Merge pull request #5781 from nextcloud/enh/5763/fix-collabora

actually fix collabora
2026-05-21 10:50:10 +00:00 · 2024-12-20 12:20:52 +01:00 · 2024-12-20 12:18:50 +01:00 · 2024-12-20 11:49:54 +01:00 · 2024-12-20 11:32:20 +01:00 · 2024-12-20 11:27:55 +01:00
94 changed files with 1334 additions and 513 deletions
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -1,6 +1,6 @@
 ---
-name: 🐛 Bug report
-about: Help us improving by reporting a bug
+name: 🐛 Bug report - no questions and no support!
+about: Help us improving by reporting a bug - this category is not for questions and also not for support! Please use one of the options below for questions and support
 labels: 0. Needs triage
 ---

--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,14 +1,14 @@
 blank_issues_enabled: false
 contact_links:
+    - name: ⛑️ General questions and support
+      url: https://help.nextcloud.com/tag/aio
+      about: For general questions, support and help
    - name: 💡 Suggest a new feature or discuss one
      url:  https://github.com/nextcloud/all-in-one/discussions/categories/ideas
      about: For new feature requests and discussion of existing ones
-    - name: ❓ Questions on AIO
+    - name: ❓ Questions about Nextcloud AIO
      url: https://github.com/nextcloud/all-in-one/discussions/categories/questions
-      about: For questions regarding AIO
-    - name: ⛑️ Community Support and Help
-      url: https://help.nextcloud.com/tag/aio
-      about: For other types of questions
+      about: For questions specifically about AIO
    - name: 💼 Nextcloud Enterprise
      url: https://portal.nextcloud.com/
      about: If you are a Nextcloud Enterprise customer, or need Professional support, so it can be resolved directly by our dedicated engineers more quickly
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,12 +6,14 @@ updates:
    interval: "daily"
    time: "12:00"
  open-pull-requests-limit: 10
+  rebase-strategy: "disabled"
 - package-ecosystem: composer
  directory: "/php/"
  schedule:
    interval: "daily"
    time: "12:00"
  open-pull-requests-limit: 10
+  rebase-strategy: "auto"
  labels:
  - 3. to review
  - dependencies
@@ -39,6 +41,7 @@ updates:
    interval: "daily"
    time: "04:00"
  open-pull-requests-limit: 10
+  rebase-strategy: "disabled"
  labels:
  - 3. to review
  - dependencies
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -36,7 +36,7 @@ jobs:
        
        # Janus
        janus_version="$(
-          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
+          git ls-remote https://github.com/meetecho/janus-gateway v1.*.* \
            | cut -d/ -f3 \
            | sort -V \
            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@@ -2,7 +2,7 @@
 FROM caddy:2.8.4-alpine AS caddy

 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.62-alpine3.20
+FROM httpd:2.4.62-alpine3.21

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

--- a/Containers/borgbackup/Dockerfile
+++ b/Containers/borgbackup/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.20.3
+FROM alpine:3.21.0

 RUN set -ex; \
    \
--- a/Containers/borgbackup/backupscript.sh
+++ b/Containers/borgbackup/backupscript.sh
@@ -572,12 +572,18 @@ if [ "$BORG_MODE" = test ]; then
        fi
    fi

-    if ! borg list; then
+    if ! borg list >/dev/null; then
        echo "The entered path seems to be valid but could not open the backup archive."
        echo "Most likely the entered password was wrong so please adjust it accordingly!"
        exit 1
    else
-        echo "Everything looks fine so feel free to continue!"
-        exit 0
+        if ! borg list | grep "nextcloud-aio"; then
+            echo "The backup archive does not contain a valid Nextcloud AIO backup."
+            echo "Most likely was the archive not created via Nextcloud AIO."
+            exit 1
+        else
+            echo "Everything looks fine so feel free to continue!"
+            exit 0
+        fi
    fi
 fi
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.3/alpine/Dockerfile
-FROM clamav/clamav:1.4.1-12
+FROM clamav/clamav:1.4.1-17

 COPY clamav.conf /clamav.conf
 COPY --chmod=775 start.script /start.script
@@ -23,4 +23,6 @@ USER 100

 LABEL com.centurylinklabs.watchtower.enable="false"

+HEALTHCHECK --start-period=60s --retries=9 CMD clamdcheck.sh
+
 ENTRYPOINT ["/init-unprivileged"]
--- a/Containers/clamav/clamav.conf
+++ b/Containers/clamav/clamav.conf
@@ -1,5 +1,5 @@
 # AIO settings
 MaxDirectoryRecursion 30
-MaxFileSize 10G
-PCREMaxFileSize 10G
-StreamMaxLength 10G
+MaxFileSize 16G
+PCREMaxFileSize 16G
+StreamMaxLength 16G
--- a/Containers/clamav/start.script
+++ b/Containers/clamav/start.script
@@ -1,4 +1,4 @@
 # Adjust settings
 cat /etc/clamav/clamd.conf > /tmp/clamd.conf
-CLAMAV_FILE="$(sed "s|10G|$MAX_SIZE|" /clamav.conf)"
+CLAMAV_FILE="$(sed "s|16G|$MAX_SIZE|" /clamav.conf)"
 echo "$CLAMAV_FILE" >> /tmp/clamd.conf
--- a/Containers/collabora/Dockerfile
+++ b/Containers/collabora/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:24.04.9.2.1
+FROM collabora/code:24.04.10.2.1

 USER root
 ARG DEBIAN_FRONTEND=noninteractive
@@ -10,12 +10,15 @@ RUN set -ex; \
    \
    apt-get update; \
    apt-get install -y --no-install-recommends \
-        tzdata \
+#        # Disable because seems to be failing currently
+#        # tzdata \
        netcat-openbsd \
    ; \
    rm -rf /var/lib/apt/lists/*;

+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
 USER 100

-HEALTHCHECK CMD nc -z 127.0.0.1 9980 || exit 1
+HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/collabora/healthcheck.sh
+++ b/Containers/collabora/healthcheck.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+nc -z 127.0.0.1 9980 || exit 1
--- a/Containers/docker-socket-proxy/Dockerfile
+++ b/Containers/docker-socket-proxy/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.0.6-alpine
+FROM haproxy:3.1.1-alpine

 # hadolint ignore=DL3002
 USER root
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -22,7 +22,12 @@ frontend http
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
    # container rm: DELETE containers/%s
    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
-
+    # container update/exec: POST containers/%s/update containers/%s/exec
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((update)|(exec)) } METH_POST
+    # container put: PUT containers/%s/archive
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/archive } METH_PUT
+    # run exec instance: POST exec/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/exec/[a-zA-Z0-9_.-]+/start } METH_POST

    # container create: POST containers/create?name=%s
    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
--- a/Containers/domaincheck/Dockerfile
+++ b/Containers/domaincheck/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.20.3
+FROM alpine:3.21.0
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.15.3
+FROM elasticsearch:8.17.0

 USER root

@@ -16,7 +16,9 @@ RUN set -ex; \
    ; \
    rm -rf /var/lib/apt/lists/*;

+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
 USER 1000:0

-HEALTHCHECK CMD nc -z 127.0.0.1 9200 || exit 1
+HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/fulltextsearch/healthcheck.sh
+++ b/Containers/fulltextsearch/healthcheck.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+nc -z 127.0.0.1 9200 || exit 1
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.23.3-alpine3.20 AS go
+FROM golang:1.23.4-alpine3.21 AS go

 ENV IMAGINARY_HASH=8f36a26c448be8c151a3878404b75fcd1cd3cf0c

@@ -13,7 +13,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";

-FROM alpine:3.20.3
+FROM alpine:3.21.0
 RUN set -ex; \
    apk upgrade --no-cache -a; \
    apk add --no-cache \
@@ -30,6 +30,7 @@ RUN set -ex; \

 COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh

 ENV PORT=9000

@@ -39,5 +40,5 @@ USER 65534
 ENV MALLOC_ARENA_MAX=2
 ENTRYPOINT ["/start.sh"]

-HEALTHCHECK CMD nc -z 127.0.0.1 "$PORT" || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/imaginary/healthcheck.sh
+++ b/Containers/imaginary/healthcheck.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+nc -z 127.0.0.1 "$PORT" || exit 1
--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:27.3.1-cli AS docker
+FROM docker:27.4.1-cli AS docker

 # Caddy is a requirement
 FROM caddy:2.8.4-alpine AS caddy

-# From https://github.com/docker-library/php/blob/master/8.3/alpine3.20/fpm/Dockerfile
-FROM php:8.3.13-fpm-alpine3.20
+# From https://github.com/docker-library/php/blob/master/8.3/alpine3.21/fpm/Dockerfile
+FROM php:8.3.14-fpm-alpine3.21

 EXPOSE 80
 EXPOSE 8080
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -137,7 +137,7 @@ It is set to '$NEXTCLOUD_DATADIR'."
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
    if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
-        print_red "You've set NEXCLOUD_MOUNT but not to an allowed value.
+        print_red "You've set NEXTCLOUD_MOUNT but not to an allowed value.
 The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_MOUNT'."
        exit 1
@@ -194,7 +194,7 @@ It is set to '$APACHE_IP_BINDING'."
    fi
 fi
 if [ -n "$APACHE_ADDITIONAL_NETWORK" ]; then
-    if ! echo "$APACHE_ADDITIONAL_NETWORK" | grep -q "^[a-zA-Z0-9_-]\+$"; then
+    if ! echo "$APACHE_ADDITIONAL_NETWORK" | grep -q "^[a-zA-Z0-9._-]\+$"; then
        print_red "You've set APACHE_ADDITIONAL_NETWORK but not to an allowed value.
 It needs to be a string with letters, numbers, hyphens and underscores.
 It is set to '$APACHE_ADDITIONAL_NETWORK'."
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -1,14 +1,14 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.13-fpm-alpine3.20
+FROM php:8.3.14-fpm-alpine3.21

 ENV PHP_MEMORY_LIMIT=512M
-ENV PHP_UPLOAD_LIMIT=10G
+ENV PHP_UPLOAD_LIMIT=16G
 ENV PHP_MAX_TIME=3600
 ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0

 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=30.0.2
+ENV NEXTCLOUD_VERSION=30.0.4
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!
@@ -279,5 +279,5 @@ USER root
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

-HEALTHCHECK --start-period=60s CMD sudo -E -u www-data bash /healthcheck.sh
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@@ -148,13 +148,14 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
            rm -r /usr/src/tmp
            rm -r /usr/src/temp-nextcloud
            # shellcheck disable=SC2016
-            image_version="$(php -r "require $SOURCE_LOCATION/version.php; echo implode('.', \$OC_Version);")"
+            image_version="$(php -r "require '$SOURCE_LOCATION/version.php'; echo implode('.', \$OC_Version);")"
            IMAGE_MAJOR="${image_version%%.*}"
            set +ex
 # Do not skip major versions end # Do not remove or change this line!
        fi

        if [ "$installed_version" != "0.0.0.0" ]; then
+# Check connection to appstore start # Do not remove or change this line!
            while true; do
                echo -e "Checking connection to appstore"
                CURL_STATUS="$(curl -LI "https://apps.nextcloud.com/" -o /dev/null -w '%{http_code}\n' -s)"
@@ -167,6 +168,7 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                    sleep 5
                fi
            done
+# Check connection to appstore end # Do not remove or change this line!

            run_upgrade_if_needed_due_to_app_update

@@ -592,12 +594,17 @@ if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
    php /var/www/html/occ config:system:set trusted_proxies 2 --value="$ADDITIONAL_TRUSTED_PROXY"
 fi

-# Get ipv4-address of Nextcloud 
-IPv4_ADDRESS="$(dig nextcloud-aio-nextcloud A +short +search | head -1)" 
+# Get ipv4-address of Nextcloud
+if [ -z "$NEXTCLOUD_HOST" ]; then
+    export NEXTCLOUD_HOST="nextcloud-aio-nextcloud"
+fi
+IPv4_ADDRESS="$(dig "$NEXTCLOUD_HOST" A +short +search | head -1)" 
 # Bring it in CIDR notation 
 # shellcheck disable=SC2001
 IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|0/16|')" 
-php /var/www/html/occ config:system:set trusted_proxies 10 --value="$IPv4_ADDRESS"
+if [ -n "$IPv4_ADDRESS" ]; then
+    php /var/www/html/occ config:system:set trusted_proxies 10 --value="$IPv4_ADDRESS"
+fi

 if [ -n "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
    php /var/www/html/occ config:system:set trusted_domains 2 --value="$ADDITIONAL_TRUSTED_DOMAIN"
@@ -779,6 +786,7 @@ fi
 # Imaginary
 if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
    php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
+    php /var/www/html/occ config:system:set enabledPreviewProviders 23 --value="OC\\Preview\\ImaginaryPDF"
    php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
    php /var/www/html/occ config:system:set preview_imaginary_key --value="$IMAGINARY_SECRET"
 else
@@ -788,6 +796,7 @@ else
        php /var/www/html/occ config:system:delete enabledPreviewProviders 20
        php /var/www/html/occ config:system:delete enabledPreviewProviders 21
        php /var/www/html/occ config:system:delete enabledPreviewProviders 22
+        php /var/www/html/occ config:system:delete enabledPreviewProviders 23
    fi
 fi

--- a/Containers/nextcloud/run-exec-commands.sh
+++ b/Containers/nextcloud/run-exec-commands.sh
@@ -1,7 +1,10 @@
 #!/bin/bash

-# Wait 15s for domain to be reachable
-sleep 15
+# Wait until the apache container is ready
+while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
+    echo "Waiting for Apache to become available..."
+    sleep 15
+done

 if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
    echo "#!/bin/bash" > /tmp/nextcloud-exec-commands
--- a/Containers/notify-push/Dockerfile
+++ b/Containers/notify-push/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.20.3
+FROM alpine:3.21.0

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
--- a/Containers/onlyoffice/Dockerfile
+++ b/Containers/onlyoffice/Dockerfile
@@ -1,8 +1,10 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:8.2.0.1
+FROM onlyoffice/documentserver:8.2.2.1

 # USER root is probably used

-HEALTHCHECK CMD nc -z 127.0.0.1 80 || exit 1
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
+HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/onlyoffice/healthcheck.sh
+++ b/Containers/onlyoffice/healthcheck.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+nc -z 127.0.0.1 80 || exit 1
--- a/Containers/postgresql/Dockerfile
+++ b/Containers/postgresql/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/16/alpine3.20/Dockerfile
-FROM postgres:16.4-alpine
+# From https://github.com/docker-library/postgres/blob/master/16/alpine3.21/Dockerfile
+FROM postgres:16.6-alpine

