mask deSEC password behind details reveal; add hex length comment

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/4e99bcbc-4f32-45e6-af08-5026ce4b1f45

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

.github/workflows/collabora.yml

@@ -18,7 +18,7 @@ jobs:
         mv cool-seccomp-profile.json php/
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: collabora-seccomp-update automated change

.github/workflows/dependency-updates.yml

@@ -53,7 +53,7 @@ jobs:
         sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: php dependency updates

.github/workflows/fail-on-prerelease.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Check latest published release isn't a prerelease"
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v6
         with:
           script: |
             const tags = await github.rest.repos.listTags({

.github/workflows/helm-release.yml

@@ -32,7 +32,7 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v3.6.3
 

.github/workflows/imaginary-update.yml

@@ -22,7 +22,7 @@ jobs:
         sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: imaginary-update automated change

.github/workflows/lint-helm.yml

@@ -16,7 +16,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v3.11.1
 

.github/workflows/lint-yaml.yml

@@ -36,7 +36,7 @@ jobs:
             line-length: warning
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 
       - name: Check GitHub actions
         run: uvx zizmor --min-severity medium .github/workflows/*.yml

.github/workflows/nextcloud-update.yml

@@ -79,7 +79,7 @@ jobs:
         fi
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: nextcloud-update automated change

.github/workflows/playwright-on-push.yml

@@ -120,7 +120,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -82,7 +82,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/psalm-update-baseline.yml

@@ -31,7 +31,7 @@ jobs:
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update psalm baseline

.github/workflows/sync-workflow-templates.yml

@@ -120,7 +120,7 @@ jobs:
           echo "DRAFT_ONLY=${draft_only}" >> $GITHUB_ENV
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ secrets.COMMAND_BOT_WORKFLOWS }} # zizmor: ignore[secrets-outside-env]
           commit-message: 'ci(actions): Update workflow templates from organization template repository'

.github/workflows/talk.yml

@@ -45,7 +45,7 @@ jobs:
         sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: talk-update automated change

.github/workflows/update-helm.yml

@@ -23,7 +23,7 @@ jobs:
             sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           commit-message: Helm Chart updates
           signoff: true

.github/workflows/update-yaml.yml

@@ -16,7 +16,7 @@ jobs:
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:
           commit-message: Yaml updates
           signoff: true

.github/workflows/watchtower-update.yml

@@ -26,7 +26,7 @@ jobs:
         sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+      uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: watchtower-update automated change

Containers/alpine/Dockerfile

@@ -4,4 +4,9 @@ FROM alpine:3.23.4
 RUN set -ex; \
     apk upgrade --no-cache -a
 
-LABEL org.label-schema.vendor="Nextcloud"
+LABEL org.opencontainers.image.title="Alpine for Nextcloud AIO" \
+    org.opencontainers.image.description="Minimal Alpine Linux image for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/apache/Dockerfile

@@ -60,6 +60,19 @@ RUN set -ex; \
     grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
 # ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
     sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
+# Pin ThreadsPerChild so the value is deterministic regardless of the httpd base-image
+# defaults; 25 threads per process balances concurrency against per-process memory use.
+    sed -i 's|ThreadsPerChild.*|ThreadsPerChild 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
+# Start two server processes on boot to absorb the first requests without spawning
+# new processes on the critical path, while avoiding unnecessary memory overhead.
+    sed -i 's|StartServers.*|StartServers 2|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
+# Keep at least 25 idle threads (one full process worth) so traffic bursts can be
+# absorbed immediately without triggering new process creation.
+    sed -i 's|MinSpareThreads.*|MinSpareThreads 25|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
+# Retire idle threads above 50 to reclaim memory during quiet periods. 50 is the
+# minimum valid value (MinSpareThreads + ThreadsPerChild = 25 + 25) and is enough
+# to absorb typical bursts without respawning a new process.
+    sed -i 's|MaxSpareThreads.*|MaxSpareThreads 50|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
     \
     rm -rf /usr/local/apache2/conf/original /var/www; \
     mkdir -p /var/www; \
@@ -90,4 +103,9 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Apache and Caddy for Nextcloud AIO" \
+    org.opencontainers.image.description="Apache HTTP server with Caddy for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/apache/nextcloud.conf

@@ -9,6 +9,34 @@ Listen 8000
     ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
     LogLevel warn
 
+    # KeepAlive On: allow the same TCP connection to carry multiple HTTP requests.
+    # Without this each asset (JS, CSS, image) would require a full TCP handshake,
+    # which is especially expensive on TLS connections and noticeably slows down
+    # Nextcloud's login page and file manager that load dozens of resources at once.
+    KeepAlive On
+    # KeepAliveTimeout: close an idle keep-alive connection after 5 seconds.
+    # A short timeout frees Apache worker threads quickly so they are available
+    # for new requests; 5 s is long enough to cover the gap between requests
+    # that a browser issues while rendering a page (typically < 1 s), yet short
+    # enough to avoid holding threads open for idle or slow clients.
+    KeepAliveTimeout 5
+    # MaxKeepAliveRequests: allow at most 500 requests per persistent connection.
+    # 100 (the Apache default) is too low for Nextcloud: the desktop and mobile
+    # sync clients issue many small API calls (PROPFIND, GET, PUT, checksums …)
+    # per sync cycle and routinely exceed 100 requests on a single connection.
+    # Hitting the limit forces a new TCP/TLS handshake, adding latency and CPU
+    # overhead. 500 gives sync clients enough headroom while still periodically
+    # recycling threads to contain per-process memory growth.
+    MaxKeepAliveRequests 500
+
+    # sendfile(2) is disabled because it bypasses Apache's output-filter chain: with
+    # it enabled, mod_brotli is silently skipped for static files (JS, CSS, SVG),
+    # negating the compression configured below.  MMAP is also
+    # disabled because files can be replaced by Nextcloud at any time and mmap'd
+    # pages could serve stale data.
+    EnableSendfile Off
+    EnableMMAP Off
+
     # PHP match
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
@@ -17,20 +45,25 @@ Listen 8000
     <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
     </Proxy>
 
-    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
+    # Compress JS, CSS and SVG responses with Brotli (quality 4 gives good
+    # compression with reasonable CPU cost; the default of 0 barely compresses).
+    # Other plain-text files are already compressed by Nextcloud itself.
+    # No deflate fallback is needed: every browser that Nextcloud supports
+    # (Chrome 49+, Firefox 44+, Safari 11+, Edge 15+ — all from 2016-2017)
+    # supports Brotli. Internet Explorer, the only browser that never gained
+    # Brotli support, was dropped by Nextcloud with NC15 (2019).
+    # Desktop and mobile sync clients never request JS/CSS/SVG assets.
     <IfModule mod_brotli.c>
         AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 0
+        BrotliCompressionQuality 4
     </IfModule>
 
     # Nextcloud dir
     DocumentRoot /var/www/html/
     <Directory /var/www/html/>
-        Options Indexes FollowSymLinks
+        Options FollowSymLinks MultiViews
         Require all granted
         AllowOverride All
-        Options FollowSymLinks MultiViews
-        Satisfy Any
         <IfModule mod_dav.c>
             Dav off
         </IfModule>

Containers/apache/supervisord.conf

@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/

Containers/borgbackup/Dockerfile

@@ -25,5 +25,10 @@ USER root
 
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Borgbackup for Nextcloud AIO" \
+    org.opencontainers.image.description="BorgBackup-based backup service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"

Containers/clamav/Dockerfile

@@ -13,6 +13,15 @@ RUN set -ex; \
     sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize 2000M|g" /etc/clamav/clamd.conf; \
 # StreamMaxLength must be synced with av_stream_max_length inside the Nextcloud files_antivirus plugin
     sed -i "s|#\?StreamMaxLength.*|StreamMaxLength 2000M|g" /etc/clamav/clamd.conf; \
+# By default clamd keeps the old signature database in RAM while loading the new one,
+# briefly doubling memory usage (~1 GB extra) during each freshclam update cycle.
+# Setting ConcurrentDatabaseReload to "no" makes clamd unload the old database first,
+# eliminating that transient peak and significantly reducing maximum RAM consumption.
+    sed -i "s|#\?ConcurrentDatabaseReload.*|ConcurrentDatabaseReload no|g" /etc/clamav/clamd.conf; \
+# The default thread pool is 10-12 threads, each reserving its own stack and scan buffers.
+# The Nextcloud antivirus plugin sends one file at a time, so 2 threads are sufficient
+# and avoids the idle per-thread memory overhead of the larger default pool.
+    sed -i "s|#\?MaxThreads.*|MaxThreads 2|g" /etc/clamav/clamd.conf; \
     sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
     sed -i "s|^LocalSocket .*|LocalSocket /tmp/clamd.sock|g" /etc/clamav/clamd.conf; \
     sed -i "s|Example| |g" /etc/clamav/clamav-milter.conf; \
@@ -34,5 +43,10 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="ClamAV for Nextcloud AIO" \
+    org.opencontainers.image.description="ClamAV antivirus scanner for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh

Containers/clamav/supervisord.conf

@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/

Containers/collabora-online/Dockerfile

@@ -13,4 +13,9 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Collabora Online for Nextcloud AIO" \
+    org.opencontainers.image.description="Collabora Online document editor from upstream for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/collabora/Dockerfile

@@ -12,4 +12,9 @@ USER 1001
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Collabora for Nextcloud AIO" \
+    org.opencontainers.image.description="Collabora CODE document editor for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/dnsmasq/Dockerfile

@@ -0,0 +1,17 @@
+# syntax=docker/dockerfile:latest
+FROM alpine:3.21
+
+RUN apk add --no-cache dnsmasq iproute2
+
+COPY --chmod=755 start.sh /start.sh
+
+ENTRYPOINT ["/start.sh"]
+
+LABEL com.centurylinklabs.watchtower.enable="false" \
+    wud.watch="false" \
+    org.opencontainers.image.title="Dnsmasq for Nextcloud AIO" \
+    org.opencontainers.image.description="Lightweight DNS server that resolves NC_DOMAIN to the local server IP for LAN devices" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/community-containers/dnsmasq/readme.md"

Containers/dnsmasq/start.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+if [ -z "$NC_DOMAIN" ]; then
+    echo "ERROR: NC_DOMAIN is not set" >&2
+    exit 1
+fi
+
+LOCAL_IP=""
+
+# Determine the server's primary LAN IP - use the source address chosen by the kernel
+# for a route to a well-known public IP (1.1.1.1 is used purely to query the routing table;
+# no traffic is sent there).
+LOCAL_IP=$(ip route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="src") {print $(i+1); exit}}')
+
+if [ -z "$LOCAL_IP" ]; then
+    LOCAL_IP=$(hostname -I 2>/dev/null | awk '{print $1}')
+fi
+
+if [ -z "$LOCAL_IP" ]; then
+    echo "ERROR: Could not determine local IP address" >&2
+    exit 1
+fi
+
+echo "Nextcloud AIO dnsmasq: resolving $NC_DOMAIN -> $LOCAL_IP"
+echo "Configure your router's DHCP to hand out $LOCAL_IP as the DNS server for LAN clients."
+
+mkdir -p /etc/dnsmasq.d
+
+cat > /etc/dnsmasq.d/nextcloud-aio.conf << EOF
+# Auto-generated by Nextcloud AIO dnsmasq container.
+# Resolves NC_DOMAIN (and all its subdomains) to this server's local IP.
+address=/$NC_DOMAIN/$LOCAL_IP
+
+# Bind only to the LAN interface to avoid conflicts with any system DNS resolver.
+bind-interfaces
+listen-address=$LOCAL_IP
+EOF
+
+exec dnsmasq --no-daemon --log-queries --conf-dir=/etc/dnsmasq.d

Containers/docker-socket-proxy/Dockerfile

@@ -20,4 +20,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Docker Socket Proxy for Nextcloud AIO" \
+    org.opencontainers.image.description="HAProxy-based Docker socket proxy for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/domaincheck/Dockerfile

@@ -19,4 +19,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Domain Check for Nextcloud AIO" \
+    org.opencontainers.image.description="Domain validation service for Nextcloud All-in-One setup" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/fulltextsearch/Dockerfile

@@ -23,5 +23,10 @@ USER 1000:0
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Full Text Search for Nextcloud AIO" \
+    org.opencontainers.image.description="Elasticsearch-based full-text search for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"
 ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"

Containers/fulltextsearch/healthcheck.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-nc -z 127.0.0.1 9200 || exit 1
+curl -fs "http://127.0.0.1:9200/_cluster/health?filter_path=status" | grep -qE '"status":"(green|yellow)"' || exit 1

Containers/imaginary/Dockerfile

@@ -44,4 +44,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Imaginary for Nextcloud AIO" \
+    org.opencontainers.image.description="High-performance image processing service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/imaginary/start.sh

@@ -1,8 +1,11 @@
 #!/bin/bash
 
 echo "Imaginary has started"
-if [ -z "$IMAGINARY_SECRET" ]; then
-    imaginary -return-size -max-allowed-resolution 222.2 "$@"
-else
-    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
+
+IMAGINARY_ARGS=(-return-size -max-allowed-resolution 222.2)
+
+if [ -n "$IMAGINARY_SECRET" ]; then
+    IMAGINARY_ARGS+=(-key "$IMAGINARY_SECRET")
 fi
+
+exec imaginary "${IMAGINARY_ARGS[@]}" "$@"

Containers/mastercontainer/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.4.0-cli AS docker
+FROM docker:29.4.1-cli AS docker
 
 ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 
@@ -53,6 +53,16 @@ RUN set -ex; \
         build-base; \
     pecl install APCu-5.1.28; \
     docker-php-ext-enable apcu; \
+    { \
+        echo 'apc.shm_size=32M'; \
+    } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
+    { \
+        echo 'opcache.enable=1'; \
+        echo 'opcache.memory_consumption=32'; \
+        echo 'opcache.interned_strings_buffer=8'; \
+        echo 'opcache.max_accelerated_files=4000'; \
+        echo 'opcache.validate_timestamps=0'; \
+    } > /usr/local/etc/php/conf.d/docker-php-ext-opcache.ini; \
     rm -r /tmp/pear; \
     runDeps="$( \
         scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
@@ -90,7 +100,12 @@ RUN set -ex; \
     mkdir /var/run/supervisord;
 
