fix the build

Signed-off-by: szaimen <szaimen@e.mail.de>

.github/workflows/nextcloud-update.yml

@@ -60,7 +60,8 @@ jobs:
         sed -i "s|pecl install imagick.*\;|pecl install imagick-$imagick_version\;|" ./Containers/nextcloud/Dockerfile
         
         # Nextcloud
-        NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | sort --version-sort | tail -1)
+        NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
+        NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
         sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
 
     - name: Create Pull Request

.github/workflows/psalm-security.yml

@@ -20,6 +20,6 @@ jobs:
           composer_ignore_platform_reqs: false
           report_file: results.sarif
       - name: Upload Security Analysis results to GitHub
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: php/results.sarif

Containers/apache/Dockerfile

@@ -1,5 +1,5 @@
 # Caddy is a requirement
-FROM caddy:2.5.0-alpine as caddy
+FROM caddy:2.5.1-alpine as caddy
 
 FROM debian:bullseye-20220418-slim
 
@@ -40,12 +40,13 @@ RUN a2enmod rewrite \
 
 COPY nextcloud.conf /etc/apache2/sites-available/
 
-RUN a2dissite 000-default && \
+RUN set -ex; \
+    a2dissite 000-default && \
     a2dissite default-ssl && \
     a2ensite nextcloud.conf && \
     rm -rf /var/www/html/* && \
-    service apache2 restart; \
     chown www-data:www-data -R /var/log/apache2; \
+    mkdir -p /var/run/apache2; \
     chown -R www-data:www-data /var/run/apache2; \
     chown -R www-data:www-data /var/www;
 
@@ -61,7 +62,8 @@ COPY supervisord.conf /
 RUN chmod +x /usr/bin/start.sh; \
     chmod +r /supervisord.conf; \
     chmod a+w /Caddyfile; \
-    chmod a+w /
+    chmod 777 /; \
+    chmod +r -R /etc/apache2
 
 # Give root a random password
 RUN echo "root:$(openssl rand -base64 12)" | chpasswd

Containers/collabora/Dockerfile

@@ -1,2 +1,2 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:21.11.4.1.1
+FROM collabora/code:21.11.4.2.1

Containers/mastercontainer/Dockerfile

@@ -1,8 +1,8 @@
 # Docker CLI is a requirement
-FROM docker:20.10.14-dind-alpine3.15 as dind
+FROM docker:20.10.15-dind-alpine3.15 as dind
 
 # Caddy is a requirement
-FROM caddy:2.5.0-alpine as caddy
+FROM caddy:2.5.1-alpine as caddy
 
 # From https://github.com/docker-library/php/blob/master/8.0/bullseye/apache/Dockerfile
 FROM php:8.0.18-apache-bullseye

Containers/mastercontainer/start.sh

@@ -31,6 +31,9 @@ elif ! sudo -u www-data test -r /var/run/docker.sock; then
         echo "Adding internal www-data to group $DOCKER_GROUP"
         usermod -aG "$DOCKER_GROUP" www-data
     else
+        # Delete the docker group for cases when the docker socket permissions changed between restarts
+        groupdel docker &>/dev/null
+
         # If the group doesn't exist, create it
         echo "Creating docker group internally with id $DOCKER_GROUP_ID"
         groupadd -g "$DOCKER_GROUP_ID" docker
@@ -64,39 +67,32 @@ fi
 
 # Check if startup command was executed correctly
 if ! sudo -u www-data docker ps | grep -q "nextcloud-aio-mastercontainer"; then
-    echo "It seems like you did not give the mastercontainer the correct name?"
+    echo "It seems like you did not give the mastercontainer the correct name?
+Using a different name is not supported!"
     exit 1
 elif ! sudo -u www-data docker volume ls | grep -q "nextcloud_aio_mastercontainer"; then
-    echo "It seems like you did not give the mastercontainer volume the correct name?"
+    echo "It seems like you did not give the mastercontainer volume the correct name?
+Using a different name is not supported!"
     exit 1
 fi
 