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
--- a/Containers/postgresql/healthcheck.sh
+++ b/Containers/postgresql/healthcheck.sh
@@ -2,4 +2,6 @@

 test -f "/mnt/data/backup-is-running" && exit 0

+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
+
 psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@@ -14,8 +14,10 @@ RUN set -ex; \
 # Get rid of unused binaries
    rm -f /usr/local/bin/gosu;

+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
 USER 999
 ENTRYPOINT ["/start.sh"]

-HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/redis/healthcheck.sh
+++ b/Containers/redis/healthcheck.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+redis-cli -a "$REDIS_HOST_PASSWORD" PING || exit 1
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@@ -1,7 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.13.0-alpine3.20
+FROM python:3.13.1-alpine3.21

 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh

 ENV RECORDING_VERSION=v0.1
 ENV ALLOW_ALL=false
@@ -54,5 +55,5 @@ USER 122
 ENTRYPOINT ["/start.sh"]
 CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]

-HEALTHCHECK CMD nc -z 127.0.0.1 1234 || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/talk-recording/healthcheck.sh
+++ b/Containers/talk-recording/healthcheck.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+nc -z 127.0.0.1 1234 || exit 1
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.10.22-scratch AS nats
+FROM nats:2.10.24-scratch AS nats
 FROM eturnal/eturnal:1.12.1 AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:2.0.1 AS signaling
-FROM alpine:3.20.3 AS janus
+FROM alpine:3.21.0 AS janus

-ARG JANUS_VERSION=v0.14.4
+ARG JANUS_VERSION=v1.3.0
 WORKDIR /src
 RUN set -ex; \
    apk add --no-cache \
@@ -34,7 +34,7 @@ RUN set -ex; \
    make configs; \
    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample

-FROM alpine:3.20.3
+FROM alpine:3.21.0
 ENV ETURNAL_ETC_DIR="/conf"
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
--- a/Containers/watchtower/Dockerfile
+++ b/Containers/watchtower/Dockerfile
@@ -2,7 +2,7 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.7.1 AS watchtower

-FROM alpine:3.20.3
+FROM alpine:3.21.0

 RUN set -ex; \
    apk upgrade --no-cache -a; \
--- a/Containers/whiteboard/Dockerfile
+++ b/Containers/whiteboard/Dockerfile
@@ -1,4 +1,5 @@
 # syntax=docker/dockerfile:latest
+# Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
 FROM ghcr.io/nextcloud-releases/whiteboard:v1.0.4

 USER root
@@ -8,6 +9,9 @@ RUN set -ex; \
 USER 65534

 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+
+HEALTHCHECK CMD /healthcheck.sh

 ENTRYPOINT ["/start.sh"]

--- a/Containers/whiteboard/healthcheck.sh
+++ b/Containers/whiteboard/healthcheck.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nc -z "$REDIS_HOST" 6379 || exit 0
+nc -z 127.0.0.1 3002 || exit 1
--- a/community-containers/facerecognition/facerecognition.json
+++ b/community-containers/facerecognition/facerecognition.json
@@ -16,6 +16,10 @@
            "aio_variables": [
                "nextcloud_memory_limit=2048M"
            ],
+            "devices": [
+                "/dev/dri"
+            ],
+            "enable_nvidia_gpu": true,
            "nextcloud_exec_commands": [
                "php /var/www/html/occ app:install facerecognition",
                "php /var/www/html/occ app:enable facerecognition", 
--- a/community-containers/jellyfin/jellyfin.json
+++ b/community-containers/jellyfin/jellyfin.json
@@ -31,6 +31,7 @@
            "devices": [
                "/dev/dri"
            ],
+            "enable_nvidia_gpu": true,
            "backup_volumes": [
                "nextcloud_aio_jellyfin"
            ]
--- a/community-containers/local-ai/local-ai.json
+++ b/community-containers/local-ai/local-ai.json
@@ -29,6 +29,10 @@
                    "writeable": false
                }
            ],
+            "devices": [
+                "/dev/dri"
+            ],
+            "enable_nvidia_gpu": true,
            "nextcloud_exec_commands": [
                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-local-ai'",
                "touch '/mnt/ncdata/admin/files/nextcloud-aio-local-ai/models.yaml'",
--- a/community-containers/local-ai/readme.md
+++ b/community-containers/local-ai/readme.md
@@ -3,20 +3,12 @@ This container bundles Local AI and auto-configures it for you.

 ### Notes
 - Make sure to have enough storage space available. This container alone needs ~7GB storage. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/go-skynet/model-gallery/blob/main/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
+- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/mudler/LocalAI/blob/master/gallery/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
 - Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
 ```yaml
 # Stable Diffusion in NCNN with c++, supported txt2img and img2img 
- url: github:go-skynet/model-gallery/stablediffusion.yaml
+- url: github:mudler/LocalAI/gallery/stablediffusion.yaml
  name: Stable_diffusion
-
-# Port of OpenAI's Whisper model in C/C++ 
- url: github:go-skynet/model-gallery/whisper-base.yaml
-  name: whisper-1
-
-# A commercially licensable model based on GPT-J and trained by Nomic AI on the v0 GPT4All dataset.
- url: github:go-skynet/model-gallery/gpt4all-j.yaml
-  name: gpt4all-j
 ```
 -  To make it work, you first need to browse `https://your-nc-domain.com/settings/admin/ai` and enable or disable specific features for your models in the openAI settings. Afterwards using the Nextcloud Assistant should work.
 - See [this guide](https://github.com/nextcloud/all-in-one/discussions/5430) for how to improve AI task pickup speed
--- a/community-containers/memories/memories.json
+++ b/community-containers/memories/memories.json
@@ -27,6 +27,7 @@
            "devices": [
                "/dev/dri"
            ],
+            "enable_nvidia_gpu": true,
            "nextcloud_exec_commands": [
                "php /var/www/html/occ app:install memories",
                "php /var/www/html/occ app:enable memories",
--- a/community-containers/memories/readme.md
+++ b/community-containers/memories/readme.md
@@ -2,7 +2,7 @@
 This container bundles the hardware-transcoding container of memories and auto-configures it for you.

 ### Notes
- In order to actually enable the hardware transcoding, you need to add the following flag to AIO apart from adding this container: https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+- In order to actually enable the hardware transcoding, you need to add the following flag to AIO apart from adding this container: https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

 ### Repository
--- a/community-containers/plex/plex.json
+++ b/community-containers/plex/plex.json
@@ -33,6 +33,7 @@
            "devices": [
                "/dev/dri"
            ],
+            "enable_nvidia_gpu": true,
            "backup_volumes": [
                "nextcloud_aio_plex"
            ]
--- a/compose.yaml
+++ b/compose.yaml
@@ -22,14 +22,15 @@ services:
      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
      # NEXTCLOUD_DATADIR: /mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
-      # NEXTCLOUD_UPLOAD_LIMIT: 10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
+      # NEXTCLOUD_UPLOAD_LIMIT: 16G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      # NEXTCLOUD_MEMORY_LIMIT: 512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
+      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nextcloud container (Useful e.g. for LDAPS) See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
+      # ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
      # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-skip-the-domain-validation
      # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -22,6 +22,13 @@ services:
    image: nextcloud/aio-apache:latest
    user: "33"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    ports:
      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/udp
@@ -56,6 +63,13 @@ services:
    image: nextcloud/aio-postgresql:latest
    user: "999"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "5432"
    volumes:
@@ -98,6 +112,13 @@ services:
        required: false
    image: nextcloud/aio-nextcloud:latest
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "9000"
      - "9001"
@@ -107,6 +128,7 @@ services:
      - ${NEXTCLOUD_MOUNT}:${NEXTCLOUD_MOUNT}:rw
      - ${NEXTCLOUD_TRUSTED_CACERTS_DIR}:/usr/local/share/ca-certificates:ro
    environment:
+      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
      - POSTGRES_HOST=nextcloud-aio-database
      - POSTGRES_PORT=5432
      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
@@ -114,6 +136,8 @@ services:
      - POSTGRES_USER=nextcloud
      - REDIS_HOST=nextcloud-aio-redis
      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
+      - APACHE_HOST=nextcloud-aio-apache
+      - APACHE_PORT
      - NC_DOMAIN
      - ADMIN_USER=admin
      - ADMIN_PASSWORD=${NEXTCLOUD_PASSWORD}
@@ -152,7 +176,6 @@ services:
      - TALK_RECORDING_HOST=nextcloud-aio-talk-recording
      - FULLTEXTSEARCH_PASSWORD
      - REMOVE_DISABLED_APPS
-      - APACHE_PORT
      - IMAGINARY_SECRET
      - WHITEBOARD_SECRET
      - WHITEBOARD_ENABLED
@@ -165,6 +188,13 @@ services:
    image: nextcloud/aio-notify-push:latest
    user: "33"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "7867"
    volumes:
@@ -188,6 +218,13 @@ services:
    image: nextcloud/aio-redis:latest
    user: "999"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "6379"
    environment:
@@ -202,13 +239,19 @@ services:

  nextcloud-aio-collabora:
    image: nextcloud/aio-collabora:latest
-    user: "100"
    init: true
+    healthcheck:
+      start_period: 60s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 9
    expose:
      - "9980"
    environment:
      - aliasgroup1=https://${NC_DOMAIN}:443
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true ${COLLABORA_SECCOMP_POLICY} --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true ${COLLABORA_SECCOMP_POLICY} --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow_host[0]=0.0.0.0/0 --o:net.post_allow_host[1]=::/0
      - dictionaries=${COLLABORA_DICTIONARIES}
      - TZ=${TIMEZONE}
      - server_name=${NC_DOMAIN}
@@ -226,6 +269,13 @@ services:
    image: nextcloud/aio-talk:latest
    user: "1000"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    ports:
      - ${TALK_PORT}:${TALK_PORT}/tcp
      - ${TALK_PORT}:${TALK_PORT}/udp
@@ -257,6 +307,13 @@ services:
    image: nextcloud/aio-talk-recording:latest
    user: "122"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "1234"
    environment:
@@ -264,13 +321,14 @@ services:
      - TZ=${TIMEZONE}
      - RECORDING_SECRET
      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
+    volumes:
+      - nextcloud_aio_talk_recording:/tmp:rw
    shm_size: 2147483648
    restart: unless-stopped
    profiles:
      - talk-recording
    read_only: true
    tmpfs:
-      - /tmp
      - /conf
    cap_drop:
      - NET_RAW
@@ -279,6 +337,13 @@ services:
    image: nextcloud/aio-clamav:latest
    user: "100"
    init: false
+    healthcheck:
+      start_period: 60s
+      test: clamdcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 9
    expose:
      - "3310"
    environment:
@@ -301,6 +366,13 @@ services:
  nextcloud-aio-onlyoffice:
    image: nextcloud/aio-onlyoffice:latest
    init: true
+    healthcheck:
+      start_period: 60s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 9
    expose:
      - "80"
    environment:
@@ -320,6 +392,13 @@ services:
    image: nextcloud/aio-imaginary:latest
    user: "65534"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "9000"
    environment:
@@ -339,6 +418,13 @@ services:
  nextcloud-aio-fulltextsearch:
    image: nextcloud/aio-fulltextsearch:latest
    init: false
+    healthcheck:
+      start_period: 60s
+      test: /healthcheck.sh
+      interval: 10s
+      timeout: 5s
+      start_interval: 5s
+      retries: 5
    expose:
      - "9200"
    environment:
@@ -364,6 +450,13 @@ services:
    image: nextcloud/aio-whiteboard:latest
    user: "65534"
    init: true
+    healthcheck:
+      start_period: 0s
+      test: /healthcheck.sh
+      interval: 30s
+      timeout: 30s
+      start_interval: 5s
+      retries: 3
    expose:
      - "3002"
    environment:
@@ -397,6 +490,8 @@ volumes:
    name: nextcloud_aio_onlyoffice
  nextcloud_aio_redis:
    name: nextcloud_aio_redis
+  nextcloud_aio_talk_recording:
+    name: nextcloud_aio_talk_recording
  nextcloud_aio_nextcloud_data:
    name: nextcloud_aio_nextcloud_data

--- a/manual-install/sample.conf
+++ b/manual-install/sample.conf
@@ -22,7 +22,7 @@ TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enabl
 WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
-APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
+APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
 COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
@@ -35,7 +35,7 @@ NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limi
 NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!
 NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
-NEXTCLOUD_UPLOAD_LIMIT=10G          # This allows to change the upload limit of the Nextcloud container
+NEXTCLOUD_UPLOAD_LIMIT=16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
 TALK_PORT=3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@@ -15,6 +15,7 @@ OUTPUT="$(cat /tmp/containers.json)"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].internal_port)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].secrets)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].devices)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].enable_nvidia_gpu)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].image_tag)')"
@@ -78,9 +79,9 @@ sed -i 's|COLLABORA_ENABLED=no|COLLABORA_ENABLED="yes"|' sample.conf
 sed -i 's|COLLABORA_DICTIONARIES=|COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora|' sample.conf
 sed -i 's|NEXTCLOUD_DATADIR=|NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data          # You can change this to e.g. "/mnt/ncdata" to map it to a location on your host. It needs to be adjusted before the first startup and never afterwards!|' sample.conf
 sed -i 's|NEXTCLOUD_MOUNT=|NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!|' sample.conf
-sed -i 's|NEXTCLOUD_UPLOAD_LIMIT=|NEXTCLOUD_UPLOAD_LIMIT=10G          # This allows to change the upload limit of the Nextcloud container|' sample.conf
+sed -i 's|NEXTCLOUD_UPLOAD_LIMIT=|NEXTCLOUD_UPLOAD_LIMIT=16G          # This allows to change the upload limit of the Nextcloud container|' sample.conf
 sed -i 's|NEXTCLOUD_MEMORY_LIMIT=|NEXTCLOUD_MEMORY_LIMIT=512M          # This allows to change the PHP memory limit of the Nextcloud container|' sample.conf
-sed -i 's|APACHE_MAX_SIZE=|APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT|' sample.conf
+sed -i 's|APACHE_MAX_SIZE=|APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT|' sample.conf
 sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container|' sample.conf
 sed -i 's|NEXTCLOUD_TRUSTED_CACERTS_DIR=|NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf
 sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf
--- a/migration.md
+++ b/migration.md
@@ -1,6 +1,6 @@
 # How to migrate from an already existing Nextcloud installation to Nextcloud AIO?