 # hadolint ignore=DL3048
-LABEL org.label-schema.vendor="Nextcloud" \
+LABEL org.opencontainers.image.title="Nextcloud All-in-One Mastercontainer" \
+    org.opencontainers.image.description="Easy deployment and maintenance of a Nextcloud server with all dependencies and optional services" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md" \
     wud.watch="false" \
     com.docker.compose.project="nextcloud-aio"
 

Containers/mastercontainer/cron.sh

@@ -51,6 +51,9 @@ while true; do
     # Check if AIO is outdated
     sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/OutdatedNotification.php
 
+    # Update deSEC DNS IP record (no-op when IP is unchanged or deSEC is not configured)
+    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/UpdateDesecIp.php
+
     # Remove sessions older than 24h
     find "/mnt/docker-aio-config/session/" -mindepth 1 -mmin +1440 -delete
 
@@ -59,8 +62,9 @@ while true; do
         sudo -E -u www-data docker container remove nextcloud-aio-domaincheck
     fi
 
-    # Remove dangling images
+    # Remove dangling images (support both deprecated label-schema and OCI standard vendor label)
     sudo -E -u www-data docker image prune --filter "label=org.label-schema.vendor=Nextcloud" --force
+    sudo -E -u www-data docker image prune --filter "label=org.opencontainers.image.vendor=Nextcloud" --force
 
     # Check for available free space
     sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php

Containers/mastercontainer/headers.Caddyfile

@@ -22,6 +22,9 @@ header {
     Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
     Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
 
+    # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
+    Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
+
     -Server
     -X-Powered-By
     -Via

Containers/mastercontainer/start.sh

@@ -312,6 +312,26 @@ if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
     print_red "You've set AIO_COMMUNITY_CONTAINERS but the option was removed.
 The community containers get managed via the AIO interface now."
 fi
+if [ -n "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
+    print_red "The environmental variable NEXTCLOUD_ENABLE_DRI_DEVICE is deprecated. Please mount the /dev/dri device into the mastercontainer instead and remove NEXTCLOUD_ENABLE_DRI_DEVICE. It will then be set automatically."
+fi
+
+# Automatically enable the /dev/dri device if it is mounted into the mastercontainer
+if [ -d "/dev/dri" ]; then
+    export NEXTCLOUD_ENABLE_DRI_DEVICE="true"
+    if [ -e "/dev/dri/renderD128" ]; then
+        NEXTCLOUD_DRI_GID="$(stat -c '%g' /dev/dri/renderD128)"
+        export NEXTCLOUD_DRI_GID
+    else
+        export NEXTCLOUD_DRI_GID=""
+    fi
+else
+    if [ -z "$NEXTCLOUD_ENABLE_DRI_DEVICE" ]; then
+        # Force the unset of the env if it was not externally overwritten already
+        export NEXTCLOUD_ENABLE_DRI_DEVICE="false"
+    fi
+    export NEXTCLOUD_DRI_GID=""
+fi
 
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
@@ -403,5 +423,11 @@ caddy fmt --overwrite /internal.Caddyfile
 # Fix caddy log 
 chmod 777 /root
 
+# Create Twig template cache directory (path must match TWIG_CACHE_PATH in php/public/index.php)
+mkdir -p /tmp/twig-cache
+rm -rf /tmp/twig-cache/*
+chown www-data:www-data /tmp/twig-cache
+chmod 770 /tmp/twig-cache
+
 # Start supervisord
 exec /usr/bin/supervisord -c /supervisord.conf

Containers/nextcloud/Dockerfile

@@ -114,18 +114,18 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/server_tuning.html#enable-php-opcache and below
     { \
-        echo 'opcache.max_accelerated_files=10000'; \
+        echo 'opcache.max_accelerated_files=20000'; \
         echo 'opcache.memory_consumption=256'; \
         echo 'opcache.interned_strings_buffer=64'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
         echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=8M'; \
+        echo 'opcache.jit_buffer_size=128M'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
     { \
         echo 'apc.enable_cli=1'; \
-        echo 'apc.shm_size=64M'; \
+        echo 'apc.shm_size=128M'; \
     } >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
     \
     { \
@@ -135,14 +135,20 @@ RUN set -ex; \
         echo 'max_execution_time=${PHP_MAX_TIME}'; \
         echo 'max_input_time=-1'; \
         echo 'default_socket_timeout=${PHP_MAX_TIME}'; \
+        echo 'output_buffering=0'; \
+        echo 'realpath_cache_size=8M'; \
+        echo 'realpath_cache_ttl=600'; \
     } > /usr/local/etc/php/conf.d/nextcloud.ini; \
     \
     { \
         echo 'session.save_handler = redis'; \
-        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}"'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:${REDIS_PORT}?database=${REDIS_DB_INDEX}${REDIS_USER_AUTH}&auth[]=${REDIS_HOST_PASSWORD}&timeout=3.0&read_timeout=10.0"'; \
         echo 'redis.session.locking_enabled = 1'; \
         echo 'redis.session.lock_retries = -1'; \
-        echo 'redis.session.lock_wait_time = 10000'; \
+        echo '; 100ms in microseconds - prevents timeout on long requests such as large file uploads'; \
+        echo 'redis.session.lock_wait_time = 100000'; \
+        echo '; prevents stale locks from crashed workers (seconds)'; \
+        echo 'redis.session.lock_expire = 60'; \
         echo 'session.gc_maxlifetime = 86400'; \
     } > /usr/local/etc/php/conf.d/redis-session.ini; \
     \
@@ -265,4 +271,9 @@ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Nextcloud for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud server with all required PHP extensions for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/nextcloud/config/apps.config.php

@@ -16,6 +16,12 @@ $CONFIG = array (
 if (getenv('APPS_ALLOWLIST')) {
     $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
 }
-if (getenv('NEXTCLOUD_APP_STORE_URL')) {
-    $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
+
+$appStoreUrl = getenv('NEXTCLOUD_APP_STORE_URL');
+if ($appStoreUrl) {
+    if ($appStoreUrl === 'no') {
+        $CONFIG['appstoreenabled '] = false;
+    } else {
+        $CONFIG['appstoreurl'] = getenv('NEXTCLOUD_APP_STORE_URL');
+    }
 }

Containers/nextcloud/config/redis.config.php

@@ -7,6 +7,8 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
 
   if (getenv('REDIS_HOST')) {
     $CONFIG['redis']['host'] = (string) getenv('REDIS_HOST');
+    $CONFIG['redis']['timeout'] = 3.0;
+    $CONFIG['redis']['read_timeout'] = 10.0;
   }
 
   if (getenv('REDIS_HOST_PASSWORD')) {
@@ -21,6 +23,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
     $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
   }
 
+  if (getenv('REDIS_PREFIX')) {
+    $CONFIG['redis']['memcache_customprefix'] = getenv('REDIS_PREFIX');
+  }
+
   if (getenv('REDIS_USER_AUTH')) {
     $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
@@ -58,6 +64,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
     $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
 
+  if (getenv('REDIS_PREFIX')) {
+    $CONFIG['redis.cluster']['memcache_customprefix'] = getenv('REDIS_PREFIX');
+  }
+
   if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
     $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
   }

Containers/nextcloud/entrypoint.sh

@@ -115,6 +115,11 @@ rm -f "$test_file"
 if [ -f /var/www/html/version.php ]; then
     # shellcheck disable=SC2016
     installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+    if [ -z "$installed_version" ]; then
+        echo "Could not determine the installed Nextcloud version via php -r. The PHP installation might be broken."
+        echo "Please check the container logs and your PHP installation."
+        exit 1
+    fi
 else
     installed_version="0.0.0.0"
 fi
@@ -438,11 +443,19 @@ EOF
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
             php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
-            php /var/www/html/occ config:system:set log_type --value="file"
-            php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+            if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+                php /var/www/html/occ config:system:set log_type --value="errorlog"
+                php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
+                php /var/www/html/occ app:disable logreader
+            else
+                php /var/www/html/occ config:system:set log_type --value="file"
+                php /var/www/html/occ config:system:set log_type_audit --value="file"
+                php /var/www/html/occ app:enable logreader
+                php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+                php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
+            fi
             php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
             php /var/www/html/occ app:enable admin_audit
-            php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
             php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
 
             # Apply preview settings
@@ -640,8 +653,17 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
-php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
+if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
+    php /var/www/html/occ config:system:set log_type --value="errorlog"
+    php /var/www/html/occ config:system:set log_type_audit --value="errorlog"
+    php /var/www/html/occ app:disable logreader
+else
+    php /var/www/html/occ config:system:set log_type --value="file"
+    php /var/www/html/occ config:system:set log_type_audit --value="file"
+    php /var/www/html/occ app:enable logreader
+    php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
+    php /var/www/html/occ config:system:set logfile_audit --value="/var/www/html/data/audit.log"
+fi
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$NEXTCLOUD_SKELETON_DIRECTORY" ]; then
     if [ "$NEXTCLOUD_SKELETON_DIRECTORY" = "empty" ]; then

Containers/nextcloud/start.sh

@@ -25,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
     sleep 2
-    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data env PGPASSWORD="$POSTGRES_PASSWORD" psql -h "$POSTGRES_HOST" -p "$POSTGRES_PORT" -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start..."
         sleep 5
     done

Containers/nextcloud/supervisord.conf

@@ -25,6 +25,14 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 
+[program:taskprocessing-worker]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php /var/www/html/occ taskprocessing:worker --timeout 300
+user=www-data
+
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

Containers/notify-push/Dockerfile

@@ -23,4 +23,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Notify Push for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud notify_push high-performance backend for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/notify-push/start.sh

@@ -39,8 +39,6 @@ fi
 echo "notify-push was started"
 
 # Run it
-/var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+exec /var/www/html/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
     --port 7867 \
     /var/www/html/config/config.php
-
-exec "$@"

Containers/onlyoffice/Dockerfile

@@ -9,4 +9,9 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="OnlyOffice for Nextcloud AIO" \
+    org.opencontainers.image.description="OnlyOffice Document Server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/postgresql/Dockerfile

@@ -48,4 +48,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="PostgreSQL for Nextcloud AIO" \
+    org.opencontainers.image.description="PostgreSQL database for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/postgresql/healthcheck.sh

@@ -2,6 +2,6 @@
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
+PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1

Containers/postgresql/init-user-db.sh

@@ -3,8 +3,9 @@ set -ex
 
 touch "$DUMP_DIR/initialization.failed"
 
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+	-v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD :'pg_new_password' CREATEDB;
 	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
 	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";

Containers/postgresql/start.sh

@@ -85,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     exec docker-entrypoint.sh postgres &
 
     # Wait for creation
-    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
+    while ! psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start."
         sleep 5
     done
@@ -107,8 +107,9 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
         exit 1
     elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
         DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" \
+            -v "pg_new_password=$POSTGRES_PASSWORD" <<-EOSQL
+            CREATE USER "$DB_OWNER" WITH PASSWORD :'pg_new_password' CREATEDB;
             ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
             GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
             GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
@@ -151,23 +152,65 @@ fi
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
     echo "Setting postgres values..."
+    PGCONF="/var/lib/postgresql/data/postgresql.conf"
 
     # Sync this with max pm.max_children and MaxRequestWorkers
     # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
     # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
     # Also connections should usually be closed again after the process is done
     # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "$PGCONF"
 
     # Do not log checkpoints
-    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
+    if grep -q "#log_checkpoints" "$PGCONF"; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' "$PGCONF"
     fi
 
     # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
+    if grep -q "^idle_session_timeout" "$PGCONF"; then
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' "$PGCONF"
     fi
+
+    # Increase shared_buffers from the 128MB default for better data caching
+    sed -i "s|^#shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
+    sed -i "s|^shared_buffers = .*|shared_buffers = 256MB|" "$PGCONF"
+
+    # Hint to the query planner about available OS page cache (does not allocate memory)
+    sed -i "s|^#effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
+    sed -i "s|^effective_cache_size = .*|effective_cache_size = 1GB|" "$PGCONF"
+
+    # Increase per-operation sort/hash memory to reduce disk spills for file listing and share queries.
+    # Note: this is allocated per sort/hash operation, not per connection, so the theoretical worst-case
+    # (max_connections × work_mem) is rarely approached in practice.
+    sed -i "s|^#work_mem = .*|work_mem = 16MB|" "$PGCONF"
+    sed -i "s|^work_mem = .*|work_mem = 16MB|" "$PGCONF"
+
+    # Increase memory for VACUUM, CREATE INDEX, and other maintenance operations
+    sed -i "s|^#maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
+    sed -i "s|^maintenance_work_mem = .*|maintenance_work_mem = 256MB|" "$PGCONF"
+
+    # Increase WAL buffers to reduce WAL write latency under concurrent write load
+    sed -i "s|^#wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
+    sed -i "s|^wal_buffers = .*|wal_buffers = 16MB|" "$PGCONF"
+
+    # Spread checkpoint I/O over a longer window to reduce spikes
+    sed -i "s|^#checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
+    sed -i "s|^checkpoint_timeout = .*|checkpoint_timeout = 15min|" "$PGCONF"
+
+    # Tune for SSD storage: random reads are nearly as fast as sequential reads
+    sed -i "s|^#random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
+    sed -i "s|^random_page_cost = .*|random_page_cost = 1.1|" "$PGCONF"
+
+    # Allow the kernel to issue more concurrent I/O prefetch requests (suitable for SSDs)
+    sed -i "s|^#effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
+    sed -i "s|^effective_io_concurrency = .*|effective_io_concurrency = 200|" "$PGCONF"
+
+    # Trigger autovacuum earlier on large Nextcloud tables (e.g. oc_filecache, oc_activity)
+    # to prevent table bloat accumulating before the default 20% threshold is reached
+    sed -i "s|^#autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
+    sed -i "s|^autovacuum_vacuum_scale_factor = .*|autovacuum_vacuum_scale_factor = 0.05|" "$PGCONF"
+    sed -i "s|^#autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
+    sed -i "s|^autovacuum_analyze_scale_factor = .*|autovacuum_analyze_scale_factor = 0.02|" "$PGCONF"
 fi
 
 do_database_dump() {

Containers/redis/Dockerfile

@@ -23,4 +23,9 @@ ENTRYPOINT ["/start.sh"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Redis for Nextcloud AIO" \
+    org.opencontainers.image.description="Redis cache server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/redis/start.sh