 # Check for other options
 if [ -n "$NEXTCLOUD_DATADIR" ]; then
-    if ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/mnt/" \
-    && ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/media/" \
-    && ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/host_mnt/"
-    then
+    if ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/" || [ "$NEXTCLOUD_DATADIR" = "/" ]; then
         echo "You've set NEXTCLOUD_DATADIR but not to an allowed value.
-The string must start with '/mnt/', '/media/' or '/host_mnt/'. E.g. '/mnt/ncdata'"
-        exit 1
-    elif [ "$NEXTCLOUD_DATADIR" = "/mnt/" ] || [ "$NEXTCLOUD_DATADIR" = "/media/" ] || [ "$NEXTCLOUD_DATADIR" = "/host_mnt/" ]; then
-        echo "You've set NEXTCLOUD_DATADIR but not to an allowed value.
-The string must start with '/mnt/', '/media/' or '/host_mnt/' and not be equal to these."
+The string must start with '/' and must not be equal to '/'.
+It is set to '$NEXTCLOUD_DATADIR'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
-    if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/mnt/" \
-    && ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/media/" \
-    && ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/host_mnt/" \
-    && ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/var/backups$"
-    then
+    if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
         echo "You've set NEXCLOUD_MOUNT but not to an allowed value.
-The string must be equal to/start with '/mnt/', '/media/' or '/host_mnt/' or be equal to '/var/backups'."
+The string must start with '/' and must not be equal to '/'.
+It is set to '$NEXTCLOUD_MOUNT'."
         exit 1
     elif [ "$NEXTCLOUD_MOUNT" = "/mnt/ncdata" ] || echo "$NEXTCLOUD_MOUNT" | grep -q "^/mnt/ncdata/"; then
-        echo "/mnt/ncdata and /mnt/ncdata/ are not allowed for NEXTCLOUD_MOUNT."
+        echo "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
         exit 1
     fi
 fi
@@ -108,7 +104,8 @@ if [ -n "$NEXTCLOUD_DATADIR" ] && [ -n "$NEXTCLOUD_MOUNT" ]; then
 fi
 if [ -n "$APACHE_PORT" ]; then
     if ! check_if_number "$APACHE_PORT"; then
-        echo "You provided an Apache port but did not only use numbers"
+        echo "You provided an Apache port but did not only use numbers.
+It is set to '$APACHE_PORT'."
         exit 1
     elif ! [ "$APACHE_PORT" -le 65535 ] || ! [ "$APACHE_PORT" -ge 1 ]; then
         echo "The provided Apache port is invalid. It must be between 1 and 65535"
@@ -116,6 +113,16 @@ if [ -n "$APACHE_PORT" ]; then
     fi
 fi
 
+# Check DNS resolution
+# Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
+curl https://nextcloud.com &>/dev/null
+if [ "$?" = 6 ]; then
+    echo "Could not resolve the host nextcloud.com."
+    echo "Most likely the DNS resolving does not work."
+    echo "You should be able to fix this by adding the '--dns=\"ip.address.of.dns.server\"' option to the docker run command."
+    exit 1
+fi
+
 # Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
@@ -130,6 +137,25 @@ chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
 chown root:root -R /mnt/docker-aio-config/certs/
 
+# Don't allow access to the AIO interface from the Nextcloud container
+# Probably more cosmetic than anything but at least an attempt
+if ! grep -q '# nextcloud-aio-block' /etc/apache2/apache2.conf; then
+    if ! NETWORK_GATEWAY="$(docker inspect nextcloud-aio-mastercontainer --format "{{.NetworkSettings.Gateway}}")" || [ -z "$NETWORK_GATEWAY" ]; then
+        echo "Could not get the gateway of the mastercontainer. Cannot continue."
+        exit 1
+    fi
+    cat << APACHE_CONF >> /etc/apache2/apache2.conf
+# nextcloud-aio-block-start
+<Location />
+order allow,deny
+deny from nextcloud-aio-nextcloud.nextcloud-aio
+deny from $NETWORK_GATEWAY
+allow from all
+</Location>
+# nextcloud-aio-block-end
+APACHE_CONF
+fi
+
 # Adjust certs
 GENERATED_CERTS="/mnt/docker-aio-config/certs"
 TMP_CERTS="/etc/apache2/certs"

Containers/nextcloud/entrypoint.sh

@@ -81,6 +81,8 @@ if ! [ -f "/mnt/ncdata/skip.update" ]; then
             mkdir -p /usr/src/tmp/nextcloud/custom_apps
             chmod +x /usr/src/tmp/nextcloud/occ
             cp /usr/src/nextcloud/config/* /usr/src/tmp/nextcloud/config/
+            mkdir -p /usr/src/tmp/nextcloud/apps/nextcloud-aio
+            cp /usr/src/nextcloud/apps/nextcloud-aio/* /usr/src/tmp/nextcloud/apps/nextcloud-aio/
             mv /usr/src/nextcloud /usr/src/temp-nextcloud
             mv /usr/src/tmp/nextcloud /usr/src/nextcloud
             rm -r /usr/src/tmp

Containers/talk/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:focal-20220415
+FROM ubuntu:focal-20220426
 
 EXPOSE 3478
 

develop.md

@@ -30,3 +30,6 @@ Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/repo-sy
 
 1. Verify that no job is running here: https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-beta.yml
 2. Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-latest.yml, click on `Run workflow`.
+
+## Where to find the VPS builds?
+This is documented here: https://github.com/nextcloud-releases/all-in-one/tree/main/.build

docker-compose.yml

@@ -6,13 +6,31 @@ volumes:
 
 services:
   nextcloud:
-    image: nextcloud/all-in-one:latest
-    restart: unless-stopped
+    image: nextcloud/all-in-one:latest # Must be changed to 'nextcloud/all-in-one:latest-arm64' when used with an arm64 CPU
+    restart: always
     container_name: nextcloud-aio-mastercontainer
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
       - /var/run/docker.sock:/var/run/docker.sock:ro
     ports:
-      - 80:80
+      - 80:80 # Can be removed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       - 8080:8080
-      - 8443:8443
+      - 8443:8443 # Can be removed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+    # environment: # Is needed when using any of the options below
+      # - APACHE_PORT=11000 # Is needed when running behind a reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - NEXTCLOUD_DATADIR="/mnt/ncdata" # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # - NEXTCLOUD_MOUNT="/mnt/" # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
+
+  # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+  # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
+  # caddy:
+  #   image: caddy:alpine
+  #   restart: always
+  #   container_name: caddy
+  #   volumes:
+  #     - ./Caddyfile:/etc/caddy/Caddyfile
+  #     - ./certs:/certs
+  #     - ./config:/config
+  #     - ./data:/data
+  #     - ./sites:/srv
+  #   network_mode: "host"