-There are basically three ways how to migrate from an already existing Nextcloud installation to Nextcloud AIO:
+There are basically three ways how to migrate from an already existing Nextcloud installation to Nextcloud AIO (if you ran AIO on the former installation already, you can follow [these steps](https://github.com/nextcloud/all-in-one#how-to-migrate-from-aio-to-aio)):

 1. Migrate only the files which is the easiest way (this excludes all calendar data for example)
 1. Migrate the files and the database which is much more complicated (and doesn't work on former snap installations)
--- a/nextcloud-aio-helm-chart/Chart.yaml
+++ b/nextcloud-aio-helm-chart/Chart.yaml
@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 9.8.0
+version: 10.1.1
 apiVersion: v2
 keywords:
  - latest
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
@@ -2,8 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
@@ -18,24 +17,22 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-apache
    spec:
-      initContainers:
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-nextcloud
-            - /nextcloud-aio-apache
-          volumeMounts:
-            - name: nextcloud-aio-apache
-              mountPath: /nextcloud-aio-apache
-            - name: nextcloud-aio-nextcloud
-              mountPath: /nextcloud-aio-nextcloud
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 33
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 33
+        runAsGroup: 33
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: ADDITIONAL_TRUSTED_DOMAIN
@@ -64,7 +61,21 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: WHITEBOARD_HOST
              value: nextcloud-aio-whiteboard
-          image: "nextcloud/aio-apache:20241106_101604"
+          image: nextcloud/aio-apache:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-apache
          ports:
            - containerPort: {{ .Values.APACHE_PORT }}
@@ -72,12 +83,15 @@ spec:
            - containerPort: {{ .Values.APACHE_PORT }}
              protocol: UDP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 33
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - mountPath: /var/www/html
              name: nextcloud-aio-nextcloud
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
@@ -2,8 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
@@ -19,11 +18,22 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-clamav
    spec:
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 100
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 100
+        runAsGroup: 100
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      initContainers:
        - name: init-subpath
          image: "alpine:3.20"
@@ -31,20 +41,19 @@ spec:
            - mkdir
            - "-p"
            - /nextcloud-aio-clamav/data
-            - /nextcloud-aio-clamav
-          volumeMounts:
-            - name: nextcloud-aio-clamav
-              mountPath: /nextcloud-aio-clamav
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chown
-            - 100:100
-            - "-R"
-            - /nextcloud-aio-clamav
          volumeMounts:
            - name: nextcloud-aio-clamav
              mountPath: /nextcloud-aio-clamav
+          securityContext:
+            # The items below only work in container context
+            allowPrivilegeEscalation: false
+            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
      containers:
        - env:
            - name: CLAMD_STARTUP_TIMEOUT
@@ -53,18 +62,37 @@ spec:
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-clamav:20241106_101604"
+          image: nextcloud/aio-clamav:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - clamdcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - clamdcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-clamav
          ports:
            - containerPort: 3310
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 100
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - mountPath: /var/lib/clamav
              subPath: data
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
@@ -17,8 +16,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-collabora
    spec:
@@ -33,22 +31,33 @@ spec:
            - name: dictionaries
              value: "{{ .Values.COLLABORA_DICTIONARIES }}"
            - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow_host[0]=0.0.0.0/0 --o:net.post_allow_host[1]=::/0
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
-          image: "nextcloud/aio-collabora:20241106_101604"
+          image: nextcloud/aio-collabora:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-collabora
          ports:
            - containerPort: 9980
              protocol: TCP
          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
              add:
                - MKNOD
-                - SYS_ADMIN
-              drop:
-                - NET_RAW
-            runAsUser: 100
+                - CAP_SYS_ADMIN
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
@@ -2,8 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
@@ -18,11 +17,22 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-database
    spec:
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 999
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 999
+        runAsGroup: 999
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      initContainers:
        - name: init-subpath
          image: "alpine:3.20"
@@ -30,26 +40,19 @@ spec:
            - mkdir
            - "-p"
            - /nextcloud-aio-database/data
-            - /nextcloud-aio-database
-            - /nextcloud-aio-database-dump
          volumeMounts:
-            - name: nextcloud-aio-database-dump
-              mountPath: /nextcloud-aio-database-dump
-            - name: nextcloud-aio-database
-              mountPath: /nextcloud-aio-database
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chown
-            - 999:999
-            - "-R"
-            - /nextcloud-aio-database
-            - /nextcloud-aio-database-dump
-          volumeMounts:
-            - name: nextcloud-aio-database-dump
-              mountPath: /nextcloud-aio-database-dump
            - name: nextcloud-aio-database
              mountPath: /nextcloud-aio-database
+          securityContext:
+            # The items below only work in container context
+            allowPrivilegeEscalation: false
+            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
      containers:
        - env:
            - name: PGTZ
@@ -62,18 +65,35 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-postgresql:20241106_101604"
+          image: nextcloud/aio-postgresql:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-database
          ports:
            - containerPort: 5432
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 999
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              subPath: data
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml
@@ -2,8 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-fulltextsearch
  name: nextcloud-aio-fulltextsearch
@@ -19,8 +18,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-fulltextsearch
    spec:
@@ -56,17 +54,27 @@ spec:
              value: basic
            - name: xpack.security.enabled
              value: "false"
-          image: "nextcloud/aio-fulltextsearch:20241106_101604"
+          image: nextcloud/aio-fulltextsearch:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 5
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 5
+            initialDelaySeconds: 60
+            periodSeconds: 10
+            timeoutSeconds: 5
          name: nextcloud-aio-fulltextsearch
          ports:
            - containerPort: 9200
              protocol: TCP
-          securityContext:
-            allowPrivilegeEscalation: false
-            runAsNonRoot: true
-            capabilities:
-              drop:
-                - NET_RAW
          volumeMounts:
            - mountPath: /usr/share/elasticsearch/data
              name: nextcloud-aio-elasticsearch
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-fulltextsearch
  name: nextcloud-aio-fulltextsearch
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-imaginary
  name: nextcloud-aio-imaginary
@@ -17,29 +16,56 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-imaginary
    spec:
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 65534
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: IMAGINARY_SECRET
              value: "{{ .Values.IMAGINARY_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-imaginary:20241106_101604"
+          image: nextcloud/aio-imaginary:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-imaginary
          ports:
            - containerPort: 9000
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
              add:
-                - SYS_NICE
-              drop:
-                - NET_RAW
-            runAsUser: 65534
+                - NET_BIND_SERVICE
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-imaginary
  name: nextcloud-aio-imaginary
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
@@ -2,8 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-nextcloud
  name: nextcloud-aio-nextcloud
@@ -18,23 +17,26 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-nextcloud
    spec:
+      {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 33
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 33
+        runAsGroup: 33
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
+      {{- end }} # AIO-config - do not change this comment!
+# AIO settings start # Do not remove or change this line!
      initContainers:
-        - name: "delete-lost-found"
-          image: "alpine:3.20"
-          command:
-            - rm
-            - "-rf"
-            - "/nextcloud-aio-nextcloud/lost+found"
-          volumeMounts:
-            - name: nextcloud-aio-nextcloud-trusted-cacerts
-              mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
-            - name: nextcloud-aio-nextcloud
-              mountPath: /nextcloud-aio-nextcloud
        - name: init-volumes
          image: "alpine:3.20"
          command:
@@ -47,6 +49,7 @@ spec:
              mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
            - name: nextcloud-aio-nextcloud
              mountPath: /nextcloud-aio-nextcloud
+# AIO settings end # Do not remove or change this line!
      containers:
        - env:
            - name: SMTP_HOST
@@ -117,6 +120,8 @@ spec:
              value: "{{ .Values.NC_DOMAIN }}"
            - name: NEXTCLOUD_DATA_DIR
              value: /mnt/ncdata
+            - name: NEXTCLOUD_HOST
+              value: nextcloud-aio-nextcloud
            - name: ONLYOFFICE_ENABLED
              value: "{{ .Values.ONLYOFFICE_ENABLED }}"
            - name: ONLYOFFICE_HOST
@@ -173,17 +178,39 @@ spec:
              value: "{{ .Values.WHITEBOARD_ENABLED }}"
            - name: WHITEBOARD_SECRET
              value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: "nextcloud/aio-nextcloud:20241106_101604"
+          image: nextcloud/aio-nextcloud:20241216_102930
+          {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
+          securityContext:
+            # The items below only work in container context
+            allowPrivilegeEscalation: false
+            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
+          {{- end }} # AIO-config - do not change this comment!
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-nextcloud
          ports:
            - containerPort: 9000
              protocol: TCP
            - containerPort: 9001
              protocol: TCP
-          securityContext:
-            capabilities:
-              drop:
-                - NET_RAW
          volumeMounts:
            - mountPath: /var/www/html
              name: nextcloud-aio-nextcloud
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-service.yaml
@@ -2,8 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-nextcloud
  name: nextcloud-aio-nextcloud
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
@@ -2,8 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-notify-push
  name: nextcloud-aio-notify-push
@@ -18,21 +17,22 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-notify-push
    spec:
-      initContainers:
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-nextcloud
-          volumeMounts:
-            - name: nextcloud-aio-nextcloud
-              mountPath: /nextcloud-aio-nextcloud
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 33
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 33
+        runAsGroup: 33
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: NC_DOMAIN
@@ -53,18 +53,35 @@ spec:
              value: nextcloud-aio-redis
            - name: REDIS_HOST_PASSWORD
              value: "{{ .Values.REDIS_PASSWORD }}"
-          image: "nextcloud/aio-notify-push:20241106_101604"
+          image: nextcloud/aio-notify-push:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-notify-push
          ports:
            - containerPort: 7867
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 33
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - mountPath: /nextcloud
              name: nextcloud-aio-nextcloud
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-service.yaml
@@ -2,8 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-notify-push
  name: nextcloud-aio-notify-push
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-onlyoffice
  name: nextcloud-aio-onlyoffice
@@ -19,8 +18,7 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-onlyoffice
    spec:
@@ -44,15 +42,27 @@ spec:
              value: "{{ .Values.ONLYOFFICE_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-onlyoffice:20241106_101604"
+          image: nextcloud/aio-onlyoffice:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 9
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-onlyoffice
          ports:
            - containerPort: 80
              protocol: TCP
-          securityContext:
-            capabilities:
-              drop:
-                - NET_RAW
          volumeMounts:
            - mountPath: /var/lib/onlyoffice
              name: nextcloud-aio-onlyoffice
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-onlyoffice
  name: nextcloud-aio-onlyoffice
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
@@ -2,8 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-redis
  name: nextcloud-aio-redis
@@ -18,39 +17,57 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-redis
    spec:
-      initContainers:
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-redis
-          volumeMounts:
-            - name: nextcloud-aio-redis
-              mountPath: /nextcloud-aio-redis
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 999
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 999
+        runAsGroup: 999
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: REDIS_HOST_PASSWORD
              value: "{{ .Values.REDIS_PASSWORD }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-redis:20241106_101604"
+          image: nextcloud/aio-redis:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-redis
          ports:
            - containerPort: 6379
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 999
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - mountPath: /data
              name: nextcloud-aio-redis
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-service.yaml
@@ -2,8 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-redis
  name: nextcloud-aio-redis
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-talk
  name: nextcloud-aio-talk
@@ -17,11 +16,22 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-talk
    spec:
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: TALK_MAX_STREAM_BITRATE
@@ -42,7 +52,21 @@ spec:
              value: "{{ .Values.TURN_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-talk:20241106_101604"
+          image: nextcloud/aio-talk:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-talk
          ports:
            - containerPort: {{ .Values.TALK_PORT }}
@@ -52,10 +76,13 @@ spec:
            - containerPort: 8081
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 1000
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-talk-recording
  name: nextcloud-aio-talk-recording
@@ -14,14 +13,27 @@ spec:
  selector:
    matchLabels:
      io.kompose.service: nextcloud-aio-talk-recording
+  strategy:
+    type: Recreate
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-talk-recording
    spec:
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 122
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 122
+        runAsGroup: 122
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: INTERNAL_SECRET
@@ -32,16 +44,40 @@ spec:
              value: "{{ .Values.RECORDING_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-talk-recording:20241106_101604"
+          image: nextcloud/aio-talk-recording:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-talk-recording
          ports:
            - containerPort: 1234
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 122
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-recording
+      volumes:
+        - name: nextcloud-aio-talk-recording
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-talk-recording
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-persistentvolumeclaim.yaml
@@ -0,0 +1,18 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    io.kompose.service: nextcloud-aio-talk-recording
+  name: nextcloud-aio-talk-recording
+  namespace: "{{ .Values.NAMESPACE }}"
+spec:
+  {{- if .Values.STORAGE_CLASS }}
+  storageClassName: {{ .Values.STORAGE_CLASS }}
+  {{- end }}
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.TALK_RECORDING_STORAGE_SIZE }}
+{{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-talk-recording
  name: nextcloud-aio-talk-recording
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-service.yaml
@@ -4,8 +4,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-talk
  name: nextcloud-aio-talk-public
@@ -29,8 +28,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-talk
  name: nextcloud-aio-talk
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml
@@ -3,8 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-whiteboard
  name: nextcloud-aio-whiteboard
@@ -17,11 +16,22 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-        kompose.version: 1.34.0 (cbf2835db)
+        kompose.version: 1.35.0 (9532ceef3)
      labels:
        io.kompose.service: nextcloud-aio-whiteboard
    spec:
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: 65534
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
      containers:
        - env:
            - name: JWT_SECRET_KEY
@@ -36,16 +46,33 @@ spec:
              value: redis
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: "nextcloud/aio-whiteboard:20241106_101604"
+          image: nextcloud/aio-whiteboard:20241216_102930
+          readinessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
+          livenessProbe:
+            exec:
+              command:
+                - /healthcheck.sh
+            failureThreshold: 3
+            periodSeconds: 30
+            timeoutSeconds: 30
          name: nextcloud-aio-whiteboard
          ports:
            - containerPort: 3002
              protocol: TCP
          securityContext:
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
            capabilities:
-              drop:
-                - NET_RAW
-            runAsUser: 65534
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-service.yaml
@@ -3,8 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
-    kompose.version: 1.34.0 (cbf2835db)
+    kompose.version: 1.35.0 (9532ceef3)
  labels:
    io.kompose.service: nextcloud-aio-whiteboard
  name: nextcloud-aio-whiteboard
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
@@ -25,6 +25,8 @@ set -ex
 cd manual-install
 cp latest.yml latest.yml.backup