@@ -6,12 +6,31 @@ if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
     echo "See https://github.com/nextcloud/all-in-one/discussions/1731 how to enable overcommit"
 fi
 
-# Run redis with a password if provided
-echo "Redis has started"
-if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
-else
-    exec redis-server --loglevel warning
+# Warn if Transparent Huge Pages are enabled (causes latency spikes)
+if [ -f /sys/kernel/mm/transparent_hugepage/enabled ]; then
+    if grep -q '\[always\]' /sys/kernel/mm/transparent_hugepage/enabled; then
+        echo "WARNING: Transparent Huge Pages (THP) are enabled. This can cause latency and memory issues with Redis."
+        echo "Consider disabling THP by running: echo never > /sys/kernel/mm/transparent_hugepage/enabled"
+    fi
 fi
 
-exec "$@"
+# Build the redis-server argument list.
+REDIS_ARGS=(
+    --loglevel warning
+    --save "" # Disable RDB persistence (Redis is used as a pure cache/lock store)
+    --maxmemory-policy allkeys-lru # Evict least-recently-used keys when memory is full
+    --lazyfree-lazy-eviction yes # Perform evictions in a background thread
+    --lazyfree-lazy-expire yes # Expire keys in a background thread
+    --lazyfree-lazy-server-del yes # DEL/UNLINK in background thread
+    --replica-lazy-flush yes # Flush replica dataset in background thread
+    --activedefrag yes # Reclaim fragmented memory without restart
+    --hz 15 # Run background tasks 15×/s (default 10) for faster key expiry
+)
+
+if [ -n "$REDIS_HOST_PASSWORD" ]; then
+    REDIS_ARGS+=(--requirepass "$REDIS_HOST_PASSWORD")
+fi
+
+# Run redis with a password if provided
+echo "Redis has started"
+exec redis-server "${REDIS_ARGS[@]}"

Containers/talk-recording/Dockerfile

@@ -19,6 +19,7 @@ RUN set -ex; \
         bash \
         xvfb \
         ffmpeg \
+        mesa-va-gallium \
         firefox \
         font-noto-all \
         font-noto-cjk \
@@ -62,4 +63,9 @@ CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.co
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Talk Recording for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud Talk recording service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/talk-recording/start.sh

@@ -19,6 +19,33 @@ fi
 # Delete all contents on startup to start fresh
 rm -fr /tmp/{*,.*}
 
+# Detect available hardware for transcoding and build the [ffmpeg] config section accordingly
+FFMPEG_SECTION="[ffmpeg]
+# common = ffmpeg -loglevel level+warning -n
+# outputaudio = -c:a libopus
+# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm"
+
+# Check for NVIDIA GPU hardware encoding (NVENC)
+if [ -e "/dev/nvidia0" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_nvenc"; then
+    echo "NVIDIA GPU detected, enabling h264_nvenc hardware transcoding"
+    FFMPEG_SECTION="[ffmpeg]
+outputvideo = -c:v h264_nvenc -preset p4
+outputaudio = -c:a aac
+extensionaudio = .m4a
+extensionvideo = .mp4"
+# Check for VA-API render node (Intel/AMD open source drivers)
+elif [ -r "/dev/dri/renderD128" ] && ffmpeg -hide_banner -encoders 2>/dev/null | grep -q "h264_vaapi"; then
+    echo "DRI device detected, enabling h264_vaapi hardware transcoding"
+    FFMPEG_SECTION="[ffmpeg]
+common = ffmpeg -loglevel level+warning -n -vaapi_device /dev/dri/renderD128
+outputvideo = -vf format=nv12,hwupload -c:v h264_vaapi
+outputaudio = -c:a aac
+extensionaudio = .m4a
+extensionvideo = .mp4"
+fi
+
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
@@ -50,12 +77,7 @@ signalings = signaling-1
 url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
 
-[ffmpeg]
-# common = ffmpeg -loglevel level+warning -n
-# outputaudio = -c:a libopus
-# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-extensionaudio = .ogg
-extensionvideo = .webm
+${FFMPEG_SECTION}
 
 [recording]
 browser = firefox

Containers/talk/Dockerfile

@@ -4,7 +4,7 @@ FROM eturnal/eturnal:1.12.2-alpine AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.4 AS janus
 
-ARG JANUS_VERSION=v1.4.0
+ARG JANUS_VERSION=v1.4.1
 WORKDIR /src
 RUN set -ex; \
     apk upgrade --no-cache -a; \
@@ -82,7 +82,9 @@ RUN set -ex; \
     touch \
         /etc/nats.conf \
         /etc/eturnal.yml; \
-    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
+# write_deadline: "10s" — without a write deadline, a lagging subscriber can stall the broker indefinitely, blocking all other signaling messages.
+# max_payload: 8MB — the default is 1 MB; signaling payloads in large meetings (many participants, ICE candidates) can exceed this, causing dropped messages.
+    printf 'listen: 127.0.0.1:4222\nwrite_deadline: "10s"\nmax_payload: 8MB\n' | tee /etc/nats.conf; \
     mkdir -p \
         /var/tmp \
         /conf \
@@ -109,4 +111,9 @@ CMD ["supervisord", "-c", "/supervisord.conf"]
 HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Talk for Nextcloud AIO" \
+    org.opencontainers.image.description="Nextcloud Talk with NATS, Janus, eturnal, and signaling server for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/talk/healthcheck.sh

@@ -5,3 +5,6 @@ nc -z 127.0.0.1 8188 || exit 1
 nc -z 127.0.0.1 4222 || exit 1
 nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
+# Verify that the signaling server is actually serving requests, not just
+# listening on the TCP port (which nc -z above only tests for open port).
+wget -q -O /dev/null http://127.0.0.1:8081/api/v1/stats || exit 1

Containers/talk/start.sh

@@ -91,10 +91,12 @@ if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
     TALK_MAX_SCREEN_BITRATE=2097152
 fi
 
-# Signling
+# Signaling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
+readtimeout = 15
+writetimeout = 30
 
 [app]
 debug = false
@@ -110,7 +112,9 @@ internalsecret = ${INTERNAL_SECRET}
 backends = backend-1
 allowall = false
 timeout = 10
-connectionsperhost = 8
+# connectionsperhost: This is the HTTP keep-alive connection pool size from the signaling server to the Nextcloud backend. 
+# Under load (many concurrent calls joining/leaving simultaneously) a pool of 8 creates a queue bottleneck for backend authentication and session lookups, thus increasing to 32.
+connectionsperhost = 32
 skipverify = ${SKIP_CERT_VERIFY}
 
 [backend-1]
@@ -129,4 +133,34 @@ maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
 maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 
+# Configure Janus to use the local TURN server for its own relay candidates.
+# Ephemeral TURN credentials (TURN REST API pattern):
+#   username = "<expiry_unix_timestamp>:<random_hex>"  (valid for 3 months)
+#   password  = base64(HMAC-SHA1(TURN_SECRET, username))
+# eturnal validates both the HMAC and the embedded expiry on every Allocate,
+# so a captured credential stops working after at most 3 months.
+JANUS_TURN_USER="$(( $(date +%s) + 7776000 )):$(openssl rand -hex 16)"
+JANUS_TURN_PWD="$(printf '%s' "$JANUS_TURN_USER" | openssl dgst -sha1 -hmac "$TURN_SECRET" -binary | openssl base64)"
+
+if [ -z "$TURN_DOMAIN" ]; then
+    TURN_DOMAIN="$NC_DOMAIN"
+fi
+
+# Build janus.jcfg: strip the entire nat block from the original and append a
+# clean minimal one that points at the TURN server.
+{
+    sed '/^nat:/,/^}/d' /usr/local/etc/janus/janus.jcfg
+    cat << NAT_CONF
+nat: {
+	turn_server = "$TURN_DOMAIN"
+	turn_port = $TALK_PORT
+	turn_type = "udp"
+	turn_user = "$JANUS_TURN_USER"
+	turn_pwd = "$JANUS_TURN_PWD"
+    # The ice ignore list is set by janus by default, so also do this here
+    ice_ignore_list = "vmnet"
+}
+NAT_CONF
+} > /conf/janus.jcfg
+
 exec "$@"

Containers/talk/supervisord.conf

@@ -7,19 +7,23 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 
-[program:eturnal]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=eturnalctl foreground
-
 [program:nats-server]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nats-server -c /etc/nats.conf
+# Start first: signaling depends on NATS being available
+priority=10
+
+[program:eturnal]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=eturnalctl foreground
+# Start alongside Janus; independent of signaling
+priority=20
 
 [program:janus]
 stdout_logfile=/dev/stdout
@@ -27,7 +31,9 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/conf/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+# Start alongside eturnal; signaling connects to Janus via WebSocket
+priority=20
 
 [program:signaling]
 stdout_logfile=/dev/stdout
@@ -35,3 +41,5 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=nextcloud-spreed-signaling -config /conf/signaling.conf
+# Start last: depends on NATS (priority=10) and Janus (priority=20) being up
+priority=30

Containers/watchtower/Dockerfile

@@ -25,4 +25,9 @@ USER root
 ENTRYPOINT ["/start.sh"]
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Watchtower for Nextcloud AIO" \
+    org.opencontainers.image.description="Watchtower auto-update service for Nextcloud All-in-One containers" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

Containers/whiteboard/Dockerfile

@@ -24,4 +24,9 @@ ENTRYPOINT ["/start.sh"]
 
 LABEL com.centurylinklabs.watchtower.enable="false" \
     wud.watch="false" \
-    org.label-schema.vendor="Nextcloud"
+    org.opencontainers.image.title="Whiteboard for Nextcloud AIO" \
+    org.opencontainers.image.description="Collaborative whiteboard service for Nextcloud All-in-One" \
+    org.opencontainers.image.url="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.source="https://github.com/nextcloud/all-in-one" \
+    org.opencontainers.image.vendor="Nextcloud" \
+    org.opencontainers.image.documentation="https://github.com/nextcloud/all-in-one/blob/main/readme.md"

community-containers/caddy/caddy.json

@@ -20,7 +20,8 @@
                 "NC_DOMAIN=%NC_DOMAIN%",
                 "APACHE_PORT=%APACHE_PORT%",
                 "APACHE_IP_BINDING=%APACHE_IP_BINDING%",
-                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%"
+                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%",
+                "DESEC_TOKEN=%DESEC_TOKEN%"
             ],
             "volumes": [
                 {

community-containers/dnsmasq/dnsmasq.json

@@ -0,0 +1,17 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-dnsmasq",
+            "display_name": "Dnsmasq (Local DNS)",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/dnsmasq",
+            "image": "ghcr.io/nextcloud-releases/aio-dnsmasq",
+            "image_tag": "%AIO_CHANNEL%",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "environment": [
+                "NC_DOMAIN=%NC_DOMAIN%",
+                "TZ=%TIMEZONE%"
+            ]
+        }
+    ]
+}

community-containers/dnsmasq/readme.md

@@ -0,0 +1,31 @@
+# Dnsmasq (Local DNS) community container
+
+This container runs [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) pre-configured to resolve your Nextcloud domain (`NC_DOMAIN`) to the server's local LAN IP address.
+
+## Why is this needed?
+
+By default, all devices on your LAN reach Nextcloud via the public internet (or require hairpin NAT on your router). With this container, LAN clients can resolve `NC_DOMAIN` directly to the server's private LAN IP, making local access faster and independent of your internet connection.
+
+This container is automatically enabled when you register a deSEC domain through the AIO interface.
+
+## How it works
+
+On startup the container:
+1. Detects the server's primary LAN IP address automatically.
+2. Configures dnsmasq to resolve `NC_DOMAIN` (and all its subdomains) to that IP.
+3. Forwards all other DNS queries to the upstream nameservers from the host's `/etc/resolv.conf`.
+4. Listens only on the LAN interface to avoid conflicts with any system DNS resolver (e.g. `systemd-resolved`).
+
+## Required router configuration
+
+⚠️ **You must change your router's DHCP settings** for this to take effect for LAN clients:
+
+Set the **DNS server** handed out by DHCP to the **local IP address of this server** (the same IP that is printed in the container logs on startup). After saving the change, LAN devices need to renew their DHCP lease (or be rebooted) before the new DNS setting takes effect.
+
+Most routers expose this under **DHCP settings → Primary DNS** or **LAN → DNS Server**.
+
+## Notes
+
+- The container runs in **host network mode** so it can bind directly to port 53 on the LAN interface. No additional port-forwarding is required.
+- If `systemd-resolved` (or another DNS resolver) is already listening on port 53 on the LAN IP, there will be a conflict. In that case you need to disable or reconfigure that resolver first.
+- IPv6 addresses are not handled by this container; extend the dnsmasq configuration manually if needed.

community-containers/jellyfin/jellyfin.json

@@ -34,6 +34,9 @@
             "enable_nvidia_gpu": true,
             "backup_volumes": [
                 "nextcloud_aio_jellyfin"
+            ],
+            "depends_on": [
+                "nextcloud-aio-lldap"
             ]
         }
     ]

community-containers/local-ai/readme.md

@@ -5,7 +5,6 @@ This container bundles Local AI and auto-configures it for you. It support hardw
 Documentation is available on the container repository. This documentation is regularly updated and is intended to be as simple and detailed as possible. Thanks for all your feedback!
 