php/psalm-baseline.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="4.22.0@fc2c6ab4d5fa5d644d8617089f012f3bb84b8703">
+<files psalm-version="4.23.0@f1fe6ff483bf325c803df9f510d09a03fd796f88">
   <file src="public/index.php">
     <MissingClosureParamType occurrences="10">
       <code>$args</code>

php/public/forms.js

@@ -12,7 +12,7 @@
     }
     lastError = toast
     body.prepend(toast)
-    setTimeout(toast.remove.bind(toast), 3000)
+    setTimeout(toast.remove.bind(toast), 7000)
   }
 
   function handleEvent(e) {

php/src/Data/ConfigurationManager.php

@@ -282,26 +282,13 @@ class ConfigurationManager
      * @throws InvalidSettingConfigurationException
      */
     public function SetBorgBackupHostLocation(string $location) : void {
-        $allowedPrefixes = [
-            '/mnt/',
-            '/media/',
-            '/host_mnt/',
-        ];
-
         $isValidPath = false;
-        foreach($allowedPrefixes as $allowedPrefix) {
-            if(str_starts_with($location, $allowedPrefix) && !str_ends_with($location, '/')) {
-                $isValidPath = true;
-                break;
-            }
-            if ($location === '/var/backups') {
-                $isValidPath = true;
-                break;
-            }
+        if (str_starts_with($location, '/') && !str_ends_with($location, '/')) {
+            $isValidPath = true;
         }
 
-        if(!$isValidPath) {
-            throw new InvalidSettingConfigurationException("The path must start with '/mnt/', '/media/' or '/host_mnt/' or be equal to '/var/backups'.");
+        if (!$isValidPath) {
+            throw new InvalidSettingConfigurationException("The path must start with '/', and must not end with '/'!");
         }
 
 
@@ -323,8 +310,8 @@ class ConfigurationManager
             $isValidPath = true;
         }
 
-        if(!$isValidPath) {
-            throw new InvalidSettingConfigurationException("The path may start with '/mnt/', '/media/' or '/host_mnt/' or may be equal to '/var/backups'.");
+        if (!$isValidPath) {
+            throw new InvalidSettingConfigurationException("The path must start with '/', and must not end with '/'!");
         }
 
         if ($password === '') {

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v1.1.0</h1>
+        <h1>Nextcloud AIO v1.2.0</h1>
 
         {% set isAnyRunning = false %}
         {% set isAnyRestarting = false %}
@@ -141,7 +141,10 @@
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                 <input class="button" type="submit" value="Submit" />
                             </form>
-                            The folder path that you enter may start with <b>/mnt/</b>, <b>/media/</b> or <b>/host_mnt/</b> or may be equal to <b>/var/backups</b>.<br><br>So e.g. <b>/mnt/backup</b> on Linux and macOS or <b>/host_mnt/c/backup/directory</b> on Windows. (This Windows example would be equivalent to 'C:\backup\directory' on the Windows host. So you need to translate the path that you want to use into the correct format.)<br><br>
+                            The folder path that you enter must start with <b>/</b> and must <b>not</b> end with <b>/</b>.<br><br>
+                            An example for Linux is <b>/mnt/backup</b>.<br>
+                            For macOS it may be <b>/var/backup</b>.<br>
+                            On Windows it might be <b>/host_mnt/c/backup</b>. (This Windows example would be equivalent to 'C:\backup' on the Windows host. So you need to translate the path that you want to use into the correct format.)<br><br>
                             ⚠ Note that the backup archive must be located in a subfolder of the folder that you enter here and the subfolder which contains the archive must be named 'borg'. Otherwise will the backup container not find the backup archive!<br><br>
                         {% endif %}
                     {% else %}
@@ -291,7 +294,10 @@
                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                             <input class="button" type="submit" value="Submit" />
                         </form>
-                        The folder path that you enter must start with <b>/mnt/</b>, <b>/media/</b> or <b>/host_mnt/</b> or be equal to <b>/var/backups</b>.<br><br>So e.g. <b>/mnt/backup</b> on Linux and macOS or <b>/host_mnt/c/backup/directory</b> on Windows. (This Windows example would be equivalent to 'C:\backup\directory' on the Windows host. So you need to translate the path that you want to use into the correct format.)
+                            The folder path that you enter must start with <b>/</b> and must <b>not</b> end with <b>/</b>.<br><br>
+                            An example for Linux is <b>/mnt/backup</b>.<br>
+                            For macOS it may be <b>/var/backup</b>.<br>
+                            On Windows it might be <b>/host_mnt/c/backup</b>. (This Windows example would be equivalent to 'C:\backup' on the Windows host. So you need to translate the path that you want to use into the correct format.)<br><br>
                     {% endif %}
 
                     {% if borg_backup_host_location != "" %}
@@ -398,8 +404,10 @@
                 {% endif %}
                 {% if is_backup_container_running == false %}
                     <h2>Optional addons</h2>
-                    In this section you can find optional addons.<br>
-                    You can enable or disable them when your containers are stopped.<br><br>
+                    In this section you can enable or disable optional addons.<br><br>
+                    {% if isAnyRunning == true %}
+                        <b>Note:</b> You can enable or disable them when your containers are stopped.<br><br>
+                    {% endif %}
                     <form id="options-form" method="POST" action="/api/configuration" class="xhr">
                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -410,9 +418,9 @@
                             <input type="checkbox" id="clamav" name="clamav"><label for="clamav">ClamAV (only supported on x64, needs ~1GB additional RAM)</label><br>
                         {% endif %}
                         {% if is_collabora_enabled == true %}
-                            <input type="checkbox" id="collabora" name="collabora" checked="checked"><label for="collabora">Collabora</label><br>
+                            <input type="checkbox" id="collabora" name="collabora" checked="checked"><label for="collabora">Collabora (Nextcloud Office)</label><br>
                         {% else %}
-                            <input type="checkbox" id="collabora" name="collabora"><label for="collabora">Collabora</label><br>
+                            <input type="checkbox" id="collabora" name="collabora"><label for="collabora">Collabora (Nextcloud Office)</label><br>
                         {% endif %}
                         {% if is_talk_enabled == true %}
                             <input type="checkbox" id="talk" name="talk" checked="checked"><label for="talk">Nextcloud Talk (needs ports 3478/TCP and 3478/UDP open in your firewall/router)</label><br><br>
@@ -426,6 +434,7 @@
                         {% endif %}
                         <input id="options-form-submit" class="button" type="submit" value="Save changes" />
                     </form>
+                    <b>System requirements:</b> When any optional addon is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV, at least 3GB RAM are required.<br><br>
                     {% if isAnyRunning == true or is_x64_platform == false %}
                         <script type="text/javascript" src="disable-clamav.js"></script>
                         <script type="text/javascript" src="disable-onlyoffice.js"></script>

php/templates/login.twig

@@ -8,7 +8,7 @@
             {% if is_login_allowed == true %}
                 <p>Log in using your Nextcloud AIO password:</p>
                 <form method="POST" action="/api/auth/login">
-                    <input type="text" name="password" placeholder="Password" />
+                    <input type="text" autocomplete="off" name="password" placeholder="Password" />
                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                     <input type="submit" class="button" value="Login" />

readme.md

@@ -50,14 +50,14 @@ The following instructions are especially meant for Linux. For macOS see [this](
     </details>
 
 3. After the initial startup, you should be able to open the Nextcloud AIO Interface now on port 8080 of this server.<br>
-E.g. `https://internal.ip.of.this.server:8080`<br>
+E.g. `https://ip.address.of.this.server:8080`<br>
 If your firewall/router has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatially by opening the Nextcloud AIO Interface via:<br>
 `https://your-domain-that-points-to-this-server.tld:8443`
 4. Please do not forget to open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
 
 ## FAQ
 ### How does it work?
-Nextcloud AIO is inspired by projects like Portainer that allow to manage the docker daemon by talking to the docker socket directly. This concept allows to install only one container with a single command that does the heavy lifting of creating and managing all containers that are needed in order to provide a Nextcloud installation with most features included. It also makes updating a breeze and is not bound to the host system (and its slow updates) anymore as everything is in containers. Additionally, it is very easy to handle from a user perspective because a simple interface for managing your Nextcloud AIO installation is provided.
+Nextcloud AIO is inspired by projects like Portainer that manage the docker daemon by talking to it through the docker socket directly. This concept allows a user to install only one container with a single command that does the heavy lifting of creating and managing all containers that are needed in order to provide a Nextcloud installation with most features included. It also makes updating a breeze and is not bound to the host system (and its slow updates) anymore as everything is in containers. Additionally, it is very easy to handle from a user perspective because a simple interface for managing your Nextcloud AIO installation is provided.
 
 ### Are reverse proxies supported?
 Yes. Please refer to the following documentation on this: [reverse-proxy.md](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md)
@@ -68,7 +68,7 @@ Only those (if you acces the Mastercontainer Interface internally via port 8080)
 - `3478/TCP` and `3478/UDP` for the Talk container
 
 ### Explanation of used ports:
-- `8080/TCP`: Mastercontainer Interface with self-signed certificate (works always, also if only access via IP-address is possible, e.g. `https://internal.ip.address:8080/`)
+- `8080/TCP`: Mastercontainer Interface with self-signed certificate (works always, also if only access via IP-address is possible, e.g. `https://ip.address.of.this.server:8080/`)
 - `80/TCP`: redirects to Nextcloud (is used for getting the certificate via ACME http-challenge for the Mastercontainer)
 - `8443/TCP`: Mastercontainer Interface with valid certificate (only works if port 80 and 8443 are open in your firewall/router and you point a domain to your server. It generates a valid certificate then automatically and access via e.g. `https://public.domain.com:8443/` is possible.)
 - `443/TCP`: will be used by the Apache container later on and needs to be open in your firewall/router
@@ -94,6 +94,8 @@ docker run -it ^
 nextcloud/all-in-one:latest
 ```
 
+**Please note:** AIO works on Windows in general but due to a bug in `Docker for Windows`, it currently does not support mounting directories from the host into AIO which means that `NEXTCLOUD_DATADIR`, `NEXTCLOUD_MOUNT` do not work and the built-in backup solution is not able to write to the host OS. See https://github.com/nextcloud/all-in-one/discussions/600.
+
 </details>
 
 ### How to run `occ` commands?
@@ -102,6 +104,9 @@ Simply run the following: `sudo docker exec -it nextcloud-aio-nextcloud php occ
 ### How to resolve `Security & setup warnings displays the "missing default phone region" after initial install`?
 Simply run the following command: `sudo docker exec -it nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="yourvalue"`. Of course you need to modify `yourvalue` based on your location. Examples are `DE`, `EN` and `GB`. See this list for more codes: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
 
+### Update policy
+This project values stability over new features. That means that when a new major Nextcloud update gets introduced, we will wait at least until the first patch release, e.g. `24.0.1` is out before upgrading to it. Also we will wait with the upgrade until all important apps are compatible with the new major version. Minor or patch releases for Nextcloud and all dependencies as well as all containers will be updated to new versions as soon as possible but we try to give all updates first a good test round before pushing them. That means that it can take around 2 weeks before new updates reach the `latest` channel. If you want to help testing, you can switch to the `beta` channel by following [this documentation](#how-to-switch-the-channel) which will also give you the updates earlier.
+
 ### How to switch the channel?
 You can switch to a different channel like e.g. the beta channel or from the beta channel back to the latest channel by stopping the mastercontainer, removing it (no data will be lost) and recreating the container using the same command that you used initially to create the mastercontainer. For the beta channel on x64 you need to change the last line `nextcloud/all-in-one:latest` to `nextcloud/all-in-one:beta` and vice versa. For arm64 it is `nextcloud/all-in-one:latest-arm64` and `nextcloud/all-in-one:beta-arm64`, respectively.
 
@@ -275,13 +280,42 @@ fi
 
 You can simply copy and past the script into a file e.g. named `backup-script.sh` e.g. here: `/root/backup-script.sh`. Do not forget to modify the variables to your needings though!
 
-Afterwards apply the correct permissions with `sudo chown root:root /root/backup-script.sh` and `sudo chmod 700 /root/backup-script.sh`. Then you can create a cronjob that runs e.g. at `20:00` each week on sundays like this: `crontab -u root -l | { cat; echo "0 20 * * 7 /root/backup-script.sh"; } | crontab -u root -`. Make sure that it does not collidate with the daily backups from AIO (if configured) since the target backup repository might get into an inconsistent state. (There is no check in place that checks this.)
+Afterwards apply the correct permissions with `sudo chown root:root /root/backup-script.sh` and `sudo chmod 700 /root/backup-script.sh`. Then you can create a cronjob that runs e.g. at `20:00` each week on sundays like this: 
+1. Open the cronjob with `sudo crontab -u root -e` (and choose your editor of choice if not already done. I'd recommend nano). 
+1. Add the following new line to the crontab if not alreaddy present: `0 20 * * 7 /root/backup-script.sh` which will run the script at 20:00 on sundays each week. 
+1. save and close the crontab (when using nano are the shortcouts for this `Ctrl + o` -> `Enter` and close the editor with `Ctrl + x`).
+
+⚠ **Attention:** Make sure that the execution of the script does not collidate with the daily backups from AIO (if configured) since the target backup repository might get into an inconsistent state. (There is no check in place that checks this.)
 
 ### How to change the default location of Nextcloud's Datadir?
-You can configure the Nextcloud container to use a specific directory on your host as data directory. You can do so by adding the environmental variable `NEXTCLOUD_DATADIR` to the initial startup of the mastercontainer. Allowed values for that variable are strings that start with `/mnt/`, `/media/` or `/host_mnt/`. An example for Linux and macOS is `-e NEXTCLOUD_DATADIR="/mnt/ncdata"`. On Windows it might be `-e NEXTCLOUD_DATADIR="/host_mnt/c/your/data/path"` (This Windows example would be equivalent to `C:\your\data\path` on the Windows host. So you need to translate the path that you want to use into the correct format.) Please make sure to apply the correct permissions to the chosen directory before starting Nextcloud the first time (not needed on Windows). In this example would the command for this be: `sudo chown -R 33:0 /mnt/ncdata`. ⚠ **Attention:** It is very important to change the datadir **before** Nextcloud is installed/started the first time and not to change it afterwards!
+You can configure the Nextcloud container to use a specific directory on your host as data directory. You can do so by adding the environmental variable `NEXTCLOUD_DATADIR` to the initial startup of the mastercontainer. Allowed values for that variable are strings that start with `/` and are not equal to `/`.
+
+- An example for Linux is `-e NEXTCLOUD_DATADIR="/mnt/ncdata"`.
+- On macOS it might be `-e NEXTCLOUD_DATADIR="/var/nextcloud-data"`
+- For Synology it may be `/volume1/docker/nextcloud/data`. 
+- On Windows it might be `-e NEXTCLOUD_DATADIR="/host_mnt/c/your/data/path"` (This Windows example would be equivalent to `C:\your\data\path` on the Windows host. So you need to translate the path that you want to use into the correct format.) 
+
+⚠ Please make sure to apply the correct permissions to the chosen directory before starting Nextcloud the first time (not needed on Windows). 
+
+- In this example for Linux, the command for this would be `sudo chown -R 33:0 /mnt/ncdata`. 
+- On macOS, the command for this would be `sudo chown -R 33:0 /var/nextcloud-data`.
+- For Synology, the command for this example would be `sudo chown -R 33:0 /volume1/docker/nextcloud/data` 
+- On Windows, this command is not needed.
+
+⚠ **Attention:** It is very important to change the datadir **before** Nextcloud is installed/started the first time and not to change it afterwards!
 
 ### How to allow the Nextcloud container to access directories on the host?
-By default, the Nextcloud container is confined and cannot access directories on the host OS. You might want to change this when you are planning to use local external storage in Nextcloud to store some files outside the data directory and can do so by adding the environmental variable `NEXTCLOUD_MOUNT` to the initial startup of the mastercontainer. Allowed values for that variable are strings that are equal to or start with `/mnt/`, `/media/` or `/host_mnt/` or are equal to `/var/backups` and unequal to `/mnt/ncdata`. Two examples for Linux and macOS are: `-e NEXTCLOUD_MOUNT="/mnt/"` or `-e NEXTCLOUD_MOUNT="/media/"`. On Windows it might be `-e NEXTCLOUD_DATADIR="/host_mnt/c"` (This Windows example would be equivalent to `C:\` on the Windows host. So you need to translate the path that you want to use into the correct format.) After using this option, please make sure to apply the correct permissions to the directories that you want to use in Nextcloud (not needed on Windows). E.g. `sudo chown -R 33:0 /mnt/your-drive-mountpoint` should make it work. You can then navigate to the apps management page, activate the external storage app, navigate to `https://your-nc-domain.com/settings/admin/externalstorages` and add a local external storage directory that will be accessible inside the container at the same place that you've entered. E.g. `/mnt/your-drive-mountpoint` will be mounted to `/mnt/your-drive-mountpoint` inside the container, etc. Be aware though that these locations will not be covered by the built-in backup solution!
+By default, the Nextcloud container is confined and cannot access directories on the host OS. You might want to change this when you are planning to use local external storage in Nextcloud to store some files outside the data directory and can do so by adding the environmental variable `NEXTCLOUD_MOUNT` to the initial startup of the mastercontainer. Allowed values for that variable are strings that start with `/` and are not equal to `/`.
+
+- Two examples for Linux are `-e NEXTCLOUD_MOUNT="/mnt/"` and `-e NEXTCLOUD_MOUNT="/media/"`.
+- For Synology it may be `/volume1/`.
+- On Windows it might be `-e NEXTCLOUD_MOUNT="/host_mnt/c"` (This Windows example would be equivalent to `C:\` on the Windows host. So you need to translate the path that you want to use into the correct format.) 
+
+After using this option, please make sure to apply the correct permissions to the directories that you want to use in Nextcloud (not needed on Windows). E.g. `sudo chown -R 33:0 /mnt/your-drive-mountpoint` should make it work on Linux when you have used `-e NEXTCLOUD_MOUNT="/mnt/"`. 
+
+You can then navigate to the apps management page, activate the external storage app, navigate to `https://your-nc-domain.com/settings/admin/externalstorages` and add a local external storage directory that will be accessible inside the container at the same place that you've entered. E.g. `/mnt/your-drive-mountpoint` will be mounted to `/mnt/your-drive-mountpoint` inside the container, etc. 
+
+Be aware though that these locations will not be covered by the built-in backup solution!
 
 ### Huge docker logs
 When your containers run for a few days without a restart, the container logs that you can view from the AIO interface can get really huge. You can limit the loge sizes by enabling logrotate for docker container logs. Feel free to enable this by following those instructions: https://sandro-keil.de/blog/logrotate-for-docker-container/

reverse-proxy.md

@@ -1,19 +1,25 @@
 ## Reverse Proxy Documentation
 
-Basically, you need to specify the port that the apache container shall use and modify the startup command a bit.
+**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **not** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 3](#3-optional-get-a-valid-certificate-for-the-aio-interface). 
 
-All examples below will use port `11000` as example apache port. Also it is supposed that the reverse proxy runs on the same server like AIO, hence `localhost` is used and not an internal ip-address to point to the AIO instance. Modify both to your needings.
+In order to run Nextcloud behind a reverse proxy, you need to specify the port that the Apache container shall use, add a specific config to your reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example Apache port which will be exposed on the host. Modify it to your needings.
 
-**Info:** The instructions below assume that your reverse proxy is installed directly on the host, not inside a separate docker container. If you want to run the reverse proxy inside a docker container, you can do so by using the `--network host` option when starting the reverse proxy container.
+**Attention** The process to run Nextcloud behind a reverse proxy consists of at least these 2 steps:
+1. **Configure the reverse proxy! See [point 1](#1-add-this-to-your-reverse-proxy-config)**
+1. **Use the in this document provided startup command! See [point 2](#2-use-this-startup-command)**
+- Optional: get a valid certificate for the AIO interface! See [point 3](#3-optional-get-a-valid-certificate-for-the-aio-interface)
+- How to debug things? See [point 4](#4-how-to-debug-things)
 
-### Reverse proxy config examples
+### 1. Add this to your reverse proxy config
+
+**Please note:** Since the Apache container gets spawned by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail! Only the documented way will work!
 
 #### Caddy
 
 <details>
 
 <summary>click here to expand</summary>
-<br>
+
 Add this to your Caddyfile:
 
 ```
@@ -23,7 +29,7 @@ https://<your-nc-domain>:443 {
 }
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud.
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 </details>
 
@@ -32,7 +38,6 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
 <details>
 
 <summary>click here to expand</summary>
-<br>
 
 **Disclaimer:** the config below is not working 100% correctly, yet. See e.g. https://github.com/nextcloud/all-in-one/issues/450, https://github.com/nextcloud/all-in-one/issues/447 and https://github.com/nextcloud/all-in-one/issues/491. Improvements to it are very welcome!
 
@@ -44,6 +49,7 @@ location / {
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        client_max_body_size 0;
 
         # Websocket
         proxy_http_version 1.1;
@@ -52,13 +58,88 @@ location / {
     }
 ```
 
-Of course SSL needs to be set up as well e.g. by using certbot and your domain must be also added inside the nginx config.
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 </details>
 
-### Startup command
+#### Nginx-Proxy
 
-After adjusting your reverse proxy config, use the following command to start AIO:
+<details>
+
+<summary>click here to expand</summary>
+
+Unfortunately it is not possible to configure nginx-proxy in a way that works because it completely relies on environmental variables of the docker containers itself. Providing these variables does not work as stated above.
+
+If you really want to use AIO, we recommend you to switch to caddy. It is simply amazing!<br>
+Of course understandable if that is not possible for you.
+
+Apart from that, there is this idea: https://github.com/nextcloud/all-in-one/issues/557<br>
+Pull requests are very welcome!
+
+</details>
+
+#### Traefik 2
+
+<details>
+
+<summary>click here to expand</summary>
+
+**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
+
+1. Add a `nextcloud.toml` to the Treafik rules folder with the following content:
+
+    ```toml
+    [http.routers]
+        [http.routers.nc-rtr]
+            entryPoints = ["https"]
+            rule = "Host(<your-nc-domain>)"
+            service = "nc-svc"
+            middlewares = ["chain-no-auth"]
+            [http.routers.nc-rtr.tls]
+                certresolver = "le"
+
+    [http.services]
+        [http.services.nc-svc]
+            [http.services.nc-svc.loadBalancer]
+                passHostHeader = true
+                [[http.services.nc-svc.loadBalancer.servers]]
+                    url = "http://locahost:11000"
+    ```
+
+2. Add to the bottom of the `middlewares.toml` file in the Treafik rules folder the following content:
+
+    ```toml
+    [http.middlewares.nc-middlewares-secure-headers]
+        [http.middlewares.nc-middlewares-secure-headers.headers]
+            hostsProxyHeaders = ["X-Forwarded-Host"]
+            sslRedirect = true
+            stsSeconds = 63072000
+            stsIncludeSubdomains = true
+            stsPreload = true
+            forceSTSHeader = true
+            referrerPolicy = "same-origin"
+            X-Robots-Tag = "none"
+    ```
+
+3. Add to the bottom of the `middleware-chains.toml` file in the Traefik rules folder the following content:
+
+    ```toml
+    [http.middlewares.chain-nc]
+        [http.middlewares.chain-nc.chain]
+            middlewares = [ "middlewares-rate-limit", "nc-middlewares-secure-headers"]
+    ```
+
+---
+
+Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+
+</details>
+
+### 2. Use this startup command
+
+After adjusting your reverse proxy config, use the following command to start AIO:<br>
+
+(For an docker-compose example, see the example further [below](#inspiration-for-a-docker-compose-file).)
 
 ```
 # For x64 CPUs:
@@ -109,9 +190,16 @@ nextcloud/all-in-one:latest
 
 </details>
 
-After doing so, you should be able to access the AIO Interface via `https://internal.ip.of.this.server:8080`. Enter your domain that you've entered in the reverse proxy config and you should be done. Please do not forget to open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
+#### Inspiration for a docker-compose file
 
-### Optional
+Simply translate the docker run command into a docker-compose file. You can have a look at [this file](https://github.com/nextcloud/all-in-one/blob/main/docker-compose.yml) for some inspiration but you will need to modify it either way. You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
+
+---
+
+#### How to continue? 
+After using the above command, you should be able to access the AIO Interface via `https://ip.address.of.the.host:8080`. Enter your domain that you've entered in the reverse proxy config and you should be done. Please do not forget to open port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
+
+### 3. Optional: get a valid certificate for the AIO interface
 
 If you want to also access your AIO interface publicly with a valid certificate, you can add e.g. the following config to your Caddyfile:
 
@@ -125,4 +213,14 @@ https://<your-nc-domain>:8443 {
 }
 ```
 
-Of course, you also need to modify `<your-nc-domain>` to the domain that you want to use. Afterwards should the AIO interface be accessible via `https://<your-nc-domain>:8443`. You can alternatively change the domain to a different subdomain by using `https://<your-alternative-domain>:443` in the Caddyfile and use that to access the AIO interface.
+Of course you need to modify `<your-nc-domain>` in the nextcloud.toml to the domain on which you want to run Nextcloud. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `locahost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+
+Afterwards should the AIO interface be accessible via `https://ip.address.of.the.host:8443`. You can alternatively change the domain to a different subdomain by using `https://<your-alternative-domain>:443` instead of `https://<your-nc-domain>:8443` in the Caddyfile and use that to access the AIO interface.
+
+### 4. How to debug things?
+If something does not work, follow the steps below:
+1. Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom!
+1. Make sure that the reverse proxy is running on the host OS or if running in a container, connected to the host network. If that is not possible, substitute `localhost` in the default configurations by the ip-address that you can easily get when running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (The command only works on Linux)
+1. Make sure that the mastercontainer is able to spawn other containers. You can do so by checking that the mastercontainer indeed has access to the Docker socket which might not be positioned in one of the suggested directories like `/var/run/docker.sock` but in a different directory, based on your OS and the way how you installed Docker. The mastercontainer logs should help figuring this out. You can have a look at them by running `sudo docker logs nextcloud-aio-mastercontainer` after the container is started the first time.
+1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z locahost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `locahost` the ip-address of the host here for the test.
+1. Try to configure everything from scratch if it still does not work!

tests/QA/assets/backup-archive/borg/.gitattributes

@@ -1 +0,0 @@
-data/** filter=lfs diff=lfs merge=lfs -text

tests/QA/assets/backup-archive/borg/README

@@ -1,2 +0,0 @@
-This is a Borg Backup repository.
-See https://borgbackup.readthedocs.io/

tests/QA/assets/backup-archive/borg/config

@@ -1,20 +0,0 @@
-[repository]
-version = 1
-segments_per_dir = 1000
-max_segment_size = 524288000
-append_only = 0
-storage_quota = 0
-additional_free_space = 2G
-id = 341f36bcb3656a000339ea3fb75f9e1645bbad6ee5299b38a9fd9d9e9412125b
-key = hqlhbGdvcml0aG2mc2hhMjU2pGRhdGHaAZ4HfIjdJek4CCc15EJdZ5IPdhMgSKu1RDimS1
-	C6Xj/zZtbmLXp9wTzDJzVq2DAhM9Vl2wZo766gyywzz5oUuVocbIlLD2JNEHsWL08W8QYC
-	mEjufkvRPCgupuz/ZOjfJmtKzKm56t1K4jUf0oaYtt3pKlEY7RQStdYTq43JNYFI23bNH4
-	u+OnGDEYa/Y4XZkl6K4yDZgc1jpDf5uHzNTX1MiJpCWJlBQbJQC03i1bVqBlZpAo+x23Z3
-	4Hg5Is5n24f2+AhFtdeD4NY6CzoHa+HQR7K67ZGIA6hUOHo7xPKaKKBlBvORgWppItq7j6
-	Ch+K1Z+/N1MBn4ltCSNtTmsCe2QT+4Xz7je7DzUNhmt3yx9Kuxe/e8NBSXXRb3eMuyGovT
-	Cs8JCWwQStDMgt+4s88wwaTfbt93f5d9W65tw+Z7x0gNUz0bZAzM3wld8vFqk3Vc2EQ5t0
-	azBuOzCFTL7sdyNqns+sgIs83sEfpyi872+IRX+bMBrXPwGL+J1+yaLvTuShjuq3Wv1Q9l
-	wqFMDUMB/ELSPYWS8Bj+Lix0dqmkaGFzaNoAINdDmXejBcvEcHa7qq0m3IzSyjhSDwpjgg
-	i7o64njD73qml0ZXJhdGlvbnPOAAGGoKRzYWx02gAgAYrIc2bmhIDmLmiQi2oFFrmQ3TlH
-	AW0UIpa4AtxkdXindmVyc2lvbgE=
-

tests/QA/assets/backup-archive/borg/data/0/1

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0a2e55f51c5d5125dfd8d4677af5c80d5d366b65ff70838d7ced6ef3bc152361
-size 17

tests/QA/assets/backup-archive/borg/data/0/2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:565329299be8c85dc70d1231f365d210829785b67ff5edefee8ec37db324ad86
-size 217476296

tests/QA/assets/backup-archive/borg/data/0/3

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0a2e55f51c5d5125dfd8d4677af5c80d5d366b65ff70838d7ced6ef3bc152361
-size 17

tests/QA/assets/backup-archive/borg/data/0/4

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0a2e55f51c5d5125dfd8d4677af5c80d5d366b65ff70838d7ced6ef3bc152361
-size 17

tests/QA/assets/backup-archive/borg/hints.4

@@ -1 +0,0 @@
-„§version¨segments<74>ÍR§compact<63>)±storage_quota_useÎöl—

tests/QA/assets/backup-archive/borg/nonce

@@ -1 +0,0 @@
-0000000020000082

tests/QA/assets/backup-archive/readme.md

@@ -1,6 +1,4 @@
 # Backup archive
 
-This is a backup archive only for testing.
-
-You need to copy the archive onto your test machine.
-The password is `65e5feb92b9765f7de003151b59fd1fc46f5bdc1f16c0c48`.
+The backup archive was moved here because of Git LFS limitations:
+https://github.com/szaimen/AIO-backup-archive