-else
-    # Collabora must work also if using manual-install 
-    if [ "$COLLABORA_ENABLED" = yes ]; then
-        echo "Activating Collabora config..."
-        php /var/www/html/occ richdocuments:activate-config
-    fi
-    # OnlyOffice must work also if using manual-install
-    if [ "$ONLYOFFICE_ENABLED" = yes ]; then
-        echo "Activating OnlyOffice config..."
-        php /var/www/html/occ onlyoffice:documentserver --check
-    fi
-fi
-
-sleep inf

Containers/nextcloud/start.sh

@@ -34,7 +34,7 @@ fi
 # Check if /dev/dri device is present and apply correct permissions
 set -x
 if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindepth 1 -name dri)" ] && [ -n "$(find /dev/dri -maxdepth 1 -mindepth 1 -name renderD128)" ]; then
-    # From https://memories.gallery/hw-transcoding/#docker-installations
+    # From https://github.com/pulsejet/memories/wiki/QSV-Transcoding#docker-installations
     GID="$(stat -c "%g" /dev/dri/renderD128)"
     groupadd -g "$GID" render2 || true # sometimes this is needed
     GROUP="$(getent group "$GID" | cut -d: -f1)"
@@ -119,7 +119,7 @@ if [ -n "$ADDITIONAL_PHP_EXTENSIONS" ]; then
                     | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
             )";
             # shellcheck disable=SC2086
-            apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps >/dev/null
+            apk add --virtual .nextcloud-phpext-rundeps $runDeps >/dev/null
             apk del .build-deps >/dev/null
         fi
     fi
@@ -131,24 +131,14 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
     exit 1
 fi
 
-while [ -z "$(dig nextcloud-aio-apache A +short +search)" ]; do
-    echo "Waiting for nextcloud-aio-apache to start..."
-    sleep 5
-done
+# Correctly set CPU_ARCH for notify_push
+CPU_ARCH="$(uname -m)"
+export CPU_ARCH
+if [ -z "$CPU_ARCH" ]; then
+    echo "Could not get processor architecture. Exiting."
+    exit 1
+elif [ "$CPU_ARCH" != "x86_64" ]; then
+    export CPU_ARCH="aarch64"
+fi
 
-# set -x
-# if [ "$APACHE_PORT" = 443 ] || [ "$APACHE_IP_BINDING" = "127.0.0.1" ] || [ "$APACHE_IP_BINDING" = "::1" ]; then
-#     IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-#     IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-#     IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-#     IPv6_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-
-#     sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
-#     sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER|" /usr/local/etc/php-fpm.d/www.conf
-#     sed -i "/^listen.allowed_clients/s/,,/,/g" /usr/local/etc/php-fpm.d/www.conf
-#     sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
-#     grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
-# fi
-# set +x
-
-exec "$@"
+exec "$@"

Containers/nextcloud/supervisord.conf

@@ -25,19 +25,18 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 
-[program:run-exec-commands]
+[program:notify-push]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/run-exec-commands.sh
+command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
 user=www-data
 
-# This is a hack but no better solution is there
-[program:is-nextcloud-online]
+[program:activate-collabora]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nc -lk 9001
+command=/activate-collabora.sh
 user=www-data

Containers/notify-push/Dockerfile

@@ -1,22 +0,0 @@
-FROM alpine:3.18.4
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        netcat-openbsd \
-        tzdata \
-        bash \
-        openssl; \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk del --no-cache \
-        openssl;
-
-USER 33
-ENTRYPOINT ["/start.sh"]
-
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/notify-push/healthcheck.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if ! nc -z "$NEXTCLOUD_HOST" 9001; then
-    exit 0
-fi
-
-nc -z localhost 7867 || exit 1

Containers/notify-push/start.sh

@@ -1,55 +0,0 @@
-#!/bin/bash
-
-if [ -z "$NEXTCLOUD_HOST" ]; then
-    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
-    exit 1
-elif [ -z "$POSTGRES_HOST" ]; then
-    echo "POSTGRES_HOST need to be provided. Exiting!"
-    exit 1
-elif [ -z "$REDIS_HOST" ]; then
-    echo "REDIS_HOST need to be provided. Exiting!"
-    exit 1
-fi
-
-# Only start container if nextcloud is accessible
-while ! nc -z "$NEXTCLOUD_HOST" 9001; do
-    echo "Waiting for Nextcloud to start..."
-    sleep 5
-done
-
-# Correctly set CPU_ARCH for notify_push
-CPU_ARCH="$(uname -m)"
-export CPU_ARCH
-if [ -z "$CPU_ARCH" ]; then
-    echo "Could not get processor architecture. Exiting."
-    exit 1
-elif [ "$CPU_ARCH" != "x86_64" ]; then
-    export CPU_ARCH="aarch64"
-fi
-
-# Add warning
-if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
-    echo "The notify_push binary was not found."
-    echo "Most likely is DNS resolution not working correctly."
-    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
-    echo "See https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
-    echo "Afterwards a restart of docker should automatically resolve this."
-    echo "Additionally, make sure to disable VPN software that might be running on your server"
-    echo "Also check your firewall if it blocks connections to github"
-    echo "If it should still not work afterwards, feel free to create a new thread at https://github.com/nextcloud/all-in-one/discussions/new?category=questions and post the Nextcloud container logs there."
-    echo ""
-    echo ""
-    exit 1
-fi
-
-# Set sensitive values as env
-export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
-export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
-
-# Run it
-/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
-    --database-prefix="oc_" \
-    --nextcloud-url "https://$NC_DOMAIN" \
-    --port 7867
-
-exec "$@"

Containers/onlyoffice/Dockerfile

@@ -1,7 +1,5 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.5.0.1
-
-# USER root is probably used
+FROM onlyoffice/documentserver:7.3.3.49
 
 HEALTHCHECK CMD nc -z localhost 80 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/postgresql/Dockerfile

@@ -1,41 +1,39 @@
 # From https://github.com/docker-library/postgres/blob/master/15/alpine/Dockerfile
-FROM postgres:15.4-alpine
+FROM postgres:15.2-alpine
 
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
+RUN apk add --no-cache bash openssl shadow grep mawk
 
-RUN set -ex; \
-    apk add --no-cache \
-        bash \
-        openssl \
-        shadow \
-        grep; \
-    \
 # We need to use the same gid and uid as on old installations
+RUN set -ex; \
     deluser postgres; \
     groupmod -g 9999 ping; \
     addgroup -g 999 -S postgres; \
-    adduser -u 999 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
-    apk del --no-cache shadow; \
-    \
+    adduser -u 999 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres
+
 # Fix default permissions
+RUN set -ex; \
     chown -R postgres:postgres /var/lib/postgresql; \
     chown -R postgres:postgres /var/run/postgresql; \
-    chmod -R 777 /var/run/postgresql; \
-    chown -R postgres:postgres "$PGDATA"; \
-    \
-    mkdir /mnt/data; \
-    chown postgres:postgres /mnt/data; \
-    \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk --no-cache del openssl;
+    chown -R postgres:postgres "$PGDATA"
+
+COPY start.sh /usr/bin/
+COPY healthcheck.sh /usr/bin/
+COPY init-user-db.sh /docker-entrypoint-initdb.d/
+RUN set -ex; \
+    chmod +x /usr/bin/start.sh; \
+    chmod +xr /docker-entrypoint-initdb.d/init-user-db.sh; \
+    chmod +x /usr/bin/healthcheck.sh
+
+RUN mkdir /mnt/data; \
+    chown postgres:postgres /mnt/data;
 