 - See https://github.com/docjyJ/aio-local-ai-vulkan#getting-started for getting start with this container.
-- See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
 - Note that Nextcloud supports only one server for AI queries, so this container cannot be used at the same time as other AI containers.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 

community-containers/readme.md

@@ -4,6 +4,61 @@ This directory features containers that are built for AIO which allows to add ad
 ## Disclaimers
 All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.
 
+## Overview
+
+```mermaid
+flowchart TD
+    %% ── Styles ───────────────────────────────────────────────────────────────────
+    classDef community fill:#FDEBD0,stroke:#E67E22,color:#222
+    classDef group     fill:#FEF9E7,stroke:#F39C12,color:#333
+
+    subgraph COMM_AI["🤖 AI & Language"]
+        LAI(["🧠  Local AI\nPrivate AI assistant"]):::community
+        LT(["✏️  LanguageTool\nSpell & grammar check"]):::community
+        LTRANS(["🌐  LibreTranslate\nTranslation engine"]):::community
+        FACE(["🙂  FaceRecognition\nPhoto AI processor"]):::community
+    end
+
+    subgraph COMM_BACKUP["💾 Backup & Storage"]
+        BV(["📦  Borgbackup Viewer\nBrowse backups"]):::community
+        CALB(["📅  CalCardBackup\nCalendar/Contacts backup"]):::community
+        MINIO(["🗃️  MinIO\nS3-compatible storage"]):::community
+        SMB(["📂  SMB Server\nWindows file sharing"]):::community
+    end
+
+    subgraph COMM_EXTRA["🌟 Extra Services"]
+        HA(["🏠  Home Assistant\nHome automation"]):::community
+        STLW(["📧  Stalwart\nMail server"]):::community
+        NOCO(["🗂️  NocoDB\nNo-code database"]):::community
+        JSER(["🎯  Jellyseerr\nMedia request manager"]):::community
+        NOTIF(["📣  Notifications\nExternal push notify"]):::community
+    end
+
+    subgraph COMM_MEDIA["🎬 Media"]
+        PLEX(["🎞️  Plex\nMedia Server"]):::community
+        JELLY(["🎬  Jellyfin\nMedia Server"]):::community
+        DLNA(["📡  DLNA\nMedia Streaming"]):::community
+        MEMTR(["📸  Memories\nVideo Transcoder"]):::community
+        MKV(["💿  MakeMKV\nBlu-ray / DVD rip"]):::community
+    end
+
+    subgraph COMM_MONITOR["📊 Monitoring & Infra"]
+        GLAN(["📈  Glances\nSystem monitoring"]):::community
+        EXP(["📊  Nextcloud Exporter\nPrometheus metrics"]):::community
+        SCRU(["💽  Scrutiny\nDisk health (S.M.A.R.T.)"]):::community
+        CMGMT(["🐳  Container Mgmt\nDocker web console"]):::community
+    end
+
+    subgraph COMM_SEC["🔒 Security & Network"]
+        F2B(["🚫  Fail2ban\nBrute-force protection"]):::community
+        PIH(["🕳️  Pi-hole\nAd & DNS blocker"]):::community
+        VW(["🔐  Vaultwarden\nPassword Manager"]):::community
+        LDAP(["👥  LLDAP\nLight LDAP / Users"]):::community
+        CADDY(["🌐  Caddy\nReverse Proxy + Geoblocking"]):::community
+        NPMPLUS(["🌐  NPMplus\nNginx Proxy Manager"]):::community
+    end
+```
+
 ## How to use this?
 Starting with v11 of AIO, the management of Community Containers is done via the AIO interface (it is the last section in the AIO interface, so only visible if you scroll down). 
 ⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop! **Hint:** If the containers where running already, in order to actually start the added container, you need to click on `Stop containers` and the `Update and start containers` in order to actually start it.

compose.yaml

@@ -8,6 +8,7 @@ services:
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
       - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
+    # devices: ["/dev/dri"] # Uncomment to enable hardware acceleration. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't add this as otherwise the mastercontainer will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
     network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
     # networks: ["nextcloud-aio"]
     ports:
@@ -33,7 +34,6 @@ services:
       # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
       # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
       # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
       # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
       # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
       # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation

docker-rootless.md

@@ -1,7 +1,5 @@
 # Docker rootless
 
-**Please note:** Due to a bug in Collabora is the Collabora container currently in rootless mode not working. See https://github.com/CollaboraOnline/online/issues/2800. In that case, you need to run a separate Collabora instance on your own if you want to use this feature. The following flag will be useful https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps.
-
 You can run AIO with docker rootless by following the steps below.
 
 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)

manual-install/latest.yml

@@ -186,6 +186,7 @@ services:
       - WHITEBOARD_ENABLED
     stop_grace_period: 600s
     restart: unless-stopped
+    shm_size: 134217728
     cap_drop:
       - NET_RAW
 
@@ -258,6 +259,9 @@ services:
     restart: unless-stopped
     profiles:
       - collabora
+    shm_size: 268435456
+    tmpfs:
+      - /tmp
     cap_add:
       - SYS_ADMIN
       - SYS_CHROOT
@@ -441,6 +445,9 @@ services:
       - http.port=9200
       - xpack.license.self_generated.type=basic
       - xpack.security.enabled=false
+      - indices.fielddata.cache.size=20%
+      - indices.memory.index_buffer_size=20%
+      - thread_pool.write.queue_size=1000
       - FULLTEXTSEARCH_PASSWORD
     volumes:
       - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw

manual-install/sample.conf

@@ -34,7 +34,7 @@ NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to
 NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container
 NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
-NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
+NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.

manual-install/update-yaml.sh

@@ -101,7 +101,7 @@ sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the p
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
-sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
+sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf

php/composer.lock

@@ -2520,16 +2520,16 @@
         },
         {
             "name": "amphp/socket",
-            "version": "v2.3.1",
+            "version": "v2.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/amphp/socket.git",
-                "reference": "58e0422221825b79681b72c50c47a930be7bf1e1"
+                "reference": "dadb63c5d3179fd83803e29dfeac27350e619314"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/amphp/socket/zipball/58e0422221825b79681b72c50c47a930be7bf1e1",
-                "reference": "58e0422221825b79681b72c50c47a930be7bf1e1",
+                "url": "https://api.github.com/repos/amphp/socket/zipball/dadb63c5d3179fd83803e29dfeac27350e619314",
+                "reference": "dadb63c5d3179fd83803e29dfeac27350e619314",
                 "shasum": ""
             },
             "require": {
@@ -2538,17 +2538,17 @@
                 "amphp/dns": "^2",
                 "ext-openssl": "*",
                 "kelunik/certificate": "^1.1",
-                "league/uri": "^6.5 | ^7",
-                "league/uri-interfaces": "^2.3 | ^7",
+                "league/uri": "^7",
+                "league/uri-interfaces": "^7",
                 "php": ">=8.1",
-                "revolt/event-loop": "^1 || ^0.2"
+                "revolt/event-loop": "^1"
             },
             "require-dev": {
                 "amphp/php-cs-fixer-config": "^2",
                 "amphp/phpunit-util": "^3",
                 "amphp/process": "^2",
                 "phpunit/phpunit": "^9",
-                "psalm/phar": "5.20"
+                "psalm/phar": "6.16.1"
             },
             "type": "library",
             "autoload": {
@@ -2592,7 +2592,7 @@
             ],
             "support": {
                 "issues": "https://github.com/amphp/socket/issues",
-                "source": "https://github.com/amphp/socket/tree/v2.3.1"
+                "source": "https://github.com/amphp/socket/tree/v2.4.0"
             },
             "funding": [
                 {
@@ -2600,7 +2600,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2024-04-21T14:33:03+00:00"
+            "time": "2026-04-19T15:09:56+00:00"
         },
         {
             "name": "amphp/sync",

php/containers.json

@@ -267,6 +267,7 @@
       ],
       "stop_grace_period": 600,
       "restart": "unless-stopped",
+      "shm_size": 134217728,
       "devices": [
         "/dev/dri"
       ],
@@ -394,6 +395,10 @@
       "profiles": [
         "collabora"
       ],
+      "shm_size": 268435456,
+      "tmpfs": [
+        "/tmp"
+      ],
       "cap_add": [
         "SYS_ADMIN",
         "SYS_CHROOT",
@@ -809,6 +814,9 @@
         "http.port=9200",
         "xpack.license.self_generated.type=basic",
         "xpack.security.enabled=false",
+        "indices.fielddata.cache.size=20%",
+        "indices.memory.index_buffer_size=20%",
+        "thread_pool.write.queue_size=1000",
         "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%"
       ],
       "volumes": [

php/public/click-handlers.js

@@ -9,8 +9,8 @@ document.addEventListener("DOMContentLoaded", () => {
 
 
     document.querySelectorAll('input[data-input-show-password]').forEach((element) => {
-        element.addEventListener('input', (element) => {
-            let passwordField = element
+        element.addEventListener('input', (event) => {
+            let passwordField = event.target;
             if (passwordField.type === "password" && passwordField.value !== "") {
                 passwordField.type = "text";
             } else if (passwordField.type === "text" && passwordField.value === "") {

php/public/disable-clamav.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Clamav
-    let clamav = document.getElementById("clamav");
-    clamav.disabled = true;
-});

php/public/disable-collabora.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Collabora
-    const collabora = document.getElementById("office-collabora");
-    collabora.disabled = true;
-});

php/public/disable-containers.js

@@ -0,0 +1,44 @@
+document.addEventListener("DOMContentLoaded", function(event) {
+    // Clamav
+    let clamav = document.getElementById("clamav");
+    clamav.disabled = true;
+
+    // Docker socket proxy
+    let dockerSocketProxy = document.getElementById("docker-socket-proxy");
+    if (dockerSocketProxy) {
+        dockerSocketProxy.disabled = true;
+    }
+
+    // HaRP
+    let harp = document.getElementById("harp");
+    if (harp) {
+        harp.disabled = true;
+    }
+
+    // Talk
+    let talk = document.getElementById("talk");
+    talk.disabled = true;
+
+    // Collabora
+    const collabora = document.getElementById("office-collabora");
+    collabora.disabled = true;
+
+    // OnlyOffice
+    const onlyoffice = document.getElementById("office-onlyoffice");
+    onlyoffice.disabled = true;
+
+    // Imaginary
+    let imaginary = document.getElementById("imaginary");
+    imaginary.disabled = true;
+
+    // Fulltextsearch
+    let fulltextsearch = document.getElementById("fulltextsearch");
+    fulltextsearch.disabled = true;
+
+    // Talk-recording
+    document.getElementById("talk-recording").disabled = true;
+
+    // Whiteboard
+    let whiteboard = document.getElementById("whiteboard");
+    whiteboard.disabled = true;
+});

php/public/disable-docker-socket-proxy.js

@@ -1,7 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Docker socket proxy
-    let dockerSocketProxy = document.getElementById("docker-socket-proxy");
-    if (dockerSocketProxy) {
-        dockerSocketProxy.disabled = true;
-    }
-});

php/public/disable-fulltextsearch.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Fulltextsearch
-    let fulltextsearch = document.getElementById("fulltextsearch");
-    fulltextsearch.disabled = true;
-}); 

php/public/disable-harp.js

@@ -1,7 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // HaRP
-    let harp = document.getElementById("harp");
-    if (harp) {
-        harp.disabled = true;
-    }
-});

php/public/disable-imaginary.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Imaginary
-    let imaginary = document.getElementById("imaginary");
-    imaginary.disabled = true;
-});

php/public/disable-onlyoffice.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // OnlyOffice
-    const onlyoffice = document.getElementById("office-onlyoffice");
-    onlyoffice.disabled = true;
-});

php/public/disable-talk-recording.js

@@ -1,4 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Talk-recording
-    document.getElementById("talk-recording").disabled = true;
-});

php/public/disable-talk.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Talk
-    let talk = document.getElementById("talk");
-    talk.disabled = true;
-});

php/public/disable-whiteboard.js

@@ -1,5 +0,0 @@
-document.addEventListener("DOMContentLoaded", function(event) {
-    // Whiteboard
-    let whiteboard = document.getElementById("whiteboard");
-    whiteboard.disabled = true;
-});

php/public/index.php

@@ -10,6 +10,9 @@ ini_set('max_execution_time', '7200');
 // Log whole log messages
 ini_set('log_errors_max_len', '0');
 
+// Path for the Twig compiled-template cache (created at container startup by start.sh)
+const TWIG_CACHE_PATH = '/tmp/twig-cache';
+
 use DI\Container;
 use DI\NotFoundException;
 use Slim\Csrf\Guard;
@@ -37,22 +40,52 @@ $container->set(Guard::class, function () use ($responseFactory) {
 });
 
