Merge branch 'main' into enh/noid/overwrite

Add feature
Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>
2026-05-28 06:20:14 +00:00 · 2024-09-28 20:26:14 +02:00 · 2024-08-25 17:21:38 +02:00
346 changed files with 5311 additions and 14710 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,20 +0,0 @@
 # https://editorconfig.org
 # Tip: to find files violating the rules set out here, run `docker run --rm --volume=$PWD:/check mstruebing/editorconfig-checker`
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 4
 indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.yaml]
 indent_size = 2
 [*.yml]
 indent_size = 2
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -1,15 +1,12 @@
 ---
-name: 🐛 Bug report - no questions and no support!
+name: 🐛 Bug report
-about: Help us improving by reporting a bug - this category is not for questions and also not for support! Please use one of the options below for questions and support
+about: Help us improving by reporting a bug
 labels: 0. Needs triage
 ---
 <!---
- Before submitting a bug report, please read through the documentation available at https://github.com/nextcloud/all-in-one#faq
+- If you use Cloudflare Tunnel or Cloudflare Proxy, see https://github.com/nextcloud/all-in-one#notes-on-cloudflare-proxytunnel for known issues/limitations and workarounds.
- Additional documentation is available here: https://github.com/nextcloud/all-in-one/discussions/categories/wiki
+- For issues with Collabora or Talk, make sure to follow https://github.com/nextcloud/all-in-one/discussions/1358. It may already resolve your issue and makes it easier to help you.
 - You should also read through existing questions and their answer here: https://github.com/nextcloud/all-in-one/discussions/categories/questions
 - Additional threads can be found here: https://help.nextcloud.com/tag/aio
 - Existing feature requests are listed here: https://github.com/nextcloud/all-in-one/discussions/categories/ideas
 --->
 <!--- Please fill out the whole template below -->
@@ -30,10 +27,4 @@ labels: 0. Needs triage
 #### Docker run command or docker-compose file that you used
-#### Output of `sudo docker logs nextcloud-aio-mastercontainer`
+#### Other valuable info <!--- (like logs, screenshots & Co.) -->
 #### Output of `sudo docker inspect nextcloud-aio-mastercontainer`
 #### Output of `sudo docker ps -a`
 #### Other valuable info <!--- (like additional logs, screenshots & Co.) -->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,14 +1,14 @@
 blank_issues_enabled: false
 contact_links:
    - name: 📘 Documentation on Nextcloud AIO
      url: https://github.com/nextcloud/all-in-one#faq
      about: Please read the docs first before submitting any report or request!
    - name: ⛑️ Questions and support
      url: https://help.nextcloud.com/tag/aio
      about: For questions, support and help
    - name: 💡 Suggest a new feature or discuss one
      url:  https://github.com/nextcloud/all-in-one/discussions/categories/ideas
      about: For new feature requests and discussion of existing ones
    - name: ❓ Questions on AIO
      url: https://github.com/nextcloud/all-in-one/discussions/categories/questions
      about: For questions regarding AIO
    - name: ⛑️ Community Support and Help
      url: https://help.nextcloud.com/tag/aio
      about: For other types of questions
    - name: 💼 Nextcloud Enterprise
      url: https://portal.nextcloud.com/
-      about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly
+      about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,30 +1,22 @@
 version: 2
 updates:
 - package-ecosystem: "github-actions"
-  directory: ".github/workflows"
+  directory: "/"
  schedule:
    interval: "daily"
    time: "12:00"
  open-pull-requests-limit: 10
  rebase-strategy: "disabled"
  labels:
  - 3. to review
  - dependencies
  cooldown:
    default-days: 7
 - package-ecosystem: composer
  directory: "/php/"
  schedule:
    interval: "daily"
    time: "12:00"
  open-pull-requests-limit: 10
  rebase-strategy: "auto"
  labels:
  - 3. to review
  - dependencies
 - package-ecosystem: "docker"
  directories:
    - "/Containers/alpine"
    - "/Containers/apache"
    - "/Containers/borgbackup"
    - "/Containers/clamav"
@@ -47,7 +39,6 @@ updates:
    interval: "daily"
    time: "04:00"
  open-pull-requests-limit: 10
  rebase-strategy: "disabled"
  labels:
  - 3. to review
  - dependencies
@@ -57,6 +48,6 @@ updates:
    - dependency-name: "postgres"
      update-types: ["version-update:semver-major"]
    - dependency-name: "redis"
-      update-types: ["version-update:semver-major"]
+      update-types: ["version-update:semver-major", "version-update:semver-minor"]
    - dependency-name: "elasticsearch"
      update-types: ["version-update:semver-major"]
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,5 +0,0 @@
 <!--
  - 🚨 SECURITY INFO
  -
  - Before sending a pull request that fixes a security issue please report it via our HackerOne page (https://hackerone.com/nextcloud) following our security policy (https://nextcloud.com/security/). This allows us to coordinate the fix and release without potentially exposing all Nextcloud servers and users in the meantime.
 -->
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -12,9 +12,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: Check spelling
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
+        uses: codespell-project/actions-codespell@v2
        with:
          check_filenames: true
          check_hidden: true
--- a/.github/workflows/collabora.yml
+++ b/.github/workflows/collabora.yml
@@ -1,30 +0,0 @@
 name: collabora-update
 on:
  workflow_dispatch:
  schedule:
  - cron:  '00 12 * * *'
 jobs:
  collabora-update:
    name: update collabora
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run collabora-profile-update
      run: |
        rm -f php/cool-seccomp-profile.json
        wget https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/main/docker/cool-seccomp-profile.json
        mv cool-seccomp-profile.json php/
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: collabora-seccomp-update automated change
        signoff: true
        title: collabora seccomp update
        body: Automated collabora seccomp profile update
        labels: dependencies, 3. to review
        milestone: next
        branch: collabora-seccomp-update
--- a/.github/workflows/community-containers.yml
+++ b/.github/workflows/community-containers.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: Validate structure
        run: |
          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -8,12 +8,12 @@ on:
 jobs:
  dependency_updates:
    name: Run dependency update script
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v4
-    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+    - uses: shivammathur/setup-php@v2
      with:
-        php-version: 8.5
+        php-version: 8.3
        extensions: apcu
    - name: Run dependency update script
      run: |
@@ -43,19 +43,9 @@ jobs:
            | tail -1
        )"
        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
        # CADDY_REMOTE_HOST_HASH
        CADDY_REMOTE_HOST_HASH="$(
          git ls-remote https://github.com/muety/caddy-remote-host master \
            | cut -f1 \
            | tail -1
        )"
        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: php dependency updates
        signoff: true
        title: PHP dependency updates
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -25,7 +25,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: Install hadolint
        run: |
--- a/.github/workflows/fail-on-prerelease.yml
+++ b/.github/workflows/fail-on-prerelease.yml
@@ -1,50 +0,0 @@
 name: Block if prerelease is present
 on:
  pull_request:
 permissions:
  contents: read
 jobs:
  check-latest-release:
    runs-on: ubuntu-latest
    steps:
      - name: "Check latest published release isn't a prerelease"
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
        with:
          script: |
            const tags = await github.rest.repos.listTags({
              owner: context.repo.owner,
              repo: context.repo.repo,
              per_page: 1
            });
            if (!tags.data || tags.data.length === 0) {
              core.info('No tags found for this repository; skipping prerelease check.');
              return;
            }
            const latestTag = tags.data[0].name;
            core.info(`Latest tag found: ${latestTag}`);
            try {
              const { data } = await github.rest.repos.getReleaseByTag({
                owner: context.repo.owner,
                repo: context.repo.repo,
                tag: latestTag
              });
              if (data.prerelease) {
                core.setFailed(`Release for tag ${latestTag} (${data.tag_name}) is a prerelease. Blocking merges to main as we need to wait for the prerelease to become stable.`);
              } else {
                core.info(`Release for tag ${latestTag} (${data.tag_name}) is not a prerelease.`);
              }
            } catch (err) {
              if (err.status === 404) {
                core.info(`No release found for tag ${latestTag}; skipping prerelease check.`);
              } else {
                throw err;
              }
            }
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -10,16 +10,13 @@ on:
 jobs:
  release:
    # Do not run this workflow on forked repositories, as they might not have the `gh-pages` branch created, or might
    # want to use it for other purposes than publishing helm charts
    if: github.repository == 'nextcloud/all-in-one'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: Turnstyle
-        uses: softprops/turnstyle@e15e934b3f69ee283ba389ea05c8886baa656d93 # v2
+        uses: softprops/turnstyle@v2
        with:
          continue-after-seconds: 180
        env:
@@ -35,7 +32,7 @@ jobs:
      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@v4
        with:
          version: v3.6.3
@@ -44,7 +41,7 @@ jobs:
          helm lint ./nextcloud-aio-helm-chart
      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
+        uses: helm/chart-releaser-action@v1.6.0
        with:
          mark_as_latest: false
          charts_dir: .
--- a/.github/workflows/imaginary-update.yml
+++ b/.github/workflows/imaginary-update.yml
@@ -10,7 +10,7 @@ jobs:
    name: update to latest imaginary commit on master branch
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v4
    - name: Run imaginary-update
      run: |
        # Imaginary
@@ -22,9 +22,8 @@ jobs:
        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: imaginary-update automated change
        signoff: true
        title: Imaginary update
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@@ -1,37 +1,35 @@
-name: Json Validator
+name: Json Validator
-
+
-on:
+on:
-  pull_request:
+  pull_request:
-    paths:
+    paths:
-      - '**.json'
+      - '**.json'
-  push:
+  push:
-    branches:
+    branches:
-      - main
+      - main
-    paths:
+    paths:
-      - '**.json'
+      - '**.json'
-
+
-jobs:
+jobs:
-  json-validator:
+  json-validator:
-    name: Json Validator
+    name: Json Validator
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-    steps:
+    steps:
-      - name: Checkout code
+      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
-      - name: Validate Json
+      - name: Validate Json
-        run: |
+        run: |
-          sudo apt-get update
+          sudo apt-get update
-          sudo apt-get install python3-venv -y --no-install-recommends
+          sudo apt-get install python3-pip -y --no-install-recommends
-          python3 -m venv venv
+          sudo pip3 install json-spec
-          . venv/bin/activate
+          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
-          pip3 install json-spec
+            exit 1
-          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
+          fi
-            exit 1
+          JSON_FILES="$(find ./community-containers -name '*.json')"
-          fi
+          mapfile -t JSON_FILES <<< "$JSON_FILES"
-          JSON_FILES="$(find ./community-containers -name '*.json')"
+          for file in "${JSON_FILES[@]}"; do
-          mapfile -t JSON_FILES <<< "$JSON_FILES"
+            json validate --schema-file=php/containers-schema.json --document-file="$file" 2>&1 | tee -a ./json-validator.log
-          for file in "${JSON_FILES[@]}"; do
+          done
-            json validate --schema-file=php/containers-schema.json --document-file="$file" 2>&1 | tee -a ./json-validator.log
+          if grep -q "document does not validate with schema.\|invalid JSONFile" ./json-validator.log; then
-          done
+            exit 1
-          if grep -q "document does not validate with schema.\|invalid JSONFile" ./json-validator.log; then
+          fi
            exit 1
          fi
--- a/.github/workflows/lint-helm.yml
+++ b/.github/workflows/lint-helm.yml
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        uses: azure/setup-helm@v4
        with:
          version: v3.11.1
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -2,9 +2,6 @@
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 name: Lint php
@@ -30,18 +27,16 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        php-versions: [ "8.5" ]
+        php-versions: [ "8.3" ]
    name: php-lint
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # v2
        with:
          php-version: ${{ matrix.php-versions }}
          coverage: none
--- a/.github/workflows/lint-yaml.yml
+++ b/.github/workflows/lint-yaml.yml
@@ -1,42 +0,0 @@
 # This workflow is provided via the organization template repository
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 name: Lint YAML
 on: 
  pull_request:
    paths:
      - '**.yml'
 permissions:
  contents: read
 jobs:
  yaml-lint:
    runs-on: ubuntu-latest
    name: yaml
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.1
        with:
          persist-credentials: false
      - name: GitHub action templates lint
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
        with:
          file_or_dir: .github/workflows
          config_data: |
            line-length: warning
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - name: Check GitHub actions
        run: uvx zizmor --min-severity medium .github/workflows/*.yml
--- a/.github/workflows/lock-threads.yml
+++ b/.github/workflows/lock-threads.yml
@@ -14,7 +14,7 @@ jobs:
  action:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v5
+      - uses: dessant/lock-threads@v5
        with: 
          issue-inactive-days: '14'
          process-only: 'issues'
--- a/.github/workflows/nextcloud-update.yml
+++ b/.github/workflows/nextcloud-update.yml
@@ -11,7 +11,7 @@ jobs:
    name: Run nextcloud-update script
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v4
    - name: Run nextcloud-update script
      run: |
        # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -25,7 +25,7 @@ jobs:
            | sort -V \
            | tail -1
        )"
-        sed -i "s|\(pecl install[^;]*APCu-\)[0-9.]*|\1$apcu_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/nextcloud/Dockerfile
        # Memcached
        memcached_version="$(
@@ -36,7 +36,7 @@ jobs:
            | sort -V \
            | tail -1
        )"
-        sed -i "s|\(pecl install[^;]*memcached-\)[0-9.]*|\1$memcached_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install memcached.* |pecl install memcached-$memcached_version |" ./Containers/nextcloud/Dockerfile
        # Redis
        redis_version="$(
@@ -47,18 +47,18 @@ jobs:
            | sort -V \
            | tail -1
        )"
-        sed -i "s|\(pecl install[^;]*redis-\)[0-9.]*|\1$redis_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install redis.* |pecl install redis-$redis_version |" ./Containers/nextcloud/Dockerfile
        # Imagick
        imagick_version="$(
-          git ls-remote --tags https://github.com/imagick/imagick.git \
+          git ls-remote --tags https://github.com/mkoppanen/imagick.git \
            | cut -d/ -f3 \
            | grep -viE '[a-z]' \
            | tr -d '^{}' \
            | sort -V \
            | tail -1
        )"
-        sed -i "s|\(pecl install[^;]*imagick-\)[0-9.]*|\1$imagick_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install imagick.*\;|pecl install imagick-$imagick_version\;|" ./Containers/nextcloud/Dockerfile
        # Igbinary
        igbinary_version="$(
@@ -69,7 +69,7 @@ jobs:
            | sort -V \
            | tail -1
        )"
-        sed -i "s|\(pecl install[^;]*igbinary-\)[0-9.]*|\1$igbinary_version|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install igbinary.*\;|pecl install igbinary-$igbinary_version\;|" ./Containers/nextcloud/Dockerfile
        # Nextcloud
        NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
@@ -79,9 +79,8 @@ jobs:
        fi
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: nextcloud-update automated change
        signoff: true
        title: Nextcloud dependency update
--- a/.github/workflows/php-deprecation-detector.yml
+++ b/.github/workflows/php-deprecation-detector.yml
@@ -16,11 +16,11 @@ jobs:
    name: PHP Deprecation Detector
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@v2
        with:
-          php-version: 8.5
+          php-version: 8.3
          extensions: apcu
          coverage: none
--- a/.github/workflows/playwright-on-push.yml
+++ b/.github/workflows/playwright-on-push.yml
@@ -1,133 +0,0 @@
 name: Playwright Tests on push
 on:
  pull_request:
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
      - 'Containers/mastercontainer/start.sh'
  push:
    branches:
      - main
    paths:
      - 'php/**'
      - 'Containers/mastercontainer/*.Caddyfile'
      - 'Containers/mastercontainer/start.sh'
 concurrency:
  group: playwright-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 env:
  BASE_URL: https://localhost:8080
 jobs:
  test:
    timeout-minutes: 60
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: lts/*
      - name: Install dependencies
        run: cd php/tests && npm ci
      - name: Install Playwright Browsers
        run: cd php/tests && npx playwright install --with-deps chromium
      - name: Set up php 8.5
        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
        with:
          extensions: apcu
          php-version: 8.5
          coverage: none
          ini-file: development
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Adjust some things and fix permissions
        run: |
          cd php
          rm -r ./data
          rm -r ./session
          composer install --no-dev
          composer clear-cache
          sudo chmod 777 -R ../
      - name: Start fresh development server
        run: |
          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
          docker pull ghcr.io/nextcloud-releases/all-in-one:develop
          docker run \
            -d \
            --init \
            --name nextcloud-aio-mastercontainer \
            --restart always \
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
            ghcr.io/nextcloud-releases/all-in-one:develop
          echo Waiting for 10 seconds for the development container to start ...
          sleep 10
      - name: Run Playwright tests for initial setup
        run: |
          cd php/tests
          export DEBUG=pw:api
          if ! npx playwright test tests/initial-setup.spec.js; then
            docker logs nextcloud-aio-mastercontainer
            docker logs nextcloud-aio-borgbackup
            exit 1
          fi
      - name: Start fresh development server
        run: |
          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
          docker run \
            -d \
            --init \
            --name nextcloud-aio-mastercontainer \
            --restart always \
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume ./php:/var/www/docker-aio/php \
            --volume ./Containers/mastercontainer/internal.Caddyfile:/internal.Caddyfile \
            --volume ./Containers/mastercontainer/headers.Caddyfile:/headers.Caddyfile \
            --volume ./Containers/mastercontainer/start.sh:/start.sh \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
            ghcr.io/nextcloud-releases/all-in-one:develop
          echo Waiting for 10 seconds for the development container to start ...
          sleep 10
      - name: Run Playwright tests for backup restore
        run: |
          cd php/tests 
          export DEBUG=pw:api
          if ! npx playwright test tests/restore-instance.spec.js; then
            docker logs nextcloud-aio-mastercontainer
            docker logs nextcloud-aio-borgbackup
            exit 1
          fi
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
          path: php/tests/playwright-report/
          retention-days: 14
          overwrite: true
--- a/.github/workflows/playwright-on-workflow-dispatch.yml
+++ b/.github/workflows/playwright-on-workflow-dispatch.yml
@@ -1,91 +0,0 @@
 name: Playwright Tests
 on:
  workflow_dispatch:
 env:
  BASE_URL: https://localhost:8080
 jobs:
  test:
    timeout-minutes: 60
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: lts/*
      - name: Install dependencies
        run: cd php/tests && npm ci
      - name: Install Playwright Browsers
        run: cd php/tests && npx playwright install --with-deps chromium
      - name: Start fresh development server
        run: |
          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
          docker pull ghcr.io/nextcloud-releases/all-in-one:develop
          docker run \
            -d \
            --init \
            --name nextcloud-aio-mastercontainer \
            --restart always \
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=true \
            --env APACHE_PORT=11000 \
            ghcr.io/nextcloud-releases/all-in-one:develop
          echo Waiting for 10 seconds for the development container to start ...
          sleep 10
      - name: Run Playwright tests for initial setup
        run: |
          cd php/tests
          export DEBUG=pw:api
          if ! npx playwright test tests/initial-setup.spec.js; then
            docker logs nextcloud-aio-mastercontainer
            docker logs nextcloud-aio-borgbackup
            exit 1
          fi
      - name: Start fresh development server
        run: |
          docker rm --force nextcloud-aio-{mastercontainer,apache,notify-push,nextcloud,redis,database,domaincheck,whiteboard,imaginary,talk,collabora,borgbackup} || true
          docker volume rm nextcloud_aio_{mastercontainer,apache,database,database_dump,nextcloud,nextcloud_data,redis,backup_cache,elasticsearch} || true
          docker run \
            -d \
            --init \
            --name nextcloud-aio-mastercontainer \
            --restart always \
            --publish 8080:8080 \
            --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
            --env SKIP_DOMAIN_VALIDATION=false \
            --env APACHE_PORT=11000 \
            ghcr.io/nextcloud-releases/all-in-one:develop
          echo Waiting for 10 seconds for the development container to start ...
          sleep 10
      - name: Run Playwright tests for backup restore
        run: |
          cd php/tests 
          export DEBUG=pw:api
          if ! npx playwright test tests/restore-instance.spec.js; then
            docker logs nextcloud-aio-mastercontainer
            docker logs nextcloud-aio-borgbackup
            exit 1
          fi
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: ${{ !cancelled() }}
        with:
          name: playwright-report
          path: php/tests/playwright-report/
          retention-days: 14
          overwrite: true
--- a/.github/workflows/psalm-update-baseline.yml
+++ b/.github/workflows/psalm-update-baseline.yml
@@ -10,15 +10,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
      - name: Set up php
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@v2
        with:
-          php-version: 8.5
+          php-version: 8.3
          extensions: apcu
          coverage: none
          ini-file: development
      - name: Run script
        run: |
@@ -31,9 +30,9 @@ jobs:
        continue-on-error: true
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@v7
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: Update psalm baseline
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -2,9 +2,6 @@
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2022-2024 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 name: Static analysis
@@ -22,9 +19,6 @@ concurrency:
  group: psalm-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  static-analysis:
    runs-on: ubuntu-latest
@@ -32,18 +26,15 @@ jobs:
    name: static-psalm-analysis
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
      - name: Set up php
-        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2.37.0
+        uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # v2
        with:
-          php-version: 8.5
+          php-version: 8.3
          extensions: apcu
          coverage: none
          ini-file: development
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -15,9 +15,9 @@ jobs:
    name: Check Shell
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v4
    - name: Run Shellcheck
-      uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+      uses: ludeeus/action-shellcheck@2.0.0
      with:
        check_together: 'yes'
      env:
--- a/.github/workflows/sync-workflow-templates.yml
+++ b/.github/workflows/sync-workflow-templates.yml
@@ -1,140 +0,0 @@
 # This workflow is provided via the organization template repository
 #
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 #
 # SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 # This workflow will update all workflow templates
 # Additionally it will reapply `workflow.yml.patch` files after syncing and only then commit the result
 name: Update workflows
 on:
  workflow_dispatch:
  schedule:
      - cron: "5 2 * * 0"
 permissions:
  contents: read
 jobs:
  dispatch:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        branches:
          - ${{ github.event.repository.default_branch }}
          - 'stable33'
          - 'stable32'
    name: Update workflows in ${{ matrix.branches }}
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check actor permission
        uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
        with:
          require: admin
      - name: Checkout workflow repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: source
          repository: nextcloud/.github
      - name: Checkout app
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          path: target
          ref: ${{ matrix.branches }}
      - name: Copy all workflow templates
        run: |
          echo 'SUMMARY<<EOF' >> $GITHUB_ENV
          draft_only=0
          for workflow in ./source/workflow-templates/*.yml; do
            echo "❓ Looking for $workflow"
            if [ -f "$workflow" ]; then
              filename=$(basename "$workflow")
              target_file="./target/.github/workflows/$filename"
              # Only copy if the file exists in the target repository
              if [ -f "$target_file" ]; then
                if [ -f "./target/.github/actions-lock.txt" ]; then
                  locked_version=$(grep " $filename" ./target/.github/actions-lock.txt | cat)
                else
                  echo "# SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors" >> ./target/.github/actions-lock.txt
                  echo "# SPDX-License""-Identifier: MIT" >> ./target/.github/actions-lock.txt
                  locked_version=""
                fi
                locked_version=$(echo $locked_version | cut -f 1 -d " ")
                new_version=$(md5sum $workflow | cut -f 1 -d " ")
                # Only update if the action changes
                if [[ "$locked_version" != "$new_version" ]]; then
                  echo "ℹ️ Locked version: $locked_version"
                  echo "ℹ️ Current version: $new_version"
                  echo "🆙 Updating existing workflow: $filename"
                  echo "- 🆙 Updated [$filename](https://github.com/nextcloud/.github/commits/master/workflow-templates/$filename)" >> $GITHUB_ENV
                  cp "$workflow" "$target_file"
                  # Apply patch if one exists
                  if [ -f "$target_file.patch" ]; then
                    echo "🩹 Applying patch"
                    cd ./target
                    set +e
                    patch -p1 < ".github/workflows/$filename.patch"
                    patch_worked=$?