+# Additional config
+# shellcheck disable=SC1083
 sed -i -E '/^( *- )(NET_RAW|SYS_NICE|MKNOD|SYS_ADMIN)$/!s/( *- )([A-Z_]+)$/\1\2=${\2}/' latest.yml
 cp sample.conf /tmp/
 sed -i 's|^|export |' /tmp/sample.conf
@@ -50,6 +52,13 @@ yq -i 'del(.services.[].profiles)' latest.yml
 # Delete read_only and tmpfs setting while https://github.com/kubernetes/kubernetes/issues/48912 is not fixed
 yq -i 'del(.services.[].read_only)' latest.yml
 yq -i 'del(.services.[].tmpfs)' latest.yml
+# Remove cap_drop in order to add it later again easier
+yq -i 'del(.services.[].cap_drop)' latest.yml
+# Remove SYS_NICE for imaginary as it is not supported with RPSS
+sed -i "s|- SYS_NICE$|- NET_BIND_SERVICE|" latest.yml
+# cap SYS_ADMIN is called CAP_SYS_ADMIN in k8s
+sed -i "s|- SYS_ADMIN$|- CAP_SYS_ADMIN|" latest.yml
+
 cat latest.yml
 kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace
 cd latest
@@ -76,14 +85,10 @@ cat << EOL > /tmp/initcontainers.database
            - mkdir
            - "-p"
            - /nextcloud-aio-database/data
-          volumeMountsInitContainer:
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chown
-            - 999:999
-            - "-R"
-          volumeMountsInitContainer:
+          volumeMounts:
+            - name: nextcloud-aio-database
+              mountPath: /nextcloud-aio-database
+          securityContext:
 EOL
 cat << EOL > /tmp/initcontainers.clamav
      initContainers:
@@ -93,35 +98,33 @@ cat << EOL > /tmp/initcontainers.clamav
            - mkdir
            - "-p"
            - /nextcloud-aio-clamav/data
-          volumeMountsInitContainer:
-        - name: init-volumes
-          image: "alpine:3.20"
-          command:
-            - chown
-            - 100:100
-            - "-R"
-          volumeMountsInitContainer:
+          volumeMounts:
+            - name: nextcloud-aio-clamav
+              mountPath: /nextcloud-aio-clamav
+          securityContext:
 EOL
 cat << EOL > /tmp/initcontainers.nextcloud
+# AIO settings start # Do not remove or change this line!
      initContainers:
-        - name: "delete-lost-found"
-          image: "alpine:3.20"
-          command:
-            - rm
-            - "-rf"
-            - "/nextcloud-aio-nextcloud/lost+found"
-          volumeMountsInitRmLostFound:
        - name: init-volumes
          image: "alpine:3.20"
          command:
            - chmod
            - "777"
          volumeMountsInitContainer:
+# AIO settings end # Do not remove or change this line!
 EOL
+
 # shellcheck disable=SC1083
 DEPLOYMENTS="$(find ./ -name '*deployment.yaml')"
 mapfile -t DEPLOYMENTS <<< "$DEPLOYMENTS"
 for variable in "${DEPLOYMENTS[@]}"; do
+    if grep -q livenessProbe "$variable"; then
+        sed -n "/.*livenessProbe/,/timeoutSeconds.*/p" "$variable" > /tmp/liveness.probe
+        cat /tmp/liveness.probe
+        sed -i "s|livenessProbe|readinessProbe|" /tmp/liveness.probe
+        sed -i "/^          image:/r /tmp/liveness.probe" "$variable"
+    fi
    if grep -q volumeMounts "$variable"; then
        if echo "$variable" | grep -q database; then
            sed -i "/^    spec:/r /tmp/initcontainers.database" "$variable"
@@ -129,7 +132,7 @@ for variable in "${DEPLOYMENTS[@]}"; do
            sed -i "/^    spec:/r /tmp/initcontainers.clamav" "$variable"
        elif echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
            sed -i "/^    spec:/r /tmp/initcontainers.nextcloud" "$variable"
-        else
+        elif echo "$variable" | grep -q "fulltextsearch" || echo "$variable" | grep -q "onlyoffice" || echo "$variable" | grep -q "collabora"; then
            sed -i "/^    spec:/r /tmp/initcontainers" "$variable"
        fi
        volumeNames="$(grep -A1 mountPath "$variable" | grep -v mountPath | sed 's|.*name: ||' | sed '/^--$/d')"
@@ -139,7 +142,6 @@ for variable in "${DEPLOYMENTS[@]}"; do
            if [ "$volumeName" != "nextcloud-aio-nextcloud-data" ]; then
                sed -i "/^.*volumeMountsInitContainer:/i\ \ \ \ \ \ \ \ \ \ \ \ - /$volumeName" "$variable"
                sed -i "/volumeMountsInitContainer:/a\ \ \ \ \ \ \ \ \ \ \ \ - name: $volumeName\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ mountPath: /$volumeName" "$variable"
-                sed -i "/volumeMountsInitRmLostFound:/a\ \ \ \ \ \ \ \ \ \ \ \ - name: $volumeName\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ mountPath: /$volumeName" "$variable"
                # Workaround for the database volume
                if [ "$volumeName" = nextcloud-aio-database ]; then
                    sed -i "/mountPath: \/var\/lib\/postgresql\/data/a\ \ \ \ \ \ \ \ \ \ \ \ \ \ subPath: data" "$variable"
@@ -150,7 +152,6 @@ for variable in "${DEPLOYMENTS[@]}"; do
            fi
        done
        sed -i "s|volumeMountsInitContainer:|volumeMounts:|" "$variable"
-        sed -i "s|volumeMountsInitRmLostFound:|volumeMounts:|" "$variable"
        if grep -q claimName "$variable"; then
            claimNames="$(grep claimName "$variable")"
            mapfile -t claimNames <<< "$claimNames"
@@ -161,6 +162,39 @@ for variable in "${DEPLOYMENTS[@]}"; do
            done
        fi
    fi
+    if grep -q runAsUser "$variable" || echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
+        if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
+            USER=33
+            GROUP=33
+            echo '      {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!' > /tmp/pod.securityContext
+        else
+            USER="$(grep runAsUser "$variable" | grep -oP '[0-9]+')"
+            GROUP="$USER"
+            rm -f /tmp/pod.securityContext
+        fi
+        sed -i "/runAsUser:/d" "$variable"
+        sed -i "/capabilities:/d" "$variable"
+        if [ -n "$USER" ]; then
+            cat << EOL >> /tmp/pod.securityContext
+      securityContext:
+        # The items below only work in pod context
+        fsGroup: $USER
+        fsGroupChangePolicy: "OnRootMismatch"
+        # The items below work in both contexts
+        runAsUser: $USER
+        runAsGroup: $GROUP
+        runAsNonRoot: true
+        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+        seccompProfile:
+          type: RuntimeDefault
+        {{- end }}
+EOL
+            if echo "$variable" | grep -q "nextcloud-deployment.yaml"; then
+                echo "      {{- end }} # AIO-config - do not change this comment!" >> /tmp/pod.securityContext
+            fi
+            sed -i "/^    spec:$/r /tmp/pod.securityContext" "$variable"
+        fi
+    fi
 done
 # shellcheck disable=SC1083
 find ./ -name '*.yaml' -exec sed -i 's|nextcloud-aio-namespace|"\{\{ .Values.NAMESPACE \}\}"|' \{} \; 
@@ -171,6 +205,8 @@ find ./ -name '*deployment.yaml' -exec sed -i "s|manual-install-nextcloud-aio|ne
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "/medium: Memory/d" \{} \;
 # shellcheck disable=SC1083
+find ./ -name '*.yaml' -exec sed -i "/kompose.cmd/d" \{} \;
+# shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "s|emptyDir:|emptyDir: \{\}|" \{} \; 
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "/hostPort:/d" \{} \; 
@@ -352,7 +388,7 @@ sed -i '/^NEXTCLOUD_MOUNT/d' /tmp/sample.conf
 sed -i '/_ENABLED.*/s/ yes / "yes" /' /tmp/sample.conf
 sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
-sed -i 's|10737418240|"10737418240"|' /tmp/sample.conf
+sed -i 's|17179869184|"17179869184"|' /tmp/sample.conf
 # shellcheck disable=SC2129
 echo "" >> /tmp/sample.conf
 # shellcheck disable=SC2129
@@ -416,12 +452,49 @@ find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec se
 # shellcheck disable=SC1083
 find ./ -name "*nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml" -exec sed -i "$ a {{- end }}" \{} \; 

-cat << EOL >> /tmp/security.conf
+cat << EOL > /tmp/security.conf
+            # The items below only work in container context
            allowPrivilegeEscalation: false
-            runAsNonRoot: true
+            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
 EOL
 # shellcheck disable=SC1083
-find ./ \( -not -name '*nextcloud-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^.*securityContext:$/r /tmp/security.conf" \{} \; 
+find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*imaginary-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
+
+cat << EOL > /tmp/security.conf
+            # The items below only work in container context
+            allowPrivilegeEscalation: false
+            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+EOL
+# shellcheck disable=SC1083
+find ./ -name '*imaginary-deployment.yaml*' -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
+
+cat << EOL > /tmp/security.conf
+          {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
+          securityContext:
+            # The items below only work in container context
+            allowPrivilegeEscalation: false
+            capabilities:
+              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
+              drop: ["ALL"]
+              {{- else }}
+              drop: ["NET_RAW"]
+              {{- end }}
+              add: ["NET_BIND_SERVICE"]
+          {{- end }} # AIO-config - do not change this comment!
+EOL
+# shellcheck disable=SC1083
+find ./ -name '*nextcloud-deployment.yaml*' -exec sed -i "/nextcloud\/aio-nextcloud:.*/r /tmp/security.conf" \{} \; 

 chmod 777 -R ./

--- a/nextcloud-aio-helm-chart/values.yaml
+++ b/nextcloud-aio-helm-chart/values.yaml
@@ -21,7 +21,7 @@ TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the op
 TALK_RECORDING_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 WHITEBOARD_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

-APACHE_MAX_SIZE: "10737418240"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
+APACHE_MAX_SIZE: "17179869184"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
 COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
 COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
@@ -32,7 +32,7 @@ NEXTCLOUD_MAX_TIME: 3600          # This allows to change the upload time limit
 NEXTCLOUD_MEMORY_LIMIT: 512M          # This allows to change the PHP memory limit of the Nextcloud container
 NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container
-NEXTCLOUD_UPLOAD_LIMIT: 10G          # This allows to change the upload limit of the Nextcloud container
+NEXTCLOUD_UPLOAD_LIMIT: 16G          # This allows to change the upload limit of the Nextcloud container
 REMOVE_DISABLED_APPS: yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
 TALK_PORT: 3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
@@ -48,6 +48,7 @@ NEXTCLOUD_DATA_STORAGE_SIZE: 5Gi       # You can change the size of the nextclou
 NEXTCLOUD_TRUSTED_CACERTS_STORAGE_SIZE: 1Gi       # You can change the size of the nextcloud-trusted-cacerts volume that default to 1Gi with this value
 ONLYOFFICE_STORAGE_SIZE: 1Gi       # You can change the size of the onlyoffice volume that default to 1Gi with this value
 REDIS_STORAGE_SIZE: 1Gi       # You can change the size of the redis volume that default to 1Gi with this value
+TALK_RECORDING_STORAGE_SIZE: 1Gi       # You can change the size of the talk-recording volume that default to 1Gi with this value

 NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster
 NAMESPACE_DISABLED: "no"        # By setting this to "yes", you can disabled the creation of the namespace so that you can use a pre-created one
--- a/php/composer.lock
+++ b/php/composer.lock
@@ -391,16 +391,16 @@
        },
        {
            "name": "laravel/serializable-closure",
-            "version": "v1.3.5",
+            "version": "v1.3.7",
            "source": {
                "type": "git",
                "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "1dc4a3dbfa2b7628a3114e43e32120cce7cdda9c"
+                "reference": "4f48ade902b94323ca3be7646db16209ec76be3d"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/1dc4a3dbfa2b7628a3114e43e32120cce7cdda9c",
-                "reference": "1dc4a3dbfa2b7628a3114e43e32120cce7cdda9c",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/4f48ade902b94323ca3be7646db16209ec76be3d",
+                "reference": "4f48ade902b94323ca3be7646db16209ec76be3d",
                "shasum": ""
            },
            "require": {
@@ -448,7 +448,7 @@
                "issues": "https://github.com/laravel/serializable-closure/issues",
                "source": "https://github.com/laravel/serializable-closure"
            },
-            "time": "2024-09-23T13:33:08+00:00"
+            "time": "2024-11-14T18:34:49+00:00"
        },
        {
            "name": "nikic/fast-route",
@@ -630,16 +630,16 @@
        },
        {
            "name": "php-di/slim-bridge",
-            "version": "3.4.0",
+            "version": "3.4.1",
            "source": {
                "type": "git",
                "url": "https://github.com/PHP-DI/Slim-Bridge.git",
-                "reference": "d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875"
+                "reference": "02ab0274a19d104d74561164f8915b62d93f3cf0"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/Slim-Bridge/zipball/d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875",
-                "reference": "d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875",
+                "url": "https://api.github.com/repos/PHP-DI/Slim-Bridge/zipball/02ab0274a19d104d74561164f8915b62d93f3cf0",
+                "reference": "02ab0274a19d104d74561164f8915b62d93f3cf0",
                "shasum": ""
            },
            "require": {
@@ -650,6 +650,7 @@
            },
            "require-dev": {
                "laminas/laminas-diactoros": "^2.1",
+                "mnapoli/hard-mode": "^0.3.0",
                "phpunit/phpunit": ">= 7.0 < 10"
            },
            "type": "library",
@@ -665,9 +666,9 @@
            "description": "PHP-DI integration in Slim",
            "support": {
                "issues": "https://github.com/PHP-DI/Slim-Bridge/issues",
-                "source": "https://github.com/PHP-DI/Slim-Bridge/tree/3.4.0"
+                "source": "https://github.com/PHP-DI/Slim-Bridge/tree/3.4.1"
            },
-            "time": "2023-06-29T14:08:47+00:00"
+            "time": "2024-06-19T15:47:45+00:00"
        },
        {
            "name": "psr/container",
@@ -1330,16 +1331,16 @@
        },
        {
            "name": "symfony/deprecation-contracts",
-            "version": "v3.5.0",
+            "version": "v3.5.1",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/deprecation-contracts.git",
-                "reference": "0e0d29ce1f20deffb4ab1b016a7257c4f1e789a1"
+                "reference": "74c71c939a79f7d5bf3c1ce9f5ea37ba0114c6f6"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/0e0d29ce1f20deffb4ab1b016a7257c4f1e789a1",
-                "reference": "0e0d29ce1f20deffb4ab1b016a7257c4f1e789a1",
+                "url": "https://api.github.com/repos/symfony/deprecation-contracts/zipball/74c71c939a79f7d5bf3c1ce9f5ea37ba0114c6f6",
+                "reference": "74c71c939a79f7d5bf3c1ce9f5ea37ba0114c6f6",
                "shasum": ""
            },
            "require": {
@@ -1377,7 +1378,7 @@
            "description": "A generic function and convention to trigger deprecation notices",
            "homepage": "https://symfony.com",
            "support": {
-                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.5.0"
+                "source": "https://github.com/symfony/deprecation-contracts/tree/v3.5.1"
            },
            "funding": [
                {
@@ -1393,7 +1394,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-04-18T09:32:20+00:00"
+            "time": "2024-09-25T14:20:29+00:00"
        },
        {
            "name": "symfony/polyfill-ctype",
@@ -1421,8 +1422,8 @@
            "type": "library",
            "extra": {
                "thanks": {
-                    "name": "symfony/polyfill",
-                    "url": "https://github.com/symfony/polyfill"
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
                }
            },
            "autoload": {
@@ -1500,8 +1501,8 @@
            "type": "library",
            "extra": {
                "thanks": {
-                    "name": "symfony/polyfill",
-                    "url": "https://github.com/symfony/polyfill"
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
                }
            },
            "autoload": {
@@ -1574,8 +1575,8 @@
            "type": "library",
            "extra": {
                "thanks": {
-                    "name": "symfony/polyfill",
-                    "url": "https://github.com/symfony/polyfill"
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
                }
            },
            "autoload": {
@@ -1632,16 +1633,16 @@
        },
        {
            "name": "twig/twig",
-            "version": "v3.14.2",
+            "version": "v3.17.1",
            "source": {
                "type": "git",
                "url": "https://github.com/twigphp/Twig.git",
-                "reference": "0b6f9d8370bb3b7f1ce5313ed8feb0fafd6e399a"
+                "reference": "677ef8da6497a03048192aeeb5aa3018e379ac71"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/0b6f9d8370bb3b7f1ce5313ed8feb0fafd6e399a",
-                "reference": "0b6f9d8370bb3b7f1ce5313ed8feb0fafd6e399a",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/677ef8da6497a03048192aeeb5aa3018e379ac71",
+                "reference": "677ef8da6497a03048192aeeb5aa3018e379ac71",
                "shasum": ""
            },
            "require": {
@@ -1652,6 +1653,7 @@
                "symfony/polyfill-php81": "^1.29"
            },
            "require-dev": {
+                "phpstan/phpstan": "^2.0",
                "psr/container": "^1.0|^2.0",
                "symfony/phpunit-bridge": "^5.4.9|^6.4|^7.0"
            },
@@ -1695,7 +1697,7 @@
            ],
            "support": {
                "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.14.2"
+                "source": "https://github.com/twigphp/Twig/tree/v3.17.1"
            },
            "funding": [
                {
@@ -1707,7 +1709,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-11-07T12:36:22+00:00"
+            "time": "2024-12-12T09:58:10+00:00"
        }
    ],
    "packages-dev": [
@@ -1946,16 +1948,16 @@
        },
        {
            "name": "composer/pcre",
-            "version": "3.3.1",
+            "version": "3.3.2",
            "source": {
                "type": "git",
                "url": "https://github.com/composer/pcre.git",
-                "reference": "63aaeac21d7e775ff9bc9d45021e1745c97521c4"
+                "reference": "b2bed4734f0cc156ee1fe9c0da2550420d99a21e"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/composer/pcre/zipball/63aaeac21d7e775ff9bc9d45021e1745c97521c4",
-                "reference": "63aaeac21d7e775ff9bc9d45021e1745c97521c4",
+                "url": "https://api.github.com/repos/composer/pcre/zipball/b2bed4734f0cc156ee1fe9c0da2550420d99a21e",
+                "reference": "b2bed4734f0cc156ee1fe9c0da2550420d99a21e",
                "shasum": ""
            },
            "require": {
@@ -1965,8 +1967,8 @@
                "phpstan/phpstan": "<1.11.10"
            },
            "require-dev": {
-                "phpstan/phpstan": "^1.11.10",
-                "phpstan/phpstan-strict-rules": "^1.1",
+                "phpstan/phpstan": "^1.12 || ^2",
+                "phpstan/phpstan-strict-rules": "^1 || ^2",
                "phpunit/phpunit": "^8 || ^9"
            },
            "type": "library",
@@ -2005,7 +2007,7 @@
            ],
            "support": {
                "issues": "https://github.com/composer/pcre/issues",
-                "source": "https://github.com/composer/pcre/tree/3.3.1"
+                "source": "https://github.com/composer/pcre/tree/3.3.2"
            },
            "funding": [
                {
@@ -2021,7 +2023,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-08-27T18:44:43+00:00"
+            "time": "2024-11-12T16:29:46+00:00"
        },
        {
            "name": "composer/semver",
@@ -2209,29 +2211,27 @@
        },
        {
            "name": "doctrine/deprecations",
-            "version": "1.1.3",
+            "version": "1.1.4",
            "source": {
                "type": "git",
                "url": "https://github.com/doctrine/deprecations.git",
-                "reference": "dfbaa3c2d2e9a9df1118213f3b8b0c597bb99fab"
+                "reference": "31610dbb31faa98e6b5447b62340826f54fbc4e9"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/doctrine/deprecations/zipball/dfbaa3c2d2e9a9df1118213f3b8b0c597bb99fab",
-                "reference": "dfbaa3c2d2e9a9df1118213f3b8b0c597bb99fab",
+                "url": "https://api.github.com/repos/doctrine/deprecations/zipball/31610dbb31faa98e6b5447b62340826f54fbc4e9",
+                "reference": "31610dbb31faa98e6b5447b62340826f54fbc4e9",
                "shasum": ""
            },
            "require": {
                "php": "^7.1 || ^8.0"
            },
            "require-dev": {
-                "doctrine/coding-standard": "^9",
-                "phpstan/phpstan": "1.4.10 || 1.10.15",
-                "phpstan/phpstan-phpunit": "^1.0",
+                "doctrine/coding-standard": "^9 || ^12",
+                "phpstan/phpstan": "1.4.10 || 2.0.3",
+                "phpstan/phpstan-phpunit": "^1.0 || ^2",
                "phpunit/phpunit": "^7.5 || ^8.5 || ^9.5",
-                "psalm/plugin-phpunit": "0.18.4",
-                "psr/log": "^1 || ^2 || ^3",
-                "vimeo/psalm": "4.30.0 || 5.12.0"
+                "psr/log": "^1 || ^2 || ^3"
            },
            "suggest": {
                "psr/log": "Allows logging deprecations via PSR-3 logger implementation"
@@ -2239,7 +2239,7 @@
            "type": "library",
            "autoload": {
                "psr-4": {
-                    "Doctrine\\Deprecations\\": "lib/Doctrine/Deprecations"
+                    "Doctrine\\Deprecations\\": "src"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
@@ -2250,9 +2250,9 @@
            "homepage": "https://www.doctrine-project.org/",
            "support": {
                "issues": "https://github.com/doctrine/deprecations/issues",
-                "source": "https://github.com/doctrine/deprecations/tree/1.1.3"
+                "source": "https://github.com/doctrine/deprecations/tree/1.1.4"
            },
-            "time": "2024-01-30T19:34:25+00:00"
+            "time": "2024-12-07T21:18:45+00:00"
        },
        {
            "name": "felixfbecker/advanced-json-rpc",
@@ -2578,16 +2578,16 @@
        },
        {
            "name": "phpdocumentor/reflection-docblock",
-            "version": "5.6.0",
+            "version": "5.6.1",
            "source": {
                "type": "git",
                "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git",
-                "reference": "f3558a4c23426d12bffeaab463f8a8d8b681193c"
+                "reference": "e5e784149a09bd69d9a5e3b01c5cbd2e2bd653d8"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/f3558a4c23426d12bffeaab463f8a8d8b681193c",
-                "reference": "f3558a4c23426d12bffeaab463f8a8d8b681193c",
+                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/e5e784149a09bd69d9a5e3b01c5cbd2e2bd653d8",
+                "reference": "e5e784149a09bd69d9a5e3b01c5cbd2e2bd653d8",
                "shasum": ""
            },
            "require": {
@@ -2636,9 +2636,9 @@
            "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.",
            "support": {
                "issues": "https://github.com/phpDocumentor/ReflectionDocBlock/issues",
-                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/5.6.0"
+                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/5.6.1"
            },
-            "time": "2024-11-12T11:25:25+00:00"
+            "time": "2024-12-07T09:39:29+00:00"
        },
        {
            "name": "phpdocumentor/type-resolver",
@@ -2814,16 +2814,16 @@
        },
        {
            "name": "spatie/array-to-xml",
-            "version": "3.3.0",
+            "version": "3.4.0",
            "source": {
                "type": "git",
                "url": "https://github.com/spatie/array-to-xml.git",
-                "reference": "f56b220fe2db1ade4c88098d83413ebdfc3bf876"
+                "reference": "7dcfc67d60b0272926dabad1ec01f6b8a5fb5e67"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/spatie/array-to-xml/zipball/f56b220fe2db1ade4c88098d83413ebdfc3bf876",
-                "reference": "f56b220fe2db1ade4c88098d83413ebdfc3bf876",
+                "url": "https://api.github.com/repos/spatie/array-to-xml/zipball/7dcfc67d60b0272926dabad1ec01f6b8a5fb5e67",
+                "reference": "7dcfc67d60b0272926dabad1ec01f6b8a5fb5e67",
                "shasum": ""
            },
            "require": {
@@ -2866,7 +2866,7 @@
                "xml"
            ],
            "support": {
-                "source": "https://github.com/spatie/array-to-xml/tree/3.3.0"
+                "source": "https://github.com/spatie/array-to-xml/tree/3.4.0"
            },
            "funding": [
                {
@@ -2878,7 +2878,7 @@
                    "type": "github"
                }
            ],
-            "time": "2024-05-01T10:20:27+00:00"
+            "time": "2024-12-16T12:45:15+00:00"
        },
        {
            "name": "sserbin/twig-linter",
@@ -2940,16 +2940,16 @@
        },
        {
            "name": "symfony/console",
-            "version": "v6.4.14",
+            "version": "v6.4.15",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/console.git",
-                "reference": "897c2441ed4eec8a8a2c37b943427d24dba3f26b"
+                "reference": "f1fc6f47283e27336e7cebb9e8946c8de7bff9bd"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/897c2441ed4eec8a8a2c37b943427d24dba3f26b",
-                "reference": "897c2441ed4eec8a8a2c37b943427d24dba3f26b",
+                "url": "https://api.github.com/repos/symfony/console/zipball/f1fc6f47283e27336e7cebb9e8946c8de7bff9bd",
+                "reference": "f1fc6f47283e27336e7cebb9e8946c8de7bff9bd",
                "shasum": ""
            },
            "require": {
@@ -3014,7 +3014,7 @@
                "terminal"
            ],
            "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.14"
+                "source": "https://github.com/symfony/console/tree/v6.4.15"
            },
            "funding": [
                {
@@ -3030,20 +3030,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-11-05T15:34:40+00:00"
+            "time": "2024-11-06T14:19:14+00:00"
        },
        {
            "name": "symfony/filesystem",
-            "version": "v7.1.6",
+            "version": "v7.2.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/filesystem.git",
-                "reference": "c835867b3c62bb05c7fe3d637c871c7ae52024d4"
+                "reference": "b8dce482de9d7c9fe2891155035a7248ab5c7fdb"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/c835867b3c62bb05c7fe3d637c871c7ae52024d4",
-                "reference": "c835867b3c62bb05c7fe3d637c871c7ae52024d4",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/b8dce482de9d7c9fe2891155035a7248ab5c7fdb",
+                "reference": "b8dce482de9d7c9fe2891155035a7248ab5c7fdb",
                "shasum": ""
            },
            "require": {
@@ -3080,7 +3080,7 @@
            "description": "Provides basic utilities for the filesystem",
            "homepage": "https://symfony.com",
            "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v7.1.6"
+                "source": "https://github.com/symfony/filesystem/tree/v7.2.0"
            },
            "funding": [
                {
@@ -3096,7 +3096,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-10-25T15:11:02+00:00"
+            "time": "2024-10-25T15:15:23+00:00"
        },
        {
            "name": "symfony/finder",
@@ -3185,8 +3185,8 @@
            "type": "library",
            "extra": {
                "thanks": {
-                    "name": "symfony/polyfill",
-                    "url": "https://github.com/symfony/polyfill"
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
                }
            },
            "autoload": {
@@ -3263,8 +3263,8 @@
            "type": "library",
            "extra": {
                "thanks": {
-                    "name": "symfony/polyfill",
-                    "url": "https://github.com/symfony/polyfill"
+                    "url": "https://github.com/symfony/polyfill",
+                    "name": "symfony/polyfill"
                }
            },
            "autoload": {
@@ -3323,16 +3323,16 @@
        },
        {
            "name": "symfony/service-contracts",
-            "version": "v3.5.0",
+            "version": "v3.5.1",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/service-contracts.git",
-                "reference": "bd1d9e59a81d8fa4acdcea3f617c581f7475a80f"
+                "reference": "e53260aabf78fb3d63f8d79d69ece59f80d5eda0"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/service-contracts/zipball/bd1d9e59a81d8fa4acdcea3f617c581f7475a80f",
-                "reference": "bd1d9e59a81d8fa4acdcea3f617c581f7475a80f",
+                "url": "https://api.github.com/repos/symfony/service-contracts/zipball/e53260aabf78fb3d63f8d79d69ece59f80d5eda0",
+                "reference": "e53260aabf78fb3d63f8d79d69ece59f80d5eda0",
                "shasum": ""
            },
            "require": {
@@ -3386,7 +3386,7 @@
                "standards"
            ],
            "support": {
-                "source": "https://github.com/symfony/service-contracts/tree/v3.5.0"
+                "source": "https://github.com/symfony/service-contracts/tree/v3.5.1"
            },
            "funding": [
                {
@@ -3402,20 +3402,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-04-18T09:32:20+00:00"
+            "time": "2024-09-25T14:20:29+00:00"
        },
        {
            "name": "symfony/string",
-            "version": "v7.1.6",
+            "version": "v7.2.0",
            "source": {
                "type": "git",
                "url": "https://github.com/symfony/string.git",
-                "reference": "61b72d66bf96c360a727ae6232df5ac83c71f626"
+                "reference": "446e0d146f991dde3e73f45f2c97a9faad773c82"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/61b72d66bf96c360a727ae6232df5ac83c71f626",
-                "reference": "61b72d66bf96c360a727ae6232df5ac83c71f626",
+                "url": "https://api.github.com/repos/symfony/string/zipball/446e0d146f991dde3e73f45f2c97a9faad773c82",
+                "reference": "446e0d146f991dde3e73f45f2c97a9faad773c82",
                "shasum": ""
            },
            "require": {
@@ -3473,7 +3473,7 @@
                "utf8"
            ],
            "support": {
-                "source": "https://github.com/symfony/string/tree/v7.1.6"
+                "source": "https://github.com/symfony/string/tree/v7.2.0"
            },
            "funding": [
                {
@@ -3489,7 +3489,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2024-09-25T14:20:29+00:00"
+            "time": "2024-11-13T13:31:26+00:00"
        },
        {
            "name": "vimeo/psalm",
@@ -3566,11 +3566,11 @@
            "type": "project",
            "extra": {
                "branch-alias": {
-                    "dev-master": "5.x-dev",
-                    "dev-4.x": "4.x-dev",
-                    "dev-3.x": "3.x-dev",
+                    "dev-1.x": "1.x-dev",
                    "dev-2.x": "2.x-dev",
-                    "dev-1.x": "1.x-dev"
+                    "dev-3.x": "3.x-dev",
+                    "dev-4.x": "4.x-dev",
+                    "dev-master": "5.x-dev"
                }
            },
            "autoload": {
@@ -3635,18 +3635,18 @@
            "type": "package",
            "extra": {
                "phar-builder": {
-                    "compression": "BZip2",
                    "name": "phpdd-dev.phar",
-                    "output-dir": "./",
-                    "entry-point": "bin/phpdd",
+                    "events": {
+                        "command.package.end": "cp phpdd-dev.phar phpdd-`cat bin/version.txt`.phar && chmod +x phpdd-`cat bin/version.txt`.phar && rm bin/version.txt",
+                        "command.package.start": "git describe --tags > bin/version.txt"
+                    },
                    "include": [
                        "bin",
                        "data"
                    ],
-                    "events": {
-                        "command.package.start": "git describe --tags > bin/version.txt",
-                        "command.package.end": "cp phpdd-dev.phar phpdd-`cat bin/version.txt`.phar && chmod +x phpdd-`cat bin/version.txt`.phar && rm bin/version.txt"
-                    }
+                    "output-dir": "./",
+                    "compression": "BZip2",
+                    "entry-point": "bin/phpdd"
                }
            },
            "autoload": {
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@@ -94,6 +94,36 @@
 							}
 						}
 					},
+					"healthcheck": {
+						"type": "object",
+						"additionalProperties": false,
+						"minProperties": 6,
+						"properties": {
+							"interval": {
+								"type": "string",
+								"pattern": "^[0-9]+s$"
+							},
+							"timeout": {
+								"type": "string",
+								"pattern": "^[0-9]+s$"
+							},
+							"retries": {
+								"type": "integer"
+							},
+							"start_period": {
+								"type": "string",
+								"pattern": "^[0-9]+s$"
+							},
+							"start_interval": {
+								"type": "string",
+								"pattern": "^[0-9]+s$"
+							},
+							"test": {
+								"type": "string",
+								"pattern": "^.*$"
+							}
+						}
+					},
 					"aio_variables": {
 						"type": "array",
 						"items": {
@@ -130,6 +160,9 @@
 							"pattern": "^/dev/[a-z]+$"
 						}
 					},
+					"enable_nvidia_gpu": {
+						"type": "boolean"
+					},
 					"apparmor_unconfined": {
 						"type": "boolean"
 					},
--- a/php/containers.json
+++ b/php/containers.json
@@ -15,6 +15,14 @@
      "image": "nextcloud/aio-apache",
      "user": "33",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "ports": [
        {
          "ip_binding": "%APACHE_IP_BINDING%",
@@ -81,6 +89,14 @@
      "image": "nextcloud/aio-postgresql",
      "user": "999",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "5432"
      ],
@@ -140,6 +156,14 @@
      "display_name": "Nextcloud",
      "image": "nextcloud/aio-nextcloud",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "9000",
        "9001"
@@ -178,6 +202,7 @@
        }
      ],
      "environment": [
+        "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
        "POSTGRES_HOST=nextcloud-aio-database",
        "POSTGRES_PORT=5432",
        "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
@@ -185,6 +210,8 @@
        "POSTGRES_USER=nextcloud",
        "REDIS_HOST=nextcloud-aio-redis",
        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
+        "APACHE_HOST=nextcloud-aio-apache",
+        "APACHE_PORT=%APACHE_PORT%",
        "AIO_TOKEN=%AIO_TOKEN%",
        "NC_DOMAIN=%NC_DOMAIN%",
        "ADMIN_USER=admin",
@@ -226,7 +253,6 @@
        "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%",
        "DOCKER_SOCKET_PROXY_ENABLED=%DOCKER_SOCKET_PROXY_ENABLED%",
        "REMOVE_DISABLED_APPS=%REMOVE_DISABLED_APPS%",
-        "APACHE_PORT=%APACHE_PORT%",
        "ADDITIONAL_TRUSTED_PROXY=%CADDY_IP_ADDRESS%",
        "THIS_IS_AIO=true",
        "IMAGINARY_SECRET=%IMAGINARY_SECRET%",
@@ -238,6 +264,7 @@
      "devices": [
        "/dev/dri"
      ],
+      "enable_nvidia_gpu": true,
      "backup_volumes": [
        "nextcloud_aio_nextcloud"
      ],
@@ -255,6 +282,14 @@
      "image": "nextcloud/aio-notify-push",
      "user": "33",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "7867"
      ],
@@ -297,6 +332,14 @@
      "image": "nextcloud/aio-redis",
      "user": "999",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "6379"
      ],
@@ -332,15 +375,22 @@
      "documentation": "https://github.com/nextcloud/all-in-one/discussions/1358",
      "display_name": "Collabora",
      "image": "nextcloud/aio-collabora",
-      "user": "100",
      "init": true,
+      "healthcheck": {
+        "start_period": "60s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 9
+      },
      "expose": [
        "9980"
      ],
      "internal_port": "9980",
      "environment": [
        "aliasgroup1=https://%NC_DOMAIN%:443",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
        "dictionaries=%COLLABORA_DICTIONARIES%",
        "TZ=%TIMEZONE%",
        "server_name=%NC_DOMAIN%",
@@ -373,6 +423,14 @@
      "image": "nextcloud/aio-talk",
      "user": "1000",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "ports": [
        {
          "ip_binding": "",
@@ -430,6 +488,14 @@
      "image": "nextcloud/aio-talk-recording",
      "user": "122",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "1234"
      ],
@@ -456,6 +522,10 @@
      "profiles": [
        "talk-recording"
      ],
+      "devices": [
+        "/dev/dri"
+      ],
+      "enable_nvidia_gpu": true,
      "networks": [
        "nextcloud-aio"
      ],
@@ -592,6 +662,14 @@
      "image": "nextcloud/aio-clamav",
      "user": "100",
      "init": false,
+      "healthcheck": {
+        "start_period": "60s",
+        "test": "clamdcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 9
+      },
      "expose": [
        "3310"
      ],
@@ -631,6 +709,14 @@
      "display_name": "OnlyOffice",
      "image": "nextcloud/aio-onlyoffice",
      "init": true,
+      "healthcheck": {
+        "start_period": "60s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 9
+      },
      "expose": [
        "80"
      ],
@@ -673,6 +759,14 @@
      "image": "nextcloud/aio-imaginary",
      "user": "65534",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "9000"
      ],
@@ -709,6 +803,14 @@
      "display_name": "Fulltextsearch",
      "image": "nextcloud/aio-fulltextsearch",
      "init": false,
+      "healthcheck": {
+        "start_period": "60s",
+        "test": "/healthcheck.sh",
+        "interval": "10s",
+        "timeout": "5s",
+        "start_interval": "5s",
+        "retries": 5
+      },
      "expose": [
        "9200"
      ],
@@ -779,6 +881,14 @@
      "image": "nextcloud/aio-whiteboard",
      "user": "65534",
      "init": true,
+      "healthcheck": {
+        "start_period": "0s",
+        "test": "/healthcheck.sh",
+        "interval": "30s",
+        "timeout": "30s",
+        "start_interval": "5s",
+        "retries": 3
+      },
      "expose": [
        "3002"
      ],
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -125,6 +125,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
        'nextcloud_max_time' => $configurationManager->GetNextcloudMaxTime(),
        'nextcloud_memory_limit' => $configurationManager->GetNextcloudMemoryLimit(),
        'is_dri_device_enabled' => $configurationManager->isDriDeviceEnabled(),
+        'is_nvidia_gpu_enabled' => $configurationManager->isNvidiaGpuEnabled(),
        'is_talk_recording_enabled' => $configurationManager->isTalkRecordingEnabled(),
        'is_docker_socket_proxy_enabled' => $configurationManager->isDockerSocketProxyEnabled(),
        'is_whiteboard_enabled' => $configurationManager->isWhiteboardEnabled(),        
--- a/php/public/style.css
+++ b/php/public/style.css
@@ -11,8 +11,12 @@
    --color-error-text: #c20505;
    --color-success: #46ba61;
    --color-running: #ffd000;
-    --color-info: #0071ad;
-    --color-info-hover: #00aaef;
+    --color-primary-element: #00679e;
+    --color-primary-element-hover: #005a8a;
+    --color-primary-element-text: #ffffff;
+    --color-primary-element-light: #e5eff5;
+    --color-primary-element-light-hover: #dbe4ea;
+    --color-primary-element-light-text: #00293f;
    --color-border-maxcontrast: #7d7d7d;
    --color-loader: #f3f3f3;
    --color-disabled: #d3d3d3; /* light gray background for disabled checkboxes */
@@ -52,8 +56,12 @@ Note: Unfortunately, it's not possible to calculate this dynamically using CSS v
    --color-error: #ff3333;
    --color-error-hover: #ff6666;
    --color-error-text: #ff8080;
-    --color-info: #00aeff;
-    --color-info-hover: #33beff;
+    --color-primary-element:#0091f2;
+    --color-primary-element-hover:#079cff;
+    --color-primary-element-text:#000000;
+    --color-primary-element-light:#14232c;
+    --color-primary-element-light-hover:#1e2d35;
+    --color-primary-element-light-text:#99d3f9;
    --color-loader: var(--color-border-maxcontrast);
    --border-hover: var(--border);
 }
@@ -68,11 +76,11 @@ html, body {