 // Register Middleware To Be Executed On All Routes
+
+// Migrate from the old PHPSESSID cookie to the new __Host-Http-PHPSESSID cookie.
+// This is needed because the session cookie was renamed in a previous release. Without this,
+// users that were logged in before the update would be logged out after the container restarts.
+$wasAuthenticated = false;
+$oldSessionTimestamp = null;
+if (!isset($_COOKIE['__Host-Http-PHPSESSID']) && isset($_COOKIE['PHPSESSID'])) {
+    session_name('PHPSESSID');
+    if (session_start(['save_path' => $dataConst->GetSessionDirectory(), 'use_strict_mode' => true])) {
+        $wasAuthenticated = isset($_SESSION[\AIO\Auth\AuthManager::SESSION_KEY]) && $_SESSION[\AIO\Auth\AuthManager::SESSION_KEY] === true;
+        $oldSessionTimestamp = isset($_SESSION['date_time']) ? (int)$_SESSION['date_time'] : null;
+        // Do not destroy the old session: if the response carrying the new __Host-Http-PHPSESSID
+        // cookie is lost (e.g., due to a 502 during a mastercontainer update), the client can
+        // retry with the old PHPSESSID cookie and still be authenticated.
+        session_write_close();
+    }
+}
+
 session_start([
     "name" => "__Host-Http-PHPSESSID", // Set cookie prefix to prevent other pages from overwriting this cookie. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#cookie_prefixes
     "save_path" => $dataConst->GetSessionDirectory(), // Where to save the session files
     "cookie_lifetime" => 0, // Delete the session cookie whenever the browser is closed. See https://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
     "gc_maxlifetime" => 86400, // Delete sessions after 24 hours. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
-    "gc_probability" => 1, // Probability that the session cleanup starts. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
-    "gc_divisor" => 1, // gc_probability/gc_divisor = 1/1 = 100%, meaning that *all* outdated sessions get deleted when the cleanup job runs. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
+    "gc_probability" => 0, // Probability that the session cleanup starts. The sessions are cleaned up by a cron job instead, see /cron.sh. See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-probability
+    "gc_divisor" => 100, // gc_probability/gc_divisor = 0/100 = 0%, meaning that PHP will never run session GC itself (cron.sh handles cleanup instead). See https://www.php.net/manual/en/session.configuration.php#ini.session.gc-divisor
     "use_strict_mode" => true, // Only allow initialized session IDs. See https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
     "cookie_secure" => true, // Only send cookies over https (not http). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure
     "cookie_httponly" => true, // Block the cookie from being read with js in the browser, will still be send for fetch request triggered by js. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#httponly
     "cookie_samesite" => "Strict", // Only send the cookie with requests triggered by AIO itself. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
 ]);
+
+if ($wasAuthenticated) {
+    if ($oldSessionTimestamp !== null) {
+        // Use MigrateAuthState to preserve the original login timestamp. This prevents the
+        // session deduplicator from running and keeps the old PHPSESSID session file alive,
+        // so the client can retry with the old cookie if the 502 response causes the new
+        // __Host-Http-PHPSESSID cookie to not be received.
+        $container->get(\AIO\Auth\AuthManager::class)->MigrateAuthState($oldSessionTimestamp);
+    } else {
+        $container->get(\AIO\Auth\AuthManager::class)->SetAuthState(true);
+    }
+}
 $app->add(Guard::class);
 
 // Create Twig
-$twig = Twig::create(__DIR__ . '/../templates/', ['cache' => false]);
+$twig = Twig::create(__DIR__ . '/../templates/', ['cache' => TWIG_CACHE_PATH]);
 $app->add(TwigMiddleware::create($app, $twig));
 $twig->addExtension(new \AIO\Twig\CsrfExtension($container->get(Guard::class)));
 
@@ -70,11 +103,13 @@ $app->post('/api/docker/backup-check-repair', AIO\Controller\DockerController::c
 $app->post('/api/docker/backup-test', AIO\Controller\DockerController::class . ':StartBackupContainerTest');
 $app->post('/api/docker/restore', AIO\Controller\DockerController::class . ':StartBackupContainerRestore');
 $app->post('/api/docker/stop', AIO\Controller\DockerController::class . ':StopContainer');
+$app->post('/api/docker/prune', AIO\Controller\DockerController::class . ':SystemPrune');
 $app->get('/api/docker/logs', AIO\Controller\DockerController::class . ':GetLogs');
 $app->post('/api/auth/login', AIO\Controller\LoginController::class . ':TryLogin');
 $app->get('/api/auth/getlogin', AIO\Controller\LoginController::class . ':GetTryLogin');
 $app->post('/api/auth/logout', AIO\Controller\LoginController::class . ':Logout');
 $app->post('/api/configuration', \AIO\Controller\ConfigurationController::class . ':SetConfig');
+$app->post('/api/desec/register', \AIO\Controller\DesecController::class . ':Register');
 
 // Views
 $app->get('/containers', function (Request $request, Response $response, array $args) use ($container) {
@@ -146,6 +181,10 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'community_containers' => $configurationManager->listAvailableCommunityContainers(),
         'community_containers_enabled' => $configurationManager->aioCommunityContainers,
         'bypass_container_update' => $bypass_container_update,
+        'desec_email' => $configurationManager->desecEmail,
+        'desec_password' => $configurationManager->getDesecPassword(),
+        'is_desec_domain' => $configurationManager->isDesecDomain(),
+        'desec_account_registered' => $configurationManager->isDesecAccountRegistered(),
     ]);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {

php/src/Auth/AuthManager.php

@@ -8,7 +8,7 @@ use AIO\Data\DataConst;
 use \DateTime;
 
 readonly class AuthManager {
-    private const string SESSION_KEY = 'aio_authenticated';
+    public const string SESSION_KEY = 'aio_authenticated';
 
     public function __construct(
         private ConfigurationManager $configurationManager
@@ -42,6 +42,18 @@ readonly class AuthManager {
         $_SESSION[self::SESSION_KEY] = $isLoggedIn;
     }
 
+    /**
+     * Migrates the authenticated state from an old session (different cookie name) to the new session.
+     * Unlike SetAuthState, this method preserves the original login timestamp and does not update
+     * the session_date_file, so the session deduplicator is not triggered. This keeps the old session
+     * file alive in case the response carrying the new cookie is lost (e.g., due to a 502 error during
+     * a mastercontainer update), allowing the client to retry with the old cookie.
+     */
+    public function MigrateAuthState(int $oldTimestamp) : void {
+        $_SESSION[self::SESSION_KEY] = true;
+        $_SESSION['date_time'] = $oldTimestamp;
+    }
+
     public function IsAuthenticated() : bool {
         return isset($_SESSION[self::SESSION_KEY]) && $_SESSION[self::SESSION_KEY] === true;
     }

php/src/ContainerDefinitionFetcher.php

@@ -39,7 +39,17 @@ readonly class ContainerDefinitionFetcher {
      */
     private function GetDefinition(): array
     {
-        $data = json_decode((string)file_get_contents(DataConst::GetContainersDefinitionPath()), true, 512, JSON_THROW_ON_ERROR);
+        $containersDefinitionPath = DataConst::GetContainersDefinitionPath();
+        $cacheKey = 'containers-json-' . $containersDefinitionPath;
+        $cachedJson = apcu_fetch($cacheKey);
+        if (!is_string($cachedJson)) {
+            $cachedJson = (string)file_get_contents($containersDefinitionPath);
+            apcu_add($cacheKey, $cachedJson);
+        }
+        $data = json_decode($cachedJson, true, 512, JSON_THROW_ON_ERROR);
+
+        // We store this information for later because we need to use it to distinct between community containers and default containers.
+        $standardContainerNames = array_column($data['aio_services_v1'], 'container_name');
 
         $additionalContainerNames = [];
         foreach ($this->configurationManager->aioCommunityContainers as $communityContainer) {
@@ -212,6 +222,15 @@ readonly class ContainerDefinitionFetcher {
                         if (!$this->configurationManager->isWhiteboardEnabled) {
                             continue;
                         }
+                    } else {
+                        // Skip dependencies on community containers that are not currently enabled.
+                        // Only apply this when the current entry is itself a community container,
+                        // and the dependency is not an enabled community container or a standard built-in container.
+                        if (in_array($entry['container_name'], $additionalContainerNames, true)
+                            && !in_array($value, $additionalContainerNames, true)
+                            && !in_array($value, $standardContainerNames, true)) {
+                            continue;
+                        }
                     }
                     $dependsOn[] = $value;
                 }

php/src/Controller/DesecController.php

@@ -0,0 +1,273 @@
+<?php
+declare(strict_types=1);
+
+namespace AIO\Controller;
+
+use AIO\Data\ConfigurationManager;
+use AIO\Data\InvalidSettingConfigurationException;
+use GuzzleHttp\Client;
+use GuzzleHttp\Exception\TransferException;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+readonly class DesecController {
+    private const string DESEC_API_BASE = 'https://desec.io/api/v1';
+    private const string DEDYN_SUFFIX = '.dedyn.io';
+    private const int MAX_SLUG_ATTEMPTS = 5;
+    private const int SLUG_BYTES = 5; // 10-char hex slug
+    private const string SLUG_PATTERN = '/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/';
+
+    private Client $guzzleClient;
+
+    public function __construct(
+        private ConfigurationManager $configurationManager,
+    ) {
+        $this->guzzleClient = new Client([
+            'timeout' => 15,
+            'connect_timeout' => 10,
+            'http_errors' => false,
+        ]);
+    }
+
+    public function Register(Request $request, Response $response, array $args): Response {
+        // Only allow registration when no domain is configured yet
+        if ($this->configurationManager->domain !== '') {
+            $response->getBody()->write('A domain is already configured. Reset the AIO instance first to register a new domain.');
+            return $response->withStatus(422);
+        }
+
+        // When a deSEC account was already registered (token exists) but domain creation previously
+        // failed, we skip account registration and re-use the stored token and email.
+        $accountAlreadyRegistered = $this->configurationManager->isDesecAccountRegistered();
+
+        if ($accountAlreadyRegistered) {
+            $token = $this->configurationManager->getDesecToken();
+            // email is already stored; no need to validate or update it
+        } else {
+            $email = trim((string)($request->getParsedBody()['desec_email'] ?? ''));
+            if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
+                $response->getBody()->write('Please provide a valid email address.');
+                return $response->withStatus(422);
+            }
+        }
+
+        $slug = trim((string)($request->getParsedBody()['desec_slug'] ?? ''));
+        if ($slug !== '' && !preg_match(self::SLUG_PATTERN, $slug)) {
+            $response->getBody()->write(
+                'The desired subdomain must contain only lowercase letters, digits and hyphens, '
+                . 'be between 1 and 63 characters long, and must not start or end with a hyphen.'
+            );
+            return $response->withStatus(422);
+        }
+
+        try {
+            if (!$accountAlreadyRegistered) {
+                // Register an account at deSEC and obtain an API token.
+                // The password is stored so the user can log in to desec.io directly if needed.
+                // 24 random bytes encoded as hex produce a 48-character password.
+                $password = bin2hex(random_bytes(24));
+                $token = $this->registerDesecAccount($email, $password);
+
+                // Persist the token, password and email immediately so that a subsequent
+                // domain-registration failure leaves the account credentials stored and allows
+                // the user to retry.
+                $this->configurationManager->startTransaction();
+                $this->configurationManager->setDesecToken($token);
+                $this->configurationManager->setDesecPassword($password);
+                $this->configurationManager->desecEmail = $email;
+                $this->configurationManager->commitTransaction();
+            }
+
+            // Register a free dedyn.io subdomain
+            $domain = $this->registerDesecDomain($token, $slug);
+
+            // Auto-enable caddy and dnsmasq (idempotent — safe to call even on retry)
+            $this->configurationManager->startTransaction();
+            $enabled = array_values(array_filter(
+                $this->configurationManager->aioCommunityContainers,
+                fn(string $cc): bool => $cc !== '',
+            ));
+            if (!in_array('caddy', $enabled, true)) {
+                $enabled[] = 'caddy';
+            }
+            if (!in_array('dnsmasq', $enabled, true)) {
+                $enabled[] = 'dnsmasq';
+            }
+            $this->configurationManager->aioCommunityContainers = $enabled;
+            $this->configurationManager->commitTransaction();
+
+            // Set the domain; skip the reachability validation because the domain was just
+            // created and DNS propagation may not have completed yet.
+            $this->configurationManager->setDomain($domain, true);
+
+            // Perform the first DNS IP update so the record is populated immediately
+            $this->updateIpIfDesecDomain();
+
+            return $response->withStatus(201)->withHeader('Location', '.');
+        } catch (InvalidSettingConfigurationException $ex) {
+            $response->getBody()->write($ex->getMessage());
+            return $response->withStatus(422);
+        } catch (\Exception $ex) {
+            $response->getBody()->write($ex->getMessage());
+            return $response->withStatus(422);
+        }
+    }
+
+    /**
+     * Updates the deSEC DNS A/AAAA record with the current public IP of this host.
+     * Uses deSEC's DynDNS2-compatible update endpoint, which auto-detects the requester's IP.
+     * Safe to call frequently; the endpoint returns "nochg" when the IP has not changed.
+     * Errors are logged but never thrown, so callers are not interrupted.
+     */
+    public function updateIpIfDesecDomain(): void {
+        if (!$this->configurationManager->isDesecDomain()) {
+            return;
+        }
+
+        $domain = $this->configurationManager->domain;
+        $token  = $this->configurationManager->getDesecToken();
+
+        try {
+            $res    = $this->guzzleClient->get('https://update.dedyn.io/', [
+                'query'   => ['hostname' => $domain],
+                'headers' => ['Authorization' => 'Token ' . $token],
+            ]);
+            $status = trim($res->getBody()->getContents());
+            if (str_starts_with($status, 'good') || str_starts_with($status, 'nochg')) {
+                error_log('deSEC IP update for ' . $domain . ': ' . $status);
+            } else {
+                error_log('deSEC IP update for ' . $domain . ' returned unexpected response: ' . $status);
+            }
+        } catch (\Exception $e) {
+            error_log('Could not update deSEC DNS record for ' . $domain . ': ' . $e->getMessage());
+        }
+    }
+
+    /**
+     * Creates a new deSEC account and returns the API token from the response.
+     *
+     * @throws \Exception on network failure or an unexpected API response
+     */
+    private function registerDesecAccount(string $email, string $password): string {
+        try {
+            $res = $this->guzzleClient->post(self::DESEC_API_BASE . '/auth/', [
+                'json' => ['email' => $email, 'password' => $password],
+            ]);
+        } catch (TransferException $e) {
+            throw new \Exception('Could not reach the deSEC API: ' . $e->getMessage());
+        }
+
+        $httpCode = $res->getStatusCode();
+        $body = $res->getBody()->getContents();
+
+        if ($httpCode === 400) {
+            $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
+            if (is_array($data) && isset($data['email'])) {
+                throw new \Exception(
+                    'This email address is already registered at deSEC. '
+                    . 'Please log in at https://desec.io to retrieve your token and set up your domain manually.',
+                );
+            }
+            throw new \Exception('Registration at deSEC failed (HTTP 400): ' . $body);
+        }
+
+        if ($httpCode !== 201) {
+            throw new \Exception(
+                'Unexpected response from deSEC during account registration '
+                . '(HTTP ' . $httpCode . '): ' . $body,
+            );
+        }
+
+        $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
+        if (!is_array($data) || !isset($data['token']['token']) || !is_string($data['token']['token'])) {
+            throw new \Exception(
+                'Could not extract the API token from the deSEC response. Please try again.',
+            );
+        }
+
+        return $data['token']['token'];
+    }
+
+    /**
+     * Registers a new dedyn.io subdomain and returns its full name.
+     *
+     * When $requestedSlug is non-empty the caller's preferred slug is tried once; a 409
+     * conflict returns an actionable error immediately (no silent retry).
+     * When $requestedSlug is empty a random 10-char hex slug is generated and retried up
+     * to MAX_SLUG_ATTEMPTS times on 409 conflicts.
+     *
+     * @throws \Exception when all attempts fail or a network/API error occurs
+     */
+    private function registerDesecDomain(string $token, string $requestedSlug = ''): string {
+        if ($requestedSlug !== '') {
+            // User chose a specific slug — try it exactly once.
+            $domain = $requestedSlug . self::DEDYN_SUFFIX;
+            try {
+                $res = $this->guzzleClient->post(self::DESEC_API_BASE . '/domains/', [
+                    'headers' => ['Authorization' => 'Token ' . $token],
+                    'json' => ['name' => $domain],
+                ]);
+            } catch (TransferException $e) {
+                throw new \Exception('Could not reach the deSEC API: ' . $e->getMessage());
+            }
+
+            $httpCode = $res->getStatusCode();
+
+            if ($httpCode === 201) {
+                return $domain;
+            }
+
+            if ($httpCode === 409) {
+                throw new \Exception(
+                    '"' . $domain . '" is already taken. Please choose a different subdomain and try again.',
+                );
+            }
+
+            $body = $res->getBody()->getContents();
+            throw new \Exception(
+                'Unexpected response from deSEC during domain registration '
+                . '(HTTP ' . $httpCode . '): ' . $body,
+            );
+        }
+
+        // No slug provided — generate random slugs and retry on conflicts.
+        $lastError = '';
+
+        for ($attempt = 0; $attempt < self::MAX_SLUG_ATTEMPTS; $attempt++) {
+            $slug = bin2hex(random_bytes(self::SLUG_BYTES));
+            $domain = $slug . self::DEDYN_SUFFIX;
+
+            try {
+                $res = $this->guzzleClient->post(self::DESEC_API_BASE . '/domains/', [
+                    'headers' => ['Authorization' => 'Token ' . $token],
+                    'json' => ['name' => $domain],
+                ]);
+            } catch (TransferException $e) {
+                throw new \Exception('Could not reach the deSEC API: ' . $e->getMessage());
+            }
+
+            $httpCode = $res->getStatusCode();
+
+            if ($httpCode === 201) {
+                return $domain;
+            }
+
+            if ($httpCode === 409) {
+                // Slug already taken — try another one
+                $lastError = '"' . $domain . '" is already taken';
+                continue;
+            }
+
+            $body = $res->getBody()->getContents();
+            throw new \Exception(
+                'Unexpected response from deSEC during domain registration '
+                . '(HTTP ' . $httpCode . '): ' . $body,
+            );
+        }
+
+        throw new \Exception(
+            'Could not register a free dedyn.io domain after ' . self::MAX_SLUG_ATTEMPTS . ' attempts'
+            . ($lastError !== '' ? ' (' . $lastError . ')' : '') . '. Please try again.',
+        );
+    }
+}

php/src/Controller/DockerController.php

@@ -18,7 +18,8 @@ readonly class DockerController {
     public function __construct(
         private DockerActionManager           $dockerActionManager,
         private ContainerDefinitionFetcher    $containerDefinitionFetcher,
-        private ConfigurationManager $configurationManager
+        private ConfigurationManager $configurationManager,
+        private DesecController $desecController,
     ) {
     }
 
@@ -263,6 +264,9 @@ readonly class DockerController {
         // Stop domaincheck since apache would not be able to start otherwise
         $this->StopDomaincheckContainer();
 
+        // Refresh the deSEC DNS record with the current public IP before starting containers
+        $this->desecController->updateIpIfDesecDomain();
+
         $id = self::TOP_CONTAINER;
 
         $this->PerformRecursiveContainerStart($id, $pullImage, $addToStreamingResponseBody);
@@ -328,6 +332,22 @@ readonly class DockerController {
         return $nonbufResp;
     }
 
+    public function SystemPrune(Request $request, Response $response, array $args) : Response {
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+
+        $body = $nonbufResp->getBody();
+        $addToStreamingResponseBody = function (string $message) use ($body) : void {
+            $body->write("<div>$message</div>");
+        };
+
+        $this->dockerActionManager->SystemPrune($addToStreamingResponseBody);
+
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
+    }
+
     public function stopTopContainer() : void {
         $id = self::TOP_CONTAINER;
         $this->PerformRecursiveContainerStop($id);

php/src/Cron/UpdateDesecIp.php

@@ -0,0 +1,17 @@
+<?php
+declare(strict_types=1);
+
+// increase memory limit to 2GB
+ini_set('memory_limit', '2048M');
+
+// Log whole log messages
+ini_set('log_errors_max_len', '0');
+
+require __DIR__ . '/../../vendor/autoload.php';
+
+$container = \AIO\DependencyInjection::GetContainer();
+
+/** @var \AIO\Controller\DesecController $desecController */
+$desecController = $container->get(\AIO\Controller\DesecController::class);
+
+$desecController->updateIpIfDesecDomain();

php/src/Data/ConfigurationManager.php

@@ -14,6 +14,10 @@ class ConfigurationManager
 
     private bool $noWrite = false;
 
+    private string $dailyBackupFileCache = '';
+
+    private int $dailyBackupFileMtime = 0;
+
     public string $aioToken {
         get => $this->get('AIO_TOKEN', '');
         set { $this->set('AIO_TOKEN', $value); }
@@ -194,6 +198,61 @@ class ConfigurationManager
         set { $this->set('turn_domain', $value); }
     }
 
+    public string $desecEmail {
+        get => $this->get('desec_email', '');
+        set { $this->set('desec_email', $value); }
+    }
+
+    /**
+     * Stores a deSEC API token in the secrets store.
+     * Unlike randomly-generated secrets, this token is obtained from the deSEC REST API and
+     * must be set explicitly; it is never auto-generated.
+     */
+    public function setDesecToken(string $token): void {
+        $secrets = $this->get('secrets', []);
+        $secrets['DESEC_TOKEN'] = $token;
+        $this->set('secrets', $secrets);
+    }
+
+    public function getDesecToken(): string {
+        $secrets = $this->get('secrets', []);
+        return isset($secrets['DESEC_TOKEN']) && is_string($secrets['DESEC_TOKEN'])
+            ? $secrets['DESEC_TOKEN']
+            : '';
+    }
+
+    /**
+     * Stores the deSEC account password in the secrets store so the user can log in at desec.io.
+     */
+    public function setDesecPassword(string $password): void {
+        $secrets = $this->get('secrets', []);
+        $secrets['DESEC_PASSWORD'] = $password;
+        $this->set('secrets', $secrets);
+    }
+
+    public function getDesecPassword(): string {
+        $secrets = $this->get('secrets', []);
+        return isset($secrets['DESEC_PASSWORD']) && is_string($secrets['DESEC_PASSWORD'])
+            ? $secrets['DESEC_PASSWORD']
+            : '';
+    }
+
+    /**
+     * Returns true when the configured domain is a deSEC dedyn.io subdomain and a token is stored.
+     */
+    public function isDesecDomain(): bool {
+        return str_ends_with($this->domain, '.dedyn.io') && $this->getDesecToken() !== '';
+    }
+
+    /**
+     * Returns true when a deSEC account token is stored but no domain has been configured yet.
+     * This happens when account registration succeeded but domain registration subsequently failed.
+     * In this state the user can retry domain registration with a different slug.
+     */
+    public function isDesecAccountRegistered(): bool {
+        return $this->getDesecToken() !== '' && $this->desecEmail !== '' && $this->domain === '';
+    }
+
     public string $apachePort {
         get => $this->getEnvironmentalVariableOrConfig('APACHE_PORT', 'apache_port', '443');
         set { $this->set('apache_port', $value); }
@@ -279,6 +338,10 @@ class ConfigurationManager
         set { $this->set('nextcloud_enable_dri_device', $value); }
     }
 
+    public string $driDeviceGid {
+        get => getenv('NEXTCLOUD_DRI_GID') ?: '';
+    }
+
     public bool $enableNvidiaGpu {
         get => $this->booleanize($this->getEnvironmentalVariableOrConfig('NEXTCLOUD_ENABLE_NVIDIA_GPU', 'enable_nvidia_gpu', ''));
         set { $this->set('enable_nvidia_gpu', $value); }
@@ -294,6 +357,9 @@ class ConfigurationManager
         if ($this->config === [] && file_exists(DataConst::GetConfigFile()))
         {
             $configContent = (string)file_get_contents(DataConst::GetConfigFile());
+            if ($configContent === '') {
+                throw new \RuntimeException("The config file " . DataConst::GetConfigFile() . " is empty. It may have been truncated due to low disk space. Please restore it from a backup.");
+            }
             $this->config = json_decode($configContent, true, 512, JSON_THROW_ON_ERROR);
         }
 
@@ -352,7 +418,7 @@ class ConfigurationManager
     }
 
     public function getRegisteredSecret(string $secretId) : string {
-        if ($this->secrets[$secretId]) {
+        if (isset($this->secrets[$secretId])) {
             return $this->getAndGenerateSecret($secretId);
         }
         throw new \Exception("The secret " . $secretId . " was not registered. Please check if it is defined in secrets of containers.json.");
@@ -552,7 +618,6 @@ class ConfigurationManager
         $this->set('domain', $domain);
         // Reset the borg restore password when setting the domain
         $this->borgRestorePassword = '';
-        $this->startTransaction();
         $this->commitTransaction();
     }
 
@@ -694,7 +759,21 @@ class ConfigurationManager
         if ($df !== false && (int)$df < $size) {
             throw new InvalidSettingConfigurationException(DataConst::GetDataDirectory() . " does not have enough space for writing the config file! Not writing it back!");
         }
-        file_put_contents(DataConst::GetConfigFile(), $content);
+        // Write to a temp file first to avoid truncating the config file if the
+        // disk fills up mid-write. rename() is atomic on POSIX filesystems, so the
+        // original config is never touched until the new content is fully on disk.
+        $tempFile = DataConst::GetConfigFile() . '.tmp';
+        if (file_put_contents($tempFile, $content) === false) {
+            // The file probably wasn't created, but better check nonetheless.
+            if (file_exists($tempFile)) {
+                unlink($tempFile);
+            }
+            throw new InvalidSettingConfigurationException("Failed to write temporary config file: " . $tempFile);
+        }
+        if (!rename($tempFile, DataConst::GetConfigFile())) {
+            unlink($tempFile);
+            throw new InvalidSettingConfigurationException("Failed to rename " . $tempFile . " to " . DataConst::GetConfigFile());
+        }
         $this->config = [];
     }
 
@@ -756,23 +835,47 @@ class ConfigurationManager
             $time .= PHP_EOL;
         }
         file_put_contents(DataConst::GetDailyBackupTimeFile(), $time);
+        $this->dailyBackupFileCache = '';
+        $this->dailyBackupFileMtime = 0;
+    }
+
+    private function getDailyBackupFileContent() : string {
+        $file = DataConst::GetDailyBackupTimeFile();
+        if (!file_exists($file)) {
+            $this->dailyBackupFileCache = '';
+            $this->dailyBackupFileMtime = 0;
+            return '';
+        }
+        $mtime = filemtime($file);
+        if ($mtime !== false && $this->dailyBackupFileMtime === $mtime && $this->dailyBackupFileCache !== '') {
+            return $this->dailyBackupFileCache;
+        }
+        $content = file_get_contents($file);
+        if ($content === false || $content === '') {
+            return '';
+        }
+        if ($mtime !== false) {
+            $this->dailyBackupFileCache = $content;
+            $this->dailyBackupFileMtime = $mtime;
+        }
+        return $content;
     }
 
     public function getDailyBackupTime() : string {
-        if (!file_exists(DataConst::GetDailyBackupTimeFile())) {
+        $content = $this->getDailyBackupFileContent();
+        if ($content === '') {
             return '';
         }
-        $dailyBackupFile = (string)file_get_contents(DataConst::GetDailyBackupTimeFile());
-        $dailyBackupFileArray = explode("\n", $dailyBackupFile);
+        $dailyBackupFileArray = explode("\n", $content);
         return $dailyBackupFileArray[0];
     }
 
     public function areAutomaticUpdatesEnabled() : bool {
-        if (!file_exists(DataConst::GetDailyBackupTimeFile())) {
+        $content = $this->getDailyBackupFileContent();
+        if ($content === '') {
             return false;
         }
-        $dailyBackupFile = (string)file_get_contents(DataConst::GetDailyBackupTimeFile());
-        $dailyBackupFileArray = explode("\n", $dailyBackupFile);
+        $dailyBackupFileArray = explode("\n", $content);
         if (isset($dailyBackupFileArray[1]) && $dailyBackupFileArray[1] === 'automaticUpdatesAreNotEnabled') {
             return false;
         } else {
@@ -784,11 +887,10 @@ class ConfigurationManager
         if (file_exists(DataConst::GetDailyBackupTimeFile())) {
             unlink(DataConst::GetDailyBackupTimeFile());
         }
+        $this->dailyBackupFileCache = '';
+        $this->dailyBackupFileMtime = 0;
     }
 