 VOLUME /mnt/data
 
-USER postgres
-ENTRYPOINT ["/start.sh"]
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+USER postgres
+ENTRYPOINT ["start.sh"]
+
+HEALTHCHECK CMD healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/postgresql/start.sh

@@ -31,7 +31,7 @@ fi
 if [ -f "$DUMP_DIR/initialization.failed" ]; then
     echo "The database initialization failed. Most likely was a wrong timezone selected."
     echo "The selected timezone is '$TZ'." 
-    echo "Please check if it is in the 'TZ identifier' column of the timezone list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"
+    echo "Please check if it is in 'TZ database name' column of the timezone list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"
     echo "For further clues on what went wrong, look at the logs above."
     echo "You might start again from scratch by following https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance and selecting a proper timezone."
     exit 1
@@ -92,14 +92,14 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
 
     # Check if the line we grep for later on is there
     GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
-    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
+    if ! grep -q "$GREP_STRING" "$DUMP_FILE"; then
         echo "The needed oc_appconfig line is not there which is unexpected."
         echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
     # Get the Owner
-    DB_OWNER="$(grep -a "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
+    DB_OWNER="$(grep "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
     if [ "$DB_OWNER" = "$POSTGRES_USER" ]; then
         echo "Unfortunately was the found database owner of the dump file the same as the POSTGRES_USER $POSTGRES_USER"
         echo "It is not possible to import a database dump from this database owner."
@@ -146,25 +146,11 @@ if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
     rm -rf "${DATADIR:?}/"*
 fi
 
-# Modify postgresql.conf
-if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
-    echo "Setting postgres values..."
-
-    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
-    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
-    # Also connections should usually be closed again after the process is done
-    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
-
-    # Do not log checkpoints
-    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
-    fi
-
-    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
-    fi
+echo "Setting max connections..."
+MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+MAX_CONNECTIONS=$((MEMORY/50+3))
+if [ -n "$MAX_CONNECTIONS" ]; then
+    sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
 fi
 
 # Catch docker stop attempts

Containers/redis/Dockerfile

@@ -1,16 +1,16 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.2.3-alpine
+FROM redis:7.0.10-alpine
 
-COPY --chmod=775 start.sh /start.sh
+RUN apk add --no-cache openssl bash
+
+COPY start.sh /usr/bin/
+RUN chmod +x /usr/bin/start.sh
 
-RUN set -ex; \
-    apk add --no-cache openssl bash; \
-    \
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER redis
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
 
 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/redis/start.sh

@@ -8,9 +8,9 @@ fi
 
 # Run redis with a password if provided
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
 else
-    exec redis-server --loglevel warning
+    exec redis-server
 fi
 
 exec "$@"

Containers/talk-recording/Dockerfile

@@ -1,53 +0,0 @@
-FROM python:3.12.0-alpine3.18
-
-COPY --chmod=775 start.sh /start.sh
-
-ENV RECORDING_VERSION v17.1.2
-ENV ALLOW_ALL false
-ENV HPB_PROTOCOL https
-ENV SKIP_VERIFY false
-ENV HPB_PATH /standalone-signaling/
-
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        tzdata \
-        bash \
-        xvfb \
-        ffmpeg \
-        firefox \
-        bind-tools \
-        netcat-openbsd \
-        git \
-        wget \
-        shadow \
-        pulseaudio \
-        openssl; \
-    # chromium chromium-chromedriver?
-    apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing; \
-    useradd -d /tmp --system recording; \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
-    mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \
-    python3 -m pip install --no-cache-dir /src/recording/src; \
-    rm -rf /src; \
-    touch /etc/recording.conf; \
-    chown recording:recording -R \
-        /tmp /etc/recording.conf; \
-    mkdir -p /conf; \
-    chmod 777 /conf; \
-    chmod 777 /tmp; \
-    apk del --no-cache \
-        git \
-        wget \
-        shadow \
-        openssl;
-
-WORKDIR /tmp
-USER recording
-ENTRYPOINT ["/start.sh"]
-CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]
-
-HEALTHCHECK CMD nc -z localhost 1234 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk-recording/recording.conf

@@ -1,111 +0,0 @@
-[logs]
-# Log level based on numeric values of Python logging levels:
-# - Critical: 50
-# - Error:    40
-# - Warning:  30
-# - Info:     20
-# - Debug:    10
-# - Not set:   0
-#level = 20
-
-[http]
-# IP and port to listen on for HTTP requests.
-#listen = 127.0.0.1:8000
-
-[backend]
-# Allow any hostname as backend endpoint. This is extremely insecure and should
-# only be used during development.
-#allowall = false
-
-# Common shared secret for requests from and to the backend servers if
-# "allowall" is enabled. This must be the same value as configured in the
-# Nextcloud admin ui.
-#secret = the-shared-secret
-
-# Comma-separated list of backend ids allowed to connect.
-#backends = backend-id, another-backend
-
-# If set to "true", certificate validation of backend endpoints will be skipped.
-# This should only be enabled during development, e.g. to work with self-signed
-# certificates.
-# Overridable by backend.
-#skipverify = false
-
-# Maximum allowed size in bytes for messages sent by the backend.
-# Overridable by backend.
-#maxmessagesize = 1024
-
-# Width for recorded videos.
-# Overridable by backend.
-#videowidth = 1920
-
-# Height for recorded videos.
-# Overridable by backend.
-#videoheight = 1080
-
-# Temporary directory used to store recordings until uploaded. It must be
-# writable by the user running the recording server.
-# Overridable by backend.
-#directory = /tmp
-
-# Backend configurations as defined in the "[backend]" section above. The
-# section names must match the ids used in "backends" above.
-#[backend-id]
-# URL of the Nextcloud instance
-#url = https://cloud.domain.invalid
-
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-#[another-backend]
-# URL of the Nextcloud instance
-#url = https://cloud.otherdomain.invalid
-
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-[signaling]
-# Common shared secret for authenticating as an internal client of signaling
-# servers if a specific secret is not set for a signaling server. This must be
-# the same value as configured in the signaling server configuration file.
-#internalsecret = the-shared-secret-for-internal-clients
-
-# Comma-separated list of signaling servers with specific internal secrets.
-#signalings = signaling-id, another-signaling
-
-# Signaling server configurations as defined in the "[signaling]" section above.
-# The section names must match the ids used in "signalings" above.
-#[signaling-id]
-# URL of the signaling server
-#url = https://signaling.domain.invalid
-
-# Shared secret for authenticating as an internal client of signaling servers.
-# This must be the same value as configured in the signaling server
-# configuration file.
-#internalsecret = the-shared-secret-for-internal-clients
-
-#[another-signaling]
-# URL of the signaling server
-#url = https://signaling.otherdomain.invalid
-
-# Shared secret for authenticating as an internal client of signaling servers.
-# This must be the same value as configured in the signaling server
-# configuration file.
-#internalsecret = the-shared-secret-for-internal-clients
-
-[ffmpeg]
-# The options given to FFmpeg to encode the audio output. The options given here
-# fully override the default options for the audio output.
-#outputaudio = -c:a libopus
-
-# The options given to FFmpeg to encode the video output. The options given here
-# fully override the default options for the video output.
-#outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-
-# The extension of the file for audio only recordings.
-#extensionaudio = .ogg
-
-# The extension of the file for audio and video recordings.
-#extensionvideo = .webm

Containers/talk-recording/start.sh

@@ -1,57 +0,0 @@
-#!/bin/bash
-
-# Variables
-if [ -z "$NC_DOMAIN" ]; then
-    echo "You need to provide the NC_DOMAIN."
-    exit 1
-elif [ -z "$RECORDING_SECRET" ]; then
-    echo "You need to provide the RECORDING_SECRET."
-    exit 1
-elif [ -z "$INTERNAL_SECRET" ]; then
-    echo "You need to provide the INTERNAL_SECRET."
-    exit 1
-fi
-
-if [ -z "$HPB_DOMAIN" ]; then
-    export HPB_DOMAIN="$NC_DOMAIN"
-fi
-
-cat << RECORDING_CONF > "/conf/recording.conf"
-[logs]
-# 30 means Warning
-level = 30
-
-[http]
-listen = 0.0.0.0:1234
-
-[backend]
-allowall = ${ALLOW_ALL}
-# TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
-secret = ${RECORDING_SECRET}
-backends = backend-1
-skipverify = ${SKIP_VERIFY}
-maxmessagesize = 1024
-videowidth = 1920
-videoheight = 1080
-directory = /tmp
-
-[backend-1]
-url = ${HPB_PROTOCOL}://${NC_DOMAIN}
-secret = ${RECORDING_SECRET}
-skipverify = ${SKIP_VERIFY}
-
-[signaling]
-signalings = signaling-1
-
-[signaling-1]
-url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
-internalsecret = ${INTERNAL_SECRET}
-
-[ffmpeg]
-# outputaudio = -c:a libopus
-# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-extensionaudio = .ogg
-extensionvideo = .webm
-RECORDING_CONF
-
-exec "$@"

Containers/talk/Dockerfile

@@ -1,104 +1,71 @@
-FROM nats:2.10.4-scratch as nats
-FROM eturnal/eturnal:1.12.0 AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:1.2.0 as signaling
-FROM alpine:3.18.4 as janus
+FROM nats:2.9.15-scratch as nats
+FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
+FROM alpine:3.17.2
+USER root
 
-ARG JANUS_VERSION=v0.14.0
-WORKDIR /src
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        git \
-        autoconf \
-        automake \
-        build-base \
-        pkgconfig \
-        libtool \
-        util-linux \
-        glib-dev \
-        zlib-dev \
-        openssl-dev \
-        jansson-dev \
-        libnice-dev \
-        libconfig-dev \
-        libsrtp-dev \
-        libusrsctp-dev \
-        gengetopt-dev \
-        libwebsockets-dev; \
-    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
-    /src/autogen.sh; \
-    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
-    make; \
-    make install; \
-    make configs; \
-    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
-
-FROM alpine:3.18.4
-ENV ETURNAL_ETC_DIR="/conf"
-COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
-COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
-COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
-COPY --from=signaling --chmod=777 --chown=1000:1000 /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
+COPY --from=nats /nats-server /usr/local/bin/nats-server
+COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
 
 RUN set -ex; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
         bash \
+        coturn \
         openssl \
         supervisor \
         bind-tools \
         netcat-openbsd \
-        \
-        glib \
-        zlib \
-        libssl3 \
-        libcrypto3 \
-        jansson \
-        libnice \
-        libconfig \
-        libsrtp \
-        libusrsctp \
-        libwebsockets \
-        \
-        shadow; \
-    useradd --system -u 1000 eturnal; \
+        shadow \
+        util-linux \
+        build-base \
+        lua5.3-dev \
+        luarocks5.3; \
+    apk add --no-cache janus-gateway --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
+    useradd --system talk; \
+    luarocks-5.3 install luajson; \
+    luarocks-5.3 install ansicolors; \
+    rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
     apk del --no-cache \
-        shadow; \
-    \
+        shadow \
+        util-linux \
+        build-base \
+        lua5.3-dev \
+        luarocks5.3;
+
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    \
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
+
+COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
+
+RUN set -ex; \
     touch \
         /etc/nats.conf \
-        /etc/eturnal.yml; \
+        /etc/signaling.conf \
+        /etc/turnserver.conf; \
     echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
     mkdir -p \
         /var/tmp \
-        /conf \
         /var/lib/turn \
         /var/log/supervisord \
-        /var/run/supervisord \
-        /usr/local/lib/janus/loggers; \
-    chown eturnal:eturnal -R \
-        /etc/nats.conf \
-        /var/log/supervisord \
         /var/run/supervisord; \
-    chmod 777 -R \
-        /tmp \
-        /conf \
-        /var/run/supervisord \
-        /var/log/supervisord; \
-    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
-    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl
+    chown talk:talk -R \
+        /usr \
+        /etc/janus \
+        /etc/nats.conf \
+        /etc/signaling.conf \
+        /etc/turnserver.conf \
+        /var/lib/turn \
+        /var/log/supervisord \
+        /var/run/supervisord;
 
-USER eturnal
-ENTRYPOINT ["/start.sh"]
-CMD ["supervisord", "-c", "/supervisord.conf"]
+# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
+ENV TALK_PORT=3478
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+USER talk
+ENTRYPOINT ["start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+
+HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost $TALK_PORT) || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/talk/healthcheck.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-nc -z localhost 8081 || exit 1
-nc -z localhost 8188 || exit 1
-nc -z localhost 4222 || exit 1
-nc -z localhost "$TALK_PORT" || exit 1
-eturnalctl status || exit 1
-if ! nc -z "$NC_DOMAIN" "$TALK_PORT"; then
-    echo "Could not reach $NC_DOMAIN on port $TALK_PORT."
-    exit 1
-fi