                    set -e
                    cd -
                    if [[ "$patch_worked" == "0" ]]; then
                      echo "  - Patch applied" >> $GITHUB_ENV
                    else
                      echo "  - [ ] ❌ Patch failed" >> $GITHUB_ENV
                      draft_only=1
                    fi
                  fi
                  if [[ "$locked_version" != "" ]]; then
                    sed -i "s/$locked_version $filename/$new_version $filename/" ./target/.github/actions-lock.txt
                  else
                    echo "$new_version $filename" >> ./target/.github/actions-lock.txt
                  fi
                else
                  echo "✅ Skipping $filename: already up to date"
                fi
              else
                echo "⏭️ Skipping $filename: does not exist in target repository"
              fi
            fi
          done
          echo 'EOF' >> $GITHUB_ENV
          echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
          commit-message: 'ci(actions): Update workflow templates from organization template repository'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          path: target
          signoff: true
          branch: 'automated/noid/${{ matrix.branches }}-update-workflows'
          title: '[${{ matrix.branches }}] ci(actions): Update workflow templates from organization template repository'
          draft: ${{ env.DRAFT_ONLY == 1 }}
          add-paths: .github/workflows/*.yml,.github/actions-lock.txt
          body: |
            Automated update of all workflow templates from [nextcloud/.github](https://github.com/nextcloud/.github)
            ${{ env.SUMMARY }}
          labels: |
            dependencies
            3. to review
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -10,7 +10,7 @@ jobs:
    name: update talk
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v4
    - name: Run talk-container-update
      run: |
        # Recording
@@ -36,7 +36,7 @@ jobs:
        # Janus
        janus_version="$(
-          git ls-remote https://github.com/meetecho/janus-gateway v1.*.* \
+          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
            | cut -d/ -f3 \
            | sort -V \
            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
@@ -45,9 +45,8 @@ jobs:
        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      uses: peter-evans/create-pull-request@v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: talk-update automated change
        signoff: true
        title: talk container update
--- a/.github/workflows/twig-lint.yml
+++ b/.github/workflows/twig-lint.yml
@@ -24,12 +24,12 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
+        uses: shivammathur/setup-php@v2
        with:
-          php-version: 8.5
+          php-version: 8.3
          extensions: apcu
          coverage: none
--- a/.github/workflows/update-copyright.yml
+++ b/.github/workflows/update-copyright.yml
@@ -1,11 +0,0 @@
 name: Update Copyright
 on:
  workflow_dispatch:
 jobs:
  update-copyright:
    name: update copyright
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/update-helm.yml
+++ b/.github/workflows/update-helm.yml
@@ -11,19 +11,16 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: update helm chart
        run: |
-          set -x
+          DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20[0-9_]\+' | grep -v latest | sort -r | head -1)"
          GHCR_TOKEN="$(curl https://ghcr.io/token?scope=repository:nextcloud-releases/nce-php-fpm-mgmt:pull | jq '.token' | sed 's|"||g')"
          DOCKER_TAG="$(curl -H "Authorization: Bearer ${GHCR_TOKEN}" -L -s 'https://ghcr.io/v2/nextcloud-releases/all-in-one/tags/list?page_size=1024' | jq '.tags' | sed 's|"||g;s|[[:space:]]||g;s|,||g' | grep '^20[0-9_]\+' | grep -v latest | sort -r | head -1)"
          export DOCKER_TAG
-          set +x
+          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
          if [ -n "$DOCKER_TAG" ] && ! grep -q "aio-nextcloud:$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
          fi
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@v7
        with:
          commit-message: Helm Chart updates
          signoff: true
--- a/.github/workflows/update-yaml.yml
+++ b/.github/workflows/update-yaml.yml
@@ -11,12 +11,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
      - name: update yaml files
        run: |
          sudo bash manual-install/update-yaml.sh
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@v7
        with:
          commit-message: Yaml updates
          signoff: true
--- a/.github/workflows/watchtower-update.yml
+++ b/.github/workflows/watchtower-update.yml
@@ -1,38 +0,0 @@
 name: watchtower-update
 on:
  workflow_dispatch:
  schedule:
  - cron:  '00 12 * * *'
 jobs:
  watchtower-update:
    name: update watchtower
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Run watchtower-container-update
      run: |
        # Watchtower
        watchtower_version="$(
          git ls-remote https://github.com/nicholas-fedor/watchtower v* \
            | cut -d/ -f3 \
            | sort -V \
            | grep -E "^v[0-9\.]+$" \
            | tail -1
        )"
        watchtower_commit_hash="$(git ls-remote https://github.com/nicholas-fedor/watchtower $watchtower_version | sed 's/refs.*//')"
        sed -i "s|^ENV WATCHTOWER_COMMIT_HASH.*$|ENV WATCHTOWER_COMMIT_HASH=$watchtower_commit_hash|" ./Containers/watchtower/Dockerfile
        sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: watchtower-update automated change
        signoff: true
        title: watchtower container update
        body: Automated watchtower container update
        labels: dependencies, 3. to review
        milestone: next
        branch: watchtower-container-update
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,13 +0,0 @@
 <!--
 - SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
 - SPDX-License-Identifier: AGPL-3.0-or-later
 -->
 In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.
 Our code of conduct offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere, and to explain how together we can strengthen and support each other.
 The Code of Conduct is shared by all contributors and users who engage with the Nextcloud team and its community services. It presents a summary of the shared values and “common sense” thinking in our community.
 You can find our full code of conduct on our website: https://nextcloud.com/code-of-conduct/
 Please, keep our CoC in mind when you contribute! That way, everyone can be a part of our community in a productive, positive, creative and fun way.
--- a/Containers/alpine/Dockerfile
+++ b/Containers/alpine/Dockerfile
@@ -1,12 +0,0 @@
 # syntax=docker/dockerfile:latest
 FROM alpine:3.23.4
 RUN set -ex; \
    apk upgrade --no-cache -a
 LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/apache/Caddyfile
+++ b/Containers/apache/Caddyfile
@@ -15,15 +15,9 @@
 }
 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
 http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
-    header {
+    header -Server
-        Strict-Transport-Security max-age=31536000;
+    header -X-Powered-By
        -Server
        -X-Powered-By
        -Via
    }
    # Collabora
    route /browser/* {
@@ -46,7 +40,7 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    route /onlyoffice/* {
        uri strip_prefix /onlyoffice
        reverse_proxy {$ONLYOFFICE_HOST}:80 {
-            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
+            header_up X-Forwarded-Host {http.request.host}/onlyoffice
            header_up X-Forwarded-Proto https
        }
    }
@@ -63,13 +57,9 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
        reverse_proxy {$WHITEBOARD_HOST}:3002
    }
    # HaRP (ExApps)
    route /exapps/* {
        reverse_proxy {$HARP_HOST}:8780
    }
    # Nextcloud
    route {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy 127.0.0.1:8000
    }
    redir /.well-known/carddav /remote.php/dav/ 301
@@ -78,9 +68,6 @@ http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI req
    # TLS options
    tls {
        issuer acme {
            profile shortlived
            # Disable HTTP challenge because that would require port 80, which we don't get (it's exposed to the mastercontainer).
            # This container by default only exposes port 443 if not configured otherwise via APACHE_PORT.
            disable_http_challenge
        }
    }
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.3-alpine AS caddy
+FROM caddy:2.8.4-alpine AS caddy
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.67-alpine3.23
+FROM httpd:2.4.62-alpine3.20
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
@@ -60,19 +60,6 @@ RUN set -ex; \
    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
 # defaults; 25 threads per process balances concurrency against per-process memory use.
    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Start two server processes on boot to absorb the first requests without spawning
 # new processes on the critical path, while avoiding unnecessary memory overhead.
    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Keep at least 25 idle threads (one full process worth) so traffic bursts can be
 # absorbed immediately without triggering new process creation.
    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
 # minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
 # to absorb typical bursts without respawning a new process.
    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
    \
    rm -rf /usr/local/apache2/conf/original /var/www; \
    mkdir -p /var/www; \
@@ -92,20 +79,12 @@ RUN set -ex; \
    chmod 777 -R /usr/local/apache2/logs; \
    rm -rf /usr/local/apache2/cgi-bin/; \
    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    echo "root:$(openssl rand -base64 12)" | chpasswd
    apk --no-cache del openssl
-USER 33
+USER www-data
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/apache/healthcheck.sh
+++ b/Containers/apache/healthcheck.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z 127.0.0.1 8000 || exit 1
 nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
 if ! nc -z "$NC_DOMAIN" 443; then
    echo "Could not reach $NC_DOMAIN on port 443."
    exit 1
 fi
--- a/Containers/apache/nextcloud.conf
+++ b/Containers/apache/nextcloud.conf
@@ -7,7 +7,7 @@ Listen 8000
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel ${AIO_LOG_LEVEL}
+    LogLevel warn
    # PHP match
    <FilesMatch "\.php$">
@@ -17,9 +17,7 @@ Listen 8000
    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
    </Proxy>
-    # Compress JS, CSS and SVG responses with Brotli.
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    # Other plain-text files are already compressed by Nextcloud itself.
    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
        BrotliCompressionQuality 0
@@ -28,9 +26,11 @@ Listen 8000
    # Nextcloud dir
    DocumentRoot /var/www/html/
    <Directory /var/www/html/>
-        Options FollowSymLinks MultiViews
+        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
--- a/Containers/apache/start.sh
+++ b/Containers/apache/start.sh
@@ -1,20 +1,10 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ -z "$NC_DOMAIN" ]; then
    echo "NC_DOMAIN and NEXTCLOUD_HOST need to be provided. Exiting!"
    exit 1
 fi
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    export SUPERVISORD_STDOUT=/dev/stdout
 else
    export SUPERVISORD_STDOUT=NONE
 fi
 # Need write access to /mnt/data
 if ! [ -w /mnt/data ]; then
    echo "Cannot write to /mnt/data"
@@ -56,9 +46,7 @@ echo "$CADDYFILE" > /tmp/Caddyfile
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    # Here the 100.64.0.0/10 range gets added which is the CGNAT range used by Tailscale nodes
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
    # See https://github.com/nextcloud/all-in-one/pull/6703 for reference
    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges 100.64.0.0/10|' /tmp/Caddyfile)"
 else
    CADDYFILE="$(sed "s|# trusted_proxies placeholder|trusted_proxies static $IPv4_ADDRESS|" /tmp/Caddyfile)"
 fi
@@ -76,11 +64,6 @@ caddy fmt --overwrite /tmp/Caddyfile
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 # Fix caddy startup
 if [ -d "/mnt/data/caddy/locks" ]; then
    rm -rf /mnt/data/caddy/locks/*
 fi
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid
--- a/Containers/apache/supervisord.conf
+++ b/Containers/apache/supervisord.conf
@@ -1,18 +1,19 @@
 [supervisord]
 nodaemon=true
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 [program:apache]
-# Stdout logging is disabled as otherwise the logs are spammed
+# stdout_logfile=/dev/stdout
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
+command=apachectl -DFOREGROUND
 [program:caddy]
 stdout_logfile=/dev/stdout
--- a/Containers/borgbackup/Dockerfile
+++ b/Containers/borgbackup/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.20.3
 RUN set -ex; \
    \
@@ -11,25 +11,15 @@ RUN set -ex; \
        rsync \
        fuse \
        py3-llfuse \
-        jq \
+        jq
        openssh-client
 VOLUME /root
 COPY --chmod=770 *.sh /
 COPY borg_excludes /
 ENTRYPOINT ["/start.sh"]
 # hadolint ignore=DL3002
 USER root
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
-    wud.watch="false" \
+ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6" \
    AIO_LOG_LEVEL="warn"
--- a/Containers/borgbackup/backupscript.sh
+++ b/Containers/borgbackup/backupscript.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Functions
 get_start_time(){
    START_TIME=$(date +%s)
@@ -38,23 +34,19 @@ for volume in "${DEFAULT_VOLUMES[@]}"; do
 done
 # Check if target is mountpoint
-if [ -z "$BORG_REMOTE_REPO" ] && ! mountpoint -q "$MOUNT_DIR"; then
+if ! mountpoint -q /mnt/borgbackup; then
-    echo "$MOUNT_DIR is not a mountpoint which is not allowed."
+    echo "/mnt/borgbackup is not a mountpoint which is not allowed."
    exit 1
 fi
-# Check if repo is uninitialized
+# Check if target is empty
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-    if [ -n "$BORG_REMOTE_REPO" ]; then
+    echo "The repository is empty. Cannot perform check or restore."
        echo "The repository is uninitialized or cannot connect to remote. Cannot perform check or restore."
    else
        echo "The repository is uninitialized. Cannot perform check or restore."
    fi
    exit 1
 fi
 # Do not continue if this file exists (needed for simple external blocking)
-if [ -z "$BORG_REMOTE_REPO" ] && [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
+if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
    echo "Not continuing because aio-lockfile exists – it seems like a script is externally running which is locking the backup archive."
    echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
    exit 1
@@ -65,15 +57,6 @@ if [ "$BORG_MODE" = backup ] || [ "$BORG_MODE" = restore ]; then
    touch "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
 fi
 if [ -n "$BORG_REMOTE_REPO" ] && ! [ -f "$BORGBACKUP_KEY" ]; then
    echo "First run, creating borg ssh key"
    ssh-keygen  -f "$BORGBACKUP_KEY" -N ""
    echo "You should configure the remote to accept this public key"
 fi
 if [ -n "$BORG_REMOTE_REPO" ] && [ -f "$BORGBACKUP_KEY.pub" ]; then
    echo "Your public ssh key for borgbackup is: $(cat "$BORGBACKUP_KEY.pub")"
 fi
 # Do the backup
 if [ "$BORG_MODE" = backup ]; then
@@ -81,10 +64,6 @@ if [ "$BORG_MODE" = backup ]; then
    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" ]; then
        echo "configuration.json not present. Cannot perform the backup!"
        exit 1
    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
        echo "It seems like the configuration.json setup was not done correctly. Something is wrong! (Most likely the provided configuration.json is invalid)"
        exit 1
    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
        echo "config.php is missing. Cannot perform backup!"
        exit 1
@@ -121,22 +100,15 @@ if [ "$BORG_MODE" = backup ]; then
        exit 1
    fi
-    if [ -z "$BORG_REMOTE_REPO" ]; then
+    # Create backup folder
-        # Create backup folder
+    mkdir -p "$BORG_BACKUP_DIRECTORY"
        mkdir -p "$BORG_BACKUP_DIRECTORY"
    fi
-    # Initialize the repository if can't get info from target
+    # Initialize the repository if the target is empty
-    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+    if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
        # Don't initialize if already initialized
        if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-            if [ -n "$BORG_REMOTE_REPO" ]; then
+            echo "No borg config file was found in the targeted directory."
-                echo "Borg could not get info from the remote repo."
+            echo "This might happen if the targeted directory is located on an external drive and the drive not connected anymore. You should check this."
                echo "This might be a failure to connect to the remote server. See the above borg info output for details."
            else
                echo "Borg could not get info from the targeted directory."
                echo "This might happen if the targeted directory is located on an external drive and the drive not connected anymore. You should check this."
            fi
            echo "If you instead want to initialize a new backup repository, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
            echo "sudo docker exec nextcloud-aio-mastercontainer rm /mnt/docker-aio-config/data/borg.config"
            exit 1
@@ -144,39 +116,28 @@ if [ "$BORG_MODE" = backup ]; then
        echo "Initializing repository..."
        NEW_REPOSITORY=1
-        if ! borg "$BORG_LOG_LEVEL_FLAG" init --encryption=repokey-blake2; then
+        if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
            echo "Could not initialize borg repository."
            rm -f "$BORG_BACKUP_DIRECTORY/config"
            exit 1
        fi
        borg config "$BORG_BACKUP_DIRECTORY" additional_free_space 2G
-        if [ -z "$BORG_REMOTE_REPO" ]; then
+        # Fix too large Borg cache
-            # borg config only works for local repos; it's up to the remote to ensure the disk isn't full
+        # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
-            borg "$BORG_LOG_LEVEL_FLAG" config :: additional_free_space 2G
+        BORG_ID="$(borg config "$BORG_BACKUP_DIRECTORY" id)"
        rm -r "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
-            # Fix too large Borg cache
+        # Make a backup from the borg config file
-            # https://borgbackup.readthedocs.io/en/stable/faq.html#the-borg-cache-eats-way-too-much-disk-space-what-can-i-do
+        if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-            BORG_ID="$(borg config :: id)"
+            echo "The borg config file wasn't created. Something is wrong."
            rm -r "/root/.cache/borg/$BORG_ID/chunks.archive.d"
            touch "/root/.cache/borg/$BORG_ID/chunks.archive.d"
        fi
        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
            echo "Borg can't get info from the repo it created. Something is wrong."
            exit 1
        fi
        rm -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
-        if [ -n "$BORG_REMOTE_REPO" ]; then
+        if ! cp "$BORG_BACKUP_DIRECTORY/config" "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"; then
-            # `borg config` does not support remote repos so instead create a dummy file and rely on the remote to avoid
+            echo "Could not copy config file to second place. Cannot perform backup."
-            # corruption of the config file (which contains the encryption key). We don't actually use the contents of
+            exit 1
            # this file anywhere, so a touch is all we need so we remember we already initialized the repo.
            touch "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
        else
            # Make a backup from the borg config file
            if ! cp "$BORG_BACKUP_DIRECTORY/config" "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"; then
                echo "Could not copy config file to second place. Cannot perform backup."
                exit 1
            fi
        fi
        echo "Repository successfully initialized."
@@ -188,27 +149,13 @@ if [ "$BORG_MODE" = backup ]; then
    # Borg options
    # auto,zstd compression seems to has the best ratio based on:
    # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
-    BORG_OPTS=(-v --stats --compression "auto,zstd")
+    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
    if [ "$NEW_REPOSITORY" = 1 ]; then
        BORG_OPTS+=(--progress)
    fi
    # Exclude the nextcloud log and audit log for GDPR reasons
-    BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/lost+found")
+    BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
    BORG_INCLUDE=()
    # Exclude datadir if .noaiobackup file was found
    # shellcheck disable=SC2144
    if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup" ]; then
        BORG_EXCLUDE+=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/")
        BORG_INCLUDE+=(--pattern="+/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup")
        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in Nextcloud's data directory. Excluding the data directory from backup!"
    # Exclude preview folder if .noaiobackup file was found
    elif [ -f /nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup ]; then
        BORG_EXCLUDE+=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/")
        BORG_INCLUDE+=(--pattern="+/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup")
        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in the preview directory. Excluding the preview directory from backup!"
    fi
    # Make sure that there is always a borg.config file before creating a new backup
    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
@@ -220,9 +167,9 @@ if [ "$BORG_MODE" = backup ]; then
    # Create the backup
    echo "Starting the backup..."
    get_start_time
-    if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_EXCLUDE[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/"; then
        echo "Deleting the failed backup archive..."
-        borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-nextcloud-aio"
+        borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio"
        echo "Backup failed!"
        echo "You might want to check the backup integrity via the AIO interface."
        if [ "$NEW_REPOSITORY" = 1 ]; then
@@ -241,14 +188,14 @@ if [ "$BORG_MODE" = backup ]; then
    # Prune archives
    echo "Pruning the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
+    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
        echo "Failed to prune archives!"
        exit 1
    fi
    # Compact archives
    echo "Compacting the archives..."
-    if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+    if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
        echo "Failed to compact archives!"
        exit 1
    fi
@@ -265,19 +212,19 @@ if [ "$BORG_MODE" = backup ]; then
                fi
            done
            echo "Starting the backup for additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
+            if ! borg create "${BORG_OPTS[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-docker-volumes" "/docker_volumes/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-docker-volumes"
+                borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-docker-volumes"
                echo "Backup of additional docker-volumes failed!"
                exit 1
            fi
            echo "Pruning additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
                echo "Failed to prune additional docker-volumes archives!"
                exit 1
            fi
            echo "Compacting additional volumes..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
                echo "Failed to compact additional docker-volume archives!"
                exit 1
            fi
@@ -295,19 +242,19 @@ if [ "$BORG_MODE" = backup ]; then
                EXCLUDE_DIRS+=(--exclude "/host_mounts/$directory/")
            done
            echo "Starting the backup for additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
+            if ! borg create "${BORG_OPTS[@]}" "${EXCLUDE_DIRS[@]}" "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-host-mounts" "/host_mounts/"; then
                echo "Deleting the failed backup archive..."
-                borg "$BORG_LOG_LEVEL_FLAG" delete --stats "::$CURRENT_DATE-additional-host-mounts"
+                borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-additional-host-mounts"
                echo "Backup of additional host-mounts failed!"
                exit 1
            fi
            echo "Pruning additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
+            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
                echo "Failed to prune additional host-mount archives!"
                exit 1
            fi
            echo "Compacting additional host mounts..."
-            if ! borg "$BORG_LOG_LEVEL_FLAG" compact; then
+            if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
                echo "Failed to compact additional host-mount archives!"
                exit 1
            fi
@@ -329,38 +276,17 @@ fi
 if [ "$BORG_MODE" = restore ]; then
    get_start_time
-    # Pick archive to restore
+    # Perform the restore
    if [ -n "$SELECTED_RESTORE_TIME" ]; then
-        SELECTED_ARCHIVE="$(borg list | grep "nextcloud-aio" | grep "$SELECTED_RESTORE_TIME" | awk -F " " '{print $1}' | head -1)"
+        SELECTED_ARCHIVE="$(borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | grep "$SELECTED_RESTORE_TIME" | awk -F " " '{print $1}' | head -1)"
    else
-        SELECTED_ARCHIVE="$(borg list | grep "nextcloud-aio" | awk -F " " '{print $1}' | sort -r | head -1)"
+        SELECTED_ARCHIVE="$(borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | awk -F " " '{print $1}' | sort -r | head -1)"
    fi
    echo "Restoring '$SELECTED_ARCHIVE'..."
-
+    mkdir -p /tmp/borg
-    ADDITIONAL_RSYNC_EXCLUDES=()
+    if ! borg mount "$BORG_BACKUP_DIRECTORY::$SELECTED_ARCHIVE" /tmp/borg; then
-    ADDITIONAL_BORG_EXCLUDES=()
+        echo "Could not mount the backup!"
-    ADDITIONAL_FIND_EXCLUDES=()
+        exit 1
    # Exclude datadir if .noaiobackup file was found
    # shellcheck disable=SC2144
    if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup" ]; then
        # Keep these 3 in sync. Beware, the pattern syntax and the paths differ
        ADDITIONAL_RSYNC_EXCLUDES=(--exclude "nextcloud_aio_nextcloud_data/**")
        ADDITIONAL_BORG_EXCLUDES=(--exclude "sh:nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/**")
        ADDITIONAL_FIND_EXCLUDES=(-o -regex 'nextcloud_aio_volumes/nextcloud_aio_nextcloud_data\(/.*\)?')
        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in Nextcloud's data directory. Excluding the data directory from restore!"
        echo "You might run into problems due to this afterwards as potentially this makes the directory go out of sync with the database."
        echo "You might be able to fix this by running 'occ files:scan --all' and 'occ maintenance:repair' and 'occ files:scan-app-data' after the restore."
        echo "See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands"
    # Exclude previews from restore if selected to speed up process or exclude preview folder if .noaiobackup file was found
    elif [ -n "$RESTORE_EXCLUDE_PREVIEWS" ] || [ -f /nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup ]; then
        # Keep these 3 in sync. Beware, the pattern syntax and the paths differ
        ADDITIONAL_RSYNC_EXCLUDES=(--exclude "nextcloud_aio_nextcloud_data/appdata_*/preview/**")
        ADDITIONAL_BORG_EXCLUDES=(--exclude "sh:nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/**")
        ADDITIONAL_FIND_EXCLUDES=(-o -regex 'nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_[^/]*/preview\(/.*\)?')
        echo "⚠️⚠️⚠️ Excluding previews from restore!"
        echo "You might run into problems due to this afterwards as potentially this makes the directory go out of sync with the database."
        echo "You might be able to fix this by running 'occ files:scan-app-data preview' after the restore."
        echo "See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands"
    fi
    # Save Additional Backup dirs
@@ -373,12 +299,27 @@ if [ "$BORG_MODE" = restore ]; then
        DAILY_BACKUPTIME="$(cat /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_time)"
    fi
    # Restore everything except the configuration file
    if ! rsync --stats --archive --human-readable -vv --delete \
    --exclude "nextcloud_aio_apache/caddy/**" \
    --exclude "nextcloud_aio_mastercontainer/caddy/**" \
    --exclude "nextcloud_aio_nextcloud/data/nextcloud.log*" \
    --exclude "nextcloud_aio_nextcloud/data/audit.log" \
    --exclude "nextcloud_aio_mastercontainer/certs/**" \
    --exclude "nextcloud_aio_mastercontainer/data/configuration.json" \
    --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
    --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
    --exclude "nextcloud_aio_mastercontainer/session/**" \
    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
        RESTORE_FAILED=1
        echo "Something failed while restoring from backup."
    fi
    # Save current aio password
    AIO_PASSWORD="$(jq '.password' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
-    # Save current backup location vars
+    # Save current path
    BORG_LOCATION="$(jq '.borg_backup_host_location' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
    REMOTE_REPO="$(jq '.borg_remote_repo' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
    # Save current nextcloud datadir
    if grep -q '"nextcloud_datadir":' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json; then
@@ -387,116 +328,21 @@ if [ "$BORG_MODE" = restore ]; then
        NEXTCLOUD_DATADIR='""'
    fi
-    if [ -z "$BORG_REMOTE_REPO" ]; then
+    # Restore the configuration file
-        mkdir -p /tmp/borg
+    if ! rsync --archive --human-readable -vv \
-        if ! borg "$BORG_LOG_LEVEL_FLAG" mount "::$SELECTED_ARCHIVE" /tmp/borg; then
+    /tmp/borg/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json \
-            echo "Could not mount the backup!"
+    /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json; then
-            exit 1
+        RESTORE_FAILED=1
-        fi
+        echo "Something failed while restoring the configuration.json."
        # Restore everything except the configuration file
        #
        # These exclude patterns need to be kept in sync with the borg_excludes file and the find excludes in this file,
        # which use a different syntax (patterns appear in 3 places in total)
        if ! rsync --stats --archive --human-readable -vv --delete \
        --exclude "nextcloud_aio_apache/caddy/**" \
        --exclude "nextcloud_aio_mastercontainer/caddy/**" \
        --exclude "nextcloud_aio_nextcloud/data/nextcloud.log*" \
        --exclude "nextcloud_aio_nextcloud/data/audit.log" \
        --exclude "nextcloud_aio_mastercontainer/certs/**" \
        --exclude "nextcloud_aio_mastercontainer/data/configuration.json" \
        --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
        --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
        --exclude "nextcloud_aio_mastercontainer/session/**" \
        --exclude "nextcloud_aio_nextcloud_data/lost+found" \
        "${ADDITIONAL_RSYNC_EXCLUDES[@]}" \
        /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
            RESTORE_FAILED=1
            echo "Something failed while restoring from backup."
        fi
        # Restore the configuration file
        if ! rsync --archive --human-readable -vv \
                /tmp/borg/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json \
                /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json; then
            RESTORE_FAILED=1
            echo "Something failed while restoring the configuration.json."
        fi
        if ! umount /tmp/borg; then
            echo "Failed to unmount the borg archive but should still be able to restore successfully"
        fi
    else
        # Restore nearly everything
        #
        # borg mount is really slow for remote repos (did not check whether it's slow for local repos too),
        # using extract to /tmp would require temporarily storing a second copy of the data.
        # So instead extract directly on top of the destination with exclude patterns for the config, but
        # then we do still need to delete local files which are not present in the archive.
        #
        # Older backups may still contain files we've since excluded, so we have to exclude on extract as well.
        cd /  # borg extract has no destination arg and extracts to CWD
        if ! borg "$BORG_LOG_LEVEL_FLAG" extract "::$SELECTED_ARCHIVE" --progress --exclude-from /borg_excludes "${ADDITIONAL_BORG_EXCLUDES[@]}" --pattern '+nextcloud_aio_volumes/**'
        then
            RESTORE_FAILED=1
            echo "Failed to extract backup archive."
        else
            # Delete files/dirs present locally, but not in the backup archive, excluding conf files
            # https://unix.stackexchange.com/a/759341
            # This comm does not support -z, but I doubt any file names would have \n in them
            #
            # These find patterns need to be kept in sync with the borg_excludes file and the rsync excludes in this
            # file, which use a different syntax (patterns appear in 3 places in total)
            echo "Deleting local files which do not exist in the backup"
            if ! find nextcloud_aio_volumes \
                    -not \( \
                        -path nextcloud_aio_volumes/nextcloud_aio_apache/caddy \
                        -o -path "nextcloud_aio_volumes/nextcloud_aio_apache/caddy/*" \
                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/caddy \
                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/caddy/*" \
                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/certs \
                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/certs/*" \
                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/session \
                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/session/*" \
                        -o -path "nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" \
                        -o -path nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log \
                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_running \
                        -o -path nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/session_date_file \
                        -o -path "nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/id_borg*" \
                        -o -path "nextcloud_aio_nextcloud_data/lost+found" \
                        "${ADDITIONAL_FIND_EXCLUDES[@]}" \
                    \) \
                    | LC_ALL=C sort \
                    | LC_ALL=C comm -23 - \
                        <(borg "$BORG_LOG_LEVEL_FLAG" list "::$SELECTED_ARCHIVE" --short --exclude-from /borg_excludes  --pattern '+nextcloud_aio_volumes/**' | LC_ALL=C sort) \
                    > /tmp/local_files_not_in_backup
            then
                RESTORE_FAILED=1
                echo "Failed to delete local files not in backup archive."
            else
                # More robust than e.g. xargs as I got a ~"args line too long" error while testing that, but it's slower
                # https://stackoverflow.com/a/21848934
                while IFS= read -r file
                do rm -vrf -- "$file" || DELETE_FAILED=1
                done < /tmp/local_files_not_in_backup
                if [ "$DELETE_FAILED" = 1 ]; then
                    RESTORE_FAILED=1
                    echo "Failed to delete (some) local files not in backup archive."
                fi
            fi
        fi
    fi
    # Set backup-mode to restore since it was a restore
    CONTENTS="$(jq '."backup-mode" = "restore"' /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
    echo -E "${CONTENTS}" > /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json
-    # Reset the backup location vars to the currently used one
+    # Reset the backup path to the currently used one
    CONTENTS="$(jq ".borg_backup_host_location = $BORG_LOCATION" /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
    echo -E "${CONTENTS}" > /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json
    CONTENTS="$(jq ".borg_remote_repo = $REMOTE_REPO" /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
    echo -E "${CONTENTS}" > /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json
    # Reset the AIO password to the currently used one
    CONTENTS="$(jq ".password = $AIO_PASSWORD" /nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json)"
@@ -520,12 +366,10 @@ if [ "$BORG_MODE" = restore ]; then
        chmod 770 "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_time"
    fi
    umount /tmp/borg
    if [ "$RESTORE_FAILED" = 1 ]; then
        exit 1
    elif ! grep -q '"domain"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json" \
    || ! grep -q '"wasStartButtonClicked"' "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/configuration.json"; then
        echo "It seems like the restore of the configuration.json was not done correctly. Something is wrong! (Most likely is the restore archive already incorrect)!"
        exit 1
    fi
    # Inform user
@@ -540,12 +384,6 @@ if [ "$BORG_MODE" = restore ]; then
    touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/fingerprint.update"
    chmod 777 "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/fingerprint.update"
    # Add file to Netcloud container to trigger a preview scan the next time it starts
    if [ -n "$RESTORE_EXCLUDE_PREVIEWS" ]; then
        touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/trigger-preview.scan"
        chmod 777 "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/trigger-preview.scan"
    fi
    # Delete redis cache
    rm -f "/mnt/redis/dump.rdb"
 fi
@@ -556,9 +394,9 @@ if [ "$BORG_MODE" = check ]; then
    echo "Checking the backup integrity..."
    # Perform the check
-    if ! borg "$BORG_LOG_LEVEL_FLAG" check -v --verify-data; then
+    if ! borg check -v --verify-data "$BORG_BACKUP_DIRECTORY"; then
        echo "Some errors were found while checking the backup integrity!"
-        echo "Check the AIO interface for advice on how to proceed now!"
+        echo "Check the AIO interface for advices on how to proceed now!"
        exit 1
    fi
@@ -574,7 +412,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
    echo "Checking the backup integrity and repairing it..."
    # Perform the check-repair
-    if ! echo YES | borg "$BORG_LOG_LEVEL_FLAG" check -v --repair; then
+    if ! echo YES | borg check -v --repair "$BORG_BACKUP_DIRECTORY"; then
        echo "Some errors were found while checking and repairing the backup integrity!"
        exit 1
    fi
@@ -587,49 +425,24 @@ fi
 # Do the backup test
 if [ "$BORG_MODE" = test ]; then
-    if [ -n "$BORG_REMOTE_REPO" ]; then
+    if ! [ -d "$BORG_BACKUP_DIRECTORY" ]; then
-        if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
+        echo "No 'borg' directory in the given backup directory found!"
-            echo "Borg could not get info from the remote repo."
+        echo "Only the files/folders below have been found in the given directory."
-            echo "See the above borg info output for details."
+        ls -a "$MOUNT_DIR"
-            exit 1
+        echo "Please adjust the directory so that the borg archive is positioned in a folder named 'borg' inside the given directory!"
-        fi
+        exit 1
-    else
+    elif ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-        if ! [ -d "$BORG_BACKUP_DIRECTORY" ]; then
+        echo "A 'borg' directory was found but could not find the borg archive."
-            echo "No 'borg' directory in the given backup directory found!"
+        echo "Only the files/folders below have been found in the borg directory."
-            echo "Only the files/folders below have been found in the given directory."
+        ls -a "$BORG_BACKUP_DIRECTORY"
-            ls -a "$MOUNT_DIR"
+        echo "The archive and most importantly the config file must be positioned directly in the 'borg' subfolder."
-            echo "Please adjust the directory so that the borg archive is positioned in a folder named 'borg' inside the given directory!"
+        exit 1
-            exit 1
+    elif ! borg list "$BORG_BACKUP_DIRECTORY"; then
        elif ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
            echo "A 'borg' directory was found but could not find the borg archive."
            echo "Only the files/folders below have been found in the borg directory."
            ls -a "$BORG_BACKUP_DIRECTORY"
            echo "The archive and most importantly the config file must be positioned directly in the 'borg' subfolder."
            exit 1
        fi
    fi
    if ! borg "$BORG_LOG_LEVEL_FLAG" list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        if ! borg "$BORG_LOG_LEVEL_FLAG" list | grep "nextcloud-aio"; then
+        echo "Everything looks fine so feel free to continue!"
-            echo "The backup archive does not contain a valid Nextcloud AIO backup."
+        exit 0
            echo "Most likely was the archive not created via Nextcloud AIO."
            exit 1
        else
            echo "Everything looks fine so feel free to continue!"
            exit 0
        fi
    fi
 fi
 if [ "$BORG_MODE" = list ]; then
    echo "Updating backup list..."
    if ! borg "$BORG_LOG_LEVEL_FLAG" info > /dev/null; then
        echo "Could not update the backup list."
        exit 1
    fi
    # The update gets done automatically in the wrapper start.sh script.
 fi
--- a/Containers/borgbackup/borg_excludes
+++ b/Containers/borgbackup/borg_excludes
@@ -1,11 +0,0 @@
 # These patterns need to be kept in sync with rsync and find excludes in backupscript.sh,
 # which use a different syntax (patterns appear in 3 places in total)
 nextcloud_aio_volumes/nextcloud_aio_apache/caddy/
 nextcloud_aio_volumes/nextcloud_aio_mastercontainer/caddy/
 nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*
 nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log
 nextcloud_aio_volumes/nextcloud_aio_mastercontainer/certs/
 nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/daily_backup_running
 nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/session_date_file
 nextcloud_aio_volumes/nextcloud_aio_mastercontainer/session/
 nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/id_borg*
--- a/Containers/borgbackup/start.sh
+++ b/Containers/borgbackup/start.sh
@@ -1,19 +1,8 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
    BORG_LOG_LEVEL_FLAG="--warning"
 else
    BORG_LOG_LEVEL_FLAG="--$AIO_LOG_LEVEL"
 fi
 export BORG_LOG_LEVEL_FLAG
 # Variables
 export MOUNT_DIR="/mnt/borgbackup"
-export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"  # necessary even when remote to store the aio-lockfile
+export BORG_BACKUP_DIRECTORY="$MOUNT_DIR/borg"
 # Validate BORG_PASSWORD
 if [ -z "$BORG_PASSWORD" ] && [ -z "$BACKUP_RESTORE_PASSWORD" ]; then
@@ -29,22 +18,10 @@ else
 fi
 export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes
 export BORG_RELOCATED_REPO_ACCESS_IS_OK=yes
 if [ -n "$BORG_REMOTE_REPO" ]; then
    export BORG_REPO="$BORG_REMOTE_REPO"
    # Location to create the borg ssh pub/priv key
    export BORGBACKUP_KEY="/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/id_borg"
    # Accept any host key the first time connecting to the remote. Strictly speaking should be provided by user but you'd
    # have to be very unlucky to get MitM'ed on your first connection.
    export BORG_RSH="ssh -o StrictHostKeyChecking=accept-new -i $BORGBACKUP_KEY"
 else
    export BORG_REPO="$BORG_BACKUP_DIRECTORY"
 fi
 # Validate BORG_MODE
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != "test" ] && [ "$BORG_MODE" != "list" ]; then
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != test ]; then
-    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore', 'test' and 'list'."
+    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore' and 'test'."
    exit 1
 fi
@@ -59,8 +36,8 @@ fi
 rm -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/backup-is-running"
 # Get a list of all available borg archives
-if borg "$BORG_LOG_LEVEL_FLAG" list &>/dev/null; then
+if borg list "$BORG_BACKUP_DIRECTORY" &>/dev/null; then
-    borg list | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
+    borg list "$BORG_BACKUP_DIRECTORY" | grep "nextcloud-aio" | awk -F " " '{print $1","$3,$4}' > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 else
    echo "" > "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/backup_archives.list"
 fi
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@@ -1,52 +1,26 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.3/alpine/Dockerfile
 FROM clamav/clamav:1.4.1-5
 COPY clamav.conf /clamav.conf
 COPY --chmod=775 start.script /start.script
 RUN set -ex; \
    apk upgrade --no-cache -a; \
-    apk add --no-cache tzdata clamav clamav-milter supervisor bash; \
+    apk add --no-cache tzdata bash; \
-    mkdir -p /tmp /var/lib/clamav /run/clamav /var/log/supervisord /var/run/supervisord; \
+    mkdir -p /var/run/clamav /run/lock; \
-    chmod 777 -R /tmp /run/clamav /var/log/clamav /var/log/supervisord /var/run/supervisord; \
+    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
-    chown -R 100:100 /var/lib/clamav; \
+    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp; \
-    sed -i "s|#\?MaxDirectoryRecursion.*|MaxDirectoryRecursion 30|g" /etc/clamav/clamd.conf; \
+    sed -i "/^set -eu/r /start.script" /init-unprivileged; \
-    sed -i "s|#\?MaxScanSize.*|MaxScanSize 2000M|g" /etc/clamav/clamd.conf; \
+    rm /start.script; \
-    sed -i "s|#\?MaxFileSize.*|MaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
+    grep -q 'clamd --foreground &' /init-unprivileged; \
-    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
+    sed -i "s|clamd --foreground \&|clamd --foreground --config-file /tmp/clamd.conf \&|" /init-unprivileged; \
-# StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
+    cat /init-unprivileged
    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
 # By default clamd keeps the old signature database in RAM while loading the new one,
 # briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
 # Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
 # eliminating that transient peak and significantly reducing maximum RAM consumption.
    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
 # The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
 # The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
 # and avoids the idle per-thread memory overhead of the larger default pool.
    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
    sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
    sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
    sed -i "s|#\?MilterSocket inet:7357|MilterSocket inet:7357|g" /etc/clamav/clamav-milter.conf; \
    sed -i "s|#\?ClamdSocket unix:/run/clamav/clamd.sock|ClamdSocket unix:/tmp/clamd.sock|g" /etc/clamav/clamav-milter.conf; \
    sed -i "s|#\?OnInfected Quarantine|OnInfected Reject|g" /etc/clamav/clamav-milter.conf; \
    sed -i "s|#\?AddHeader Replace|AddHeader Add|g" /etc/clamav/clamav-milter.conf; \
    sed -i "s|#\?Foreground yes|Foreground yes|g" /etc/clamav/clamav-milter.conf
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=664 supervisord.conf /supervisord.conf
 USER 100
 RUN set -ex; \
    freshclam --foreground --stdout
 VOLUME /var/lib/clamav
-ENTRYPOINT ["/start.sh"]
+
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+USER clamav
-LABEL com.centurylinklabs.watchtower.enable="false" \
+
-    wud.watch="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
-    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
+
-    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
+ENTRYPOINT ["/init-unprivileged"]
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
--- a/Containers/clamav/clamav.conf
+++ b/Containers/clamav/clamav.conf
@@ -0,0 +1,5 @@
 # AIO settings
 MaxDirectoryRecursion 30
 MaxFileSize 10G
 PCREMaxFileSize 10G
 StreamMaxLength 10G
--- a/Containers/clamav/healthcheck.sh
+++ b/Containers/clamav/healthcheck.sh
@@ -1,13 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
 	echo "ERROR: Unable to contact server"
 	exit 1
 fi
 echo "Clamd is up"
 exit 0
--- a/Containers/clamav/start.script
+++ b/Containers/clamav/start.script
@@ -0,0 +1,4 @@
 # Adjust settings
 cat /etc/clamav/clamd.conf > /tmp/clamd.conf
 CLAMAV_FILE="$(sed "s|10G|$MAX_SIZE|" /clamav.conf)"
 echo "$CLAMAV_FILE" >> /tmp/clamd.conf
--- a/Containers/clamav/start.sh
+++ b/Containers/clamav/start.sh
@@ -1,12 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
 	set -x
 fi
 # Print out clamav version for compliance reasons
 clamscan --version
 echo "Clamav started"
 exec "$@"
--- a/Containers/clamav/supervisord.conf
+++ b/Containers/clamav/supervisord.conf
@@ -1,29 +0,0 @@
 [supervisord]
 nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                              
 loglevel=%(ENV_AIO_LOG_LEVEL)s
 [program:freshclam]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=freshclam --foreground --stdout --daemon --daemon-notify=/etc/clamav/clamd.conf
 [program:clamd]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=clamd --foreground --config-file=/etc/clamav/clamd.conf
 [program:milter]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=clamav-milter --config-file=/etc/clamav/clamav-milter.conf
--- a/Containers/collabora-online/Dockerfile
+++ b/Containers/collabora-online/Dockerfile
@@ -1,21 +0,0 @@
 # syntax=docker/dockerfile:latest
 # From https://gitlab.collabora.com/collabora-online/docker
 # hadolint ignore=DL3007
 FROM registry.gitlab.collabora.com/collabora-online/docker:latest
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
    wud.watch="false" \
    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/collabora-online/healthcheck.sh
+++ b/Containers/collabora-online/healthcheck.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 # Unfortunately, no curl and no nc is installed in the container 
 # and packages can also not be added as the package list is broken.
 # So always exiting 0 for now.
 # nc http://127.0.0.1:9980 || exit 1
 exit 0
--- a/Containers/collabora/Dockerfile
+++ b/Containers/collabora/Dockerfile
@@ -1,23 +1,21 @@
 # syntax=docker/dockerfile:latest
-# From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
+# From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:25.04.9.4.1
+FROM collabora/code:24.04.7.2.1
 USER root
 ARG DEBIAN_FRONTEND=noninteractive
-COPY --chmod=775 start.sh /start.sh
+# hadolint ignore=DL3008
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
+RUN set -ex; \
    \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        tzdata \
        netcat-openbsd \
    ; \
    rm -rf /var/lib/apt/lists/*;
-USER 1001
+USER 100
-HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
+HEALTHCHECK CMD nc -z 127.0.0.1 9980 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENTRYPOINT ["/start.sh"]
--- a/Containers/collabora/healthcheck.sh
+++ b/Containers/collabora/healthcheck.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 # Unfortunately, no curl and no nc is installed in the container 
 # and packages can also not be added as the package list is broken.
 # So always exiting 0 for now.
 # nc http://127.0.0.1:9980 || exit 1
 exit 0
--- a/Containers/collabora/start.sh
+++ b/Containers/collabora/start.sh
@@ -1,19 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
    COLLABORA_LOG_LEVEL="warning"
 elif [ "$AIO_LOG_LEVEL" = "info" ]; then
    COLLABORA_LOG_LEVEL="notice"
 else
    COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi
 # Replace the hardcoded log level in extra_params with the translated one
 extra_params+=" --o:logging.level=$COLLABORA_LOG_LEVEL --o:logging.level_startup=$COLLABORA_LOG_LEVEL"
 export extra_params
 exec /start-collabora-online.sh "$@"
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.10-alpine
+FROM haproxy:3.0.5-alpine
 # hadolint ignore=DL3002
 USER root
@@ -18,11 +18,4 @@ COPY --chmod=664 haproxy.cfg /haproxy.cfg
 ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -4,18 +4,16 @@ global
    maxconn 10
 defaults
-    timeout connect 30s
+    timeout connect 10s
-    timeout client 30s
+    timeout client 10s
-    timeout server 1800s
+    timeout server 10s
 frontend http
    mode http
    bind :::2375 v4v6
    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
    # docker system _ping
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
    # docker inspect image: GET images/%s/json
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/.*/json } METH_GET
    # container inspect: GET containers/%s/json
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
    # container inspect: GET containers/%s/logs
@@ -24,12 +22,7 @@ frontend http
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
    # container rm: DELETE containers/%s
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
-    # container update/exec: POST containers/%s/update containers/%s/exec
+
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((update)|(exec)) } METH_POST
    # container put: PUT containers/%s/archive
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/archive } METH_PUT
    # run exec instance: POST exec/%s
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec/[a-zA-Z0-9_.-]+/start } METH_POST
    # container create: POST containers/create?name=%s
    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
@@ -40,19 +33,19 @@ frontend http
    # ACL to deny if there are any binds
    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
    # ACL to restrict the type of Mounts to volume
-    acl type_not_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[[^\]]*(\"Type\"\s*:\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
-    # ACL to restrict container creation, that it has HostConfig.Privileged(by searching for "Privileged" word in all payload)
+    # ACL to restrict container creation, that it has HostConfig.Privileged not set
-    acl no_privileged_flag req.body -m reg -i "\"Privileged\""
+    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
-    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*{[^}]*\"Source\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
    # end of container create
    # volume create: POST volumes/create
    # restrict name
-    acl nc_app_volume_data req.body -m reg -i "\"Name\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
    acl volume_no_device req.body -m reg -i "\"device\""
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
--- a/Containers/docker-socket-proxy/healthcheck.sh
+++ b/Containers/docker-socket-proxy/healthcheck.sh
@@ -1,8 +1,4 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
 nc -z 127.0.0.1 2375 || exit 1
--- a/Containers/docker-socket-proxy/start.sh
+++ b/Containers/docker-socket-proxy/start.sh
@@ -1,9 +1,5 @@
 #!/bin/sh
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Only start container if nextcloud is accessible
 while ! nc -z "$NEXTCLOUD_HOST" 9001; do
    echo "Waiting for Nextcloud to start..."
@@ -22,8 +18,6 @@ else
    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
 fi
 echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+set +x
    set +x
 fi
 haproxy -f /tmp/haproxy.cfg -db
--- a/Containers/domaincheck/Dockerfile
+++ b/Containers/domaincheck/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.23.4
+FROM alpine:3.20.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
@@ -17,11 +17,4 @@ USER www-data
 ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/domaincheck/start.sh
+++ b/Containers/domaincheck/start.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ -z "$INSTANCE_ID" ]; then
    echo "You need to provide an instance id."
    exit 1
@@ -18,20 +14,6 @@ fi
 CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 # shellcheck disable=SC2235
 if ([ "$AIO_LOG_LEVEL" = 'debug' ] || [ "$AIO_LOG_LEVEL" = 'info' ]) && ! grep -q debug.log-request-handling /etc/lighttpd/lighttpd.conf; then
    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
 debug.log-request-handling = "enable"
 CONF_FILE
 fi
 if [ "$AIO_LOG_LEVEL" = 'debug' ] && ! grep -q debug.log-request-header /etc/lighttpd/lighttpd.conf; then
    cat << CONF_FILE >> /etc/lighttpd/lighttpd.conf
 debug.log-request-header = "enable"
 debug.log-response-header = "enable"
 CONF_FILE
 fi
 # Check config file
 lighttpd -tt -f /etc/lighttpd/lighttpd.conf
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -1,32 +1,23 @@
 # syntax=docker/dockerfile:latest
-# Probably from here https://github.com/elastic/dockerfiles/blob/9.3/elasticsearch/Dockerfile
+# Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:9.4.1
+FROM elasticsearch:8.15.1
 USER root
-# hadolint ignore=DL3041
+ARG DEBIAN_FRONTEND=noninteractive
 # hadolint ignore=DL3008
 RUN set -ex; \
    \
-    microdnf update -y; \
+    apt-get update; \
-    microdnf install -y --setopt=tsflags=nodocs \
+    apt-get upgrade -y; \
    apt-get install -y --no-install-recommends \
        tzdata \
    ; \
-    microdnf clean all;
+    rm -rf /var/lib/apt/lists/*; \
-
+    elasticsearch-plugin install --batch ingest-attachment
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 USER 1000:0
-HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
+HEALTHCHECK CMD nc -z 127.0.0.1 9200 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"
 ENTRYPOINT ["/start.sh"]
--- a/Containers/fulltextsearch/healthcheck.sh
+++ b/Containers/fulltextsearch/healthcheck.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1
--- a/Containers/fulltextsearch/start.sh
+++ b/Containers/fulltextsearch/start.sh
@@ -1,9 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 ELASTIC_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
 exec env "logger.level=$ELASTIC_LOG_LEVEL" /usr/local/bin/docker-entrypoint.sh "$@"
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@@ -1,10 +1,9 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.3-alpine3.23 AS go
+FROM golang:1.23.1-alpine3.20 AS go
-ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
+ENV IMAGINARY_HASH=6cd9edd1d3fb151eb773c14552886e4fc8e50138
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
        vips-dev \
        vips-magick \
@@ -14,7 +13,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
-FROM alpine:3.23.4
+FROM alpine:3.20.3
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -31,23 +30,14 @@ RUN set -ex; \
 COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
-ENV PORT=9000 \
+ENV PORT=9000
    AIO_LOG_LEVEL=warn
-USER 65534
+USER nobody
 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
 ENTRYPOINT ["/start.sh"]
-HEALTHCHECK CMD /healthcheck.sh
+HEALTHCHECK CMD nc -z 127.0.0.1 "$PORT" || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/imaginary/healthcheck.sh
+++ b/Containers/imaginary/healthcheck.sh
@@ -1,7 +0,0 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 nc -z 127.0.0.1 "$PORT" || exit 1
--- a/Containers/imaginary/start.sh
+++ b/Containers/imaginary/start.sh
@@ -1,26 +1,8 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 GOLANG_LOG="$(case "$AIO_LOG_LEVEL" in
    debug) printf 'info' ;;
    info) printf 'info' ;;
    warn) printf 'warning' ;;
    error) printf 'error' ;;
 esac)"
 export GOLANG_LOG
 if [ "$AIO_LOG_LEVEL" = "debug" ]; then
    export DEBUG='*'
 fi
 echo "Imaginary has started"
-
+if [ -z "$IMAGINARY_SECRET" ]; then
-IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
-
+else
-if [ -n "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
 fi
 exec imaginary "${IMAGINARY_ARGS[@]}" "$@"
--- a/Containers/mastercontainer/Caddyfile
+++ b/Containers/mastercontainer/Caddyfile
@@ -0,0 +1,37 @@
 {
    # auto_https will create redirects for https://{host}:8443 instead of https://{host}
    # https redirects are added manually in the http://:80 block
    auto_https disable_redirects
    storage file_system {
        root /mnt/docker-aio-config/caddy/
    }
    log {
        level ERROR
    }
    servers {
        protocols h1 h2 h2c
    }
    on_demand_tls {
        ask http://127.0.0.1:9876/
    }
 }
 http://:80 {
    redir https://{host}{uri} permanent
 }
 https://:8443 {
    reverse_proxy 127.0.0.1:8000
    tls {
        on_demand
        issuer acme {
            disable_tlsalpn_challenge
        }
    }
 }
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -1,34 +1,20 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.5.2-cli AS docker
+FROM docker:27.3.1-cli AS docker
 ARG CADDY_REMOTE_HOST_HASH=e80a9931765a8dbcbb47db415863387f0df0e1b3
 # Caddy is a requirement
-FROM caddy:2.11.3-builder-alpine AS caddy
+FROM caddy:2.8.4-alpine AS caddy
 RUN set -ex; \
    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
    /usr/bin/caddy list-modules
-# From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
+# From https://github.com/docker-library/php/blob/master/8.3/alpine3.20/fpm/Dockerfile
-FROM php:8.5.6-fpm-alpine3.23
+FROM php:8.3.11-fpm-alpine3.20
 EXPOSE 80
 EXPOSE 8080
 EXPOSE 8443
 # Overwrite home variable for subservices
 ENV HOME=/var/www
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 COPY community-containers /var/www/docker-aio/community-containers
 COPY php /var/www/docker-aio/php
 COPY --chmod=775 Containers/mastercontainer/*.sh /
 COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
 COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
 WORKDIR /var/www/docker-aio
 # hadolint ignore=SC2086,DL3047,DL3003,DL3004
@@ -41,8 +27,13 @@ RUN set -ex; \
    apk add --no-cache \
        util-linux-misc \
        ca-certificates \
        wget \
        bash \
        apache2 \
        apache2-proxy \
        apache2-ssl \
        supervisor \
        openssl \
        sudo \
        netcat-openbsd \
        curl \
@@ -51,18 +42,8 @@ RUN set -ex; \
    apk add --no-cache --virtual .build-deps \
        autoconf \
        build-base; \
-    pecl install APCu-5.1.28; \
+    pecl install APCu-5.1.24; \
    docker-php-ext-enable apcu; \
    { \
        echo 'apc.shm_size=32M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    { \
        echo 'opcache.enable=1'; \
        echo 'opcache.memory_consumption=32'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=4000'; \
        echo 'opcache.validate_timestamps=0'; \
    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
    rm -r /tmp/pear; \
    runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -76,19 +57,19 @@ RUN set -ex; \
    sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
+    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
+    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
    echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \
    \
    apk add --no-cache git; \
-    curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
+    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
    chmod +x /usr/local/bin/composer; \
    cd /var/www/docker-aio; \
-    rm -r ./php/tests; \
+    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
    chown www-data:www-data -R /var/www/docker-aio; \
    cd php; \
-    sudo -E -u www-data composer install --no-dev; \
+    sudo -u www-data composer install --no-dev; \
-    sudo -E -u www-data composer clear-cache; \
+    sudo -u www-data composer clear-cache; \
    cd ..; \
    rm -f /usr/local/bin/composer; \
    chmod -R 770 /var/www/docker-aio; \
@@ -96,18 +77,49 @@ RUN set -ex; \
    rm -r php/data; \
    rm -r php/session; \
    \
    mkdir -p /etc/apache2/certs; \
    cd /etc/apache2/certs; \
    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
    \
    sed -i \
            -e '/^Listen /d' \
            -e 's/^LogLevel .*/LogLevel error/' \
            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
            -e 's/User apache/User www-data/g' \
            -e 's/Group apache/Group www-data/g' \
            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
            -e 's/\(ScriptAlias \)/#\1/' \
        /etc/apache2/httpd.conf; \
        mkdir -p /etc/apache2/logs; \
        rm /etc/apache2/conf.d/ssl.conf; \
        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
    \
    rm -f /etc/apache2/conf.d/default.conf \
          /etc/apache2/conf.d/userdir.conf \
          /etc/apache2/conf.d/info.conf; \
    \
    rm -rf /var/www/localhost/cgi-bin/; \
    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord;
-# hadolint ignore=DL3048
+COPY --chmod=775 *.sh /
-LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
+COPY --chmod=664 Caddyfile /Caddyfile
-    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
+COPY --chmod=664 supervisord.conf /supervisord.conf
-    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
    wud.watch="false" \
    com.docker.compose.project="nextcloud-aio"
 # hadolint ignore=DL3002
 USER root
--- a/Containers/mastercontainer/README.md
+++ b/Containers/mastercontainer/README.md
@@ -1,69 +0,0 @@
 # Nextcloud All-in-One `mastercontainer`
 This folder contains the OCI/Docker container definition, along with associated resources and
 configuration files, for building the `mastercontainer` as part of the Nextcloud All-in-One
 project. This container hosts [the Nextcloud AIO interface](
 https://github.com/nextcloud/all-in-one/tree/main/php)[^app], and a dedicated PHP environment
 for it (which is completely independent of the Nextcloud Server).
 ## Overview
 The mastercontainer acts as the central orchestration service for the deployment and management
 of all other containers in the Nextcloud All-in-One stack. It hosts:
 - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
 - A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
 - A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
  - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
    is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
    domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will
    use an [ACME HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) challenge.
 - Miscellaneous support services specific to AIO (backup management, health checks, etc.)
 ## Key Responsibilities
 - Orchestrates the deployment and lifecycle of all Nextcloud service containers
 - Handles initial setup and container configuration
 - Coordinates image updates
 - Monitors general system health
 It triggers the initial installation and ensures the smooth operation of the Nextcloud
 All-in-One stack.
 ## Contents
 - **Dockerfile**: Instructions for building the mastercontainer image.
 - **Entrypoint script**: The `start.sh` script is used for container initialization and runtime
  configuration before starting supervisord.
 - [**Nextcloud All-in-One Controller App**](https://github.com/nextcloud/all-in-one/tree/main/php): The
  core AIO orchestrator that handles configuration and settings for the containers.
 - **Supervisor**: The `supervisord.conf` file defines the long-running services hosted within
  the container (php-fpm, cron, etc.)
 ## Usage
 This container should be used as the trigger image when deploying the Nextcloud All-in-One
 stack in a Docker or other OCI-compliant container environment. For detailed deployment
 instructions, refer to the [project documentation](
 https://github.com/nextcloud/all-in-one).
 ## Related Resources
 - [Main Repository](https://github.com/nextcloud/all-in-one)
 - [Documentation](https://github.com/nextcloud/all-in-one#readme)
 ## Contributing
 Contributions are welcome! Please follow the Nextcloud project's guidelines and submit pull
 requests or issues via the main repository.
 ## License
 This folder and its contents are licensed under the
 [GNU AGPLv3](https://www.gnu.org/licenses/agpl-3.0.html), in line with the rest of Nextcloud
 All-in-One.
 [^app]: The Nextcloud All-in-One interface allows users to install, configure, and
 manage their Nextcloud instance and related containers via a secure web interface and API.
 It automates and simplifies complex tasks such as container orchestration, backups, updates,
 and service management for users deploying Nextcloud in Docker environments.
--- a/Containers/mastercontainer/acme.Caddyfile
+++ b/Containers/mastercontainer/acme.Caddyfile
@@ -1,56 +0,0 @@
 {
 	admin off
 	# auto_https will create redirects for https://{host}:8443 instead of https://{host}
 	# https redirects are added manually in the http://:80 block
 	auto_https disable_redirects
 	storage file_system {
 		root /mnt/docker-aio-config/caddy/
 	}
 	log {
 		level ERROR
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host
 	}
 	servers {
 		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
 		protocols h1
 	}
 	on_demand_tls {
 		ask http://127.0.0.1:9876/
 	}
 	skip_install_trust
 }
 http://:80 {
 	redir https://{host}{uri} permanent
 }
 https://:8443 {
    import headers.Caddyfile
    header Strict-Transport-Security max-age=31536000;
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
 	}
 	abort @denied
 	root * /var/www/docker-aio/php/public
 	php_fastcgi unix//run/php.sock
 	file_server
 	tls {
 		on_demand
 		issuer acme {
            profile shortlived
 			disable_tlsalpn_challenge
 		}
 	}
 }
--- a/Containers/mastercontainer/backup-time-file-watcher.sh
+++ b/Containers/mastercontainer/backup-time-file-watcher.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 restart_process() {
    echo "Restarting cron.sh because daily backup time was set, changed or unset."
    pkill cron.sh
--- a/Containers/mastercontainer/cron.sh
+++ b/Containers/mastercontainer/cron.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 while true; do
    if [ -f "/mnt/docker-aio-config/data/daily_backup_time" ]; then
        set -x
@@ -21,9 +17,7 @@ while true; do
        else
            export SEND_SUCCESS_NOTIFICATIONS=0
        fi
-        if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+        set +x
            set +x
        fi
        if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
            export LOCK_FILE_PRESENT=1
        else
@@ -51,30 +45,29 @@ while true; do
    # Check for updates and send notification if yes on saturdays
    if [ "$(date +%u)" = 6 ]; then
-        sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateNotification.php
+        sudo -u www-data php /var/www/docker-aio/php/src/Cron/UpdateNotification.php
    fi
    # Check if AIO is outdated
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
    # Remove sessions older than 24h
    find "/mnt/docker-aio-config/session/" -mindepth 1 -mmin +1440 -delete
    # Remove nextcloud-aio-domaincheck container
-    if sudo -E -u www-data docker ps --format "{{.Names}}" --filter "status=exited" | grep -q "^nextcloud-aio-domaincheck$"; then
+    if sudo -u www-data docker ps --format "{{.Names}}" --filter "status=exited" | grep -q "^nextcloud-aio-domaincheck$"; then
-        sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
+        sudo -u www-data docker container remove nextcloud-aio-domaincheck
    fi
-    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
+    # Remove dangling images
-    sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
+    sudo -u www-data docker image prune --force
    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force
    # Check for available free space
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
    # Remove mastercontainer from default bridge network
-    if sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
+    if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
-        sudo -E -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
+        sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
    fi
    # Wait 60s so that the whole loop will not be executed again
--- a/Containers/mastercontainer/daily-backup.sh
+++ b/Containers/mastercontainer/daily-backup.sh
@@ -1,18 +1,7 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 echo "Daily backup script has started"
 # Check if initial configuration has been done, otherwise this script should do nothing.
 CONFIG_FILE=/mnt/docker-aio-config/data/configuration.json
 if ! [ -f "$CONFIG_FILE" ] || (! grep -q "wasStartButtonClicked.*1" "$CONFIG_FILE" && ! grep -q "wasStartButtonClicked.*true" "$CONFIG_FILE"); then
    echo "Initial configuration via AIO interface not done yet. Exiting..."
    exit 0
 fi
 # Daily backup and backup check cannot be run at the same time
 if [ "$DAILY_BACKUP" = 1 ] && [ "$CHECK_BACKUP" = 1 ]; then
    echo "Daily backup and backup check cannot be run at the same time. Exiting..."
@@ -24,19 +13,14 @@ fi
 if [ "$LOCK_FILE_PRESENT" = 0 ] || ! [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
    find "/mnt/docker-aio-config/session/" -mindepth 1 -delete
 fi
-sudo -E -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
+sudo -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-LOCAL_APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.Config.Env}}" | grep -o 'APACHE_PORT=[0-9]\+' | grep -o '[0-9]\+' | head -1)"
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.Config.Env}}" | grep -o 'APACHE_PORT=[0-9]\+' | grep -o '[0-9]\+' | head -1)"
-if [ -z "$LOCAL_APACHE_PORT" ]; then
+if [ -z "$APACHE_PORT" ]; then
    echo "APACHE_PORT is not set which is not expected..."
 else
-    # Connect mastercontainer to nextcloud-aio network to make sure that nextcloud-aio-apache is reachable
+    while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
    # Prevent issues like https://github.com/nextcloud/all-in-one/discussions/5222
    docker network connect nextcloud-aio nextcloud-aio-mastercontainer &>/dev/null
    # Wait for apache to start
    while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$LOCAL_APACHE_PORT"; do
        echo "Waiting for apache to become available"
        sleep 30
    done
@@ -54,7 +38,7 @@ done
 if [ "$AUTOMATIC_UPDATES" = 1 ]; then
    echo "Starting mastercontainer update..." 
    echo "(The script might get exited due to that. In order to update all the other containers correctly, you need to run this script with the same settings a second time.)"
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateMastercontainer.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/UpdateMastercontainer.php
 fi
 # Wait for watchtower to stop
@@ -68,23 +52,17 @@ if [ "$AUTOMATIC_UPDATES" = 1 ]; then
    done
 fi
 # Update container images to reduce downtime later on
 if [ "$AUTOMATIC_UPDATES" = 1 ]; then
    echo "Updating container images..."
    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/PullContainerImages.php
 fi
 # Stop containers if required
 # shellcheck disable=SC2235
 if [ "$CHECK_BACKUP" != 1 ] && ([ "$DAILY_BACKUP" != 1 ] || [ "$STOP_CONTAINERS" = 1 ]); then
    echo "Stopping containers..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/StopContainers.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/StopContainers.php
 fi
 # Execute the backup itself and some related tasks (also stops the containers)
 if [ "$DAILY_BACKUP" = 1 ]; then
    echo "Creating daily backup..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CreateBackup.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CreateBackup.php
    if ! docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-borgbackup$"; then
        echo "Something seems to be wrong: the borg container should be started at this step."
    fi
@@ -97,17 +75,17 @@ fi
 # Execute backup check
 if [ "$CHECK_BACKUP" = 1 ]; then
    echo "Starting backup check..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckBackup.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckBackup.php
 fi
 # Start and/or update containers
 if [ "$AUTOMATIC_UPDATES" = 1 ]; then
    echo "Starting and updating containers..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/StartAndUpdateContainers.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/StartAndUpdateContainers.php
 else
    if [ "$START_CONTAINERS" = 1 ]; then
        echo "Starting containers without updating them..."
-        sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/StartContainers.php
+        sudo -u www-data php /var/www/docker-aio/php/src/Cron/StartContainers.php
    fi
 fi
--- a/Containers/mastercontainer/headers.Caddyfile
+++ b/Containers/mastercontainer/headers.Caddyfile
@@ -1,31 +0,0 @@
 header {
    # CSP limits which features can be used. By default we allow nothing and only allow required options. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy
    # default-src 'none'; Allow nothing by default
    # script-src-elem/style-src-elem 'self'; Only allow loading css/js files from same origin (AIO itself) while blocking all inline css/js
    # img-src 'self'; Only allow loading images from same origin (from AIO itself)
    # connect-src 'self'; Allow fetch to only connect same origin (to AIO itself)
    # frame-src 'self'; Allow AIO to only embed itself "what can be embedded"
    # base-uri 'none'; This does not fallback to default-src, AIO does not use the html base tag
    # form-action 'self'; Html forms are only allowed to submit to AIO and not cross origin
    # frame-ancestors 'self'; Only allow AIO itself to embed it self "who can embed"
    # upgrade-insecure-requests; Upgrade all http embedings to https
    # require-trusted-types-for 'script'; trusted-types 'none'; Blocks DOM changes via js
    Content-Security-Policy "default-src 'none'; script-src-elem 'self'; style-src-elem 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; require-trusted-types-for 'script'; trusted-types 'none';"
    X-Content-Type-Options "nosniff" # This forces the browser to use the MIME type of the Content-Type header. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
    X-Frame-Options "SAMEORIGIN" # Only allow AIO itself to embed itself, this is also enforced as part of the CSP frame-ancestors. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    X-Permitted-Cross-Domain-Policies "none" # We block all cross origin request, including ones from Adobe Acrobat or Microsoft Silverlight and Adobe Flash Player. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
    X-DNS-Prefetch-Control "off" # Tells the browser to not pre-fetch the DNS of linked pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control
    Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
    X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
    Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
    -Server
    -X-Powered-By
    -Via
 }
--- a/Containers/mastercontainer/healthcheck.sh
+++ b/Containers/mastercontainer/healthcheck.sh
@@ -1,13 +1,10 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
    nc -z 127.0.0.1 80 || exit 1
    nc -z 127.0.0.1 8000 || exit 1
    nc -z 127.0.0.1 8080 || exit 1
    nc -z 127.0.0.1 8443 || exit 1
-    test -S /run/php.sock || exit 1
+    nc -z 127.0.0.1 9000 || exit 1
    nc -z 127.0.0.1 9876 || exit 1
 fi
--- a/Containers/mastercontainer/internal.Caddyfile
+++ b/Containers/mastercontainer/internal.Caddyfile
@@ -1,43 +0,0 @@
 {
 	admin off
 	# auto_https will be handled manually in acme.Caddyfile
 	auto_https disable_redirects
 	storage file_system {
 		root /mnt/docker-aio-config/caddy-internal/
 	}
 	log {
 		level ERROR
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host
 	}
 	servers {
 		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
 		protocols h1
 	}
 	skip_install_trust
 }
 https://:8080 {
    import headers.Caddyfile
 	@denied {
 		path /api/auth/login /api/auth/getlogin
 		remote_host nextcloud-aio-nextcloud
 	}
 	abort @denied
 	root * /var/www/docker-aio/php/public
 	php_fastcgi unix//run/php.sock
 	file_server
 	tls {
 		on_demand
 		issuer internal
 	}
 }
--- a/Containers/mastercontainer/mastercontainer.conf
+++ b/Containers/mastercontainer/mastercontainer.conf
@@ -0,0 +1,62 @@
 Listen 8000
 Listen 8080
 # Deny access to .ht files
 <Files ".ht*">
    Require all denied
 </Files>
 # Http host
 <VirtualHost *:8000>
    ServerName localhost
    # Add error log
    CustomLog /proc/self/fd/1 proxy
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
    LogLevel warn
    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
    # Master dir
    DocumentRoot /var/www/docker-aio/php/public/
    <Directory /var/www/docker-aio/php/public/>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [QSA,L]
        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
        Satisfy Any
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
    </Directory>
 </VirtualHost>
 # Https host
 <VirtualHost *:8080>
    # Proxy to https
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
    ProxyPreserveHost On
    # SSL
    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
    SSLCertificateFile /etc/apache2/certs/ssl.crt
    SSLEngine               on
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
 </VirtualHost>
 # Increase timeout in case e.g. the initial download takes a long time
 Timeout 7200
 ProxyTimeout 7200
 # See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
 TraceEnable Off
--- a/Containers/mastercontainer/session-deduplicator.sh
+++ b/Containers/mastercontainer/session-deduplicator.sh
@@ -16,10 +16,6 @@ compare_times() {
    fi
 }
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 while true; do
    compare_times
    sleep 2
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -20,10 +20,6 @@ case "${1}" in
 esac
 }
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Check if running as root user
 if [ "$EUID" != "0" ]; then
    print_red "Container does not run as root user. This is not supported."
@@ -37,25 +33,17 @@ if [ "$*" != "" ]; then
 fi
 # Check if socket is available and readable
-if ! [ -e "/var/run/docker.sock" ]; then
+if ! [ -a "/var/run/docker.sock" ]; then
    print_red "Docker socket is not available. Cannot continue."
    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
    echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
    echo "And https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
    exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
    print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
-elif mountpoint -q /var/www/docker-aio/php/containers.json; then
+elif ! sudo -u www-data test -r /var/run/docker.sock; then
    print_red "/var/www/docker-aio/php/containers.json is a mountpoint. Cannot proceed!"
    echo "This is a not-supported customization of the mastercontainer!"
    echo "Please remove this bind-mount from the mastercontainer."
    echo "If you need to customize things, feel free to use https://github.com/nextcloud/all-in-one/tree/main/manual-install"
    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
    exit 1
 elif ! sudo -E -u www-data test -r /var/run/docker.sock; then
    echo "Trying to fix docker.sock permissions internally..."
    DOCKER_GROUP=$(stat -c '%G' /var/run/docker.sock)
    DOCKER_GROUP_ID=$(stat -c '%g' /var/run/docker.sock)
@@ -73,68 +61,28 @@ elif ! sudo -E -u www-data test -r /var/run/docker.sock; then
        groupadd -g "$DOCKER_GROUP_ID" docker
        usermod -aG docker www-data
    fi
-    if ! sudo -E -u www-data test -r /var/run/docker.sock; then
+    if ! sudo -u www-data test -r /var/run/docker.sock; then
        print_red "Docker socket is not readable by the www-data user. Cannot continue."
        exit 1
    fi
 fi
-# Get default docker api version
+# Check if api version is supported
-API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
+if ! sudo -u www-data docker info &>/dev/null; then
-API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
+    print_red "Cannot connect to the docker socket. Cannot proceed."
-if [ -z "$API_VERSION" ]; then
+    echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
-    print_red "Could not get API_VERSION. Something is wrong!"
+    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
 fi
-
+API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
-# Check if DOCKER_API_VERSION is set globally
+API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
 if [ -n "$DOCKER_API_VERSION" ]; then
    if ! echo "$DOCKER_API_VERSION" | grep -q '^[0-9].[0-9]\+$'; then
        print_red "You've set DOCKER_API_VERSION but not to an allowed value.
 The string must be a version number like e.g. '1.44'.
 It is set to '$DOCKER_API_VERSION'."
        exit 1
    fi
    print_red "DOCKER_API_VERSION was found to be set to '$DOCKER_API_VERSION'."
    print_red "Please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
    print_red "So you run on your own risk and things might break without warning."
 else
    # Export docker api version to use it everywhere
    export DOCKER_API_VERSION="$API_VERSION"
 fi
 # Set a fallback docker api version. Needed for api version check. 
 # The check will not work otherwise on old docker versions
 FALLBACK_DOCKER_API_VERSION="1.41"
 # Check if docker info can be used
 if ! sudo -E -u www-data docker info &>/dev/null; then
    if ! sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker info &>/dev/null; then
        print_red "Cannot connect to the docker socket. Cannot proceed."
        echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
        echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
        echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
        echo "On macOS, see https://github.com/nextcloud/all-in-one#how-to-run-aio-on-macos"
        echo "Another possibility might be that Docker api v$API_VERSION is not supported by your docker daemon."
        echo "In that case, you should report this to https://github.com/nextcloud/all-in-one/issues"
        echo ""
        exit 1
    fi
 fi
 # Docker api version check
 # shellcheck disable=SC2001
-API_VERSION_NUMB="$(echo "$DOCKER_API_VERSION" | sed 's/\.//')"
+API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
-LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
+LOCAL_API_VERSION_NUMB="$(sudo -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 if [ -z "$LOCAL_API_VERSION_NUMB" ]; then
    LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 fi
 if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
    if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-        print_red "Docker API v$DOCKER_API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
+        print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
        echo "Alternatively, set the DOCKER_API_VERSION environmental variable to a compatible version."
        echo "However please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
        echo "See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version"
        exit 1
    fi
 else
@@ -143,7 +91,7 @@ else
 fi
 # Check Storage drivers
-STORAGE_DRIVER="$(sudo -E -u www-data docker info | grep "Storage Driver")"
+STORAGE_DRIVER="$(sudo -u www-data docker info | grep "Storage Driver")"
 # Check if vfs is used: https://github.com/nextcloud/all-in-one/discussions/1467
 if echo "$STORAGE_DRIVER" | grep -q vfs; then
    echo "$STORAGE_DRIVER"
@@ -154,26 +102,23 @@ elif echo "$STORAGE_DRIVER" | grep -q fuse-overlayfs; then
 fi
 # Check if snap install
-if sudo -E -u www-data docker info | grep "Docker Root Dir" | grep "/var/snap/docker/"; then
+if sudo -u www-data docker info | grep "Docker Root Dir" | grep "/var/snap/docker/"; then
    print_red "Warning: It looks like your installation uses docker installed via snap."
    print_red "This comes with some limitations and is disrecommended by the docker maintainers."
    print_red "See for example https://github.com/nextcloud/all-in-one/discussions/4890#discussioncomment-10386752"
 fi
 # Check if startup command was executed correctly
-if ! sudo -E -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
+if ! sudo -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
    print_red "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
    exit 1
-elif sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format "{{.Config.Image}}" | grep -q '@'; then
+elif ! sudo -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
    print_red "It seems like you used a hash for the mastercontainer image tag. This is not supported!"
    exit 1
 elif ! sudo -E -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
    exit 1
-elif ! sudo -E -u www-data docker inspect nextcloud-aio-mastercontainer --format '{{.Mounts}}' | grep -q " nextcloud_aio_mastercontainer "; then
+elif ! sudo -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
    exit 1
@@ -192,7 +137,7 @@ It is set to '$NEXTCLOUD_DATADIR'."
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
    if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
-        print_red "You've set NEXTCLOUD_MOUNT but not to an allowed value.
+        print_red "You've set NEXCLOUD_MOUNT but not to an allowed value.
 The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_MOUNT'."
        exit 1
@@ -248,14 +193,6 @@ It is set to '$APACHE_IP_BINDING'."
        exit 1
    fi
 fi
 if [ -n "$APACHE_ADDITIONAL_NETWORK" ]; then
    if ! echo "$APACHE_ADDITIONAL_NETWORK" | grep -q "^[a-zA-Z0-9._-]\+$"; then
        print_red "You've set APACHE_ADDITIONAL_NETWORK but not to an allowed value.
 It needs to be a string with letters, numbers, hyphens and underscores.
 It is set to '$APACHE_ADDITIONAL_NETWORK'."
        exit 1
    fi
 fi
 if [ -n "$TALK_PORT" ]; then
    if ! check_if_number "$TALK_PORT"; then
        print_red "You provided an Talk port but did not only use numbers.
@@ -313,54 +250,28 @@ It is set to '$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS'."
    fi
 fi
 if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
-    print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
+    read -ra AIO_CCONTAINERS <<< "$AIO_COMMUNITY_CONTAINERS"
-The community containers get managed via the AIO interface now."
+    for container in "${AIO_CCONTAINERS[@]}"; do
-fi
+        if ! [ -d "/var/www/docker-aio/community-containers/$container" ]; then
-if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
+            print_red "The community container $container was not found!"
-    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
+            FAIL_CCONTAINERS=1
-fi
+        fi
-
+    done
-# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
+    if [ -n "$FAIL_CCONTAINERS" ]; then
-if [ -d "/dev/dri" ]; then
+        print_red "You've set AIO_COMMUNITY_CONTAINERS but at least one container was not found.
-    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
+It is set to '$AIO_COMMUNITY_CONTAINERS'."
-    if [ -e "/dev/dri/renderD128" ]; then
+        exit 1
        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
        export NEXTCLOUD_DRI_GID
    else
        export NEXTCLOUD_DRI_GID=""
    fi
 else
    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
        # Force the unset of the env if it was not externally overwritten already
        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
    fi
    export NEXTCLOUD_DRI_GID=""
 fi
-# Log level logics
+# Check DNS resolution
-if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
+# Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
-    print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
+curl https://nextcloud.com &>/dev/null
-It is set to '$AIO_LOG_LEVEL'".
+if [ "$?" = 6 ]; then
-    exit 1
+    print_red "Could not resolve the host nextcloud.com."
-fi
+    echo "Most likely the DNS resolving does not work."
 if [ -z "$AIO_LOG_LEVEL" ]; then
    export AIO_LOG_LEVEL="warn"
 fi
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    export SUPERVISORD_STDOUT=/dev/stdout
 else
    export SUPERVISORD_STDOUT=NONE
 fi
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
 if ! curl --no-progress-meter https://ghcr.io/v2/ >/dev/null; then
    print_red "Could not reach https://ghcr.io."
    echo "Most likely is something blocking access to it."
    echo "You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
-    echo "Another solution is using https://github.com/nextcloud/all-in-one/tree/main/manual-install"
+    echo "Apart from that, there has been this: https://github.com/nextcloud/all-in-one/discussions/2065"
    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
    exit 1
 fi
@@ -371,13 +282,6 @@ if [ -n "$TZ" ]; then
    # Disable exit since it seems to be by default set on unraid and we dont want to break these instances
    # exit 1
 fi
 # Check that http proxy or no_proxy variable is not set which AIO does not support
 if [ -n "$HTTP_PROXY" ] || [ -n "$http_proxy" ] || [ -n "$HTTPS_PROXY" ] || [ -n "$https_proxy" ] || [ -n "$NO_PROXY" ] || [ -n "$no_proxy" ]; then
    print_red "The environmental variable HTTP_PROXY, http_proxy, HTTPS_PROXY, https_proxy, NO_PROXY or no_proxy has been set which is not supported by AIO."
    echo "If you need this, then you should use https://github.com/nextcloud/all-in-one/tree/main/manual-install"
    echo "See https://github.com/nextcloud/all-in-one/blob/main/manual-install/latest.yml"
    exit 1
 fi
 if mountpoint -q /etc/localtime; then
    print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
    echo "The correct timezone can be set in the AIO interface later on!"
@@ -404,7 +308,7 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/caddy-internal/
+mkdir -p /mnt/docker-aio-config/certs/ 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -412,7 +316,37 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown www-data:www-data -R /mnt/docker-aio-config/caddy-internal/
+chown root:root -R /mnt/docker-aio-config/certs/
 # Don't allow access to the AIO interface from the Nextcloud container
 # Probably more cosmetic than anything but at least an attempt
 if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
    cat << APACHE_CONF >> /etc/apache2/httpd.conf
 # nextcloud-aio-block-start
 <Location />
 order allow,deny
 deny from nextcloud-aio-nextcloud.nextcloud-aio
 allow from all
 </Location>
 # nextcloud-aio-block-end
 APACHE_CONF
 fi
 # Adjust certs
 GENERATED_CERTS="/mnt/docker-aio-config/certs"
 TMP_CERTS="/etc/apache2/certs"
 mkdir -p "$GENERATED_CERTS"
 cd "$GENERATED_CERTS" || exit 1
 if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
 fi
 if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
    cd "$TMP_CERTS" || exit 1
    rm ./ssl.crt
    rm ./ssl.key
    cp "$GENERATED_CERTS/ssl.crt" ./
    cp "$GENERATED_CERTS/ssl.key" ./
 fi
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -425,29 +359,14 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC
-# Remove unused certs
+# Fix apache startup
-rm -vrf /mnt/docker-aio-config/certs
+rm -f /var/run/apache2/httpd.pid
 # Remove the php socket as safeguard
 rm -vf /run/php.sock
 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
    rm -rf /mnt/docker-aio-config/caddy/locks/*
 fi
 # Fix the Caddyfile format
-caddy fmt --overwrite /acme.Caddyfile
+caddy fmt --overwrite /Caddyfile
 caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root
 # Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
 mkdir -p /tmp/twig-cache
 rm -rf /tmp/twig-cache/*
 chown www-data:www-data /tmp/twig-cache
 chmod 770 /tmp/twig-cache
 # Start supervisord
-exec /usr/bin/supervisord -c /supervisord.conf
+/usr/bin/supervisord -c /supervisord.conf
--- a/Containers/mastercontainer/supervisord.conf
+++ b/Containers/mastercontainer/supervisord.conf
@@ -5,31 +5,31 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root
 [program:php-fpm]
-# Stdout logging is disabled as otherwise the logs are spammed
+# stdout_logfile=/dev/stdout
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php-fpm
 user=root
-[program:caddy-internal]
+[program:apache]
-stdout_logfile=/dev/stdout
+# stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /internal.Caddyfile
+command=httpd -DFOREGROUND
-user=www-data
+user=root
-[program:caddy-acme]
+[program:caddy]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /acme.Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile
 user=www-data
 [program:cron]
@@ -54,11 +54,13 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
-user=www-data
+user=root
 [program:domain-validator]
 # Logging is disabled as otherwise all attempts will be logged which spams the logs
-stdout_logfile=%(ENV_SUPERVISORD_STDOUT)s
+# stdout_logfile=/dev/stdout
-stderr_logfile=%(ENV_SUPERVISORD_STDOUT)s
+# stdout_logfile_maxbytes=0
 # stderr_logfile=/dev/stderr
 # stderr_logfile_maxbytes=0
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -1,27 +1,23 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.31-fpm-alpine3.23
+FROM php:8.2.23-fpm-alpine3.20
 ENV PHP_MEMORY_LIMIT=512M
-ENV PHP_UPLOAD_LIMIT=16G
+ENV PHP_UPLOAD_LIMIT=10G
 ENV PHP_MAX_TIME=3600
 ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.3
+ENV NEXTCLOUD_VERSION=29.0.7
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
-COPY --chmod=775 Containers/nextcloud/*.sh /
+COPY --chmod=775 *.sh /
-COPY --chmod=774 Containers/nextcloud/upgrade.exclude /upgrade.exclude
+COPY --chmod=774 upgrade.exclude /upgrade.exclude
-COPY Containers/nextcloud/config/*.php /
+COPY config/*.php /
-COPY Containers/nextcloud/supervisord.conf /supervisord.conf
+COPY supervisord.conf /supervisord.conf
-
+COPY root.motd /root.motd
 # AIO cloning start # Do not remove or change this line!
 COPY app /usr/src/nextcloud/apps/nextcloud-aio
 COPY Containers/nextcloud/root.motd /root.motd
 # AIO cloning end # Do not remove or change this line!
 VOLUME /mnt/ncdata
 VOLUME /var/www/html
@@ -82,18 +78,19 @@ RUN set -ex; \
    ; \
    \
 # pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install -o igbinary-3.2.16; \
+    pecl install igbinary-3.2.16; \ 
-    pecl install APCu-5.1.28; \
+    pecl install APCu-5.1.24; \
-    pecl install -D 'enable-memcached-igbinary="yes"' memcached-3.4.0; \
+    pecl install memcached-3.2.0 \
-    pecl install -oD 'enable-redis-igbinary="yes" enable-redis-zstd="yes" enable-redis-lz4="yes"' redis-6.3.0; \
+        --configureoptions 'enable-memcached-igbinary="yes"'; \
-   pecl install -o imagick-3.8.1; \
+    pecl install redis-6.0.2 \
        --configureoptions 'enable-redis-igbinary="yes" enable-redis-zstd="yes" enable-redis-lz4="yes"'; \
    pecl install imagick-3.7.0; \
    \
    docker-php-ext-enable \
        igbinary \
        apcu \
        memcached \
        redis \
        imagick \
    ; \
    rm -r /tmp/pear; \
    \
@@ -112,44 +109,33 @@ RUN set -ex; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-igbinary.ini; \
    \
 # set recommended PHP.ini settings
-# see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
+# see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
    { \
        echo 'opcache.max_accelerated_files=20000'; \
        echo 'opcache.memory_consumption=256'; \
        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
-    { \
+    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
        echo 'apc.enable_cli=1'; \
        echo 'apc.shm_size=128M'; \
    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
    \
    { \
        echo 'memory_limit=${PHP_MEMORY_LIMIT}'; \
        echo 'upload_max_filesize=${PHP_UPLOAD_LIMIT}'; \
        echo 'post_max_size=${PHP_UPLOAD_LIMIT}'; \
        echo 'max_execution_time=${PHP_MAX_TIME}'; \
-        echo 'max_input_time=-1'; \
+        echo 'max_input_time=${PHP_MAX_TIME}'; \
-        echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
+        echo 'default_socket_timeout=600'; \
        echo 'output_buffering=0'; \
        echo 'realpath_cache_size=8M'; \
        echo 'realpath_cache_ttl=600'; \
    } > /usr/local/etc/php/conf.d/nextcloud.ini; \
    \
    { \
        echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:6379/${REDIS_DB_INDEX}?auth=${REDIS_HOST_PASSWORD}"'; \
        echo 'redis.session.locking_enabled = 1'; \
        echo 'redis.session.lock_retries = -1'; \
-        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
        echo 'redis.session.lock_wait_time = 100000'; \
        echo '; prevents stale locks from crashed workers (seconds)'; \
        echo 'redis.session.lock_expire = 60'; \
        echo 'session.gc_maxlifetime = 86400'; \
    } > /usr/local/etc/php/conf.d/redis-session.ini; \
    \
    mkdir -p /var/www/data; \
@@ -163,7 +149,7 @@ RUN set -ex; \
    ; \
    \
    curl -fsSL -o nextcloud.tar.bz2 \
-        "https://github.com/nextcloud-releases/server/releases/download/v${NEXTCLOUD_VERSION}/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
+        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2"; \
    curl -fsSL -o nextcloud.tar.bz2.asc \
        "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc"; \
    export GNUPGHOME="$(mktemp -d)"; \
@@ -223,8 +209,8 @@ RUN set -ex; \
    /var/log/supervisord \
    /var/run/supervisord \
    ; \
-    chmod 777 -R /var/log/supervisord; \
+    chown www-data:root -R /var/log/supervisord; \
-    chmod 777 -R /var/run/supervisord; \
+    chown www-data:root -R /var/run/supervisord; \
    \
    apk add --no-cache \
        bash \
@@ -250,45 +236,35 @@ RUN set -ex; \
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
 # With pm = ondemand, workers are killed after pm.process_idle_timeout seconds
 # of inactivity.  The upstream default is 10 s, which is aggressive: after a
 # brief quiet period (e.g. desktop-sync clients polling every few seconds), all
 # workers are reaped and the next request burst must wait for fresh forks.  On
 # a loaded host that spawn latency can push Apache past its FastCGI timeout and
 # produce a 502.  300 s (5 min) keeps a warm pool through normal sync-client
 # polling cycles while still reclaiming memory during genuinely idle periods.
    sed -i 's/^;*pm.process_idle_timeout\s*=.*/pm.process_idle_timeout = 300s/' /usr/local/etc/php-fpm.d/www.conf; \
 # Set request_terminate_timeout so that PHP-FPM forcibly kills workers that
 # exceed the wall-clock limit.  Without this (default = 0 = disabled) a worker
 # stuck on a slow DB query, a stalled Redis connection, or a hung syscall is
 # never reaped.  Over time these zombies fill up pm.max_children, leaving no
 # free slots for legitimate requests and causing Apache to return 502 Bad
 # Gateway upstream.
    sed -i "s|^;*request_terminate_timeout = .*|request_terminate_timeout = \${PHP_MAX_TIME}|" /usr/local/etc/php-fpm.d/www.conf; \
    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
    \
-    echo "[ -n \"\$TERM\" ] && [ -f /root.motd ] && cat /root.motd" >> /root/.bashrc; \
+# AIO cloning start # Do not remove or change this line!
    rm -rf /tmp/nextcloud-aio && \
    mkdir -p /tmp/nextcloud-aio && \
    cd /tmp/nextcloud-aio && \
    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
    mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/; \
    echo "[ -n \"\$TERM\" ] && cat /root.motd" >> /root/.bashrc; \
 # AIO cloning end # Do not remove or change this line!
    \
    chown www-data:root -R /usr/src && \
-    chmod 777 -R /usr/local/etc/php/conf.d && \
+    chown www-data:root -R /usr/local/etc/php/conf.d && \
-    chmod 777 -R /usr/local/etc/php-fpm.d && \
+    chown www-data:root -R /usr/local/etc/php-fpm.d && \
    chmod -R 777 /tmp; \
-    chmod -R 777 /etc/openldap; \
+    rm -rf /usr/src/nextcloud/apps/updatenotification; \
    \
    mkdir -p /nc-updater; \
-    chmod -R 777 /nc-updater
+    chown -R www-data:www-data /nc-updater; \
    chmod -R 770 /nc-updater; \
    \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd
 # hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
-HEALTHCHECK CMD /healthcheck.sh
+HEALTHCHECK --start-period=60s CMD sudo -E -u www-data bash /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false" \
+LABEL com.centurylinklabs.watchtower.enable="false"
    wud.watch="false" \
    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
    org.opencontainers.image.vendor="Nextcloud" \
    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
--- a/Containers/nextcloud/README.md
+++ b/Containers/nextcloud/README.md
@@ -1,35 +0,0 @@
 # Nextcloud All-in-One ``nextcloud`` Container
 This folder contains the OCI/Docker container definition, along with associated resources and configuration files, for building the `nextcloud` container as part of the [Nextcloud All-in-One](https://github.com/nextcloud/all-in-one) project. This container hosts PHP and the Nextcloud Server application.
 ## Overview
 The Nextcloud container provides the core Nextcloud application environment, including the necessary dependencies and configuration for seamless integration into the All-in-One stack. The container hosts:
 - The PHP SAPI/backend (php-fpm)
 - Nextcloud background jobs and scheduled tasks, which are handled via cron
 - Miscellaneous minor support services specific to AIO's Nextcloud deployment (health and exec)
 ## Contents
 - **Dockerfile**: Instructions for building the Nextcloud container image.
 - **Entrypoint script**: The `start.sh` script is used for container initialization and runtime configuration before starting supervisord.
 - **Nextcloud configuration files**: Specific to running in a containerized setting and/or within AIO.
 - **Supervisor**: The `supervisord.conf` file defines the long-running services hosted within the container (php-fpm, cron, etc.).
 ## Usage
 This container is intended to be used as part of the All-in-One deployment and is not meant to be used on its own. Among other requirements, it needs a web server container (which AIO provides in a dedicated Apache container). It is designed to be orchestrated by the [All-in-One mastercontainer](https://github.com/nextcloud/all-in-one/tree/main/Containers/mastercontainer) or used within an [AIO Manual Installation](https://github.com/nextcloud/all-in-one/tree/main/manual-install) or [AIO Helm chart](https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart).
 ## Documentation
 - [Nextcloud All-in-One Documentation](https://github.com/nextcloud/all-in-one#readme)
 - [Nextcloud Documentation](https://docs.nextcloud.com/)
 ## Contributing
 Contributions are welcome! Please follow the Nextcloud project's guidelines and submit pull requests or issues via the main repository.
 ## License
 This folder and its contents are licensed under the [GNU AGPLv3](https://www.gnu.org/licenses/agpl-3.0.html), in line with the rest of Nextcloud All-in-One.
--- a/Containers/nextcloud/config/apps.config.php
+++ b/Containers/nextcloud/config/apps.config.php
@@ -16,12 +16,3 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
 $appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
 if ($appStoreUrl) {
    if ($appStoreUrl === 'no') {
        $CONFIG['appstoreenabled '] = false;
    } else {
        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
    }
 }
--- a/Containers/nextcloud/config/certificates-bundle.config.php
+++ b/Containers/nextcloud/config/certificates-bundle.config.php
@@ -1,5 +0,0 @@
 <?php
 // Check if NEXTCLOUD_TRUSTED_CERTIFICATES_ are configured
 if (str_contains(implode(' ', array_keys(getenv())), 'NEXTCLOUD_TRUSTED_CERTIFICATES_')) {
  $CONFIG['default_certificates_bundle_path'] = '/var/www/html/data/certificates/ca-bundle.crt';
 }
--- a/Containers/nextcloud/config/postgres.config.php
+++ b/Containers/nextcloud/config/postgres.config.php
@@ -1,17 +0,0 @@
 <?php
 if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES')) {
  $CONFIG = array(
    'pgsql_ssl' => array(
      'mode' => 'verify-ca',
      'rootcert' => '/var/www/html/data/certificates/ca-bundle.crt',
    ),
  );
 }
 if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL')) {
  $CONFIG = array(
    'dbdriveroptions' => array(
      PDO::MYSQL_ATTR_SSL_CA => '/var/www/html/data/certificates/ca-bundle.crt',
    ),
  );
 }
--- a/Containers/nextcloud/config/redis.config.php
+++ b/Containers/nextcloud/config/redis.config.php
@@ -1,74 +1,21 @@
 <?php
-if (getenv('REDIS_MODE') !== 'rediscluster') {
+if (getenv('REDIS_HOST')) {
  $CONFIG = array(
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis' => array(
      'host' => getenv('REDIS_HOST'),
      'password' => (string) getenv('REDIS_HOST_PASSWORD'),
    ),
  );
-  if (getenv('REDIS_HOST')) {
+  if (getenv('REDIS_HOST_PORT')) {
-    $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
+    $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT');
-    $CONFIG['redis']['timeout'] = 3.0;
+  } elseif (getenv('REDIS_HOST')[0] != '/') {
-    $CONFIG['redis']['read_timeout'] = 10.0;
+    $CONFIG['redis']['port'] = 6379;
  }
  if (getenv('REDIS_HOST_PASSWORD')) {
    $CONFIG['redis']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
  }
  if (getenv('REDIS_PORT')) {
    $CONFIG['redis']['port'] = (int) getenv('REDIS_PORT');
  }
  if (getenv('REDIS_DB_INDEX')) {
    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
 } else {
  $CONFIG = array(
    'memcache.distributed' => '\OC\Memcache\Redis',
    'memcache.locking' => '\OC\Memcache\Redis',
    'redis.cluster' => array(
      'timeout' => 0.0,
      'read_timeout' => 0.0,
      'failover_mode' => \RedisCluster::FAILOVER_ERROR,
      'seeds' => array_values(array_filter(array(
        (getenv('REDIS_HOST') && getenv('REDIS_PORT')) ? (getenv('REDIS_HOST') . ':' . (string)getenv('REDIS_PORT')) : null,
        (getenv('REDIS_HOST_2') && getenv('REDIS_PORT_2')) ? (getenv('REDIS_HOST_2') . ':' . (string)getenv('REDIS_PORT_2')) : null,
        (getenv('REDIS_HOST_3') && getenv('REDIS_PORT_3')) ? (getenv('REDIS_HOST_3') . ':' . (string)getenv('REDIS_PORT_3')) : null,
        (getenv('REDIS_HOST_4') && getenv('REDIS_PORT_4')) ? (getenv('REDIS_HOST_4') . ':' . (string)getenv('REDIS_PORT_4')) : null,
        (getenv('REDIS_HOST_5') && getenv('REDIS_PORT_5')) ? (getenv('REDIS_HOST_5') . ':' . (string)getenv('REDIS_PORT_5')) : null,
        (getenv('REDIS_HOST_6') && getenv('REDIS_PORT_6')) ? (getenv('REDIS_HOST_6') . ':' . (string)getenv('REDIS_PORT_6')) : null,
        (getenv('REDIS_HOST_7') && getenv('REDIS_PORT_7')) ? (getenv('REDIS_HOST_7') . ':' . (string)getenv('REDIS_PORT_7')) : null,
        (getenv('REDIS_HOST_8') && getenv('REDIS_PORT_8')) ? (getenv('REDIS_HOST_8') . ':' . (string)getenv('REDIS_PORT_8')) : null,
        (getenv('REDIS_HOST_9') && getenv('REDIS_PORT_9')) ? (getenv('REDIS_HOST_9') . ':' . (string)getenv('REDIS_PORT_9')) : null,
      ))),
    ),
  );
  if (getenv('REDIS_HOST_PASSWORD')) {
    $CONFIG['redis.cluster']['password'] = (string) getenv('REDIS_HOST_PASSWORD');
  }
  if (getenv('REDIS_USER_AUTH')) {
    $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
  }
  if (getenv('REDIS_PREFIX')) {
    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
  }
  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
  }
 }
--- a/Containers/nextcloud/config/s3.config.php
+++ b/Containers/nextcloud/config/s3.config.php
@@ -4,44 +4,26 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
  $use_path = getenv('OBJECTSTORE_S3_USEPATH_STYLE');
  $use_legacyauth = getenv('OBJECTSTORE_S3_LEGACYAUTH');
  $autocreate = getenv('OBJECTSTORE_S3_AUTOCREATE');
  $multibucket = getenv('OBJECTSTORE_S3_MULTIBUCKET');
  $CONFIG = array(
    'objectstore' => array(
      'class' => '\OC\Files\ObjectStore\S3',
      'arguments' => array(
        'multibucket' => $multibucket === 'true',
        'num_buckets' => (int)getenv('OBJECTSTORE_S3_NUM_BUCKETS') ?: 64,
        'bucket' => getenv('OBJECTSTORE_S3_BUCKET'),
        'key' => getenv('OBJECTSTORE_S3_KEY') ?: '',
        'secret' => getenv('OBJECTSTORE_S3_SECRET') ?: '',
        'sse_c_key' => getenv('OBJECTSTORE_S3_SSE_C_KEY') ?: '',
        'region' => getenv('OBJECTSTORE_S3_REGION') ?: '',
        'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '',
        'port' => getenv('OBJECTSTORE_S3_PORT') ?: '',
        'storageClass' => getenv('OBJECTSTORE_S3_STORAGE_CLASS') ?: '',
        'objectPrefix' => getenv("OBJECTSTORE_S3_OBJECT_PREFIX") ? getenv("OBJECTSTORE_S3_OBJECT_PREFIX") : "urn:oid:",
-        'autocreate' => strtolower($autocreate) !== 'false',
+        'autocreate' => (strtolower($autocreate) === 'false' || $autocreate == false) ? false : true,
-        'use_ssl' => strtolower($use_ssl) !== 'false',
+        'use_ssl' => (strtolower($use_ssl) === 'false' || $use_ssl == false) ? false : true,
        // required for some non Amazon S3 implementations
-        'use_path_style' => strtolower($use_path) === 'true',
+        'use_path_style' => $use_path == true && strtolower($use_path) !== 'false',
        // required for older protocol versions
-        'legacy_auth' => strtolower($use_legacyauth) === 'true',
+        'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false'
        'use_nextcloud_bundle' => 1,
      )
    )
  );
-
+} 
  $sse_c_key = getenv('OBJECTSTORE_S3_SSE_C_KEY');
  if ($sse_c_key) {
    $CONFIG['objectstore']['arguments']['sse_c_key'] = $sse_c_key;
  }
  $requestChecksumValidation = getenv('OBJECTSTORE_S3_REQUEST_CHECKSUM_VALIDATION');
  if ($requestChecksumValidation) {
    $CONFIG['objectstore']['arguments']['request_checksum_calculation'] = $requestChecksumValidation;
  }
  $responseChecksumValidation = getenv('OBJECTSTORE_S3_RESPONSE_CHECKSUM_VALIDATION');
  if ($responseChecksumValidation) {
    $CONFIG['objectstore']['arguments']['response_checksum_validation'] = $responseChecksumValidation;
  }
 }
--- a/Containers/nextcloud/config/server.config.php
+++ b/Containers/nextcloud/config/server.config.php
@@ -1,4 +0,0 @@
 <?php
 $CONFIG = array (
  'serverid' => hexdec(hash('xxh32', gethostname())) & 0x1FF,
 );
--- a/Containers/nextcloud/config/smtp.config.php
+++ b/Containers/nextcloud/config/smtp.config.php
@@ -18,14 +18,3 @@ if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN'))
      $CONFIG['mail_smtppassword'] = '';
  }
 }
 if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MAILER')) {
  $CONFIG = array(
    'mail_smtpstreamoptions' => array(
      'ssl' => array(
        'verify_peer_name' => false,
        'cafile' => '/var/www/html/data/certificates/ca-bundle.crt',
      )
    )
  );
 }
--- a/Containers/nextcloud/cron.sh
+++ b/Containers/nextcloud/cron.sh
@@ -1,9 +1,4 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 wait_for_cron() {
    set -x
    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@@ -10,10 +10,6 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 run_upgrade_if_needed_due_to_app_update() {
    if php /var/www/html/occ status | grep maintenance | grep -q true; then
        php /var/www/html/occ maintenance:mode --off
@@ -24,116 +20,35 @@ run_upgrade_if_needed_due_to_app_update() {
    fi
 }
-NEXTCLOUD_LOG_LEVEL="$(case "$AIO_LOG_LEVEL" in
+# Only start container if redis is accessible
    debug) printf '0' ;;
    info) printf '1' ;;
    warn) printf '2' ;;
    error) printf '3' ;;
 esac)"
 export NEXTCLOUD_LOG_LEVEL
 # Create cert bundle
 if env | grep -q NEXTCLOUD_TRUSTED_CERTIFICATES_; then
    # Enable debug mode
    set -x
    # Default vars
    CERTIFICATES_ROOT_DIR="/var/www/html/data/certificates"
    CERTIFICATE_BUNDLE="/var/www/html/data/certificates/ca-bundle.crt"
    # Remove old root certs and recreate them with current ones
    rm -rf "$CERTIFICATES_ROOT_DIR"
    mkdir -p "$CERTIFICATES_ROOT_DIR"
    # Retrieve default root cert bundle
    if ! [ -f "$SOURCE_LOCATION/resources/config/ca-bundle.crt" ]; then
        echo "Root ca-bundle not found. Only concattening configured NEXTCLOUD_TRUSTED_CERTIFICATES files!"
        # Recreate cert file
        touch "$CERTIFICATE_BUNDLE"
    else
        # Write default bundle to the target ca file
        cat "$SOURCE_LOCATION/resources/config/ca-bundle.crt" > "$CERTIFICATE_BUNDLE"
    fi
    # Iterate through certs
    TRUSTED_CERTIFICATES="$(env | grep NEXTCLOUD_TRUSTED_CERTIFICATES_ | grep -oP '^[A-Z_a-z0-9]+')"
    mapfile -t TRUSTED_CERTIFICATES <<< "$TRUSTED_CERTIFICATES"
    for certificate in "${TRUSTED_CERTIFICATES[@]}"; do
        # Create new line
        echo "" >> "$CERTIFICATE_BUNDLE"
        # Check if variable is an actual cert
        if echo "${!certificate}" | grep -q "BEGIN CERTIFICATE" && echo "${!certificate}" | grep -q "END CERTIFICATE"; then
            # Write out cert to bundle
            echo "${!certificate}" >> "$CERTIFICATE_BUNDLE"
        fi
        # Create file in cert dir for extra logic in other places
        if ! [ -f "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME" ]; then
            touch "$CERTIFICATES_ROOT_DIR/$CERTIFICATE_NAME"
        fi
    done
    # Backwards compatibility with older instances
    if [ -f "/var/www/html/config/postgres.config.php" ]; then
        sed -i "s|/var/www/html/data/certificates/POSTGRES|/var/www/html/data/certificates/ca-bundle.crt|" /var/www/html/config/postgres.config.php
        sed -i "s|/var/www/html/data/certificates/MYSQL|/var/www/html/data/certificates/ca-bundle.crt|" /var/www/html/config/postgres.config.php
    fi
    # Print out bundle one last time
    cat "$CERTIFICATE_BUNDLE"
    # Disable debug mode
    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
        set +x
    fi
 fi
 # Adjust DATABASE_TYPE to by Nextcloud supported value
 if [ "$DATABASE_TYPE" = postgres ]; then
    export DATABASE_TYPE=pgsql
 fi
 # Only start container if Redis is accessible
 # shellcheck disable=SC2153
-while ! nc -z "$REDIS_HOST" "$REDIS_PORT"; do
+while ! nc -z "$REDIS_HOST" "6379"; do
-    echo "Waiting for Redis to start..."
+    echo "Waiting for redis to start..."
    sleep 5
 done
 # Check permissions in ncdata
-test_file="$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
+touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
-touch "$test_file"
+if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
-if ! [ -f "$test_file" ]; then
+    echo "The www-data user doesn't seem to have access rights in the datadir.
-    echo "The www-data user does not appear to have access rights to the data directory."
+Most likely are the files located on a drive that does not follow linux permissions.
-    echo "It is possible that the files are on a filesystem that does not support standard Linux permissions,"
+Please adjust the permissions like mentioned below.
-    echo "or the permissions simply need to be adjusted. Please change the permissions as described below."
+The found permissions are:
-    echo "Current permissions are:"
+$(stat -c "%u:%g %a" "$NEXTCLOUD_DATA_DIR")
-    stat -c "%u:%g %a" "$NEXTCLOUD_DATA_DIR"
+(userID:groupID permissions)
-    echo "(userID:groupID permissions)"
+but they should be:
-    echo "They should be:"
+33:0 750
-    echo "33:0 750"
+(userID:groupID permissions)
-    echo "(userID:groupID permissions)"
+Also make sure that the parent directories on the host of the directory that you've chosen as datadir are publicly readable with e.g. 'sudo chmod +r /mnt' (adjust the command accordingly to your case) and the same for all subdirectories.
-    echo "Also, ensure that all parent directories on the host of your chosen data directory are publicly readable."
+Additionally, if you want to use a Fuse-mount as datadir, set 'allow_other' as additional mount option.
-    echo "For example: sudo chmod +r /mnt  (adjust this command as needed)."
+For SMB/CIFS mounts as datadir, see https://github.com/nextcloud/all-in-one#can-i-use-a-cifssmb-share-as-nextclouds-datadir"
    echo "If you want to use a FUSE mount as the data directory, add 'allow_other' as an additional mount option."
    echo "For SMB/CIFS mounts as the data directory, see:"
    echo "  https://github.com/nextcloud/all-in-one#can-i-use-a-cifssmb-share-as-nextclouds-datadir"
    exit 1
 fi
-rm -f "$test_file"
+rm "$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
 if [ -f /var/www/html/version.php ]; then
    # shellcheck disable=SC2016
    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
    if [ -z "$installed_version" ]; then
        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
        echo "Please check the container logs and your PHP installation."
        exit 1
    fi
 else
    installed_version="0.0.0.0"
 fi
@@ -151,31 +66,26 @@ fi
 # Don't start the container if Nextcloud is not compatible with the PHP version
 if [ -f "/var/www/html/lib/versioncheck.php" ] && ! php /var/www/html/lib/versioncheck.php; then
-    echo "Your installed Nextcloud version is not compatible with the PHP version provided by this image."
+    echo "It seems like your installed Nextcloud is not compatible with the by the container provided PHP version."
-    echo "This typically occurs when you restore an older Nextcloud backup that does not support the"
+    echo "This most likely happened because you tried to restore an old Nextcloud version from backup that is not compatible with the PHP version that comes with the container."
-    echo "PHP version included in this image."
+    echo "Please try to restore a more recent backup which contains a Nextcloud version that is compatible with the PHP version that comes with the container."
-    echo "Please restore a more recent backup that includes a compatible Nextcloud version."
+    echo "If you do not have a more recent backup, feel free to have a look at this documentation: https://github.com/nextcloud/all-in-one/blob/main/manual-upgrade.md"
    echo "If you do not have a more recent backup, refer to the manual upgrade documentation:"
    echo "  https://github.com/nextcloud/all-in-one/blob/main/manual-upgrade.md"
    exit 1
 fi
 # Do not start the container if the last update failed
 if [ -f "$NEXTCLOUD_DATA_DIR/update.failed" ]; then
    echo "The last Nextcloud update failed."
-    echo "Please restore from a backup and try again."
+    echo "Please restore from backup and try again!"
-    echo "If you do not have a backup, you can delete the update.failed file in the data directory"
+    echo "If you do not have a backup in place, you can simply delete the update.failed file in the datadir which will allow the container to start again."
    echo "to allow the container to start again."
    exit 1
 fi
 # Do not start the container if the install failed
 if [ -f "$NEXTCLOUD_DATA_DIR/install.failed" ]; then
    echo "The initial Nextcloud installation failed."
-    echo "For more information about what went wrong, check the logs above."
+    echo "Please reset AIO properly and try again. For further clues what went wrong, check the logs above."
-    echo "Please reset AIO properly and try again."
+    echo "See https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance"
    echo "See:"
    echo "  https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance"
    exit 1
 fi
@@ -190,6 +100,20 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            # Write output to logfile.
            exec > >(tee -i "/var/www/html/data/update.log")
            exec 2>&1
            # Run built-in upgrader if version is below 28.0.2 to upgrade to 28.0.x first
            touch "$NEXTCLOUD_DATA_DIR/update.failed"
            if ! version_greater "$installed_version" "28.0.1.20"; then
                php /var/www/html/updater/updater.phar --no-interaction --no-backup
                if ! php /var/www/html/occ upgrade || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                    echo "Upgrade failed. Please restore from backup."
                    bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
                    exit 1
                fi
                rm "$NEXTCLOUD_DATA_DIR/update.failed"
                # shellcheck disable=SC2016
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                INSTALLED_MAJOR="${installed_version%%.*}"
            fi
        fi
        if [ "$installed_version" != "0.0.0.0" ] && [ "$((IMAGE_MAJOR - INSTALLED_MAJOR))" -gt 1 ]; then
@@ -201,11 +125,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            curl -fsSL -o nextcloud.tar.bz2.asc "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2.asc"
            GNUPGHOME="$(mktemp -d)"
            export GNUPGHOME
-            if ! gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+            # gpg key from https://nextcloud.com/nextcloud.asc
-                if ! gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 28806A878AE423A28372792ED75899B9A724937A; then
+            gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 28806A878AE423A28372792ED75899B9A724937A
                    curl -sSL https://nextcloud.com/nextcloud.asc | gpg --import
                fi
            fi
            gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2
            mkdir -p /usr/src/tmp
            tar -xjf nextcloud.tar.bz2 -C /usr/src/tmp/
@@ -222,56 +143,45 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            rm -r /usr/src/tmp
            rm -r /usr/src/temp-nextcloud
            # shellcheck disable=SC2016
-            image_version="$(php -r "require '$SOURCE_LOCATION/version.php'; echo implode('.', \$OC_Version);")"
+            image_version="$(php -r "require $SOURCE_LOCATION/version.php; echo implode('.', \$OC_Version);")"
            IMAGE_MAJOR="${image_version%%.*}"
            set +ex
 # Do not skip major versions end # Do not remove or change this line!
        fi
        if [ "$installed_version" != "0.0.0.0" ]; then
 # Check connection to appstore start # Do not remove or change this line!
            while true; do
-                echo -e "Checking connection to the app store..."
+                echo -e "Checking connection to appstore"
-                APPSTORE_URL="https://apps.nextcloud.com/api/v1"
+                CURL_STATUS="$(curl -LI "https://apps.nextcloud.com/" -o /dev/null -w '%{http_code}\n' -s)"
                if grep -q appstoreurl /var/www/html/config/config.php; then
                    set -x
                    APPSTORE_URL="$(grep appstoreurl /var/www/html/config/config.php | grep -oP 'https://.*v[0-9]+')"
                    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
                        set +x
                    fi
                fi
                # Default appstoreurl parameter in config.php defaults to 'https://apps.nextcloud.com/api/v1' so we check for the apps.json file stored in there
                CURL_STATUS="$(curl -LI "$APPSTORE_URL"/apps.json -o /dev/null -w '%{http_code}\n' -s)"
                if [[ "$CURL_STATUS" = "200" ]]
                then
-                    echo "App store is reachable."
+                    echo "Appstore is reachable"
                    break
                else
-                    echo "Curl did not return a 200 status. Is the app store reachable?"
+                    echo "Curl didn't produce a 200 status, is appstore reachable?"
                    sleep 5
                fi
            done
 # Check connection to appstore end # Do not remove or change this line!
            run_upgrade_if_needed_due_to_app_update
            php /var/www/html/occ maintenance:mode --off
-            echo "Getting and backing up the status of apps for later; this might take a while..."
+            echo "Getting and backing up the status of apps for later, this might take a while..."
            NC_APPS="$(find /var/www/html/custom_apps/ -type d -maxdepth 1 -mindepth 1 | sed 's|/var/www/html/custom_apps/||g')"
            if [ -z "$NC_APPS" ]; then
-                echo "No apps detected. Aborting export of app status..."
+                echo "No apps detected, aborting export of app status..."
                APPSTORAGE="no-export-done"
            else
                mapfile -t NC_APPS_ARRAY <<< "$NC_APPS"
                declare -Ag APPSTORAGE
-                echo "Disabling apps before the update to make the update procedure safer. This can take a while..."
+                echo "Disabling apps before the update in order to make the update procedure more safe. This can take a while..."
                for app in "${NC_APPS_ARRAY[@]}"; do
                    if APPSTORAGE[$app]="$(php /var/www/html/occ config:app:get "$app" enabled)"; then
                        php /var/www/html/occ app:disable "$app"
                    else
                        APPSTORAGE[$app]=""
-                        echo "Not disabling $app because the occ command to get its enabled state failed."
+                        echo "Not disabling $app because the occ command to get the enabled state was failing."
                    fi
                done
            fi
@@ -283,65 +193,29 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            php /var/www/html/occ app:update --all
            run_upgrade_if_needed_due_to_app_update
        fi
-        echo "Initializing Nextcloud $image_version ..."
+            # Fix removing the updatenotification for old instances
-
+            UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
-        # Copy over initial data from Nextcloud archive
+            if [ -d "/var/www/html/apps/updatenotification" ]; then
-        rsync -rlD --delete \
+                php /var/www/html/occ app:disable updatenotification
-            --exclude-from=/upgrade.exclude \
+            elif [ "$UPDATENOTIFICATION_STATUS" != "no" ] && [ -n "$UPDATENOTIFICATION_STATUS" ]; then
-            "$SOURCE_LOCATION/" \
+                php /var/www/html/occ config:app:set updatenotification enabled --value="no"
            /var/www/html/
        # Copy custom_apps from Nextcloud archive
        if ! directory_empty "$SOURCE_LOCATION/custom_apps"; then
            set -x
            for app in "$SOURCE_LOCATION/custom_apps"/*; do
                app_id="$(basename "$app")"
                mkdir -p "/var/www/html/custom_apps/$app_id"
                rsync -rlD --delete \
                    --include "/$app_id/" \
                    --exclude '/*' \
                    "$SOURCE_LOCATION/custom_apps/" \
                    /var/www/html/custom_apps/
            done
            if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
                set +x
            fi
        fi
-        # Copy these from Nextcloud archive if they don't exist yet (i.e. new install)
+        echo "Initializing nextcloud $image_version ..."
        rsync -rlD --delete --exclude-from=/upgrade.exclude "$SOURCE_LOCATION/" /var/www/html/
        for dir in config data custom_apps themes; do
            if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync -rlD \
+                rsync -rlD --include "/$dir/" --exclude '/*' "$SOURCE_LOCATION/" /var/www/html/
                    --include "/$dir/" \
                    --exclude '/*' \
                    "$SOURCE_LOCATION/" \
                    /var/www/html/
            fi
        done
-
+        rsync -rlD --delete --include '/config/' --exclude '/*' --exclude '/config/CAN_INSTALL' --exclude '/config/config.sample.php' --exclude '/config/config.php' "$SOURCE_LOCATION/" /var/www/html/
-        rsync -rlD --delete \
+        rsync -rlD --include '/version.php' --exclude '/*' "$SOURCE_LOCATION/" /var/www/html/
            --include '/config/' \
            --exclude '/*' \
            --exclude '/config/CAN_INSTALL' \
            --exclude '/config/config.sample.php' \
            --exclude '/config/config.php' \
            "$SOURCE_LOCATION/" \
            /var/www/html/
        rsync -rlD \
            --include '/version.php' \
            --exclude '/*' \
            "$SOURCE_LOCATION/" \
            /var/www/html/
        echo "Initializing finished"
-        ################
+        #install
        # Fresh Install
        ################
        if [ "$installed_version" = "0.0.0.0" ]; then
            echo "New Nextcloud instance."
@@ -355,31 +229,21 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                INSTALL_OPTIONS+=(--data-dir "$NEXTCLOUD_DATA_DIR")
            fi
-        # Skip the default permission check (we do our own)
+            # We do our own permission check so the permission check is not needed
-        cat > /var/www/html/config/datadir.permission.config.php <<'EOF'
+            cat << DATADIR_PERMISSION_CONF > /var/www/html/config/datadir.permission.config.php
 <?php
-    $CONFIG = array (
+    \$CONFIG = array (
-        'check_data_directory_permissions' => false
+    'check_data_directory_permissions' => false
-    );
+);
-EOF
+DATADIR_PERMISSION_CONF
-            echo "Installing with $DATABASE_TYPE database"
+            echo "Installing with PostgreSQL database"
            # Set a default value for POSTGRES_PORT
            if [ -z "$POSTGRES_PORT" ]; then
-                POSTGRES_PORT=5432
+              POSTGRES_PORT=5432
            fi
            INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST" --database-port "$POSTGRES_PORT")
            # Add database options to INSTALL_OPTIONS
            # shellcheck disable=SC2153
            INSTALL_OPTIONS+=(
                --database "$DATABASE_TYPE"
                --database-name "$POSTGRES_DB"
                --database-user "$POSTGRES_USER"
                --database-pass "$POSTGRES_PASSWORD"
                --database-host "$POSTGRES_HOST"
                --database-port "$POSTGRES_PORT"
            )
            echo "Starting Nextcloud installation..."
            if ! php /var/www/html/occ maintenance:install "${INSTALL_OPTIONS[@]}"; then
                echo "Installation of Nextcloud failed!"
@@ -401,7 +265,7 @@ EOF
                if [ "$try" -ge "$max_retries" ]; then
                    echo "Installation of Nextcloud failed!"
-                    echo "Installation errors: $(cat /var/www/html/data/nextcloud.log)"
+                    echo "Install errors: $(cat /var/www/html/data/nextcloud.log)"
                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
                    exit 1
                fi
@@ -413,10 +277,6 @@ EOF
            # unset admin password
            unset ADMIN_PASSWORD
            # Enable the updatenotification app but disable its UI and server update notifications
            php /var/www/html/occ config:system:set updatechecker --type=bool --value=false
            php /var/www/html/occ config:app:set updatenotification notify_groups --value="[]"
 # AIO update to latest start # Do not remove or change this line!
            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
@@ -437,19 +297,18 @@ EOF
                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                INSTALLED_MAJOR="${installed_version%%.*}"
                IMAGE_MAJOR="${image_version%%.*}"
                # If a valid upgrade path, trigger the Nextcloud built-in Updater
                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
                        echo "Installation of Nextcloud failed!"
                        # TODO: Add a hint here about what to do / where to look / updater.log? 
                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
                        exit 1
                    fi
                    # shellcheck disable=SC2016
                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                fi
-                php /var/www/html/occ config:system:set updatechecker --type=bool --value=true
+                php /var/www/html/occ app:disable updatenotification
                rm -rf /var/www/html/apps/updatenotification
                php /var/www/html/occ app:enable nextcloud-aio --force
                php /var/www/html/occ db:add-missing-columns
                php /var/www/html/occ db:add-missing-primary-keys
@@ -460,20 +319,12 @@ EOF
            # Apply log settings
            echo "Applying default settings..."
            mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
-            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+            php /var/www/html/occ config:system:set log_type --value="file"
-                php /var/www/html/occ config:system:set log_type --value="errorlog"
+            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
                php /var/www/html/occ app:disable logreader
            else
                php /var/www/html/occ config:system:set log_type --value="file"
                php /var/www/html/occ config:system:set log_type_audit --value="file"
                php /var/www/html/occ app:enable logreader
                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
            fi
            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
            php /var/www/html/occ app:enable admin_audit
            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
            php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
            # Apply preview settings
@@ -503,13 +354,15 @@ EOF
            php /var/www/html/occ config:system:set activity_expire_days --value="30" --type=integer
            php /var/www/html/occ config:system:set simpleSignUpLink.shown --type=bool --value=false
            php /var/www/html/occ config:system:set share_folder --value="/Shared"
            # Not needed anymore with the removal of the updatenotification app:
            # php /var/www/html/occ config:app:set updatenotification notify_groups --value="[]"
            # Install some apps by default
            if [ -n "$STARTUP_APPS" ]; then
                read -ra STARTUP_APPS_ARRAY <<< "$STARTUP_APPS"
                for app in "${STARTUP_APPS_ARRAY[@]}"; do
                    if ! echo "$app" | grep -q '^-'; then 
-                        if [ -z "$(find /var/www/html/apps /var/www/html/custom_apps -type d -maxdepth 1 -mindepth 1 -name "$app" )" ]; then
+                        if [ -z "$(find /var/www/html/apps -type d -maxdepth 1 -mindepth 1 -name "$app" )" ]; then
                            # If not shipped, install and enable the app
                            php /var/www/html/occ app:install "$app"
                        else
@@ -527,11 +380,11 @@ EOF
        #upgrade
        else
            touch "$NEXTCLOUD_DATA_DIR/update.failed"
-            echo "Upgrading Nextcloud from $installed_version to $image_version..."
+            echo "Upgrading nextcloud from $installed_version to $image_version..."
            php /var/www/html/occ config:system:delete integrity.check.disabled
            if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                echo "Upgrade failed. Please restore from backup."
-                bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup."
+                bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
                exit 1
            fi
@@ -539,7 +392,7 @@ EOF
            installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
            rm "$NEXTCLOUD_DATA_DIR/update.failed"
-            bash /notify.sh "Nextcloud update to $image_version successful!" "You may inspect the Nextcloud container logs for more information."
+            bash /notify.sh "Nextcloud update to $image_version successful!" "Feel free to inspect the Nextcloud container logs for more info."
            php /var/www/html/occ app:update --all
@@ -547,7 +400,7 @@ EOF
            # Restore app status
            if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
-                echo "Restoring app statuses. This may take a while..."
+                echo "Restoring the status of apps. This can take a while..."
                for app in "${!APPSTORAGE[@]}"; do
                    if [ -n "${APPSTORAGE[$app]}" ]; then
                        if [ "${APPSTORAGE[$app]}" != "no" ]; then
@@ -559,13 +412,13 @@ EOF
                                    php /var/www/html/occ maintenance:mode --off
                                fi
                                run_upgrade_if_needed_due_to_app_update
-                                echo "The $app app could not be re-enabled, probably because it is not compatible with the new Nextcloud version."
+                                echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                if [ "$app" = apporder ]; then
                                    CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
                                else
-                                    CUSTOM_HINT="Most likely, it is not compatible with the new Nextcloud version."
+                                    CUSTOM_HINT="Most likely because it is not compatible with the new Nextcloud version."
                                fi
-                                bash /notify.sh "Could not re-enable the $app app after the Nextcloud update!" "$CUSTOM_HINT Feel free to review the Nextcloud update logs and force-enable the app again if you wish."
+                                bash /notify.sh "Could not enable the $app app after the Nextcloud update!" "$CUSTOM_HINT Feel free to look at the Nextcloud update logs and force-enable the app again from the app-store UI."
                                continue
                            fi
                            # Only restore the group settings, if the app was enabled (and is thus compatible with the new NC version)
@@ -581,13 +434,8 @@ EOF
            run_upgrade_if_needed_due_to_app_update
            # Enable the updatenotification app but disable its UI and server update notifications
            php /var/www/html/occ config:system:set updatechecker --type=bool --value=false
            php /var/www/html/occ app:enable updatenotification
            php /var/www/html/occ config:app:set updatenotification notify_groups --value="[]"
            # Apply optimization
-            echo "Performing some optimizations..."
+            echo "Doing some optimizations..."
            if [ "$NEXTCLOUD_SKIP_DATABASE_OPTIMIZATION" != yes ]; then
                php /var/www/html/occ maintenance:repair --include-expensive
                php /var/www/html/occ db:add-missing-indices
@@ -618,10 +466,10 @@ if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
    # Check if appdata is present
    # If not, something broke (e.g. changing ncdatadir after aio was first started)
    if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you change the datadir after the initial Nextcloud installation? This is not supported!"
+        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
        echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
-        echo "If you moved the datadir to an external drive, make sure that the drive is still mounted."
+        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
-        echo "The following was found in the datadir:"
+        echo "In the datadir was found:"
        ls -la "$NEXTCLOUD_DATA_DIR/"
        exit 1
    fi
@@ -642,12 +490,6 @@ if [ -f "$NEXTCLOUD_DATA_DIR/fingerprint.update" ]; then
    rm "$NEXTCLOUD_DATA_DIR/fingerprint.update"
 fi
 # Perform preview scan if previews were excluded from restore
 if [ -f "$NEXTCLOUD_DATA_DIR/trigger-preview.scan" ]; then
    php /var/www/html/occ files:scan-app-data preview -vvv
    rm "$NEXTCLOUD_DATA_DIR/trigger-preview.scan"
 fi
 # AIO one-click settings start # Do not remove or change this line!
 # Apply one-click-instance settings
 echo "Applying one-click-instance settings..."
@@ -671,26 +513,9 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
+php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
    php /var/www/html/occ config:system:set log_type --value="errorlog"
    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
    php /var/www/html/occ app:disable logreader
 else
    php /var/www/html/occ config:system:set log_type --value="file"
    php /var/www/html/occ config:system:set log_type_audit --value="file"
    php /var/www/html/occ app:enable logreader
    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
 fi
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
    if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then
        php /var/www/html/occ config:system:set skeletondirectory --value=""
    else
        php /var/www/html/occ config:system:set skeletondirectory --value="$NEXTCLOUD_SKELETON_DIRECTORY"
    fi
 fi
 if [ -n "$SERVERINFO_TOKEN" ] && [ -z "$(php /var/www/html/occ config:app:get serverinfo token)" ]; then
    php /var/www/html/occ config:app:set serverinfo token --value="$SERVERINFO_TOKEN"
 fi
@@ -706,16 +531,11 @@ php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool -
 php /var/www/html/occ config:system:set davstorage.request_timeout --value="$PHP_MAX_TIME" --type=int
 php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
 php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
 php /var/www/html/occ config:system:set documentation_url.server_logs --value="https://github.com/nextcloud/all-in-one/discussions/5425"
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
-# Handle db persistent settings
+# Revert dbpersistent setting to check if it fixes too many db connections
-if [ "$NEXTCLOUD_PERSIST_DATABASE_CONNECTIONS" = "yes" ]; then
+php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
    php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
 else
    php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
 fi
 if [ "$DISABLE_BRUTEFORCE_PROTECTION" = yes ]; then
    php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=false
@@ -760,17 +580,12 @@ if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
    php /var/www/html/occ config:system:set trusted_proxies 2 --value="$ADDITIONAL_TRUSTED_PROXY"
 fi
-# Get ipv4-address of Nextcloud
+# Get ipv4-address of Nextcloud 
-if [ -z "$NEXTCLOUD_HOST" ]; then
+IPv4_ADDRESS="$(dig nextcloud-aio-nextcloud A +short +search | head -1)" 
    export NEXTCLOUD_HOST="nextcloud-aio-nextcloud"
 fi
 IPv4_ADDRESS="$(dig "$NEXTCLOUD_HOST" A +short +search | head -1)" 
 # Bring it in CIDR notation 
 # shellcheck disable=SC2001
 IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|0/16|')" 
-if [ -n "$IPv4_ADDRESS" ]; then
+php /var/www/html/occ config:system:set trusted_proxies 10 --value="$IPv4_ADDRESS"
    php /var/www/html/occ config:system:set trusted_proxies 10 --value="$IPv4_ADDRESS"
 fi
 if [ -n "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
    php /var/www/html/occ config:system:set trusted_domains 2 --value="$ADDITIONAL_TRUSTED_DOMAIN"
@@ -783,9 +598,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
        COLLABORA_HOST="$NC_DOMAIN"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
        set +x
    fi
    # Remove richdcoumentscode if it should be incorrectly installed
    if [ -d "/var/www/html/custom_apps/richdocumentscode" ]; then
        php /var/www/html/occ app:remove richdocumentscode
@@ -811,7 +624,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
            fi
        fi
    else
-        echo "Warning: No IPv4 address found for $COLLABORA_HOST."
+        echo "Warning: No ipv4-address found for $COLLABORA_HOST."
    fi
    if [ -n "$COLLABORA_IPv6_ADDRESS" ]; then
        if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv6_ADDRESS"; then
@@ -822,10 +635,10 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
            fi
        fi
    else
-        echo "No IPv6 address found for $COLLABORA_HOST."
+        echo "No ipv6-address found for $COLLABORA_HOST."
    fi
    if [ -n "$COLLABORA_ALLOW_LIST" ]; then
-        PRIVATE_IP_RANGES='127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,100.64.0.0/10,fd00::/8,::1/128'
+        PRIVATE_IP_RANGES='127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1'
        if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$PRIVATE_IP_RANGES"; then
            COLLABORA_ALLOW_LIST+=",$PRIVATE_IP_RANGES"
        fi
@@ -836,7 +649,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
        fi
        php /var/www/html/occ config:app:set richdocuments wopi_allowlist --value="$COLLABORA_ALLOW_LIST"
    else
-        echo "Warning: wopi_allowlist is empty; this should not be the case!"
+        echo "Warning: wopi_allowlist is empty which should not be the case!"
    fi
 else
    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/richdocuments" ]; then
@@ -846,52 +659,23 @@ fi
 # OnlyOffice
 if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
-    # Determine OnlyOffice port based on host pattern
+    while ! nc -z "$ONLYOFFICE_HOST" 80; do
-    if echo "$ONLYOFFICE_HOST" | grep -q "nextcloud-.*-onlyoffice"; then
+        echo "waiting for OnlyOffice to become available..."
        ONLYOFFICE_PORT=80
    else
        ONLYOFFICE_PORT=443
    fi
    count=0
    while ! nc -z "$ONLYOFFICE_HOST" "$ONLYOFFICE_PORT" && [ "$count" -lt 90 ]; do
        echo "Waiting for OnlyOffice to become available..."
        count=$((count+5))
        sleep 5
    done
-    if [ "$count" -ge 90 ]; then
+    if ! [ -d "/var/www/html/custom_apps/onlyoffice" ]; then
-        bash /notify.sh "Onlyoffice did not start in time!" "Skipping initialization and disabling onlyoffice app."
+        php /var/www/html/occ app:install onlyoffice
-        php /var/www/html/occ app:disable onlyoffice
+    elif [ "$(php /var/www/html/occ config:app:get onlyoffice enabled)" != "yes" ]; then
-    else
+        php /var/www/html/occ app:enable onlyoffice
-        # Install or enable OnlyOffice app as needed
+    elif [ "$SKIP_UPDATE" != 1 ]; then
-        if ! [ -d "/var/www/html/custom_apps/onlyoffice" ]; then
+        php /var/www/html/occ app:update onlyoffice
            php /var/www/html/occ app:install onlyoffice
        elif [ "$(php /var/www/html/occ config:app:get onlyoffice enabled)" != "yes" ]; then
            php /var/www/html/occ app:enable onlyoffice
        elif [ "$SKIP_UPDATE" != 1 ]; then
            php /var/www/html/occ app:update onlyoffice
        fi
        # Set OnlyOffice configuration
        php /var/www/html/occ config:system:set onlyoffice editors_check_interval --value="0" --type=integer 
        php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
        php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
        php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
        # Adjust the OnlyOffice host if using internal pattern
        if echo "$ONLYOFFICE_HOST" | grep -q "nextcloud-.*-onlyoffice"; then
            ONLYOFFICE_HOST="$NC_DOMAIN/onlyoffice"
            export ONLYOFFICE_HOST
        fi
        php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$ONLYOFFICE_HOST"
    fi
    php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
    php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
    php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
    php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$NC_DOMAIN/onlyoffice"
 else
-    # Remove OnlyOffice app if disabled and removal is requested
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
    if [ "$REMOVE_DISABLED_APPS" = yes ] && \
       [ -d "/var/www/html/custom_apps/onlyoffice" ] && \
       [ -n "$ONLYOFFICE_SECRET" ] && \
       [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
        php /var/www/html/occ app:remove onlyoffice
    fi
 fi
@@ -906,9 +690,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    if [ -z "$TURN_DOMAIN" ]; then
        TURN_DOMAIN="$TALK_HOST"
    fi
-    if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+    set +x
        set +x
    fi
    if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
        php /var/www/html/occ app:install spreed
    elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -916,20 +698,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update spreed
    fi
-    # Add turn server
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
-    # shellcheck disable=SC2153
+    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
-    if ! php /var/www/html/occ talk:turn:list --output="plain" | grep server | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
+        # shellcheck disable=SC2153
        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
    fi
    # Add stun server
    STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
    if ! echo "$STUN_SERVER" | grep -q " $TURN_DOMAIN:$TALK_PORT"; then
        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
    fi
    if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
    fi
    # Add HPB
    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
    fi
@@ -943,16 +721,14 @@ fi
 if [ -d "/var/www/html/custom_apps/spreed" ]; then
    if [ "$TALK_RECORDING_ENABLED" = 'yes' ]; then
        while ! nc -z "$TALK_RECORDING_HOST" 1234; do
-            echo "Waiting for Talk Recording to become available..."
+            echo "waiting for Talk Recording to become available..."
            sleep 5
        done
        # TODO: migrate to occ command if that becomes available
        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
    else
-        if [ "$REMOVE_DISABLED_APPS" = yes ]; then
+        php /var/www/html/occ config:app:delete spreed recording_servers
            php /var/www/html/occ config:app:delete spreed recording_servers
        fi
    fi
 fi
@@ -960,12 +736,12 @@ fi
 if [ "$CLAMAV_ENABLED" = 'yes' ]; then
    count=0
    while ! nc -z "$CLAMAV_HOST" 3310 && [ "$count" -lt 90 ]; do
-        echo "Waiting for ClamAV to become available..."
+        echo "waiting for clamav to become available..."
        count=$((count+5))
        sleep 5
    done
    if [ "$count" -ge 90 ]; then
-        bash /notify.sh "ClamAV did not start in time!" "Skipping initialization and disabling files_antivirus app."
+        echo "Clamav did not start in time. Skipping initialization and disabling files_antivirus app."
        php /var/www/html/occ app:disable files_antivirus
    else
        if ! [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
@@ -978,13 +754,9 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
        php /var/www/html/occ config:app:set files_antivirus av_mode --value="daemon"
        php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
        php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
-        # av_stream_max_length must be synced with StreamMaxLength inside clamav
+        php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="$CLAMAV_MAX_SIZE"
-        php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="2147483648"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="$CLAMAV_MAX_SIZE"
        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="-1"
        php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
        if [ -n "$CLAMAV_BLOCKLISTED_DIRECTORIES" ]; then
            php /var/www/html/occ config:app:set files_antivirus av_blocklisted_directories --value="$CLAMAV_BLOCKLISTED_DIRECTORIES"
        fi
    fi
 else
    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
@@ -995,7 +767,6 @@ fi
 # Imaginary
 if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
    php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
    php /var/www/html/occ config:system:set enabledPreviewProviders 23 --value="OC\\Preview\\ImaginaryPDF"
    php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
    php /var/www/html/occ config:system:set preview_imaginary_key --value="$IMAGINARY_SECRET"
 else
@@ -1005,63 +776,50 @@ else
        php /var/www/html/occ config:system:delete enabledPreviewProviders 20
        php /var/www/html/occ config:system:delete enabledPreviewProviders 21
        php /var/www/html/occ config:system:delete enabledPreviewProviders 22
        php /var/www/html/occ config:system:delete enabledPreviewProviders 23
    fi
 fi
 # Fulltextsearch
 if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
-    count=0
+    while ! nc -z "$FULLTEXTSEARCH_HOST" 9200; do
-    while ! nc -z "$FULLTEXTSEARCH_HOST" "$FULLTEXTSEARCH_PORT" && [ "$count" -lt 90 ]; do
+        echo "waiting for Fulltextsearch to become available..."
        echo "Waiting for Fulltextsearch to become available..."
        count=$((count+5))
        sleep 5
    done
-    if [ "$count" -ge 90 ]; then
+    if ! [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
-        echo "Fulltextsearch did not start in time. Skipping initialization and disabling fulltextsearch apps."
+        php /var/www/html/occ app:install fulltextsearch
-        php /var/www/html/occ app:disable fulltextsearch
+    elif [ "$(php /var/www/html/occ config:app:get fulltextsearch enabled)" != "yes" ]; then
-        php /var/www/html/occ app:disable fulltextsearch_elasticsearch
+        php /var/www/html/occ app:enable fulltextsearch
-        php /var/www/html/occ app:disable files_fulltextsearch
+    elif [ "$SKIP_UPDATE" != 1 ]; then
-    else
+        php /var/www/html/occ app:update fulltextsearch
-        if [ -z "$FULLTEXTSEARCH_PROTOCOL" ]; then
+    fi    
-            FULLTEXTSEARCH_PROTOCOL="http"
+    if ! [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
-        fi
+        php /var/www/html/occ app:install fulltextsearch_elasticsearch
-        if ! [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
+    elif [ "$(php /var/www/html/occ config:app:get fulltextsearch_elasticsearch enabled)" != "yes" ]; then
-            php /var/www/html/occ app:install fulltextsearch
+        php /var/www/html/occ app:enable fulltextsearch_elasticsearch
-        elif [ "$(php /var/www/html/occ config:app:get fulltextsearch enabled)" != "yes" ]; then
+    elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:enable fulltextsearch
+        php /var/www/html/occ app:update fulltextsearch_elasticsearch
-        elif [ "$SKIP_UPDATE" != 1 ]; then
+    fi    
-            php /var/www/html/occ app:update fulltextsearch
+    if ! [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
-        fi    
+        php /var/www/html/occ app:install files_fulltextsearch
-        if ! [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
+    elif [ "$(php /var/www/html/occ config:app:get files_fulltextsearch enabled)" != "yes" ]; then
-            php /var/www/html/occ app:install fulltextsearch_elasticsearch
+        php /var/www/html/occ app:enable files_fulltextsearch
-        elif [ "$(php /var/www/html/occ config:app:get fulltextsearch_elasticsearch enabled)" != "yes" ]; then
+    elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:enable fulltextsearch_elasticsearch
+        php /var/www/html/occ app:update files_fulltextsearch
-        elif [ "$SKIP_UPDATE" != 1 ]; then
+    fi
-            php /var/www/html/occ app:update fulltextsearch_elasticsearch
+    php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-        fi    
+    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://elastic:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
-        if ! [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
+    php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
            php /var/www/html/occ app:install files_fulltextsearch
        elif [ "$(php /var/www/html/occ config:app:get files_fulltextsearch enabled)" != "yes" ]; then
            php /var/www/html/occ app:enable files_fulltextsearch
        elif [ "$SKIP_UPDATE" != 1 ]; then
            php /var/www/html/occ app:update files_fulltextsearch
        fi
        php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
        php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"$FULLTEXTSEARCH_PROTOCOL://$FULLTEXTSEARCH_USER:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:$FULLTEXTSEARCH_PORT\",\"elastic_index\":\"$FULLTEXTSEARCH_INDEX\"}"
        php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":true,\"files_office\":true}"
-        # Do the index
+    # Do the index
-        if ! [ -f "$NEXTCLOUD_DATA_DIR/fts-index.done" ]; then
+    if ! [ -f "$NEXTCLOUD_DATA_DIR/fts-index.done" ]; then
-            echo "Waiting 10 seconds before activating fulltextsearch..."
+        echo "Waiting 10s before activating FTS..."
-            sleep 10
+        sleep 10
-            echo "Activating fulltextsearch..."
+        echo "Activating fulltextsearch..."
-            if php /var/www/html/occ fulltextsearch:test && php /var/www/html/occ fulltextsearch:index "{\"errors\": \"reset\"}" --no-readline; then
+        if php /var/www/html/occ fulltextsearch:test && php /var/www/html/occ fulltextsearch:index "{\"errors\": \"reset\"}" --no-readline; then
-                touch "$NEXTCLOUD_DATA_DIR/fts-index.done"
+            touch "$NEXTCLOUD_DATA_DIR/fts-index.done"
-            else
+        else
-                echo "Fulltextsearch failed. Could not index."
+            echo "Fulltextsearch failed. Could not index."
-                echo "If you want to skip indexing in the future, see https://github.com/nextcloud/all-in-one/discussions/1709"
+            echo "Feel free to follow https://github.com/nextcloud/all-in-one/discussions/1709 if you want to skip the indexing in the future."
            fi
        fi
    fi
 else
@@ -1078,21 +836,18 @@ else
    fi
 fi
-# Docker socket proxy / HaRP
+# Docker socket proxy
-# app_api is a shipped app
+if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
-if [ -d "/var/www/html/custom_apps/app_api" ]; then
+    if ! [ -d "/var/www/html/custom_apps/app_api" ]; then
-    php /var/www/html/occ app:disable app_api
+        php /var/www/html/occ app:install app_api
-    rm -r "/var/www/html/custom_apps/app_api"
+    elif [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
 fi
 if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ] || [ "$HARP_ENABLED" = 'yes' ]; then
    if [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
        php /var/www/html/occ app:enable app_api
    elif [ "$SKIP_UPDATE" != 1 ]; then
        php /var/www/html/occ app:update app_api
    fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ]; then
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/app_api" ]; then
-        if [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "no" ]; then
+        php /var/www/html/occ app:remove app_api
            php /var/www/html/occ app:disable app_api
        fi
    fi
 fi
--- a/Containers/nextcloud/healthcheck.sh
+++ b/Containers/nextcloud/healthcheck.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
--- a/Containers/nextcloud/notify-all.sh
+++ b/Containers/nextcloud/notify-all.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -24,7 +20,7 @@ mapfile -t NC_USERS <<< "$NC_USERS"
 for user in "${NC_USERS[@]}"
 do
    echo "Posting '$SUBJECT' to: $user"
-    "${COMMAND[@]}" notification:generate "$user" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE" --object-type='update' --object-id="$SUBJECT"
+    "${COMMAND[@]}" notification:generate "$user" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE"
 done
 echo "Done!"
--- a/Containers/nextcloud/notify.sh
+++ b/Containers/nextcloud/notify.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 if [[ "$EUID" = 0 ]]; then
    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
 else
@@ -32,7 +28,7 @@ done
 for admin in "${NC_ADMIN_USER[@]}"
 do
    echo "Posting '$SUBJECT' to: $admin"
-    "${COMMAND[@]}" notification:generate "$admin" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE" --object-type='update' --object-id="$SUBJECT"
+    "${COMMAND[@]}" notification:generate "$admin" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE"
 done
 echo "Done!"
--- a/Containers/nextcloud/root.motd
+++ b/Containers/nextcloud/root.motd
@@ -1,4 +1,4 @@
 Warning: You have logged in into the Nextcloud container as root user.
 See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands if you want to run occ commands.
-Apart from that, you can use 'sudo -E -u www-data php occ <your-command>' in order to run occ commands.
+Apart from that, you can use 'sudo -u www-data -E php occ <your-command>' in order to run occ commands.
 Of course <your-command> needs to be substituted with the command that you want to use.
--- a/Containers/nextcloud/run-exec-commands.sh
+++ b/Containers/nextcloud/run-exec-commands.sh
@@ -1,14 +1,7 @@
 #!/bin/bash
-if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
+# Wait 15s for domain to be reachable
-    set -x
+sleep 15
 fi
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
    echo "Waiting for $APACHE_HOST to become available..."
    sleep 15
 done
 if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
    echo "#!/bin/bash" > /tmp/nextcloud-exec-commands
@@ -23,13 +16,11 @@ else
        echo "Activating Collabora config..."
        php /var/www/html/occ richdocuments:activate-config
    fi
    # OnlyOffice must work also if using manual-install
    if [ "$ONLYOFFICE_ENABLED" = yes ]; then
        echo "Activating OnlyOffice config..."
        php /var/www/html/occ onlyoffice:documentserver --check
    fi
 fi
-signal_handler() {
+sleep inf
    exit 0
 }
 trap signal_handler SIGINT SIGTERM
 sleep inf &
 wait $!
--- a/Containers/nextcloud/start.sh
+++ b/Containers/nextcloud/start.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
    set -x
 fi
 # Set a default value for POSTGRES_PORT
 if [ -z "$POSTGRES_PORT" ]; then
    POSTGRES_PORT=5432
@@ -12,7 +8,7 @@ fi
 # Only start container if database is accessible
 # POSTGRES_HOST must be set in the containers env vars and POSTGRES_PORT has a default above
 # shellcheck disable=SC2153
-while ! sudo -E -u www-data nc -z "$POSTGRES_HOST" "$POSTGRES_PORT"; do
+while ! sudo -u www-data nc -z "$POSTGRES_HOST" "$POSTGRES_PORT"; do
    echo "Waiting for database to start..."
    sleep 5
 done
@@ -21,15 +17,10 @@ done
 POSTGRES_USER="oc_$POSTGRES_USER"
 export POSTGRES_USER
 # Check that db type is not empty
 if [ -z "$DATABASE_TYPE" ]; then
    export DATABASE_TYPE=postgres
 fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
    sleep 2
-    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
        echo "Waiting for the database to start..."
        sleep 5
    done
@@ -57,17 +48,15 @@ if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindept
    usermod -aG "$GROUP" www-data
    touch "/dev-dri-group-was-added"
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+set +x
    set +x
 fi
 # Check datadir permissions
-sudo -E -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
+sudo -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
 if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
    chown -R www-data:root "$NEXTCLOUD_DATA_DIR"
    chmod 750 -R "$NEXTCLOUD_DATA_DIR"
 fi
-sudo -E -u www-data rm -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
+sudo -u www-data rm -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
 # Install additional dependencies
 if [ -n "$ADDITIONAL_APKS" ]; then
@@ -92,15 +81,13 @@ fi
 # Install additional php extensions
 if [ -n "$ADDITIONAL_PHP_EXTENSIONS" ]; then
    if ! [ -f "/additional-php-extensions-are-installed" ]; then
        # Allow to disable imagick without having to enable it each time
        if ! echo "$ADDITIONAL_PHP_EXTENSIONS" | grep -q imagick; then
            # Remove the ini file as there is no docker-php-ext-disable script available
            rm /usr/local/etc/php/conf.d/docker-php-ext-imagick.ini
        fi
        read -ra ADDITIONAL_PHP_EXTENSIONS_ARRAY <<< "$ADDITIONAL_PHP_EXTENSIONS"
        for app in "${ADDITIONAL_PHP_EXTENSIONS_ARRAY[@]}"; do
            if [ "$app" = imagick ]; then
-                # imagick is already enabled by default, so does not need to be enabled anymore.
+                echo "Enabling Imagick..."
                if ! docker-php-ext-enable imagick >/dev/null; then
                    echo "Could not install PHP extension imagick!"
                fi
                continue
            fi
            # shellcheck disable=SC2086
@@ -176,8 +163,6 @@ if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
 fi
-if [ "$AIO_LOG_LEVEL" != 'debug' ]; then
+set +x
    set +x
 fi
 exec "$@"
--- a/Containers/nextcloud/supervisord.conf
+++ b/Containers/nextcloud/supervisord.conf
@@ -6,7 +6,7 @@ pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
-loglevel=%(ENV_AIO_LOG_LEVEL)s
+loglevel=error
 user=root
 [program:php-fpm]
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 [program:taskprocessing-worker]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=php /var/www/html/occ taskprocessing:worker --timeout 300
 user=www-data
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
@@ -47,7 +39,5 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-# Restart the netcat command once a day to ensure that it stays reachable
+command=nc -lk 9001
 # See https://github.com/nextcloud/all-in-one/issues/6334
 command=timeout 86400 nc -lk 9001
 user=www-data
--- a/Containers/nextcloud/upgrade.exclude
+++ b/Containers/nextcloud/upgrade.exclude
@@ -3,4 +3,3 @@
 /custom_apps/
 /themes/
 /version.php
 /lost+found
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jean-Yves	0f69143531	Merge branch 'main' into enh/noid/overwrite	2024-09-28 20:26:14 +02:00
Jean-Yves	f2e71532e7	Add feature Signed-off-by: Jean-Yves <7360784+docjyJ@users.noreply.github.com>	2024-08-25 17:21:38 +02:00