-    /**
-     * @throws InvalidSettingConfigurationException
-     */
     public function setAdditionalBackupDirectories(string $additionalBackupDirectories) : void {
         $additionalBackupDirectoriesArray = explode("\n", $additionalBackupDirectories);
         $validDirectories = '';
@@ -1062,6 +1164,7 @@ class ConfigurationManager
             'CADDY_IP_ADDRESS' => in_array('caddy', $this->aioCommunityContainers, true) ? gethostbyname('nextcloud-aio-caddy') : '',
             'WHITEBOARD_ENABLED' => $this->isWhiteboardEnabled ? 'yes' : '',
             'AIO_VERSION' => $this->getAioVersion(),
+            'DESEC_TOKEN' => $this->getDesecToken(),
             default => $this->getRegisteredSecret($placeholder),
         };
     }

php/src/Docker/DockerActionManager.php

@@ -157,11 +157,12 @@ readonly class DockerActionManager {
         $response = "";
         $separator = "\r\n";
         $line = strtok($responseBody, $separator);
-        $response = substr((string)$line, 8) . $separator;
+        if ($line !== false) {
+            $response = substr($line, 8) . $separator;
+        }
 
-        while ($line !== false) {
-            $line = strtok($separator);
-            $response .= substr((string)$line, 8) . $separator;
+        while (($line = strtok($separator)) !== false) {
+            $response .= substr($line, 8) . $separator;
         }
 
         return $response;
@@ -187,7 +188,7 @@ readonly class DockerActionManager {
             ];
 
             if ($volume->name === 'nextcloud_aio_nextcloud_datadir' || $volume->name === 'nextcloud_aio_backupdir') {
-                return;
+                continue;
             }
 
             $firstChar = substr($volume->name, 0, 1);
@@ -311,17 +312,31 @@ readonly class DockerActionManager {
         }
 
         $devices = [];
+        $groupAdd = [];
         foreach ($container->devices as $device) {
             if ($device === '/dev/dri' && !$this->configurationManager->nextcloudEnableDriDevice) {
                 continue;
             }
             $devices[] = ["PathOnHost" => $device, "PathInContainer" => $device, "CgroupPermissions" => "rwm"];
+            if ($device === '/dev/dri') {
+                // Add the render device's group as a supplemental group so that non-root
+                // containers (e.g. nextcloud-aio-talk-recording) can access the device.
+                // The GID is detected during mastercontainer startup when /dev/dri is bind-mounted.
+                $gid = $this->configurationManager->driDeviceGid;
+                if ($gid !== '' && !in_array($gid, $groupAdd, true)) {
+                    $groupAdd[] = $gid;
+                }
+            }
         }
 
         if (count($devices) > 0) {
             $requestBody['HostConfig']['Devices'] = $devices;
         }
 
+        if (count($groupAdd) > 0) {
+            $requestBody['HostConfig']['GroupAdd'] = $groupAdd;
+        }
+
         if ($container->enableNvidiaGpu && $this->configurationManager->enableNvidiaGpu) {
             $requestBody['HostConfig']['Runtime'] = 'nvidia';
             $requestBody['HostConfig']['DeviceRequests'] = [
@@ -411,6 +426,13 @@ readonly class DockerActionManager {
             //         $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]];
             //     }
 
+        // Special things for the jellyfin community container
+        } elseif ($container->identifier === 'nextcloud-aio-jellyfin') {
+            $lldapIp = gethostbyname('nextcloud-aio-lldap');
+            if ($lldapIp !== 'nextcloud-aio-lldap') {
+                $requestBody['HostConfig']['ExtraHosts'] = ['nextcloud-aio-lldap:' . $lldapIp];
+            }
+
         // Special things for the caddy community container
         } elseif ($container->identifier === 'nextcloud-aio-caddy') {
             $requestBody['HostConfig']['ExtraHosts'] = ['host.docker.internal:host-gateway'];
@@ -845,7 +867,15 @@ readonly class DockerActionManager {
         // Add a secondary alias for domaincheck container, to keep it as similar to actual apache controller as possible.
         // If a reverse-proxy is relying on container name as hostname this allows it to operate as usual and still validate the domain
         // The domaincheck container and apache container are never supposed to be active at the same time because they use the same APACHE_PORT anyway, so this doesn't add any new constraints.
-        $alias = ($container->identifier === 'nextcloud-aio-domaincheck') ? 'nextcloud-aio-apache' : '';
+        if ($container->identifier === 'nextcloud-aio-domaincheck') {
+            $alias = 'nextcloud-aio-apache';
+        }
+
+        // Add NC_DOMAIN as a Docker network alias so that intra-network traffic for the Nextcloud
+        // domain is forwarded directly to the aio-caddy container without leaving the Docker network.
+        if ($container->identifier === 'nextcloud-aio-caddy') {
+            $alias = $this->configurationManager->domain;
+        }
 
         $this->ConnectContainerIdToNetwork($container->identifier, $container->internalPorts, alias: $alias);
 
@@ -983,4 +1013,71 @@ readonly class DockerActionManager {
             return $this->dockerHubManager->GetLatestDigestOfTag($imageName, $tag);
         }
     }
+
+    public function SystemPrune(?\Closure $addToStreamingResponseBody = null): void {
+        $endpoints = [
+            // Remove stopped containers
+            'containers/prune',
+            // Remove unused images
+            'images/prune',
+            // Remove unused volumes
+            'volumes/prune',
+            // Remove unused networks
+            'networks/prune',
+            // Prune build cache
+            'build/prune',
+        ];
+
+        foreach ($endpoints as $endpoint) {
+            // Special-case images prune to include the dangling filter as requested
+            if ($endpoint === 'images/prune') {
+                $filters = json_encode(['dangling' => ['false']]);
+                $url = $this->BuildApiUrl($endpoint . '?filters=' . urlencode((string) $filters));
+            } else {
+                $url = $this->BuildApiUrl($endpoint);
+            }
+
+            if ($addToStreamingResponseBody !== null) {
+                $addToStreamingResponseBody("Running $endpoint...");
+            }
+
+            try {
+                $response = $this->guzzleClient->post($url);
+                if ($addToStreamingResponseBody !== null) {
+                    $data = json_decode((string)$response->getBody(), true);
+                    $deleted = 0;
+                    foreach (['ContainersDeleted', 'ImagesDeleted', 'VolumesDeleted', 'NetworksDeleted', 'CachesDeleted'] as $key) {
+                        if (isset($data[$key]) && is_array($data[$key])) {
+                            $deleted += count($data[$key]);
+                        }
+                    }
+                    $reclaimed = $data['SpaceReclaimed'] ?? 0;
+                    $parts = [];
+                    if ($deleted > 0) {
+                        $parts[] = "$deleted item(s) deleted";
+                    }
+                    if ($reclaimed > 0) {
+                        $i = (int)floor(log($reclaimed, 1024));
+                        $parts[] = 'Space reclaimed: ' . (string)round($reclaimed / (1024 ** $i), 2) . ' ' . ['B','KB','MB','GB'][$i];
+                    }
+                    $addToStreamingResponseBody(!empty($parts) ? implode('. ', $parts) . '.' : 'Nothing to prune.');
+                }
+            } catch (RequestException $e) {
+                error_log(sprintf('Docker prune (%s) failed: %s', $endpoint, $e->getMessage()));
+                if ($addToStreamingResponseBody !== null) {
+                    $addToStreamingResponseBody('Error: ' . $e->getMessage());
+                }
+                // continue with next prune step
+            }
+        }
+
+        if ($addToStreamingResponseBody !== null) {
+            $addToStreamingResponseBody("Docker system prune completed.");
+            sleep(1);
+
+            // We automatically reload after 10s so that the output can be read or copied if necessary
+            $addToStreamingResponseBody("Automatically reloading the page after 10s.");
+            sleep(10);
+        }
+    }
 }

php/templates/containers.twig

@@ -132,6 +132,30 @@
                                     {% endif %}
                                     <p><strong>Hint:</strong> If the domain validation fails but you are completely sure that you've configured everything correctly, you may skip the domain validation by following <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation">this documentation</a>.</p>
                                 </details>
+                                <details{% if desec_account_registered %} open{% endif %}>
+                                    <summary>Don't have a domain? Get a free one from deSEC</summary>
+                                    <p><a target="_blank" href="https://desec.io">deSEC</a> offers free dynamic DNS subdomains under <strong>dedyn.io</strong>. AIO can register an account and a subdomain for you automatically. The <strong>caddy</strong> community container will be enabled as a reverse proxy, the <strong>dnsmasq</strong> container will be enabled for local DNS resolution, and the mastercontainer will keep your DNS record up to date automatically.</p>
+                                    {% if desec_account_registered %}
+                                        <p>Your deSEC account (<strong>{{ desec_email }}</strong>) was registered successfully but the domain could not be registered. Please enter a desired subdomain slug (the part before <code>.dedyn.io</code>) and try again, or leave it blank for a random one.</p>
+                                        <p>Your deSEC login credentials (for <a target="_blank" href="https://desec.io">desec.io</a>): Email: <strong>{{ desec_email }}</strong>. <details style="display:inline"><summary>Reveal deSEC password</summary><strong>{{ desec_password }}</strong></details>. Please save these in a safe place.</p>
+                                        <form method="POST" action="api/desec/register" class="xhr">
+                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                            <input type="text" name="desec_slug" placeholder="my-nextcloud (optional)" pattern="[a-z0-9]([a-z0-9\-]{0,61}[a-z0-9])?" title="Only lowercase letters, digits and hyphens (1–63 characters). No leading or trailing hyphen." />
+                                            <input type="submit" value="Register free domain via deSEC" />
+                                        </form>
+                                    {% else %}
+                                        <p>Please enter your email address. You can also enter a desired subdomain slug (the part before <code>.dedyn.io</code>); leave it blank for a random one.</p>
+                                        <form method="POST" action="api/desec/register" class="xhr">
+                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                            <input type="email" name="desec_email" placeholder="your@email.com" required />
+                                            <input type="text" name="desec_slug" placeholder="my-nextcloud (optional)" pattern="[a-z0-9]([a-z0-9\-]{0,61}[a-z0-9])?" title="Only lowercase letters, digits and hyphens (1–63 characters). No leading or trailing hyphen." />
+                                            <input type="submit" value="Register free domain via deSEC" />
+                                        </form>
+                                        <p><strong>Note:</strong> By submitting this form you agree to the <a target="_blank" href="https://desec.io/terms">deSEC terms of service</a>. The registered domain and your deSEC account credentials are stored in the AIO configuration. After registration, set your router's DHCP DNS server to this machine's local IP address so LAN devices resolve the domain locally (see the <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers/dnsmasq">dnsmasq documentation</a>). Alternatively adjust the hosts files on your clients so that they can reach the server using the local ip-address.</p>
+                                    {% endif %}
+                                </details>
                             {% endif %}
 
                             <h2>Restore former AIO instance from backup</h2>
@@ -375,6 +399,14 @@
 
                     {% if was_start_button_clicked == true %}
 
+                        {% if is_desec_domain %}
+                            <h2>deSEC account credentials</h2>
+                            <p>Your domain <strong>{{ domain }}</strong> is managed via <a target="_blank" href="https://desec.io">deSEC</a>. Below are your deSEC account credentials. You can use them to log in at <a target="_blank" href="https://desec.io">desec.io</a> to manage your domain directly.</p>
+                            <p>Email: <strong>{{ desec_email }}</strong></p>
+                            <p>Password: <details style="display:inline"><summary>Reveal deSEC password</summary><strong>{{ desec_password }}</strong></details></p>
+                            <p>Please save these credentials in a safe place.</p>
+                        {% endif %}
+
                         {% if is_backup_section_enabled == false %}
                             <h2>Backup and restore</h2>
                             <p>The backup section is disabled via environmental variable.</p>
@@ -582,13 +614,25 @@
 
                         {% if is_backup_container_running == false %}
                             {% if isApacheStarting == false %}
+                                {% if isAnyRunning == true %}
+                                    <h2>Docker System Prune</h2>
+                                    <details>
+                                        <summary>Click here to reveal a button to prune the docker system.</summary>
+                                        <p>By clicking the button below you can run "docker system prune -a". This will remove unused images, containers, networks, volumes and build cache. It will not delete data of running containers.</p>
+                                        <form method="POST" action="api/docker/prune" target="overlay-log">
+                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                            <input type="submit" value="Prune docker system" data-confirm="Run docker system prune -a? This will remove unused images, containers, networks, volumes and build cache. It will not delete data of running containers. Continue?" />
+                                        </form>
+                                    </details>
+                                {% endif %}
                                 <h2>AIO passphrase change</h2>
                                 <details>
                                     <summary>Click here to change your AIO passphrase</summary>
                                     <p>You can change your AIO passphrase below:</p>
                                     <form method="POST" action="api/configuration" class="xhr">
-                                        <input type="password" autocomplete="current-password" name="current-master-password" placeholder="Your current AIO passphrase" id="current-master-password" data-input-show-password="showPassword('current-master-password')">
-                                        <input type="password" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO passphrase" id="new-master-password" data-input-show-password="showPassword('new-master-password')">
+                                        <input type="password" autocomplete="current-password" name="current-master-password" placeholder="Your current AIO passphrase" id="current-master-password" data-input-show-password>
+                                        <input type="password" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO passphrase" id="new-master-password" data-input-show-password>
                                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input type="submit" value="Submit passphrase change" />

php/templates/includes/community-containers.twig

@@ -1,6 +1,9 @@
 <h2>Community Containers</h2>
 <p>In this section you can enable or disable optional Community Containers that are not included by default in the main installation. These containers are provided by the community and can be useful for various purposes and are automatically integrated in AIOs backup solution and update mechanisms.</p>
 <p><strong>⚠️ Caution: </strong>Community Containers are maintained by the community and not officially by Nextcloud. Some containers may not be compatible with your system, may not work as expected or may discontinue. Use them at your own risk. Please read the documentation for each container first before adding any as some are also incompatible between each other! Never add all of them at the same time!</p>
+{% if is_desec_domain == true %}
+    <p>ℹ️ Your Nextcloud domain (<strong>{{ domain }}</strong>) was registered via deSEC. The <strong>caddy</strong> community container has been automatically enabled as a reverse proxy and the <strong>dnsmasq</strong> container has been automatically enabled so that LAN devices can resolve your Nextcloud domain to the server's local IP address. Please <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers/dnsmasq"><strong>read the dnsmasq documentation</strong></a> for the required router change.</p>
+{% endif %}
 {% if isAnyRunning == true %}
     <p><strong>Please note:</strong> You can enable or disable the options below only when your containers are stopped.</p>
 {% else %}

php/templates/includes/optional-containers.twig

@@ -224,16 +224,7 @@
 </form>
 <p><strong>Minimal system requirements:</strong> When any optional container is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV,  Nextcloud Talk Recording-server or Fulltextsearch, at least 3GB RAM are required. For Talk Recording-server additional 2 vCPUs are required. When enabling everything, at least 5GB RAM and a quad-core CPU are required. Recommended are at least 1GB more RAM than the minimal requirement. For further advice and recommendations see <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/discussions/1335">this documentation</a></strong></p>
 {% if isAnyRunning == true %}
-    <script type="text/javascript" src="disable-clamav.js"></script>
-    <script type="text/javascript" src="disable-docker-socket-proxy.js"></script>
-    <script type="text/javascript" src="disable-harp.js"></script>
-    <script type="text/javascript" src="disable-talk.js"></script>
-    <script type="text/javascript" src="disable-collabora.js?v2"></script>
-    <script type="text/javascript" src="disable-onlyoffice.js?v2"></script>
-    <script type="text/javascript" src="disable-imaginary.js"></script>
-    <script type="text/javascript" src="disable-fulltextsearch.js"></script>
-    <script type="text/javascript" src="disable-talk-recording.js"></script>
-    <script type="text/javascript" src="disable-whiteboard.js"></script>
+    <script type="text/javascript" src="disable-containers.js"></script>
 {% endif %}
 
 {% if is_collabora_enabled == true and isAnyRunning == false and was_start_button_clicked == true %}

php/templates/layout.twig

@@ -6,7 +6,7 @@
         <link rel="icon" href="img/favicon.png">
         <script type="text/javascript" src="forms.js?v2"></script>
         <script type="text/javascript" src="toggle-dark-mode.js?v1"></script>
-        <script type="text/javascript" src="click-handlers.js?v1"></script>
+        <script type="text/javascript" src="click-handlers.js?v2"></script>
     </head>
 
     <body>

php/templates/login.twig

@@ -11,7 +11,7 @@
         {% if is_login_allowed == true %}
             <p>Log in using your Nextcloud AIO passphrase:</p>
             <form method="POST" action="api/auth/login" class="xhr">
-                <input type="password" autocomplete="current-password" name="password" placeholder="Password" id="master-password" data-input-show-password="showPassword('master-password')">
+                <input type="password" autocomplete="current-password" name="password" placeholder="Password" id="master-password" data-input-show-password>
                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                 <input type="submit" class="button" value="Log in" />

readme.md

@@ -87,6 +87,70 @@ Included are:
 |---|---|
 | ![image](https://github.com/user-attachments/assets/6ef5d7b5-86f2-402c-bc6c-b633af2ca7dd) | ![image](https://github.com/user-attachments/assets/939d0fdf-436f-433d-82d3-27548263a040) |
 
+## Architecture overview
+
+```mermaid
+flowchart TB
+    %% ── Styles ───────────────────────────────────────────────────────────────────
+    classDef user      fill:#FFF3CD,stroke:#F0AD4E,color:#333
+    classDef master    fill:#E8D5F5,stroke:#9B59B6,color:#222
+    classDef core      fill:#D6EAF8,stroke:#2E86C1,color:#222
+    classDef opt       fill:#D5F5E3,stroke:#27AE60,color:#222
+    classDef community fill:#FDEBD0,stroke:#E67E22,color:#222
+    classDef access    fill:#EAFAF1,stroke:#1E8449,color:#222
+
+    %% ── Top row: people ─────────────────────────────────────────────────────────
+    YOU(["🧑‍💻 Admin\n(You)"]):::user
+    ENDUSER(["🧑‍🤝‍🧑 Users\n(family / team)"]):::user
+
+    %% ── Everything that runs inside AIO ─────────────────────────────────────────
+    subgraph AIO["  🐳  Nextcloud AIO  "]
+        MC(["🧠 Mastercontainer\n─────────────────────────\n▸ AIO interface :8080 / :8443\n▸ Manages & updates containers\n▸ Handles backups"]):::master
+
+        subgraph CORE["  📦  Core Stack  (auto-started)  "]
+            PROXY(["🔀 Apache\nProxy & HTTPS"]):::core
+            NC(["☁️ Nextcloud\nApp Server"]):::core
+            DB(["🗄️ PostgreSQL\nDatabase"]):::core
+            CACHE(["⚡ Redis\nCache"]):::core
+            PUSH(["🔔 Notify Push\nReal-time sync"]):::core
+        end
+
+        subgraph OPT["  🧩  Optional Built-in Containers  (enable in AIO interface)  "]
+            COLLA(["📄 Nextcloud Office"]):::opt
+            OO(["📄 OnlyOffice\nDocument Server"]):::opt
+            TALK(["🎙️ Talk\nVideo & Voice calls"]):::opt
+            TALKREC(["🎬 Talk Recording"]):::opt
+            FTS(["🔎 Full-text Search\n(Elasticsearch)"]):::opt
+            IMAG(["🖼️ Imaginary\nImage previews"]):::opt
+            CLAM(["🦠 ClamAV\nAntivirus"]):::opt
+            WB(["🖊️ Whiteboard"]):::opt
+        end
+
+        COMM(["🌍 Community Containers\n──────────────────────\n30+ optional add-ons\nSee community-containers/"]):::community
+        click COMM "https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers" "Browse community containers"
+    end
+
+    %% ── Result node (outside AIO) ────────────────────────────────────────────────
+    NC_URL(["🌐 https://your-domain.com\n✅ Nextcloud — ready to use!"]):::access
+
+    %% ── Flows ────────────────────────────────────────────────────────────────────
+    YOU -->|"① open :8080 or :8443 in browser"| MC
+    MC -->|"② auto-starts & wires up"| CORE
+    MC -. "③ enable in AIO interface" .-> OPT
+    MC -. "④ add via AIO interface" .-> COMM
+
+    PROXY --> NC
+    NC --- DB
+    NC --- CACHE
+    NC --- PUSH
+    OPT -->|"integrate with"| NC
+    COMM -.->|"integrate with"| NC
+
+    CORE -->|"⑤ stack is ready!"| NC_URL
+    ENDUSER -->|"⑥ browser / app"| NC_URL
+    YOU -->|"⑥ use normally"| NC_URL
+```
+
 ## How to use this?
 
 The steps below are written for Linux. For platform-specific guidance see:
@@ -564,14 +628,15 @@ Some container can use GPU acceleration to increase performance like [memories a
 #### With open source drivers MESA for AMD, Intel and **new** drivers `Nouveau` for Nvidia
 
 > [!WARNING]  
-> This only works if the `/dev/dri` device is present on the host! If it does not exist on your host, don't proceed as otherwise the Nextcloud container will fail to start! If you are unsure about this, better do not proceed with the instructions below. Make sure that your driver is correctly configured on the host.
+> This only works if the `/dev/dri` device is present on the host! If it does not exist on your host, don't proceed as otherwise the mastercontainer will fail to start! If you are unsure about this, better do not proceed with the instructions below. Make sure that your driver is correctly configured on the host.
 
 A list of supported device can be fond in [MESA 3D documentation](https://docs.mesa3d.org/systems.html).
 
 This method use the [Direct Rendering Infrastructure](https://dri.freedesktop.org/wiki/) with the access to the `/dev/dri` device.
 
-In order to use that, you need to add `--env NEXTCLOUD_ENABLE_DRI_DEVICE=true` to the docker run command of the mastercontainer (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will mount the `/dev/dri` device into the container.
+In order to use that, you need to pass the `/dev/dri` device into the mastercontainer by adding `--device=/dev/dri` to the docker run command (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used). The `/dev/dri` device gets mounted into the containers that benefit from it.
 
+With this device in place, the AIO mastercontainer automatically detects the `/dev/dri` device, enables hardware acceleration for the relevant containers and passes the correct render device group to the talk-recording container so that VA-API hardware transcoding (`h264_vaapi`) is used when recording calls.
 
 #### With proprietary drivers for Nvidia :warning: BETA
 
@@ -584,6 +649,8 @@ This method use the [Nvidia Container Toolkit](https://docs.nvidia.com/datacente
 
 In order to use that, you need to add `--env NEXTCLOUD_ENABLE_NVIDIA_GPU=true` to the docker run command of the mastercontainer (but before the last line `ghcr.io/nextcloud-releases/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will enable the nvidia runtime.
 
+The talk-recording container automatically detects the NVIDIA GPU at startup and uses `h264_nvenc` hardware encoding when available. No additional steps are required beyond enabling the NVIDIA runtime.
+
 If you're using WSL2 and want to use the NVIDIA runtime, please follow the instructions to [install the NVIDIA Container Toolkit meta-version in WSL](https://docs.nvidia.com/cuda/wsl-user-guide/index.html#cuda-support-for-wsl-2).
 
 ### How to keep disabled apps?

reverse-proxy.md

@@ -573,13 +573,21 @@ Note: this will cause that a non root user can bind privileged ports.
 
 Second, see these screenshots for a working config:
 
-<img width="675" height="695" alt="image" src="https://github.com/user-attachments/assets/196f53f9-ff86-4da2-960e-f7b7a2ceac0c" />
+<img width="672" height="982" alt="grafik" src="https://github.com/user-attachments/assets/e8914a63-58d2-4a47-ac51-981d21979495" />
 
-<img width="675" height="355" alt="image" src="https://github.com/user-attachments/assets/8a45a6d8-fbaf-4519-86f7-c7424ed780da" />
+<img width="675" height="355" alt="grafik" src="https://github.com/user-attachments/assets/c4a006f5-f8c4-4898-9ea6-ec33ee7e5bd3" />
 
-<img width="675" height="542" alt="image" src="https://github.com/user-attachments/assets/7e880d02-0f4f-459a-a3f6-216bcb1b04ca" />
+<img width="675" height="650" alt="grafik" src="https://github.com/user-attachments/assets/a4f80ecc-c539-4972-91ed-7b078c269dd1" />
+
+<img width="675" height="570" alt="grafik" src="https://github.com/user-attachments/assets/8ea357c2-11d5-48af-abf7-f249bc677213" />
+
+
+- The "Enable compression by upstream, not recommended" Button can stay unchecked if you don't use Collabora. (https://github.com/CollaboraOnline/online/issues/10157) <br>
+- You may need to check the "Disable Crowdsec Appsec" Button if you use crowdsec and uploads or downloads fail. <br>
+- You may want to enable the "Disable Request/Response Buffering" Button since it could improve uploads and downloads. <br>
+- You can check the "Send noindex header and block some user agents" Button If you don't want your Nextcloud to be indexed by web crawlers like google. <br>
+- If you want/need you can also configure Auth Request/mTLS if needed or change the X-Frame-Options header if you want to embed Nextcloud.
 
-<img width="675" height="570" alt="image" src="https://github.com/user-attachments/assets/2812ecc1-ecf0-44bd-9249-b76b30f8c25e" />
 
 ⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
 
@@ -599,22 +607,22 @@ Note: this will cause that a non root user can bind privileged ports.
 
 Second, see these screenshots for a working config:
 
-![grafik](https://user-images.githubusercontent.com/75573284/213889707-b7841ca0-3ea7-4321-acf6-50e1c1649442.png)
+<img width="675" height="806" alt="grafik" src="https://github.com/user-attachments/assets/a7395147-62fd-415f-b04e-db92b50b1ff0" />
 
-![grafik](https://user-images.githubusercontent.com/75573284/213889724-1ab32264-3e0c-4d83-b067-9fe9d1672fb2.png)
+<img width="675" height="355" alt="grafik" src="https://github.com/user-attachments/assets/b36c79ba-7c7f-4334-a27f-89de6c11a30a" />
 
-![grafik](https://github.com/nextcloud/all-in-one/assets/24786786/fecbb5ef-d2f4-4e0f-bc4b-82207e2c2809)
+<img width="675" height="532" alt="grafik" src="https://github.com/user-attachments/assets/a3f3fa8c-9805-4c53-b573-c7428404f28c" />
+
+<img width="675" height="570" alt="grafik" src="https://github.com/user-attachments/assets/188e6541-6805-4374-866e-8c9bf9e80693" />
 
-![grafik](https://user-images.githubusercontent.com/75573284/213889746-87dbe8c5-4d1f-492f-b251-bbf82f1510d0.png)
 
 ```
-client_body_buffer_size 512k;
-client_max_body_size 0;
-
 # The default NEXTCLOUD_MAX_TIME value is 3600 seconds. 
 # By setting proxy_read_timeout 10 seconds higher than that, we make sure that always Nextcloud times out and not NPM. 
 # If you increased NEXTCLOUD_MAX_TIME, increase the timeout below accordingly.
 proxy_read_timeout 3610s;
+
+client_max_body_size 0; # This controls the maximum upload size, 0 means unlimited
 ```
 
 ⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.