 a {
    text-decoration: none;
-    color: var(--color-info);
+    color: var(--color-primary-element);
 }

 a:hover {
-    color: var(--color-info-hover);
+    color: var(--color-primary-element-hover);
 }

 a.button,
@@ -81,26 +89,52 @@ input[type="submit"] {
    width: auto;
    height: 34px;
    cursor: pointer;
-    background-color: var(--color-nextcloud-blue);
+    background-color: var(--color-primary-element);
    font-weight: bold;
    border-radius: var(--border-radius);
    margin: 3px 3px 3px 0;
    font-size: var(--default-font-size);
-    color: white;
-    border: .5px solid var(--color-main-border);
+    color: var(--color-primary-element-text);
+    border: none;
    outline: none;
 }

 a.button:focus,
 input[type="submit"]:focus {
-    border: 1px solid var(--color-main-border);
+    outline: 2px solid var(--color-main-border);
 }

 a.button:hover,
 input[type="submit"]:hover {
-    background-color: var(--color-info-hover);
+    background-color: var(--color-primary-element-hover);
 }

+
+a.button.light:hover,
+input[type="submit"].light:hover {
+    background-color: var(--color-primary-element-light);
+    color: var(--color-primary-element-light-text);
+}
+
+
+a.button.light,
+input[type="submit"].light {
+    background-color: var(--color-primary-element-light);
+}
+
+a.button.error,
+input[type="submit"].error {
+    background-color: var(--color-error);
+}
+
+a.button.error:hover,
+input[type="submit"].error:hover {
+    background-color: var(--color-error-hover);
+}
+
+
+
+
 summary {
    cursor: pointer;
 }
@@ -352,7 +386,7 @@ input[type="checkbox"]:not(:disabled) {
    -webkit-appearance: none; /* remove default styling */
    -moz-appearance: none;
    appearance: none;
-    border: 1px solid var(--color-nextcloud-blue);
+    border: 1px solid var(--color-primary-element);
    border-radius: 2px;
    cursor: pointer;
    position: relative;
@@ -362,12 +396,12 @@ input[type="checkbox"]:not(:disabled) {

 /* Hover effects for enabled checkboxes */
 input[type="checkbox"]:not(:disabled):hover {
-    border-color: var(--color-info-hover);
+    border-color: var(--color-primary-element-hover);
 }

 /* Checkmark styling for enabled checkboxes */
 input[type="checkbox"]:checked:not(:disabled) {
-    background-color: var(--color-nextcloud-blue);
+    background-color: var(--color-primary-element);
    border-color: var(--color-border-maxcontrast);
 }

--- a/php/src/Container/Container.php
+++ b/php/src/Container/Container.php
@@ -23,6 +23,7 @@ readonly class Container {
        private array                         $secrets,
        /** @var string[] */
        private array                         $devices,
+        private bool                          $enable_nvidia_gpu,
        /** @var string[] */
        private array                         $capAdd,
        private int                           $shmSize,
@@ -92,6 +93,10 @@ readonly class Container {
        return $this->devices;
    }

+    public function isNvidiaGpuEnabled() : bool {
+        return $this->enable_nvidia_gpu;
+    }
+
    public function GetCapAdds() : array {
        return $this->capAdd;
    }
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
@@ -249,6 +249,11 @@ readonly class ContainerDefinitionFetcher {
                $devices = $entry['devices'];
            }

+            $enableNvidiaGpu = false;
+            if (isset($entry['enable_nvidia_gpu'])) {
+                $enableNvidiaGpu = $entry['enable_nvidia_gpu'];
+            }
+
            $capAdd = [];
            if (isset($entry['cap_add'])) {
                $capAdd = $entry['cap_add'];
@@ -312,6 +317,7 @@ readonly class ContainerDefinitionFetcher {
                $dependsOn,
                $secrets,
                $devices,
+                $enableNvidiaGpu,
                $capAdd,
                $shmSize,
                $apparmorUnconfined,
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -210,6 +210,11 @@ class ConfigurationManager
    }

    public function SetFulltextsearchEnabledState(int $value) : void {
+        # Elasticsearch does not work on kernels without seccomp anymore. See https://github.com/nextcloud/all-in-one/discussions/5768
+        if ($this->GetCollaboraSeccompDisabledState() === 'true') {
+            $value = 0;
+        }
+
        $config = $this->GetConfig();
        $config['isFulltextsearchEnabled'] = $value;
        $this->WriteConfig($config);
@@ -669,7 +674,7 @@ class ConfigurationManager
    public function GetNextcloudUploadLimit() : string {
        $envVariableName = 'NEXTCLOUD_UPLOAD_LIMIT';
        $configName = 'nextcloud_upload_limit';
-        $defaultValue = '10G';
+        $defaultValue = '16G';
        return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
    }