Containers/talk/server.conf.in

@@ -1,317 +0,0 @@
-[http]
-# IP and port to listen on for HTTP requests.
-# Comment line to disable the listener.
-#listen = 127.0.0.1:8080
-
-# HTTP socket read timeout in seconds.
-#readtimeout = 15
-
-# HTTP socket write timeout in seconds.
-#writetimeout = 15
-
-[https]
-# IP and port to listen on for HTTPS requests.
-# Comment line to disable the listener.
-#listen = 127.0.0.1:8443
-
-# HTTPS socket read timeout in seconds.
-#readtimeout = 15
-
-# HTTPS socket write timeout in seconds.
-#writetimeout = 15
-
-# Certificate / private key to use for the HTTPS server.
-certificate = /etc/nginx/ssl/server.crt
-key = /etc/nginx/ssl/server.key
-
-[app]
-# Set to "true" to install pprof debug handlers.
-# See "https://golang.org/pkg/net/http/pprof/" for further information.
-debug = false
-
-# Set to "true" to allow subscribing any streams. This is insecure and should
-# only be enabled for testing. By default only streams of users in the same
-# room and call can be subscribed.
-#allowsubscribeany = false
-
-[sessions]
-# Secret value used to generate checksums of sessions. This should be a random
-# string of 32 or 64 bytes.
-hashkey = the-secret-for-session-checksums
-
-# Optional key for encrypting data in the sessions. Must be either 16, 24 or
-# 32 bytes.
-# If no key is specified, data will not be encrypted (not recommended).
-blockkey = -encryption-key-
-
-[clients]
-# Shared secret for connections from internal clients. This must be the same
-# value as configured in the respective internal services.
-internalsecret = the-shared-secret-for-internal-clients
-
-[backend]
-# Type of backend configuration.
-# Defaults to "static".
-#
-# Possible values:
-# - static: A comma-separated list of backends is given in the "backends" option.
-# - etcd: Backends are retrieved from an etcd cluster.
-#backendtype = static
-
-# For backend type "static":
-# Comma-separated list of backend ids from which clients are allowed to connect
-# from. Each backend will have isolated rooms, i.e. clients connecting to room
-# "abc12345" on backend 1 will be in a different room than clients connected to
-# a room with the same name on backend 2. Also sessions connected from different
-# backends will not be able to communicate with each other.
-#backends = backend-id, another-backend
-
-# For backend type "etcd":
-# Key prefix of backend entries. All keys below will be watched and assumed to
-# contain a JSON document with the following entries:
-# - "url": Url of the Nextcloud instance.
-# - "secret": Shared secret for requests from and to the backend servers.
-#
-# Additional optional entries:
-# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second).
-# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second).
-# - "sessionlimit": Number of sessions that are allowed to connect.
-#
-# Example:
-# "/signaling/backend/one" -> {"url": "https://nextcloud.domain1.invalid", ...}
-# "/signaling/backend/two" -> {"url": "https://domain2.invalid/nextcloud", ...}
-#backendprefix = /signaling/backend
-
-# Allow any hostname as backend endpoint. This is extremely insecure and should
-# only be used while running the benchmark client against the server.
-allowall = false
-
-# Common shared secret for requests from and to the backend servers. Used if
-# "allowall" is enabled or as fallback for individual backends that don't have
-# their own secret set.
-# This must be the same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret-for-allowall
-
-# Timeout in seconds for requests to the backend.
-timeout = 10
-
-# Maximum number of concurrent backend connections per host.
-connectionsperhost = 8
-
-# If set to "true", certificate validation of backend endpoints will be skipped.
-# This should only be enabled during development, e.g. to work with self-signed
-# certificates.
-#skipverify = false
-
-# For backendtype "static":
-# Backend configurations as defined in the "[backend]" section above. The
-# section names must match the ids used in "backends" above.
-#[backend-id]
-# URL of the Nextcloud instance
-#url = https://cloud.domain.invalid
-
-# Shared secret for requests from and to the backend servers. Leave empty to use
-# the common shared secret from above.
-# This must be the same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-# Limit the number of sessions that are allowed to connect to this backend.
-# Omit or set to 0 to not limit the number of sessions.
-#sessionlimit = 10
-
-# The maximum bitrate per publishing stream (in bits per second).
-# Defaults to the maximum bitrate configured for the proxy / MCU.
-#maxstreambitrate = 1048576
-
-# The maximum bitrate per screensharing stream (in bits per second).
-# Defaults to the maximum bitrate configured for the proxy / MCU.
-#maxscreenbitrate = 2097152
-
-#[another-backend]
-# URL of the Nextcloud instance
-#url = https://cloud.otherdomain.invalid
-
-# Shared secret for requests from and to the backend servers. Leave empty to use
-# the common shared secret from above.
-# This must be the same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-[nats]
-# Url of NATS backend to use. This can also be a list of URLs to connect to
-# multiple backends. For local development, this can be set to "nats://loopback"
-# to process NATS messages internally instead of sending them through an
-# external NATS backend.
-#url = nats://localhost:4222
-
-[mcu]
-# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
-# Leave empty to disable MCU functionality.
-#type =
-
-# For type "janus": the URL to the websocket endpoint of the MCU server.
-# For type "proxy": a space-separated list of proxy URLs to connect to.
-#url =
-
-# The maximum bitrate per publishing stream (in bits per second).
-# Defaults to 1 mbit/sec.
-# For type "proxy": will be capped to the maximum bitrate configured at the
-# proxy server that is used.
-#maxstreambitrate = 1048576
-
-# The maximum bitrate per screensharing stream (in bits per second).
-# Default is 2 mbit/sec.
-# For type "proxy": will be capped to the maximum bitrate configured at the
-# proxy server that is used.
-#maxscreenbitrate = 2097152
-
-# For type "proxy": timeout in seconds for requests to the proxy server.
-#proxytimeout = 2
-
-# For type "proxy": type of URL configuration for proxy servers.
-# Defaults to "static".
-#
-# Possible values:
-# - static: A space-separated list of proxy URLs is given in the "url" option.
-# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
-#urltype = static
-
-# If set to "true", certificate validation of proxy servers will be skipped.
-# This should only be enabled during development, e.g. to work with self-signed
-# certificates.
-#skipverify = false
-
-# For type "proxy": the id of the token to use when connecting to proxy servers.
-#token_id = server1
-
-# For type "proxy": the private key for the configured token id to use when
-# connecting to proxy servers.
-#token_key = privkey.pem
-
-# For url type "static": Enable DNS discovery on hostname of configured URL.
-# If the hostname resolves to multiple IP addresses, a connection is established
-# to each of them.
-# Changes to the DNS are monitored regularly and proxy connections are created
-# or deleted as necessary.
-#dnsdiscovery = true
-
-# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
-# watched and assumed to contain a JSON document. The entry "address" from this
-# document will be used as proxy URL, other contents in the document will be
-# ignored.
-#
-# Example:
-# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
-# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
-#keyprefix = /signaling/proxy/server
-
-[turn]
-# API key that the MCU will need to send when requesting TURN credentials.
-#apikey = the-api-key-for-the-rest-service
-
-# The shared secret to use for generating TURN credentials. This must be the
-# same as on the TURN server.
-#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
-
-# A comma-separated list of TURN servers to use. Leave empty to disable the
-# TURN REST API.
-#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
-
-[geoip]
-# License key to use when downloading the MaxMind GeoIP database. You can
-# register an account at "https://www.maxmind.com/en/geolite2/signup" for
-# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
-# information.
-# Leave empty to disable GeoIP lookups.
-#license =
-
-# Optional URL to download a MaxMind GeoIP database from. Will be generated if
-# "license" is provided above. Can be a "file://" url if a local file should
-# be used. Please note that the database must provide a country field when
-# looking up IP addresses.
-#url =
-
-[geoip-overrides]
-# Optional overrides for GeoIP lookups. The key is an IP address / range, the
-# value the associated country code.
-#127.0.0.1 = DE
-#192.168.0.0/24 = DE
-
-[continent-overrides]
-# Optional overrides for continent mappings. The key is a continent code, the
-# value a comma-separated list of continent codes to map the continent to.
-# Use European servers for clients in Africa.
-#AF = EU
-# Use servers in North Africa for clients in South America.
-#SA = NA
-
-[stats]
-# Comma-separated list of IP addresses that are allowed to access the stats
-# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
-#allowed_ips =
-
-[etcd]
-# Comma-separated list of static etcd endpoints to connect to.
-#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
-
-# Options to perform endpoint discovery through DNS SRV.
-# Only used if no endpoints are configured manually.
-#discoverysrv = example.com
-#discoveryservice = foo
-
-# Path to private key, client certificate and CA certificate if TLS
-# authentication should be used.
-#clientkey = /path/to/etcd-client.key
-#clientcert = /path/to/etcd-client.crt
-#cacert = /path/to/etcd-ca.crt
-
-[grpc]
-# IP and port to listen on for GRPC requests.
-# Comment line to disable the listener.
-#listen = 0.0.0.0:9090
-
-# Certificate / private key to use for the GRPC server.
-# Omit to use unencrypted connections.
-#servercertificate = /path/to/grpc-server.crt
-#serverkey = /path/to/grpc-server.key
-
-# CA certificate that is allowed to issue certificates of GRPC servers.
-# Omit to expect unencrypted connections.
-#serverca = /path/to/grpc-ca.crt
-
-# Certificate / private key to use for the GRPC client.
-# Omit if clients don't need to authenticate on the server.
-#clientcertificate = /path/to/grpc-client.crt
-#clientkey = /path/to/grpc-client.key
-
-# CA certificate that is allowed to issue certificates of GRPC clients.
-# Omit to allow any clients to connect.
-#clientca = /path/to/grpc-ca.crt
-
-# Type of GRPC target configuration.
-# Defaults to "static".
-#
-# Possible values:
-# - static: A comma-separated list of targets is given in the "targets" option.
-# - etcd: Target URLs are retrieved from an etcd cluster.
-#targettype = static
-
-# For target type "static": Comma-separated list of GRPC targets to connect to
-# for clustering mode.
-#targets = 192.168.0.1:9090, 192.168.0.2:9090
-
-# For target type "static": Enable DNS discovery on hostnames of GRPC target.
-# If a hostname resolves to multiple IP addresses, a connection is established
-# to each of them.
-# Changes to the DNS are monitored regularly and GRPC clients are created or
-# deleted as necessary.
-#dnsdiscovery = true
-
-# For target type "etcd": Key prefix of GRPC target entries. All keys below will
-# be watched and assumed to contain a JSON document. The entry "address" from
-# this document will be used as target URL, other contents in the document will
-# be ignored.
-#
-# Example:
-# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"}
-# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"}
-#targetprefix = /signaling/cluster/grpc

Containers/talk/start.sh

@@ -4,54 +4,55 @@
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
     exit 1
-elif [ -z "$TALK_PORT" ]; then
-    echo "You need to provide the TALK_PORT."
-    exit 1
 elif [ -z "$TURN_SECRET" ]; then
     echo "You need to provide the TURN_SECRET."
     exit 1
 elif [ -z "$SIGNALING_SECRET" ]; then
     echo "You need to provide the SIGNALING_SECRET."
     exit 1
-elif [ -z "$INTERNAL_SECRET" ]; then
-    echo "You need to provide the INTERNAL_SECRET."
-    exit 1
 fi
 
 set -x
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
 set +x
 
 # Turn
-cat << TURN_CONF > "/conf/eturnal.yml"
-eturnal:
-  listen:
-    - ip: "::"
-      port: $TALK_PORT
-      transport: udp
-    - ip: "::"
-      port: $TALK_PORT
-      transport: tcp
-  log_dir: stdout
-  log_level: warning
-  secret: "$TURN_SECRET"
-  relay_ipv4_addr: "$IPv4_ADDRESS_TALK"
-  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
-  blacklist_peers:
-  - recommended
-  whitelist_peers:
-  - 127.0.0.1
-  - ::1
-  - "$IPv4_ADDRESS_TALK"
-  - "$IPv6_ADDRESS_TALK"
+cat << TURN_CONF > "/etc/turnserver.conf"
+listening-port=$TALK_PORT
+fingerprint
+lt-cred-mech
+use-auth-secret
+static-auth-secret=$TURN_SECRET
+realm=$NC_DOMAIN
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+simple-log
+pidfile=/var/tmp/turnserver.pid
+no-tls
+no-dtls
+userdb=/var/lib/turn/turndb
+# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks
+allowed-peer-ip=$IPv4_ADDRESS_TALK
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
 TURN_CONF
 
-# Remove empty lines so that the config is not invalid
-sed -i '/""/d' /conf/eturnal.yml
-
 # Signling
-cat << SIGNALING_CONF > "/conf/signaling.conf"
+cat << SIGNALING_CONF > "/etc/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
 
@@ -63,7 +64,7 @@ hashkey = $(openssl rand -hex 16)
 blockkey = $(openssl rand -hex 16)
 
 [clients]
-internalsecret = ${INTERNAL_SECRET}
+internalsecret = $(openssl rand -hex 16)
 
 [backend]
 backends = backend-1

Containers/talk/supervisord.conf

@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -7,12 +8,12 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 
-[program:eturnal]
+[program:turnserver]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=eturnalctl foreground
+command=turnserver -c /etc/turnserver.conf
 
 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -26,12 +27,11 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-# debug-level 3 means warning
-command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout
 
 [program:signaling]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nextcloud-spreed-signaling -config /conf/signaling.conf
+command=nextcloud-spreed-signaling -config /etc/signaling.conf

Containers/watchtower/Dockerfile

@@ -1,15 +1,14 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
-FROM containrrr/watchtower:1.6.0 as watchtower
+FROM containrrr/watchtower:1.5.3 as watchtower
 
-FROM alpine:3.18.4
+FROM alpine:3.17.2
 
 RUN apk add --no-cache bash
-COPY --from=watchtower /watchtower /watchtower
+COPY --from=watchtower /watchtower /
 
-COPY --chmod=775 start.sh /start.sh
+COPY start.sh /
+RUN chmod +x /start.sh
 
-# hadolint ignore=DL3002
 USER root
-
 ENTRYPOINT ["/start.sh"]
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

app/appinfo/info.xml

@@ -2,10 +2,10 @@
 <info xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
 	  xsi:noNamespaceSchemaLocation="https://apps.nextcloud.com/schema/apps/info.xsd">
 	<id>nextcloud-aio</id>
-	<name>Nextcloud All-in-One</name>
+	<name>Nextcloud All In One</name>
 	<summary>Provides a login link for admins.</summary>
-	<description>Add a link to the admin settings that gives access to the Nextcloud All-in-One admin interface</description>
-	<version>0.4.0</version>
+	<description>Add a link to the admin settings that gives access to the Nextcloud All In One admin interface</description>
+	<version>0.3.0</version>
 	<licence>agpl</licence>
 	<author>Azul</author>
 	<namespace>AllInOne</namespace>
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="26" max-version="27"/>
+		<nextcloud min-version="24" max-version="25"/>
 	</dependencies>
 
 	<settings>

app/lib/Settings/Admin.php

@@ -78,6 +78,6 @@ class Admin implements ISettings {
 	 * E.g.: 70
 	 */
 	public function getPriority(): int {
-		return 0;
+		return 5;
 	}
 }

app/templates/admin.php

@@ -10,7 +10,6 @@ declare(strict_types=1);
  */
 	/** @var array $_ */ ?>
 <div id="allinone" class="section">
-	<h2><?php p($l->t('Nextcloud All-in-One'));?></h2>
-	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a><br><br>
-	<p><a href="https://github.com/nextcloud/all-in-one#how-to-easily-log-in-to-the-aio-interface">Click here for more infos on this feature (e.g. also on how to change the link in the button)</a></p>
+	<h2><?php p($l->t('Nextcloud All In One'));?></h2>
+	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a>
 </div>

community-containers/caddy/caddy.json

@@ -1,52 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-caddy",
-            "display_name": "Caddy with geoblocking",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy",
-            "image": "szaimen/aio-caddy",
-            "image_tag": "v1",
-            "internal_port": "443",
-            "restart": "unless-stopped",
-            "ports": [
-                {
-                  "ip_binding": "",
-                  "port_number": "443",
-                  "protocol": "tcp"
-                },
-                {
-                    "ip_binding": "",
-                    "port_number": "443",
-                    "protocol": "udp"
-                }
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "NC_DOMAIN=%NC_DOMAIN%",
-                "APACHE_PORT=%APACHE_PORT%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_caddy",
-                    "destination": "/data",
-                    "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/nextcloud",
-                    "writeable": false
-                }
-            ],
-            "aio_variables": [
-                "apache_ip_binding=127.0.0.1",
-                "apache_port=11000"
-            ],
-            "nextcloud_exec_commands": [
-                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-caddy'",
-                "touch '/mnt/ncdata/admin/files/nextcloud-aio-caddy/allowed-countries.txt'",
-                "echo 'Scanning nextcloud-aio-caddy folder for admin user...'",
-                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-caddy'"
-            ]
-        }
-    ]
-}

community-containers/caddy/readme.md

@@ -1,15 +0,0 @@
-## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden by listening on `bw.$NC_DOMAIN`, if installed.
-
-### Notes
-- This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
-- Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
-- After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-caddy
-
-### Maintainer
-https://github.com/szaimen

community-containers/dlna/dlna.json

@@ -1,39 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-dlna",
-            "display_name": "DLNA",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/dlna",
-            "image": "thanek/nextcloud-dlna",
-            "image_tag": "latest",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "depends_on": [
-                "nextcloud-aio-database"
-            ],
-            "environment": [
-                "NC_DOMAIN=%NC_DOMAIN%",
-                "NC_PORT=443",
-                "NEXTCLOUD_DLNA_SERVER_PORT=9999",
-                "NEXTCLOUD_DLNA_FRIENDLY_NAME=nextcloud-aio",
-                "NEXTCLOUD_DATA_DIR=/data",
-                "NEXTCLOUD_DB_TYPE=postgres",
-                "NEXTCLOUD_DB_HOST=%AIO_DATABASE_HOST%",
-                "NEXTCLOUD_DB_PORT=5432",
-                "NEXTCLOUD_DB_NAME=nextcloud_database",
-                "NEXTCLOUD_DB_USER=oc_nextcloud",
-                "NEXTCLOUD_DB_PASS=%DATABASE_PASSWORD%"
-            ],
-            "secrets": [
-                "DATABASE_PASSWORD"
-            ],
-            "volumes": [
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/data",
-                    "writeable": false
-                }
-            ]
-        }
-    ]
-}

community-containers/dlna/readme.md

@@ -1,15 +0,0 @@
-## DLNA server
-This container bundles DLNA server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
-
-### Notes
-- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on remote servers.
-- This is not working with Docker Desktop since it requires the `host` networking mode in docker, and it doesn't really share the host's network interfaces in this system
-- If you have a firewall like ufw configured, you might need to open at least port 9999 TCP and 1900 UDP first in order to make it work.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/thanek/nextcloud-dlna
-
-### Maintainer
-https://github.com/thanek
-

community-containers/fail2ban/fail2ban.json

@@ -1,32 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-fail2ban",
-            "display_name": "Fail2ban",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban",
-            "image": "szaimen/aio-fail2ban",
-            "image_tag": "v1",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "cap_add": [
-                "NET_ADMIN",
-                "NET_RAW"
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_nextcloud",
-                    "destination": "/nextcloud",
-                    "writeable": false
-                },
-                {
-                    "source": "nextcloud_aio_vaultwarden_logs",
-                    "destination": "/vaultwarden",
-                    "writeable": false
-                }
-            ]
-        }
-    ]
-}

community-containers/fail2ban/readme.md

@@ -1,13 +0,0 @@
-## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, if installed.
-
-### Notes
-- This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
-- If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-fail2ban
-
-### Maintainer
-https://github.com/szaimen

community-containers/libretranslate/libretranslate.json

@@ -1,34 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-libretranslate",
-            "display_name": "LibreTranslate",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/libretranslate",
-            "image": "szaimen/aio-libretranslate",
-            "image_tag": "v1",
-            "internal_port": "5000",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_libretranslate_db",
-                    "destination": "/app/db",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_libretranslate_models",
-                    "destination": "/home/libretranslate/.local",
-                    "writeable": true
-                }
-            ],
-            "nextcloud_exec_commands": [
-                "php /var/www/html/occ app:install integration_libretranslate",
-                "php /var/www/html/occ app:enable integration_libretranslate",
-                "php /var/www/html/occ config:app:set integration_libretranslate host --value='http://nextcloud-aio-libretranslate'",
-                "php /var/www/html/occ config:app:set integration_libretranslate port --value='5000'"
-            ]
-        }
-    ]
-}

community-containers/libretranslate/readme.md

@@ -1,19 +0,0 @@
-## LibreTranslate
-This container bundles LibreTranslate and auto-configures it for you.
-
-### Notes
-
-- Please note that this community container is currently not working since its integration app is not yet compatible with Nextcloud 27 (Hub 6). You can follow the progress here: https://github.com/v1r0x/integration_libretranslate/issues/1
-- After the initial startup is done, you might want to change the default language to translate from and to via:
-```bash
-# Adjust the values `en` and `de` in commands below accordingly
-sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:app:set integration_libretranslate from_lang --value="en"
-sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:app:set integration_libretranslate to_lang --value="de"
-```
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-libretranslate
-
-### Maintainer
-https://github.com/szaimen

community-containers/local-ai/local-ai.json

@@ -1,45 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-local-ai",
-            "display_name": "Local AI",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai",
-            "image": "szaimen/aio-local-ai",
-            "image_tag": "v1",
-            "internal_port": "8080",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "MODELS_PATH=/models"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_localai_models",
-                    "destination": "/models",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_localai_images",
-                    "destination": "/tmp/generated/images/",
-                    "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/nextcloud",
-                    "writeable": false
-                }
-            ],
-            "nextcloud_exec_commands": [
-                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-local-ai'",
-                "touch '/mnt/ncdata/admin/files/nextcloud-aio-local-ai/models.yaml'",
-                "echo 'Scanning nextcloud-aio-local-ai folder for admin user...'",
-                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-local-ai'",
-                "php /var/www/html/occ app:install integration_openai",
-                "php /var/www/html/occ app:enable integration_openai",
-                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:8080",
-                "php /var/www/html/occ app:install assistant",
-                "php /var/www/html/occ app:enable assistant"
-            ]
-        }
-    ]
-}

community-containers/local-ai/readme.md

@@ -1,27 +0,0 @@
-## Local AI
-This container bundles Local AI and auto-configures it for you.
-
-### Notes
-- Make sure to have enough storage space available. This container alone needs ~14GB storage on x64, on arm64 only ~4GB. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
-- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/go-skynet/model-gallery/blob/main/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
-- Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
-```yaml
-# Stable Diffusion in NCNN with c++, supported txt2img and img2img 
-- url: github:go-skynet/model-gallery/stablediffusion.yaml
-
-# Port of OpenAI's Whisper model in C/C++ 
-- url: github:go-skynet/model-gallery/whisper-base.yaml
-  name: whisper-1
-
-# A commercially licensable model based on GPT-J and trained by Nomic AI on the v0 GPT4All dataset.
-- url: github:go-skynet/model-gallery/gpt4all-j.yaml
-  name: gpt4all-j
-```
--  Additionally after doing so, you might want to enable or disable specific features for your models in the integration_openai settings: `https://your-nc-domain.com/settings/admin/connected-accounts`
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-local-ai
-
-### Maintainer
-https://github.com/szaimen

community-containers/npmplus/npmplus.json

@@ -1,32 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-npmplus",
-            "display_name": "NPMplus",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus",
-            "image": "zoeyvid/npmplus",
-            "image_tag": "latest",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "NC_AIO=true",
-                "NC_DOMAIN=%NC_DOMAIN%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_npmplus",
-                    "destination": "/data",
-                    "writeable": true
-                }
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_npmplus"
-            ],
-            "aio_variables": [
-                "apache_ip_binding=127.0.0.1",
-                "apache_port=11000"
-            ]
-        }
-    ]
-}

community-containers/npmplus/readme.md

@@ -1,22 +0,0 @@
-## NPMplus
-This container contains a fork of the Nginx Proxy Manager, which is a WebUI for nginx. It will also automatically create a config and cert for AIO.
-
-### Notes
-- This container is incompatible with the [caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container. So make sure that you do not enable both at the same time!
-- Only works on linux since it uses network mode host
-- You can ignore the NPM configuration of the reverse-proxy.md. The NPMplus fork already contains the changes of the advanced tab.
-- Make sure that no other service is using port `443 (tcp/upd)` or `81 (tcp)` on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep "443\|81"` before installing AIO.
-- Please change the default login data first, after you can read inside the logs that the default config for AIO is created and there are no errors.
-- After the container was started the first time, please check the logs for errors. Then you can open NPMplus on `https://<ip>:81` and change the password. 
-- The default password is `iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi` and the default email is `admin@example.com`
-- If you want to use NPMplus behind a domain and outside localhost just create a new proxy host inside the NPMplus which proxies to `https`, `127.0.0.1` and port `81` - all other settings should be the same as for the AIO host.
-- If you want to set env options from this [compose.yaml](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml), please set them inside the `.env` file which you can find in the `nextcloud_aio_npmplus` volume
-- The data (certs, configs, etc.) of NPMplus will be automatically included in AIOs backup solution!
-- **Important:** you always need to enable https for your hosts, since `DISABLE_HTTP` is set to true
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository and Documentation
-https://github.com/ZoeyVid/NPMplus
-
-### Maintainer
-https://github.com/Zoey2936

community-containers/pi-hole/pi-hole.json

@@ -1,56 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-pihole",
-            "display_name": "Pi-hole",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/pi-hole",
-            "image": "pihole/pihole",
-            "image_tag": "latest",
-            "internal_port": "8573",
-            "restart": "unless-stopped",
-            "init": false,
-            "ports": [
-                {
-                  "ip_binding": "",
-                  "port_number": "53",
-                  "protocol": "tcp"
-                },
-                {
-                    "ip_binding": "",
-                    "port_number": "53",
-                    "protocol": "udp"
-                },
-                {
-                    "ip_binding": "",
-                    "port_number": "8573",
-                    "protocol": "tcp"
-                }
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "WEBPASSWORD=%PIHOLE_WEBPASSWORD%",
-                "DNSMASQ_LISTENING=all",
-                "WEB_PORT=8573"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_pihole",
-                    "destination": "/etc/pihole",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_pihole_dnsmasq",
-                    "destination": "/etc/dnsmasq.d",
-                    "writeable": true
-                }
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_pihole",
-                "nextcloud_aio_pihole_dnsmasq"
-            ],
-            "secrets": [
-                "PIHOLE_WEBPASSWORD"
-            ]
-        }
-    ]
-}

community-containers/pi-hole/readme.md

@@ -1,18 +0,0 @@
-## Pi-hole
-This container bundles pi-hole and auto-configures it for you.
-
-### Notes
-- You should not run this container on a public VPS! It is only intended to run in home networks!
-- Make sure that no dns server is already running by checking with `sudo netstat -tulpn | grep 53`. Otherwise the container will not be able to start!
-- The DHCP functionality of Pi-hole has been disabled!
-- The data of pi-hole will be automatically included in AIOs backup solution!
-- After adding and starting the container, you can visit `http://ip.address.of.this.server:8573` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-pihole | grep WEBPASSWORD`. There you can configure the pi-hole setup. Also you can add local dns records.
-- You can configure your home network now to use pi-hole as its dns server by configuring your router.
-- Additionally, you can configure the docker daemon to use that by editing `/etc/docker/daemon.json` and adding ` { "dns" : [ "ip.address.of.this.server" , "8.8.8.8" ] } `.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/pi-hole/docker-pi-hole
-
-### Maintainer
-https://github.com/szaimen

community-containers/plex/plex.json

@@ -1,41 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-plex",
-            "display_name": "Plex",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/plex",
-            "image": "plexinc/pms-docker",
-            "image_tag": "latest",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "PLEX_UID=33",
-                "PLEX_GID=33"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_plex",
-                    "destination": "/config",
-                    "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/data",
-                    "writeable": false
-                },
-                {
-                    "source": "%NEXTCLOUD_MOUNT%",
-                    "destination": "%NEXTCLOUD_MOUNT%",
-                    "writeable": false
-                }
-            ],
-            "devices": [
-                "/dev/dri"
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_plex"
-            ]
-        }
-    ]
-}

community-containers/plex/readme.md

@@ -1,16 +0,0 @@
-## Plex
-This container bundles Plex and auto-configures it for you.
-
-### Notes
-- This is not working on arm64 since Plex does only provide x64 docker images.
-- This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
-- If you have a firewall like ufw configured, you might need to open all Plex ports in there first in order to make it work. Especially port 32400 is important!
-- After adding and starting the container, you need to visit http://ip.address.of.server:32400/manage in order to claim your server with a plex account
-- The data of Plex will be automatically included in AIOs backup solution!
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/plexinc/pms-docker
-
-### Maintainer
-https://github.com/szaimen

community-containers/readme.md

@@ -1,25 +0,0 @@
-# Community containers
-This directory features containers that are built for AIO which allows to add additional functionality very easily.
-
-## Disclaimers
-⚠️ This is currently beta and not stable yet!
-
-All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.
-
-## How to use this?
-Before adding any additional container, make sure to create a backup via the AIO interface!
-
-Afterwards, you might want to add additional community containers to the default AIO stack. You can do so by adding `--env AIO_COMMUNITY_CONTAINERS="container1 container2"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must match the folder names in this directory! ⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop!
-
-## How to add containers?
-Simply submit a PR by creating a new folder in this directory: https://github.com/nextcloud/all-in-one/tree/main/community-containers with the name of your container. It must include a json file with the same name and with correct syntax and a readme.md with additional information. You might get inspired by caddy, fail2ban, local-ai, libretranslate, plex, pi-hole or vaultwarden (subfolders in this directory). For a full-blown example of the json file, see https://github.com/nextcloud/all-in-one/blob/main/php/containers.json. The json-schema that it validates against can be found here: https://github.com/nextcloud/all-in-one/blob/main/php/containers-schema.json.
-
-### Is there a list of ideas for new community containers?
-Yes, see [this list](https://github.com/nextcloud/all-in-one/discussions/categories/ideas?discussions_q=is%3Aopen+category%3AIdeas+label%3A%22help+wanted%22) for already existing ideas for new community containers. Feel free to pick one up and add it to this folder by following the instructions above.
-
-## How to remove containers from AIOs stack?
-In some cases, you might want to remove some community containers from the AIO stack again. Here is how to do this.
-
-First, do a backup from the AIO interface in order to save the current state. Do not start the containers again afterwards! Now simply recreate the mastercontainer and remove any container from the `--env AIO_COMMUNITY_CONTAINERS="container1 container2"` that you do not actually need. If you want to remove all, simply use `--env AIO_COMMUNITY_CONTAINERS=" "`. 
-
-After removing the containers, there might be some data left on your server that you might want to remove. You can get rid of the data by first running `sudo docker rm nextcloud-aio-container1`, (adjust `container1` accordingly) per community-container that you removed. Then run `sudo docker image prune -a` in order to remove all images that are not used anymore. As last step you can get rid of persistent data of these containers that is stored in volumes. You can check if there is some by running `sudo docker volume ls` and look for any volume that matches the ones that you removed. If so, you can remove them with `sudo docker volume rm nextcloud_aio_volume-id` (of course you need to adjust the `volume-id`).

community-containers/vaultwarden/readme.md

@@ -1,16 +0,0 @@
-## Vaultwarden
-This container bundles vaultwarden and auto-configures it for you.
-
-### Notes
-- You need to configure a reverse proxy in order to run this container since vaultwarden needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy or follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md and https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples. You need to point the reverse proxy at port 8812 of this server.
-- Currently, only `bw.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, vaultwarden will use `bw.your-domain.com`. The reverse proxy and domain must be configured accordingly!
-- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban
-- The data of Vaultwarden will be automatically included in AIOs backup solution!
-- After adding and starting the container, you need to visit `https://bw.your-domain.com/admin` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-vaultwarden | grep ADMIN_TOKEN`. There you can configure smtp first and then invite users via mail. After this is done, you might disable the admin panel via the reverse proxy by blocking connections to the subdirectory.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/dani-garcia/vaultwarden
-
-### Maintainer
-https://github.com/szaimen

community-containers/vaultwarden/vaultwarden.json

@@ -1,48 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-vaultwarden",
-            "display_name": "Vaultwarden",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden",
-            "image": "vaultwarden/server",
-            "image_tag": "alpine",
-            "internal_port": "8812",
-            "restart": "unless-stopped",
-            "ports": [
-                {
-                  "ip_binding": "%APACHE_IP_BINDING%",
-                  "port_number": "8812",
-                  "protocol": "tcp"
-                }
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "ROCKET_PORT=8812",
-                "ADMIN_TOKEN=%VAULTWARDEN_ADMIN_TOKEN%",
-                "DOMAIN=https://bw.%NC_DOMAIN%",
-                "LOG_FILE=/logs/vaultwarden.log",
-                "LOG_LEVEL=warn",
-                "SIGNUPS_VERIFY=true",
-                "SIGNUPS_ALLOWED=false"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_vaultwarden",
-                    "destination": "/data",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_vaultwarden_logs",
-                    "destination": "/logs",
-                    "writeable": true
-                }
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_vaultwarden"
-            ],
-            "secrets": [
-                "VAULTWARDEN_ADMIN_TOKEN"
-            ]
-        }
-    ]
-}

compose.yaml

@@ -1,66 +0,0 @@
-services:
-  nextcloud-aio-mastercontainer:
-    image: nextcloud/all-in-one:latest
-    init: true
-    restart: always
-    container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
-    volumes:
-      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
-      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
-    ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      - 8080:8080
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-    # environment: # Is needed when using any of the options below
-      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
-      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
-      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
-      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
-      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
-      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
-      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
-      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
-      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
-      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-      # - NEXTCLOUD_KEEP_DISABLED_APPS=false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
-      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
-      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
-    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
-      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
-    # # Uncomment the following line when using SELinux
-    # security_opt: ["label:disable"]
-
-  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
-  # caddy:
-  #   image: caddy:alpine
-  #   restart: always
-  #   container_name: caddy
-  #   volumes:
-  #     - ./Caddyfile:/etc/caddy/Caddyfile
-  #     - ./certs:/certs
-  #     - ./config:/config
-  #     - ./data:/data
-  #     - ./sites:/srv
-  #   network_mode: "host"
-
-volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
-  nextcloud_aio_mastercontainer:
-    name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
-
-# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
-# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
-# networks:
-#   nextcloud-aio:
-#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
-#     driver: bridge
-#     enable_ipv6: true
-#     ipam:
-#       driver: default
-#       config:
-#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use