@@ -983,6 +988,17 @@ class ConfigurationManager
        }
    }

+    private function GetEnabledNvidiaGpu() : string {
+        $envVariableName = 'ENABLE_NVIDIA_GPU';
+        $configName = 'enable_nvidia_gpu';
+        $defaultValue = '';
+        return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
+    }
+
+    public function isNvidiaGpuEnabled() : bool {
+        return $this->GetEnabledNvidiaGpu() === 'true';
+    }
+
    private function GetKeepDisabledApps() : string {
        $envVariableName = 'NEXTCLOUD_KEEP_DISABLED_APPS';
        $configName = 'nextcloud_keep_disabled_apps';
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -491,6 +491,17 @@ readonly class DockerActionManager {
            $requestBody['HostConfig']['Devices'] = $devices;
        }

+        if ($container->isNvidiaGpuEnabled() && $this->configurationManager->isNvidiaGpuEnabled()) {
+            $requestBody['HostConfig']['Runtime'] = 'nvidia';
+            $requestBody['HostConfig']['DeviceRequests'] = [
+                [
+                    "Driver" => "nvidia",
+                    "Count" => 1,
+                    "Capabilities" => [["gpu"]],
+                ]
+            ];
+        }
+
        $shmSize = $container->GetShmSize();
        if ($shmSize > 0) {
            $requestBody['HostConfig']['ShmSize'] = $shmSize;
@@ -612,8 +623,11 @@ readonly class DockerActionManager {
        try {
            $this->guzzleClient->post($url);
        } catch (RequestException $e) {
+            $message = "Could not pull image " . $imageName . ". Please run 'sudo docker exec -it nextcloud-aio-mastercontainer docker pull " . $imageName . "' in order to find out why it failed.";
            if ($imageIsThere === false) {
-                throw new \Exception("Could not pull image " . $imageName . ". Please run 'sudo docker exec -it nextcloud-aio-mastercontainer docker pull " . $imageName . "' in order to find out why it failed.");
+                throw new \Exception($message);
+            } else {
+                error_log($message);
            }
        }
    }
--- a/php/templates/containers.twig
+++ b/php/templates/containers.twig
@@ -17,7 +17,7 @@

    <div class="container">
        <main>
-            <h1>Nextcloud AIO v10.0.0</h1>
+            <h1>Nextcloud AIO v10.2.0</h1>

            {# Add 2nd tab warning #}
            <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -196,7 +196,7 @@
                                </p>
                                <form method="POST" action="/api/configuration" class="xhr">
                                    <label>Local backup location</label> <input type="text" name="borg_restore_host_location" value="{{borg_backup_host_location}}" placeholder="/mnt/backup"/><br>
-                                    <label>Remote borg repo</label> <input type="text" name="borg_restore_remote_repo" value="{{borg_remote_repo}}" placeholder="user@host:/path/to/repo"/><br>
+                                    <label>Remote borg repo</label> <input type="text" name="borg_restore_remote_repo" value="{{borg_remote_repo}}" placeholder="ssh://user@host:/path/to/repo"/><br>
                                    <label>Borg passphrase</label> <input type="text" name="borg_restore_password" value="{{borg_restore_password}}" placeholder="encryption password"/><br>
                                    <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                    <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -394,7 +394,7 @@
                                </p>
                                <form method="POST" action="/api/configuration" class="xhr">
                                    <label>Local backup location</label> <input type="text" name="borg_backup_host_location" placeholder="/mnt/backup"/><br>
-                                    <label>Remote borg repo</label> <input type="text" name="borg_remote_repo" placeholder="user@host:/path/to/repo"/><br>
+                                    <label>Remote borg repo</label> <input type="text" name="borg_remote_repo" placeholder="ssh://user@host:/path/to/repo"/><br>
                                    <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                    <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                    <input type="submit" value="Submit backup location" />
@@ -435,7 +435,7 @@
                                            <p>You may change the backup path again since the initial backup was not successful. After submitting the new value, you need to click on <strong>Create Backup</strong> to test the new value.</p>
                                            <form method="POST" action="/api/configuration" class="xhr">
                                                <label>Local backup location</label> <input type="text" name="borg_backup_host_location" placeholder="/mnt/backup"/><br>
-                                                <label>Remote borg repo</label> <input type="text" name="borg_remote_repo" placeholder="user@host:/path/to/repo"/><br>
+                                                <label>Remote borg repo</label> <input type="text" name="borg_remote_repo" placeholder="ssh://user@host:/path/to/repo"/><br>
                                                <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                <input type="submit" value="Set backup location again" />
--- a/php/templates/includes/aio-config.twig
+++ b/php/templates/includes/aio-config.twig
@@ -1,7 +1,7 @@
 <details>
    <summary>Click here to view the current AIO config and documentation links</summary>
    {% if was_start_button_clicked == true %}
-        <p>Nextclouds config.php file is stored in the nextcloud_aio_nextcloud Docker volume and can be edited by following the <a href="https://github.com/nextcloud/all-in-one#how-to-edit-nextclouds-configphp-file-with-a-texteditor">config.php documentation</a>.</p>
+        <p>Nextcloud's config.php file is stored in the nextcloud_aio_nextcloud Docker volume and can be edited by following the <a href="https://github.com/nextcloud/all-in-one#how-to-edit-nextclouds-configphp-file-with-a-texteditor">config.php documentation</a>.</p>
        <p>You can run Nextcloud's usual occ commands by following the <a href="https://github.com/nextcloud/all-in-one#how-to-run-occ-commands">occ documentation</a></strong>.</p>
    {% endif %}

@@ -18,7 +18,7 @@
        {% if nextcloud_mount == '' %}
            The Nextcloud container is confied and local external storage in Nextcloud is disabled.
        {% else %}
-            The Nextcloud container is getting gets access to the {{ nextcloud_mount }} directory and local external storage in Nextcloud is enabled.
+            The Nextcloud container is getting access to the {{ nextcloud_mount }} directory and local external storage in Nextcloud is enabled.
        {% endif %}
        See the <a href="https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host">NEXTCLOUD_MOUNT documentation</a> on how to change this.</p>

@@ -29,12 +29,16 @@
    <p>Nextcloud has a timeout of {{ nextcloud_max_time }} seconds configured (important for big file uploads). See the <a href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud">NEXTCLOUD_MAX_TIME documentation</a> on how to change this.</p>

    <p>
-        {% if is_dri_device_enabled == true %}
-            The /dev/dri device which is needed for hardware transcoding is getting attached to the Nextcloud container.
+        {% if is_dri_device_enabled == true and is_nvidia_gpu_enabled == true %}
+            Hardware acceleration is enabled with the /dev/dri device and the Nvidia runtime.
+        {% elseif is_dri_device_enabled == true %}
+            Hardware acceleration is enabled with the /dev/dri device.
+        {% elseif is_nvidia_gpu_enabled == true %}
+            Hardware acceleration is enabled with the Nvidia runtime.
        {% else %}
-            The /dev/dri device which is needed for hardware transcoding is not attached to the Nextcloud container.
+            Hardware acceleration is not enabled. It's recommended to enable hardware transcoding for better performance.
        {% endif %}
-        See the <a href="https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud">NEXTCLOUD_ENABLE_DRI_DEVICE documentation</a> on how to change this.</p>
+        See the <a href="https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud">hardware acceleration documentation</a> on how to change this.</p>

    <p>For further documentation on AIO, refer to <strong><a href="https://github.com/nextcloud/all-in-one#nextcloud-all-in-one">this page</a></strong>. You can use the browser search [CTRL]+[F] to search through the documentation. Additional documentation can be found <strong><a href="https://github.com/nextcloud/all-in-one/discussions/categories/wiki">here</a></strong>.</p>
 </details>
--- a/php/templates/includes/optional-containers.twig
+++ b/php/templates/includes/optional-containers.twig
@@ -50,7 +50,7 @@
            {% endif %}
        >
        <label for="fulltextsearch">
-            Fulltextsearch (needs ~1GB additional RAM)
+            Fulltextsearch (needs ~1GB additional RAM, <a href="https://github.com/nextcloud/all-in-one/discussions/5768">does not work on Kernels without Seccomp</a>)
            {% if is_fulltextsearch_enabled == false %}
                . <strong>Please note:</strong> the initial indexing can take a long time during which Nextcloud will be unavailable
            {% endif %}
@@ -98,6 +98,7 @@
        >
        <label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM and ~2 additional vCPUs)</label>
    </p>
+    {% if is_onlyoffice_enabled == true %}
    <p>
        <input
            type="checkbox"
@@ -112,6 +113,7 @@
        >
        <label for="onlyoffice">OnlyOffice</label>
    </p>
+    {% endif %}
    <p>
        <input
            type="checkbox"
--- a/php/templates/layout.twig
+++ b/php/templates/layout.twig
@@ -1,7 +1,7 @@
 <html>
    <head>
        <title>AIO</title>
-        <link rel="stylesheet" href="/style.css?v3" media="all" />
+        <link rel="stylesheet" href="/style.css?v4" media="all" />
        <link rel="icon" href="/img/favicon.png">
        <script type="text/javascript" src="forms.js"></script>
        <script type="text/javascript" src="toggle-dark-mode.js"></script>
--- a/readme.md
+++ b/readme.md
@@ -44,7 +44,7 @@ Included are:
 - `ffmpeg`, `smbclient`, `libreoffice` and `nodejs` are included by default
 - Possibility included to [permanently add additional OS packages into the Nextcloud container](https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup) without having to build your own Docker image
 - Possibility included to [permanently add additional PHP extensions into the Nextcloud container](https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container) without having to build your own Docker image
- Possibility included to [pass the needed device for hardware transcoding](https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud) to the Nextcloud container
+- Possibility included to [pass the needed device for hardware transcoding](https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud) to the Nextcloud container
 - Possibility included to [store all docker related files on a separate drive](https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive)
 - [Additional features can be added very easily](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers)
 - [LDAP can be used as user backend for Nextcloud](https://github.com/nextcloud/all-in-one/tree/main#ldap)
@@ -144,6 +144,9 @@ Nextcloud AIO is inspired by projects like Portainer that manage the docker daem
 ### How to contribute?
 See [this issue](https://github.com/nextcloud/all-in-one/issues/5251) for a list of feature requests that need help by contributors.

+### How many users are possible?
+Up to 100 users are free, more are possible with [Nextcloud Enterprise](https://nextcloud.com/all-in-one/)
+
 ### Are reverse proxies supported?
 Yes. Please refer to the following documentation on this: [reverse-proxy.md](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md)

@@ -285,7 +288,7 @@ No and it will not be added. However you can use [this feature](https://github.c
 No and they will not be. Please use a dedicated domain for Nextcloud and set it up correctly by following the [reverse proxy documentation](./reverse-proxy.md). If port 443 and/or 80 is blocked for you, you may use the a Cloudflare Tunnel if you want to publish it online. You could also use the ACME DNS-challenge to get a valid certificate. However in all cases the Nextcloud interface will redirect you to port 443.

 ### Can I run Nextcloud in a subdirectory on my domain?
-No and it will not be added. Please use a dedicated domain for Nextcloud and set it up correctly by following the [reverse proxy documentation](./reverse-proxy.md).
+No and it will not be added. Please use a dedicated (sub-)domain for Nextcloud and set it up correctly by following the [reverse proxy documentation](./reverse-proxy.md).

 ### How can I access Nextcloud locally?
 Please note that local access is not possible if you are running AIO behind Cloudflare Tunnel since TLS proxying is in that case offloaded to Cloudflares infrastructure. You can fix this by setting up your own reverse proxy that handles TLS proxying locally and will make the steps below work.
@@ -394,8 +397,6 @@ If you connect an external drive to your host, and choose the backup directory t
 <details>
 <summary>How to do the above step for step</summary>

-<br>
-
 1. Mount an external/backup HDD to the host OS using the built-in functionality or udev rules or whatever way you prefer. (E.g. follow this video: https://www.youtube.com/watch?v=2lSyX4D3v_s) and mount the drive in best case in `/mnt/backup`.
 2. If not already done, fire up the docker container and set up Nextcloud as per the guide.
 3. Now open the AIO interface.
@@ -406,12 +407,17 @@ If you connect an external drive to your host, and choose the backup directory t

 If you want to back up directly to a remote borg repository:

+<details>
+<summary>How to do the above step for step</summary>
+
 1. Create your borg repository at the remote. Note down the repository URL for later.
 2. Open the AIO interface
 3. Under backup section, leave the local path blank and fill in the url to your borg repository that you noted down earlier.
 4. Click on `Create backup`, this will create an ssh key pair and fail because the remote doesn't trust this key yet. Copy the public key shown in AIO and add it to your authorized keys on the remote.
 5. Try again to create a backup, this time it should succeed.

+</details>
+
 Backups can be created and restored in the AIO interface using the buttons `Create Backup` and `Restore selected backup`. Additionally, a backup check is provided that checks the integrity of your backups but it shouldn't be needed in most situations. 

 The backups themselves get encrypted with an encryption key that gets shown to you in the AIO interface. Please save that at a safe place as you will not be able to restore from backup without this key.
@@ -428,6 +434,30 @@ Backed up will get all important data of your Nextcloud AIO instance like the da
 #### How to adjust borgs retention policy?
 The built-in borg-based backup solution has by default a retention policy of `--keep-within=7d --keep-weekly=4 --keep-monthly=6`. See https://borgbackup.readthedocs.io/en/stable/usage/prune.html for what these values mean. You can adjust the retention policy by providing `--env BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. ⚠️ Please make sure that this value is valid, otherwise backup pruning will bug out!

+#### How to migrate from AIO to AIO?
+If you have the borg backup feature enabled, you can copy it over to the new host and restore from the backup. This guide assumes the new installation data dir will be on `/mnt/datadir`, you can adjust the steps if it's elsewhere.
+
+1. Set the DNS entry to 60 seconds TTL if applicable
+1. On your current installation, use the AIO interface to:
+    1. Update AIO and all containers
+    1. Stop all containers (from now on, your cloud is down)
+    1. Create a current borg backup
+    1. Note the path where the backups are stored and the encryption password
+1. Navigate to the backup folder
+1. Create archive of the backup so it's easier to copy: `tar -czvf borg.tar.gz borg`
+1. Copy the archive over to the new host: `cp borg.tar.gz user@new.host:/mnt`. Make sure to replace `user` with your actual user and `new.host` with the IP or domain of the actual host. You can also use another way to copy the archive.
+1. Switch to the new host
+1. Go to the folder you put the backup archive and extract it with `tar -xf borg.tar.gz`
+1. Follow the installation guide to create a new aio instance, but do not start the containers yet (the `docker run` or `docker compose up -d` command)
+1. Change the DNS entry to the new host's IP
+1. Configure your reverse proxy if you use one
+1. Start the AIO container and open the new AIO interface in your browser
+1. Make sure to save the newly generated passphrase and enter it in the next step
+1. Select the "Restore former AIO instance from backup" option and enter the encryption password from the old backup and the path in which the extracted `borg` folder lies in (without the borg part) and hit `Submit location and password`
+1. Choose the latest backup in the dropdown and hit `Restore selected backup`
+1. Wait until the backup is restored
+1. Start the containers in the AIO interface
+
 #### Are remote borg backups supported?
 Backing up directly to a remote borg repository is supported. This avoids having to store a local copy of your backups, supports append-only borg keys to counter ransomware and allows using the AIO interface to manage your backups.

@@ -602,7 +632,7 @@ rm "$TARGET_DIRECTORY/aio-lockfile"
 umount "$DRIVE_MOUNTPOINT"

 if docker ps --format "{{.Names}}" | grep "^nextcloud-aio-nextcloud$"; then
-    docker exec -it nextcloud-aio-nextcloud bash /notify.sh "Rsync backup successful!" "Synced the backup repository successfully."
+    docker exec nextcloud-aio-nextcloud bash /notify.sh "Rsync backup successful!" "Synced the backup repository successfully."
 else
    echo "Synced the backup repository successfully."
 fi
@@ -696,7 +726,7 @@ Be aware though that these locations will not be covered by the built-in backup
 By default will the talk container use port `3478/UDP` and `3478/TCP` for connections. You can adjust the port by adding e.g. `--env TALK_PORT=3478` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and adjusting the port to your desired value. Best is to use a port over 1024, so e.g. 3479 to not run into this: https://github.com/nextcloud/all-in-one/discussions/2517

 ### How to adjust the upload limit for Nextcloud?
-By default, public uploads to Nextcloud are limited to a max of 10G (logged in users can upload much bigger files using the webinterface or the mobile/desktop clients, since chunking is used in that case). You can adjust the upload limit by providing `--env NEXTCLOUD_UPLOAD_LIMIT=10G` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must start with a number and end with `G` e.g. `10G`.
+By default, public uploads to Nextcloud are limited to a max of 16G (logged in users can upload much bigger files using the webinterface or the mobile/desktop clients, since chunking is used in that case). You can adjust the upload limit by providing `--env NEXTCLOUD_UPLOAD_LIMIT=16G` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must start with a number and end with `G` e.g. `16G`.

 ### How to adjust the max execution time for Nextcloud?
 By default, uploads to Nextcloud are limited to a max of 3600s. You can adjust the upload time limit by providing `--env NEXTCLOUD_MAX_TIME=3600` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a number e.g. `3600`.
@@ -725,7 +755,7 @@ You might want to adjust the Nextcloud apps that are installed upon the first st
 ### How to add OS packages permanently to the Nextcloud container?
 Some Nextcloud apps require additional external dependencies that must be bundled within Nextcloud container in order to work correctly. As we cannot put each and every dependency for all apps into the container - as this would make the project quickly unmaintainable - there is an official way in which you can add additional dependencies into the Nextcloud container. However note that doing this is disrecommended since we do not test Nextcloud apps that require external dependencies. 

-You can do so by adding `--env NEXTCLOUD_ADDITIONAL_APKS="imagemagick dependency2 dependency3"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.20. By default `imagemagick` is added. If you want to keep it, you need to specify it as well.
+You can do so by adding `--env NEXTCLOUD_ADDITIONAL_APKS="imagemagick dependency2 dependency3"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21. By default `imagemagick` is added. If you want to keep it, you need to specify it as well.

 ### How to add PHP extensions permanently to the Nextcloud container?
 Some Nextcloud apps require additional php extensions that must be bundled within Nextcloud container in order to work correctly. As we cannot put each and every dependency for all apps into the container - as this would make the project quickly unmaintainable - there is an official way in which you can add additional php extensions into the Nextcloud container. However note that doing this is disrecommended since we do not test Nextcloud apps that require additional php extensions. 
@@ -735,11 +765,33 @@ You can do so by adding `--env NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS="imagick exte
 ### What about the pdlib PHP extension for the facerecognition app?
 The [facerecognition app](https://apps.nextcloud.com/apps/facerecognition) requires the pdlib PHP extension to be installed. Unfortunately, it is not available on PECL nor via PHP core, so there is no way to add this into AIO currently. However you can use [this community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition) in order to run facerecognition.

-### How to enable hardware-transcoding for Nextcloud?
-> [!WARNING]  
-> This only works if the `/dev/dri` device is present on the host! If it does not exists on your host, don't proceed as otherwise the Nextcloud container will fail to start! If you are unsure about this, better do not proceed with the instructions below.
+### How to enable hardware acceleration for Nextcloud?
+Some container can use GPU acceleration to increase performance like [memories app](https://apps.nextcloud.com/apps/memories) allows to enable hardware transcoding for videos.

-The [memories app](https://apps.nextcloud.com/apps/memories) allows to enable hardware transcoding for videos. In order to use that, you need to add `--env NEXTCLOUD_ENABLE_DRI_DEVICE=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will mount the `/dev/dri` device into the container. There is now a community container which allows to easily add the transcoding container of Memories to AIO: https://github.com/nextcloud/all-in-one/tree/main/community-containers/memories
+#### With open source drivers MESA for AMD, Intel and **new** drivers `Nouveau` for Nvidia
+
+> [!WARNING]  
+> This only works if the `/dev/dri` device is present on the host! If it does not exist on your host, don't proceed as otherwise the Nextcloud container will fail to start! If you are unsure about this, better do not proceed with the instructions below. Make sure that your driver is correctly configured on the host.
+
+A list of supported device can be fond in [MESA 3D documentation](https://docs.mesa3d.org/systems.html).
+
+This method use the [Direct Rendering Infrastructure](https://dri.freedesktop.org/wiki/) with the access to the `/dev/dri` device.
+
+In order to use that, you need to add `--env NEXTCLOUD_ENABLE_DRI_DEVICE=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will mount the `/dev/dri` device into the container.
+
+
+#### With proprietary drivers for Nvidia :warning: BETA
+
+> [!WARNING]
+> This only works if the Nvidia Toolkit is installed on the host and an NVIDIA GPU is enabled! Make sure that it is correctly configured on the host. If it does not exist on your host, don't proceed as otherwise the Nextcloud container will fail to start! If you are unsure about this, better do not proceed with the instructions below.
+> 
+> This feature is in beta. Since the proprietary, we haven't a lot of user using proprietary drivers, we can't guarantee the stability of this feature. Your feedback is welcome.
+
+This method use the [Nvidia Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html) with the nvidia runtime.
+
+In order to use that, you need to add `--env ENABLE_NVIDIA_GPU=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will enable the nvidia runtime.
+
+If you're using WSL2 and want to use the NVIDIA runtime, please follow the instructions to [install the NVIDIA Container Toolkit meta-version in WSL](https://docs.nvidia.com/cuda/wsl-user-guide/index.html#cuda-support-for-wsl-2).

 ### How to keep disabled apps?
 In certain situations you might want to keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed in Nextcloud. You can do so by adding `--env NEXTCLOUD_KEEP_DISABLED_APPS=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used). 
--- a/reverse-proxy.md
+++ b/reverse-proxy.md
@@ -93,13 +93,13 @@ Add this as a new Apache site config:
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
    AllowEncodedSlashes NoDecode
    
-    ProxyPass / http://localhost:11000/ nocanon
-    ProxyPassReverse / http://localhost:11000/
+    ProxyPass / http://localhost:11000/ nocanon # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
+    ProxyPassReverse / http://localhost:11000/ # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
    
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
-    RewriteRule .? "ws://localhost:11000/%1" [P,L,UnsafeAllow3F]
+    RewriteRule .? "ws://localhost:11000/%1" [P,L,UnsafeAllow3F] # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below

    # Enable h2, h2c and http1.1
    Protocols h2 h2c http/1.1
@@ -152,7 +152,7 @@ Add this to your Caddyfile:

 ```
 https://<your-nc-domain>:443 {
-    reverse_proxy localhost:11000
+    reverse_proxy localhost:11000 # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
 }
 ```
 The Caddyfile is a text file called `Caddyfile` (no extension) which – if you should be running Caddy inside a container – should usually be created in the same location as your `compose.yaml` file prior to starting the container.
@@ -175,7 +175,7 @@ You can get AIO running using the ACME DNS-challenge. Here is how to do it.
 1. Add this to your Caddyfile:
    ```
    https://<your-nc-domain>:443 {
-        reverse_proxy localhost:11000
+        reverse_proxy localhost:11000 # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
        tls {
            dns <provider> <key>
        }
@@ -310,14 +310,14 @@ backend acme_challenge_backend
 backend Nextcloud
    mode http
    balance source
-    server Nextcloud localhost:11000 
+    server Nextcloud localhost:11000 # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
 ```

 ⚠️ **Please note:** Look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.

 </details>

-### Nginx, Freenginx, Openresty
+### Nginx, Freenginx, Openresty, Angie

 <details>

@@ -344,24 +344,37 @@ server {
    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
+    if ($http_x_forwarded_proto = "http") {
+        return 301 https://$host$request_uri;
+    }

    listen 443 ssl http2;      # for nginx versions below v1.25.1
    listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6

    # listen 443 ssl;      # for nginx v1.25.1+
    # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
-	
-    # http2 on;                                 # uncomment to enable HTTP/2        - supported on nginx v1.25.1+
-    # http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
-    # quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
-    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # http2 on;            # uncomment to enable HTTP/2 - supported on nginx v1.25.1+
+
    # listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6
+    # http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_gso on;                              # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_bpf on;                              # improves  HTTP/3 / QUIC - supported on nginx v1.25.0+, if nginx runs as a docker container you need to give it privileged permission to use this option
+    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+
+    proxy_buffering off;
+    proxy_request_buffering off;
+
+    client_max_body_size 0;
+    client_body_buffer_size 512k;
+    http3_stream_buffer_size 512k;
+    proxy_read_timeout 86400s;

    server_name <your-nc-domain>;

    location / {
-        proxy_pass http://127.0.0.1:11000$request_uri;
+        proxy_pass http://127.0.0.1:11000$request_uri; # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
@@ -369,10 +382,7 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
-    
-        proxy_request_buffering off;
-        proxy_read_timeout 86400s;
-        client_max_body_size 0;
+        proxy_set_header Early-Data $ssl_early_data;

        # Websocket
        proxy_http_version 1.1;
@@ -386,23 +396,18 @@ server {
    ssl_certificate /etc/letsencrypt/live/<your-nc-domain>/fullchain.pem;   # managed by certbot on host machine
    ssl_certificate_key /etc/letsencrypt/live/<your-nc-domain>/privkey.pem; # managed by certbot on host machine

+    ssl_dhparam /etc/dhparam; # curl -L https://ssl-config.mozilla.org/ffdhe2048.txt -o /etc/dhparam
+
+    ssl_early_data on;
    ssl_session_timeout 1d;
-    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
-    ssl_session_tickets off;
+    ssl_session_cache shared:SSL:10m;

    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;
+
    ssl_prefer_server_ciphers on;
-
-    # Optional settings:
-
-    # OCSP stapling
-    # ssl_stapling on;
-    # ssl_stapling_verify on;
-    # ssl_trusted_certificate /etc/letsencrypt/live/<your-nc-domain>/chain.pem;
-
-    # replace with the IP address of your resolver
-    # resolver 127.0.0.1; # needed for oscp stapling: e.g. use 94.140.15.15 for adguard / 1.1.1.1 for cloudflared or 8.8.8.8 for google - you can use the same nameserver as listed in your /etc/resolv.conf file
+    ssl_conf_command Options PrioritizeChaCha;
+    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
 }

 ```
@@ -411,6 +416,33 @@ server {

 </details>

+### NPMplus (Fork of Nginx-Proxy-Manager - NPM)
+
+<details>
+
+<summary>click here to expand</summary>
+
+⚠️ **Please note:** This is not needed when running NPMplus as a community container.
+
+First, make sure the environmental variables `PUID` and `PGID` in the `compose.yaml` file for NPM are either unset or set to `0`. <br>
+If you need to change the GID/PID then please add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`. <br>
+Note: this will cause that a non root user can bind privileged ports.
+
+Second, see these screenshots for a working config:
+
+![grafik](https://github.com/user-attachments/assets/c32c8fe8-7417-4f8f-9625-24b95651e630)
+
+![grafik](https://github.com/user-attachments/assets/a26c53fd-6cc8-4a6b-a86f-c2f94b70088f)
+
+![grafik](https://github.com/user-attachments/assets/75d7f539-35d1-4a3e-8c51-43123f698893)
+
+![grafik](https://github.com/user-attachments/assets/e494edb5-8b70-4d45-bc9b-374219230041)
+
+⚠️ **Please note:** Nextcloud will complain that X-XXS-Protection is set to the wrong value, this is intended by NPMplus. <br>
+⚠️ **Please note:** look into [this](#adapting-the-sample-web-server-configurations-below) to adapt the above example configuration.
+
+</details>
+
 ### Nginx-Proxy-Manager - NPM

 <details>
@@ -419,8 +451,9 @@ server {

 **Hint:** You may have a look at [this guide](https://github.com/nextcloud/all-in-one/discussions/588#discussioncomment-3040493) for a more complete but possibly oudated example.

-First, make sure the environmental variables `PUID` and `PGID` in the `compose.yaml` file for NPM are either unset or set to `0`.
-If you need to change the GID/PID then please add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`. Note: this will cause that non root users can bind privileged ports.
+First, make sure the environmental variables `PUID` and `PGID` in the `compose.yaml` file for NPM are either unset or set to `0`. <br>
+If you need to change the GID/PID then please add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`. <br>
+Note: this will cause that a non root user can bind privileged ports.

 Second, see these screenshots for a working config:

@@ -476,7 +509,7 @@ const http = require('http');

 const app = express();
 const proxy = HttpProxy.createProxyServer({
-	target: 'http://localhost:11000',
+	target: 'http://localhost:11000', // Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below
 	// Timeout can be changed to your liking.
 	timeout: 1000 * 60 * 3,
 	proxyTimeout: 1000 * 60 * 3,
@@ -624,7 +657,7 @@ The examples below define the dynamic configuration in YAML files. If you rather
        nextcloud:
          loadBalancer:
            servers:
-              - url: "http://localhost:11000" # Use the host's IP address if Traefik runs outside the host network
+              - url: "http://localhost:11000" # Adjust to match APACHE_PORT and APACHE_IP_BINDING. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#adapting-the-sample-web-server-configurations-below

      middlewares:
        nextcloud-secure-headers: