Merge pull request #6165 from nextcloud/enh/noid/update-nc-30.0.7

update Nextcloud to 30.0.7

.github/dependabot.yml

@@ -7,6 +7,9 @@ updates:
     time: "12:00"
   open-pull-requests-limit: 10
   rebase-strategy: "disabled"
+  labels:
+  - 3. to review
+  - dependencies
 - package-ecosystem: composer
   directory: "/php/"
   schedule:

.github/workflows/helm-release.yml

@@ -41,7 +41,7 @@ jobs:
           helm lint ./nextcloud-aio-helm-chart
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         with:
           mark_as_latest: false
           charts_dir: .

Containers/apache/Caddyfile

@@ -40,7 +40,7 @@ https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
     route /onlyoffice/* {
         uri strip_prefix /onlyoffice
         reverse_proxy {$ONLYOFFICE_HOST}:80 {
-            header_up X-Forwarded-Host {http.request.host}/onlyoffice
+            header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
             header_up X-Forwarded-Proto https
         }
     }

Containers/apache/Dockerfile

@@ -2,7 +2,7 @@
 FROM caddy:2.9.1-alpine AS caddy
 
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
-FROM httpd:2.4.62-alpine3.21
+FROM httpd:2.4.63-alpine3.21
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 

Containers/borgbackup/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 
 RUN set -ex; \
     \

Containers/borgbackup/backupscript.sh

@@ -185,13 +185,27 @@ if [ "$BORG_MODE" = backup ]; then
     # Borg options
     # auto,zstd compression seems to has the best ratio based on:
     # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
-    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
+    BORG_OPTS=(-v --stats --compression "auto,zstd")
     if [ "$NEW_REPOSITORY" = 1 ]; then
         BORG_OPTS+=(--progress)
     fi
 
     # Exclude the nextcloud log and audit log for GDPR reasons
     BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
+    BORG_INCLUDE=()
+
+    # Exclude datadir if .noaiobackup file was found
+    # shellcheck disable=SC2144
+    if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup" ]; then
+        BORG_EXCLUDE+=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/")
+        BORG_INCLUDE+=(--pattern="+/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup")
+        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in Nextclouds data directory. Excluding the data directory from backup!"
+    # Exclude preview folder if .noaiobackup file was found
+    elif [ -f /nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup ]; then
+        BORG_EXCLUDE+=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/")
+        BORG_INCLUDE+=(--pattern="+/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup")
+        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in the preview directory. Excluding the preview directory from backup!"
+    fi
 
     # Make sure that there is always a borg.config file before creating a new backup
     if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
@@ -203,7 +217,7 @@ if [ "$BORG_MODE" = backup ]; then
     # Create the backup
     echo "Starting the backup..."
     get_start_time
-    if ! borg create "${BORG_OPTS[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
+    if ! borg create "${BORG_OPTS[@]}" "${BORG_INCLUDE[@]}" "${BORG_EXCLUDE[@]}" "::$CURRENT_DATE-nextcloud-aio" "/nextcloud_aio_volumes/" --exclude-from /borg_excludes; then
         echo "Deleting the failed backup archive..."
         borg delete --stats "::$CURRENT_DATE-nextcloud-aio"
         echo "Backup failed!"
@@ -320,16 +334,30 @@ if [ "$BORG_MODE" = restore ]; then
     fi
     echo "Restoring '$SELECTED_ARCHIVE'..."
 
-    # Exclude previews from restore if selected to speed up process
     ADDITIONAL_RSYNC_EXCLUDES=()
     ADDITIONAL_BORG_EXCLUDES=()
     ADDITIONAL_FIND_EXCLUDES=()
-    if [ -n "$RESTORE_EXCLUDE_PREVIEWS" ]; then
+    # Exclude datadir if .noaiobackup file was found
+    # shellcheck disable=SC2144
+    if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.noaiobackup" ]; then
+        # Keep these 3 in sync. Beware, the pattern syntax and the paths differ
+        ADDITIONAL_RSYNC_EXCLUDES=(--exclude "nextcloud_aio_nextcloud_data/**")
+        ADDITIONAL_BORG_EXCLUDES=(--exclude "sh:nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/**")
+        ADDITIONAL_FIND_EXCLUDES=(-o -regex 'nextcloud_aio_volumes/nextcloud_aio_nextcloud_data\(/.*\)?')
+        echo "⚠️⚠️⚠️ '.noaiobackup' file was found in Nextclouds data directory. Excluding the data directory from restore!"
+        echo "You might run into problems due to this afterwards as potentially this makes the directory go out of sync with the database."
+        echo "You might be able to fix this by running 'occ files:scan --all' and 'occ maintenance:repair' and 'occ files:scan-app-data' after the restore."
+        echo "See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands"
+    # Exclude previews from restore if selected to speed up process or exclude preview folder if .noaiobackup file was found
+    elif [ -n "$RESTORE_EXCLUDE_PREVIEWS" ] || [ -f /nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/.noaiobackup ]; then
         # Keep these 3 in sync. Beware, the pattern syntax and the paths differ
         ADDITIONAL_RSYNC_EXCLUDES=(--exclude "nextcloud_aio_nextcloud_data/appdata_*/preview/**")
         ADDITIONAL_BORG_EXCLUDES=(--exclude "sh:nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_*/preview/**")
         ADDITIONAL_FIND_EXCLUDES=(-o -regex 'nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/appdata_[^/]*/preview\(/.*\)?')
-        echo "Excluding previews from restore"
+        echo "⚠️⚠️⚠️ Excluding previews from restore!"
+        echo "You might run into problems due to this afterwards as potentially this makes the directory go out of sync with the database."
+        echo "You might be able to fix this by running 'occ files:scan-app-data preview' after the restore."
+        echo "See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands"
     fi
 
     # Save Additional Backup dirs
@@ -521,7 +549,7 @@ if [ "$BORG_MODE" = check ]; then
     # Perform the check
     if ! borg check -v --verify-data; then
         echo "Some errors were found while checking the backup integrity!"
-        echo "Check the AIO interface for advices on how to proceed now!"
+        echo "Check the AIO interface for advice on how to proceed now!"
         exit 1
     fi
 

Containers/clamav/Dockerfile

@@ -1,28 +1,25 @@
 # syntax=docker/dockerfile:latest
-# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.3/alpine/Dockerfile
-FROM clamav/clamav:1.4.1-21
-
-COPY clamav.conf /clamav.conf
-COPY --chmod=775 start.script /start.script
+FROM alpine:3.21.3
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
-    apk add --no-cache tzdata bash; \
-    mkdir -p /var/run/clamav /run/lock; \
-    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
-    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp; \
-    sed -i "/^set -eu/r /start.script" /init-unprivileged; \
-    rm /start.script; \
-    grep -q 'clamd --foreground &' /init-unprivileged; \
-    sed -i "s|clamd --foreground \&|clamd --foreground --config-file /tmp/clamd.conf \&|" /init-unprivileged; \
-    cat /init-unprivileged
+    apk add --no-cache tzdata clamav supervisor bash; \
+    mkdir -p /run/clamav /var/log/supervisord /var/run/supervisord; \
+    chmod 777 -R /run/clamav /var/log/clamav /var/log/supervisord /var/run/supervisord; \
+    sed -i "s|#\?MaxDirectoryRecursion.*|MaxDirectoryRecursion 30|g" /etc/clamav/clamd.conf; \
+    sed -i "s|#\?MaxFileSize.*|MaxFileSize 2G|g" /etc/clamav/clamd.conf; \
+    sed -i "s|#\?PCREMaxFileSize.*|PCREMaxFileSize aio-placeholder|g" /etc/clamav/clamd.conf; \
+    sed -i "s|#\?StreamMaxLength.*|StreamMaxLength aio-placeholder|g" /etc/clamav/clamd.conf; \
+    sed -i "s|#\?TCPSocket|TCPSocket|g" /etc/clamav/clamd.conf; \
+    freshclam --foreground --stdout
 
-VOLUME /var/lib/clamav
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
 
 USER 100
-
+VOLUME /var/lib/clamav
+ENTRYPOINT ["/start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 LABEL com.centurylinklabs.watchtower.enable="false"
-
-HEALTHCHECK --start-period=60s --retries=9 CMD clamdcheck.sh
-
-ENTRYPOINT ["/init-unprivileged"]
+HEALTHCHECK --start-period=60s --retries=9 CMD /healthcheck.sh

Containers/clamav/clamav.conf

@@ -1,5 +0,0 @@
-# AIO settings
-MaxDirectoryRecursion 30
-MaxFileSize 16G
-PCREMaxFileSize 16G
-StreamMaxLength 16G

Containers/clamav/healthcheck.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ "$(echo "PING" | nc 127.0.0.1 3310)" != "PONG" ]; then
+	echo "ERROR: Unable to contact server"
+	exit 1
+fi
+
+echo "Clamd is up"
+exit 0

Containers/clamav/start.script

@@ -1,4 +0,0 @@
-# Adjust settings
-cat /etc/clamav/clamd.conf > /tmp/clamd.conf
-CLAMAV_FILE="$(sed "s|16G|$MAX_SIZE|" /clamav.conf)"
-echo "$CLAMAV_FILE" >> /tmp/clamd.conf

Containers/clamav/start.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sed "s|aio-placeholder|$MAX_SIZE|" /etc/clamav/clamd.conf > /tmp/clamd.conf
+
+echo "Clamav started"
+
+exec "$@"

Containers/clamav/supervisord.conf

@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB                           
+logfile_backups=10                              
+loglevel=error
+
+[program:freshclam]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=freshclam --foreground --stdout --daemon
+
+[program:clamd]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=clamd --foreground --config-file=/tmp/clamd.conf

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:24.04.11.2.1
+FROM collabora/code:24.04.12.4.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.1.2-alpine
+FROM haproxy:3.1.5-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/domaincheck/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache bash lighttpd netcat-openbsd; \

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.17.0
+FROM elasticsearch:8.17.3
 
 USER root
 
@@ -22,3 +22,4 @@ USER 1000:0
 
 HEALTHCHECK --interval=10s --timeout=5s --start-period=1m --retries=5 CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"
+ENV ES_JAVA_OPTS="-Xms512M -Xmx512M"

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.23.4-alpine3.21 AS go
+FROM golang:1.24.1-alpine3.21 AS go
 
 ENV IMAGINARY_HASH=1d4e251cfcd58ea66f8361f8721d7b8cc85002a3
 
@@ -13,7 +13,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \

Containers/mastercontainer/Dockerfile

@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:27.5.0-cli AS docker
+FROM docker:28.0.1-cli AS docker
 
 # Caddy is a requirement
 FROM caddy:2.9.1-alpine AS caddy
 
 # From https://github.com/docker-library/php/blob/master/8.3/alpine3.21/fpm/Dockerfile
-FROM php:8.3.15-fpm-alpine3.21
+FROM php:8.3.17-fpm-alpine3.21
 
 EXPOSE 80
 EXPOSE 8080

Containers/mastercontainer/start.sh

@@ -285,7 +285,7 @@ fi
 
 # Check if auth.docker.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268
-if ! curl https://auth.docker.io/token | grep -q token; then
+if ! curl https://auth.docker.io/token 2>&1 | grep -q token; then
     print_red "Could not reach https://auth.docker.io."
     echo "Most likely is something blocking access to it."
     echo "You should be able to fix this by using https://github.com/nextcloud/all-in-one/tree/main/manual-install"

Containers/nextcloud/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.3.15-fpm-alpine3.21
+FROM php:8.3.17-fpm-alpine3.21
 
 ENV PHP_MEMORY_LIMIT=512M
 ENV PHP_UPLOAD_LIMIT=16G
@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=30.0.5
+ENV NEXTCLOUD_VERSION=30.0.7
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!

Containers/nextcloud/config/s3.config.php

@@ -11,7 +11,6 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
         'bucket' => getenv('OBJECTSTORE_S3_BUCKET'),
         'key' => getenv('OBJECTSTORE_S3_KEY') ?: '',
         'secret' => getenv('OBJECTSTORE_S3_SECRET') ?: '',
-        'sse_c_key' => getenv('OBJECTSTORE_S3_SSE_C_KEY') ?: '',
         'region' => getenv('OBJECTSTORE_S3_REGION') ?: '',
         'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '',
         'port' => getenv('OBJECTSTORE_S3_PORT') ?: '',
@@ -26,4 +25,9 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
       )
     )
   );
-} 
+
+  $sse_c_key = getenv('OBJECTSTORE_S3_SSE_C_KEY');
+  if ($sse_c_key) {
+    $CONFIG['objectstore']['arguments']['sse_c_key'] = $sse_c_key;
+  }
+}

Containers/nextcloud/run-exec-commands.sh

@@ -2,7 +2,7 @@
 
 # Wait until the apache container is ready
 while ! nc -z "$APACHE_HOST" "$APACHE_PORT"; do
-    echo "Waiting for Apache to become available..."
+    echo "Waiting for $APACHE_HOST to become available..."
     sleep 15
 done
 

Containers/notify-push/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/notify-push/start.sh

@@ -60,8 +60,14 @@ elif [ "$DATABASE_TYPE" != postgres ] && [ "$DATABASE_TYPE" != mysql ]; then
     exit 1
 fi
 
+# Use the correct Postgres username
+if [ "$POSTGRES_USER" = nextcloud ]; then
+    POSTGRES_USER="oc_$POSTGRES_USER"
+    export POSTGRES_USER
+fi
+
 # Set sensitive values as env
-export DATABASE_URL="$DATABASE_TYPE://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB"
+export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB"
 export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST/$REDIS_DB_INDEX"
 
 # Run it

Containers/onlyoffice/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:8.2.2.1
+FROM onlyoffice/documentserver:8.3.1.1
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/docker-library/postgres/blob/master/16/alpine3.21/Dockerfile
-FROM postgres:16.6-alpine
+FROM postgres:16.8-alpine
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/talk-recording/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.13.1-alpine3.21
+FROM python:3.13.2-alpine3.21
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/talk/Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.10.24-scratch AS nats
+FROM nats:2.10.26-scratch AS nats
 FROM eturnal/eturnal:1.12.1 AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:2.0.1 AS signaling
-FROM alpine:3.21.2 AS janus
+FROM strukturag/nextcloud-spreed-signaling:2.0.2 AS signaling
+FROM alpine:3.21.3 AS janus
 
-ARG JANUS_VERSION=v1.3.0
+ARG JANUS_VERSION=v1.3.1
 WORKDIR /src
 RUN set -ex; \
     apk add --no-cache \
@@ -34,7 +34,7 @@ RUN set -ex; \
     make configs; \
     rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
 
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 ENV ETURNAL_ETC_DIR="/conf"
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal

Containers/talk/start.sh

@@ -30,14 +30,23 @@ if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_
     IPv4_ADDRESS_TALK=""
 fi
 
+set -x
+IP_BINDING="::"
+if grep -q "1" /sys/module/ipv6/parameters/disable \
+|| grep -q "1" /proc/sys/net/ipv6/conf/all/disable_ipv6 \
+|| grep -q "1" /proc/sys/net/ipv6/conf/default/disable_ipv6; then
+    IP_BINDING="0.0.0.0"
+fi
+set +x
+
 # Turn
 cat << TURN_CONF > "/conf/eturnal.yml"
 eturnal:
   listen:
-    - ip: "::"
+    - ip: "$IP_BINDING"
       port: $TALK_PORT
       transport: udp
-    - ip: "::"
+    - ip: "$IP_BINDING"
       port: $TALK_PORT
       transport: tcp
   log_dir: stdout

Containers/watchtower/Dockerfile

@@ -2,7 +2,7 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.7.1 AS watchtower
 
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \

Containers/whiteboard/Dockerfile

@@ -1,11 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.0.4
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.0.5
 
 USER root
 RUN set -ex; \
     apk upgrade --no-cache -a; \
-    apk add --no-cache bash
+    apk add --no-cache bash; \
+    chmod 777 -R /tmp
 USER 65534
 
 COPY --chmod=775 start.sh /start.sh
@@ -13,6 +14,8 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
 HEALTHCHECK CMD /healthcheck.sh
 
+WORKDIR /tmp
+
 ENTRYPOINT ["/start.sh"]
 
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/whiteboard/start.sh

@@ -14,4 +14,4 @@ fi
 export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST/$REDIS_DB_INDEX"
 
 # Run it
-exec npm run server:start
+exec npm --prefix /app run server:start

app/templates/admin.php

@@ -11,6 +11,6 @@ declare(strict_types=1);
 	/** @var array $_ */ ?>
 <div id="allinone" class="section">
 	<h2><?php p($l->t('Nextcloud All-in-One'));?></h2>
-	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a><br><br>
+	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank">Open Nextcloud AIO Interface ↗</a><br><br>
 	<p><a href="https://github.com/nextcloud/all-in-one#how-to-easily-log-in-to-the-aio-interface">Click here for more infos on this feature (e.g. also on how to change the link in the button)</a></p>
 </div>

community-containers/borgbackup-viewer/borgbackup-viewer.json

@@ -0,0 +1,71 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-borgbackup-viewer",
+            "image_tag": "v1",
+            "display_name": "Borg Backup Viewer",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/borgbackup-viewer",
+            "image": "szaimen/aio-borgbackup-viewer",
+            "internal_port": "5801",
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "5801",
+                  "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "BORG_HOST_ID=nextcloud-aio-borgbackup-viewer",
+                "WEB_AUTHENTICATION_USERNAME=nextcloud",
+                "WEB_AUTHENTICATION_PASSWORD=%BORGBACKUP_VIEWER_PASSWORD%",
+                "WEB_LISTENING_PORT=5801",
+                "BORG_PASSPHRASE=%BORGBACKUP_PASSWORD%",
+                "BORG_REPO=/mnt/borgbackup/borg"
+            ],
+            "secrets": [
+                "BORGBACKUP_VIEWER_PASSWORD",
+                "BORGBACKUP_PASSWORD"
+            ],
+            "ui_secret": "BORGBACKUP_VIEWER_PASSWORD",
+            "volumes": [
+            {
+                "source": "nextcloud_aio_backup_cache",
+                "destination": "/root",
+                "writeable": true
+            },
+            {
+                "source": "%NEXTCLOUD_DATADIR%",
+                "destination": "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data",
+                "writeable": true
+            },
+            {
+                "source": "nextcloud_aio_mastercontainer",
+                "destination": "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer",
+                "writeable": true
+            },
+            {
+                "source": "%BORGBACKUP_HOST_LOCATION%",
+                "destination": "/mnt/borgbackup",
+                "writeable": true
+            },
+            {
+                "source": "nextcloud_aio_elasticsearch",
+                "destination": "/nextcloud_aio_volumes/nextcloud_aio_elasticsearch",
+                "writeable": true
+            },
+            {
+                "source": "nextcloud_aio_redis",
+                "destination": "/mnt/redis",
+                "writeable": true
+            }
+            ],
+            "devices": [
+                "/dev/fuse"
+            ],
+            "cap_add": [
+                "SYS_ADMIN"
+            ],
+            "apparmor_unconfined": true
+        }
+    ]
+}

community-containers/borgbackup-viewer/readme.md

@@ -0,0 +1,17 @@
+## Borgbackup Viewer
+This container allows to view the local borg repository in a web session. It also allows you to restore files and folders from the backup by using desktop programs in a web browser.
+
+### Notes
+- After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
+- Then, you should see a terminal. There type in `borg mount /mnt/borgbackup/borg /tmp/borg` to mount the backup archive at `/tmp/borg` inside the container. Afterwards type in `nautilus /tmp/borg` which will show a file explorer and allows you to see all the files. You can then copy files and folders back to their initial mountpoints inside `/nextcloud_aio_volumes/`, `/host_mounts/` and `/docker_volumes/`. ⚠️ Be very carefully while doing that as can break your instance!
+- After you are done with the operation, click on the terminal in the background and press `[CTRL]+[c]` multiple times to close any open application. Then run `umount /tmp/borg` to unmount the mountpoint correctly.
+- You can also delete specific archives by running `borg list`,  delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Check backup integrity` button or `Create backup` button.
+- ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-borgbackup-viewer
+
+### Maintainer
+https://github.com/szaimen
+

community-containers/caddy/readme.md

@@ -1,14 +1,15 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden by listening on `bw.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart by listening on `mail.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin by listening on `media.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap by listening on `ldap.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb by listening on `tables.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed.
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
 - Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart, make sure that you point `mail.your-nc-domain.com` to your server using an A, AAAA or CNAME record so that caddy can get a certificate automatically for stalwart.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap, make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb, make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
+- If you want to use this with [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden), make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
+- If you want to use this with [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart), make sure that you point `mail.your-nc-domain.com` to your server using an A, AAAA or CNAME record so that caddy can get a certificate automatically for stalwart.
+- If you want to use this with [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin), make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
+- If you want to use this with [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap), make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
+- If you want to use this with [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb), make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
+- If you want to use this with [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
 - You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/fail2ban/fail2ban.json

@@ -30,6 +30,11 @@
                     "source": "nextcloud_aio_jellyfin",
                     "destination": "/jellyfin",
                     "writeable": false
+                },
+                {
+                    "source": "nextcloud_aio_jellyseerr",
+                    "destination": "/jellyseerr",
+                    "writeable": false
                 }
             ]
         }

community-containers/fail2ban/readme.md

@@ -1,5 +1,5 @@
 ## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, if installed.
+This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, and https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr, if installed.
 
 ### Notes
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.

community-containers/helloworld/helloworld.json

@@ -0,0 +1,12 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-helloworld",
+            "display_name": "Hello world",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/helloworld",
+            "image": "ghcr.io/docjyj/aio-helloworld",
+            "image_tag": "%AIO_CHANNEL%",
+            "restart": "unless-stopped"
+        }
+    ]
+}

community-containers/helloworld/readme.md

@@ -0,0 +1,8 @@
+## Hello World
+This container is a template for creating a community container.
+
+### Repository
+https://github.com/docjyj/aio-helloworld
+
+### Maintainer
+https://github.com/docjyj

community-containers/jellyfin/jellyfin.json

@@ -25,7 +25,7 @@
                 {
                     "source": "%NEXTCLOUD_MOUNT%",
                     "destination": "%NEXTCLOUD_MOUNT%",
-                    "writeable": false
+                    "writeable": true
                 }
             ],
             "devices": [

community-containers/jellyseerr/jellyseerr.json

@@ -0,0 +1,35 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-jellyseerr",
+            "display_name": "Jellyseerr",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr",
+            "image": "fallenbagel/jellyseerr",
+            "image_tag": "latest",
+            "internal_port": "5055",
+            "restart": "unless-stopped",
+            "init": false,
+            "ports": [
+                {
+                    "ip_binding": "%APACHE_IP_BINDING%",
+                    "port_number": "5055",
+                    "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "PORT=5055",
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_jellyseerr",
+                    "destination": "/app/config",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_jellyseerr"
+            ]
+        }
+    ]
+}

community-containers/jellyseerr/readme.md

@@ -0,0 +1,16 @@
+## Jellyseerr
+This container bundles Jellyseerr and auto-configures it for you.
+
+### Notes
+- This container is only intended to be used inside home networks as it uses http for its management page by default.
+- After adding and starting the container, you can directly visit `http://ip.address.of.server:5055` and access your new Jellyseerr instance, which can be used to manage Plex, Jellyfin, and Emby.
+- In order to access your Jellyseerr outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Jellyseerr's reverse proxy documentation.](https://docs.jellyseerr.dev/extending-jellyseerr/reverse-proxy), OR use the Caddy community container that will automatically configure requests.$NC_DOMAIN to redirect to your Jellyseerr. Note that it is recommended to [enable CSRF protection in Jellyseerr](https://docs.jellyseerr.dev/using-jellyseerr/settings/general#enable-csrf-protection) for added security if you plan to use Jellyseerr outside the local network, but make sure to read up on it and understand the caveats first.
+- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban. Note that [enabling the proxy support option in Jellyseerr](https://docs.jellyseerr.dev/using-jellyseerr/settings/general#enable-proxy-support) is required for this to work properly.
+- The config of Jellyseerr will be automatically included in AIO's backup solution!
+- See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.
+
+### Repository
+https://github.com/Fallenbagel/jellyseerr
+
+### Maintainer
+https://github.com/Anvil5465

community-containers/lldap/lldap.json

@@ -27,6 +27,7 @@
         "LLDAP_JWT_SECRET",
         "LLDAP_LDAP_USER_PASS"
       ],
+      "ui_secret": "LLDAP_JWT_SECRET",
       "volumes": [
         {
           "source": "nextcloud_aio_lldap",

community-containers/lldap/readme.md

@@ -3,7 +3,7 @@ This container bundles LLDAP server and auto-configures your Nextcloud instance
 
 ### Notes
 - In order to access your LLDAP web interface outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `ldap.$NC_DOMAIN` to redirect to your Lldap. You need to point the reverse proxy at port 17170 of this server.
-- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the password that you can retrieve via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_JWT_SECRET`.
+- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the secret that you can see next to the container in the AIO interface.
 - To configure Nextcloud, you can use the generic configuration proposed below.
 - For advanced configurations, see how to configure a client with lldap https://github.com/lldap/lldap#client-configuration
 - Also, see how Nextcloud's LDAP application works https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html

community-containers/makemkv/makemkv.json

@@ -0,0 +1,59 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-makekv",
+            "display_name": "MakeMKV",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/makemkv",
+            "image": "jlesage/makemkv",
+            "image_tag": "latest",
+            "internal_port": "5802",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                    "ip_binding": "",
+                    "port_number": "5802",
+                    "protocol": "tcp"
+                }
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_makemkv",
+                    "destination": "/config",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/storage",
+                    "writeable": false
+                },
+                {
+                    "source": "%NEXTCLOUD_MOUNT%",
+                    "destination": "/output",
+                    "writeable": true
+                },
+                {
+                    "source": "/dev",
+                    "destination": "/dev",
+                    "writeable": false
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "SECURE_CONNECTION=1",
+                "WEB_AUTHENTICATION=1",
+                "USER_ID=33",
+                "GROUP_ID=33",
+                "WEB_AUTHENTICATION_USERNAME=makemkv",
+                "WEB_AUTHENTICATION_PASSWORD=%MAKEMKV_PASSWORD%",
+                "WEB_LISTENING_PORT=5802"
+            ],
+            "secrets": [
+                "MAKEMKV_PASSWORD"
+            ],
+            "ui_secret": "MAKEMKV_PASSWORD",
+            "backup_volumes": [
+                "nextcloud_aio_makemkv"
+            ]
+        }
+    ]
+}

community-containers/makemkv/readme.md

@@ -0,0 +1,20 @@
+## MakeMKV
+This container bundles MakeMKV and auto-configures it for you.
+
+### Notes
+- This container should only be run in home networks
+- ⚠️ This container mounts all devices from the host inside the container in order to be able to access the external DVD/Blu-ray drives which is a security issue. However no better solution was found for the time being.
+- This container only works on Linux and not on Docker-Desktop.
+- This container requires the [`NEXTCLOUD_MOUNT` variable in AIO to be set](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host). Otherwise the output will not be saved correctly..
+- After adding and starting the container, you need to visit `https://internal.ip.of.server:5802` in order to log in with the `makemkv` user and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
+- After the first login, you can adjust the `/output` directory in the MakeMKV settings to a subdirectory of the root of your chosen `NEXTCLOUD_MOUNT`. (by default `NEXTCLOUD_MOUNT` is mounted to `/output` inside the container. Thus all data is written to the root of it)
+- The configured `NEXTCLOUD_DATADIR` is getting mounted to `/storage` inside the container.
+- The config data of MakeMKV will be automatically included in AIOs backup solution!
+- ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/jlesage/docker-makemkv
+
+### Maintainer
+https://github.com/szaimen

community-containers/nocodb/nocodb.json

@@ -4,8 +4,8 @@
             "container_name": "nextcloud-aio-nocodb",
             "display_name": "NocoDB",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb",
-            "image": "docjyj/aio-nocodb",
-            "image_tag": "%AIO_CHANNEL%",
+            "image": "nocodb/nocodb",
+            "image_tag": "latest",
             "internal_port": "10028",
             "restart": "unless-stopped",
             "ports": [
@@ -28,6 +28,7 @@
                 "NOCODB_JWT_SECRET",
                 "NOCODB_USER_PASS"
             ],
+            "ui_secret": "NOCODB_USER_PASS",
             "volumes": [
                 {
                     "source": "nextcloud_aio_nocodb",

community-containers/nocodb/readme.md

@@ -17,12 +17,12 @@ This is an alternative of **Airtable**.
 - You need to configure a reverse proxy in order to run this container since nocodb needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy.
 - Currently, only `tables.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, nocodb will use `tables.your-domain.com`.
 - The data of NocoDb will be automatically included in AIOs backup solution!
-- After adding and starting the container, you need to run `docker inspect nextcloud-aio-nocodb  | grep NC_ADMIN_PASS` to obtain the system administrator password (username: `admin@noco.db`). With this information, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin`
+- After adding and starting the container, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin` with the username `admin@noco.db` and the password that you can see in the AIO interface next to the container. 
 - See https://docs.nocodb.com/ for usage of NocoDb
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository
-https://github.com/docjyJ/aio-nocodb
+https://github.com/nocodb/nocodb
 
 ### Maintainer
 https://github.com/docjyJ

community-containers/npmplus/npmplus.json

@@ -4,7 +4,7 @@
             "container_name": "nextcloud-aio-npmplus",
             "display_name": "NPMplus",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus",
-            "image": "zoeyvid/npmplus",
+            "image": "ghcr.io/zoeyvid/npmplus",
             "image_tag": "latest",
             "internal_port": "host",
             "restart": "unless-stopped",

community-containers/npmplus/readme.md

@@ -3,7 +3,6 @@ This container contains a fork of the Nginx Proxy Manager, which is a WebUI for
 
 ### Notes
 - This container is incompatible with the [caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container. So make sure that you do not enable both at the same time!
-- You can ignore the NPM configuration of the reverse-proxy.md. The NPMplus fork already contains the changes of the advanced tab.
 - Make sure that no other service is using port `443 (tcp/upd)` or `81 (tcp)` on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep "443\|81"` before installing AIO.
 - Please change the default login data first, after you can read inside the logs that the default config for AIO is created and there are no errors.
 - After the container was started the first time, please check the logs for errors. Then you can open NPMplus on `https://<ip>:81` and change the password. 
@@ -11,7 +10,7 @@ This container contains a fork of the Nginx Proxy Manager, which is a WebUI for
 - If you want to use NPMplus behind a domain and outside localhost just create a new proxy host inside the NPMplus which proxies to `https`, `127.0.0.1` and port `81` - all other settings should be the same as for the AIO host.
 - If you want to set env options from this [compose.yaml](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml), please set them inside the `.env` file which you can find in the `nextcloud_aio_npmplus` volume
 - The data (certs, configs, etc.) of NPMplus will be automatically included in AIOs backup solution!
-- **Important:** you always need to enable https for your hosts, since `DISABLE_HTTP` is set to true
+- **Important:** you always need to enable https for your hosts, since `DISABLE_HTTP` is set to true by default
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository and Documentation

community-containers/pi-hole/pi-hole.json

@@ -28,9 +28,9 @@
             ],
             "environment": [
                 "TZ=%TIMEZONE%",
-                "WEBPASSWORD=%PIHOLE_WEBPASSWORD%",
-                "DNSMASQ_LISTENING=all",
-                "WEB_PORT=8573"
+                "FTLCONF_webserver_api_password=%PIHOLE_WEBPASSWORD%",
+                "FTLCONF_dns_listeningMode=all",
+                "FTLCONF_webserver_port=8573"
             ],
             "volumes": [
                 {
@@ -48,6 +48,7 @@
                 "nextcloud_aio_pihole",
                 "nextcloud_aio_pihole_dnsmasq"
             ],
+            "ui_secret": "PIHOLE_WEBPASSWORD",
             "secrets": [
                 "PIHOLE_WEBPASSWORD"
             ]

community-containers/pi-hole/readme.md

@@ -6,7 +6,7 @@ This container bundles pi-hole and auto-configures it for you.
 - Make sure that no dns server is already running by checking with `sudo netstat -tulpn | grep 53`. Otherwise the container will not be able to start!
 - The DHCP functionality of Pi-hole has been disabled!
 - The data of pi-hole will be automatically included in AIOs backup solution!
-- After adding and starting the container, you can visit `http://ip.address.of.this.server:8573/admin` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-pihole | grep WEBPASSWORD`. There you can configure the pi-hole setup. Also you can add local dns records.
+- After adding and starting the container, you can visit `http://ip.address.of.this.server:8573/admin` in order to log in with the admin key that you can see next to the container in the AIO interface. There you can configure the pi-hole setup. Also you can add local dns records.
 - You can configure your home network now to use pi-hole as its dns server by configuring your router.
 - Additionally, you can configure the docker daemon to use that by editing `/etc/docker/daemon.json` and adding ` { "dns" : [ "ip.address.of.this.server" , "8.8.8.8" ] } `.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/scrutiny/readme.md

@@ -0,0 +1,16 @@
+## Scrutiny
+This container bundles Scrutiny which is a frontend for SMART stats and auto-configures it for you.
+
+### Notes
+- This container should only be run in home networks
+- ⚠️ This container mounts all devices from the host inside the container in order to be able to access the drives and smartctl stats which is a security issue. However no better solution was found for the time being.
+- This container only works on Linux and not on Docker-Desktop.
+- After adding and starting the container, you need to visit `http://internal.ip.of.server:8000` which will show the dashboard for your drives.
+- It currently does not support sending notifications as no good solution was found yet that makes this possible. See https://github.com/szaimen/aio-scrutiny/issues/3
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-scrutiny
+
+### Maintainer
+https://github.com/szaimen

community-containers/scrutiny/scrutiny.json

@@ -0,0 +1,56 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-scrutiny",
+            "display_name": "Scrutiny",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/scrutiny",
+            "image": "szaimen/aio-scrutiny",
+            "image_tag": "v1",
+            "internal_port": "8000",
+            "init": false,
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "8000",
+                  "protocol": "tcp"
+                }
+            ],
+            "cap_add": [
+                "SYS_RAWIO",
+                "SYS_ADMIN"
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "SCRUTINY_WEB_LISTEN_PORT=8000",
+                "COLLECTOR_API_ENDPOINT=http://127.0.0.1:8000"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_scrutiny",
+                    "destination": "/opt/scrutiny/config",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_scrutiny_db",
+                    "destination": "/opt/scrutiny/influxdb",
+                    "writeable": true
+                },
+                {
+                    "source": "/run/udev",
+                    "destination": "/run/udev",
+                    "writeable": false
+                },
+                {
+                    "source": "/dev",
+                    "destination": "/dev",
+                    "writeable": false
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_scrutiny",
+                "nextcloud_aio_scrutiny_db"
+            ]
+        }
+    ]
+}

community-containers/smbserver/readme.md

@@ -0,0 +1,15 @@
+## SMB-server
+This container bundles an SMB-server and allows to configure it via a graphical shell script.
+
+### Notes
+- This container should only be run in home networks
+- This container currently only works on amd64. See https://github.com/szaimen/aio-smbserver/issues/3
+- After adding and starting the container, you need to visit `https://internal.ip.of.server:5803` in order to log in with the `smbserver` user and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning). Then type in `bash /smbserver.sh` and you will see a graphical UI for configuring the smb-server interactively.
+- The config data of SMB-server will be automatically included in AIOs backup solution!
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-smbserver/
+
+### Maintainer
+https://github.com/szaimen

community-containers/smbserver/smbserver.json

@@ -0,0 +1,60 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-smbserver",
+            "display_name": "SMB-server",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/smbserver",
+            "image": "szaimen/aio-smbserver",
+            "image_tag": "v1",
+            "internal_port": "5803",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                    "ip_binding": "",
+                    "port_number": "5803",
+                    "protocol": "tcp"
+                },
+                {
+                    "ip_binding": "",
+                    "port_number": "445",
+                    "protocol": "tcp"
+                },
+                {
+                    "ip_binding": "",
+                    "port_number": "139",
+                    "protocol": "tcp"
+                }
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_smbserver",
+                    "destination": "/smbserver",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/mnt/ncdata",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_MOUNT%",
+                    "destination": "/mnt",
+                    "writeable": true
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "WEB_AUTHENTICATION_USERNAME=smbserver",
+                "WEB_AUTHENTICATION_PASSWORD=%SMBSERVER_PASSWORD%",
+                "WEB_LISTENING_PORT=5803"
+            ],
+            "secrets": [
+                "SMBSERVER_PASSWORD"
+            ],
+            "ui_secret": "SMBSERVER_PASSWORD",
+            "backup_volumes": [
+                "nextcloud_aio_smbserver"
+            ]
+        }
+    ]
+}

community-containers/stalwart/stalwart.json

@@ -4,7 +4,7 @@
             "container_name": "nextcloud-aio-stalwart",
             "display_name": "Stalwart",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart",
-            "image": "docjyj/aio-stalwart",
+            "image": "ghcr.io/docjyj/aio-stalwart",
             "image_tag": "%AIO_CHANNEL%",
             "internal_port": "10003",
             "restart": "unless-stopped",
@@ -53,6 +53,7 @@
             "secrets": [
                 "STALWART_USER_PASS"
             ],
+            "ui_secret": "STALWART_USER_PASS",
             "volumes": [
                 {
                     "source": "nextcloud_aio_stalwart",

community-containers/vaultwarden/readme.md

@@ -6,7 +6,7 @@ This container bundles vaultwarden and auto-configures it for you.
 - Currently, only `bw.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, vaultwarden will use `bw.your-domain.com`. The reverse proxy and domain must be configured accordingly!
 - If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban
 - The data of Vaultwarden will be automatically included in AIOs backup solution!
-- After adding and starting the container, you need to visit `https://bw.your-domain.com/admin` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-vaultwarden | grep ADMIN_TOKEN`. There you can configure smtp first and then invite users via mail. After this is done, you might disable the admin panel via the reverse proxy by blocking connections to the subdirectory.
+- After adding and starting the container, you need to visit `https://bw.your-domain.com/admin` in order to log in with the admin key that you can see next to the container in the AIO interface. There you can configure smtp first and then invite users via mail. After this is done, you might disable the admin panel via the reverse proxy by blocking connections to the subdirectory.
 - If using the caddy community container, the vaultwarden admin interface can be disabled by creating a `block-vaultwarden-admin` file in the `nextcloud-aio-caddy` folder when you open the Nextcloud files app with the default `admin` user. Afterwards restart all containers from the AIO interface and the admin interface should be disabled! You can unlock the admin interface by removing the file again and afterwards restarting the containers via the AIO interface.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 

community-containers/vaultwarden/vaultwarden.json

@@ -40,6 +40,7 @@
             "backup_volumes": [
                 "nextcloud_aio_vaultwarden"
             ],
+            "ui_secret": "VAULTWARDEN_ADMIN_TOKEN",
             "secrets": [
                 "VAULTWARDEN_ADMIN_TOKEN"
             ]

compose.yaml

@@ -20,6 +20,7 @@ services:
       # APACHE_ADDITIONAL_NETWORK: frontend_net # (Optional) Connect the apache container to an additional docker network. Needed when behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) running in a different docker network on same server. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
       # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
+      # FULLTEXTSEARCH_JAVA_OPTIONS: "-Xms1024M -Xmx1024M" # Allows to adjust the fulltextsearch java options. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-fulltextsearch-java-options
       # NEXTCLOUD_DATADIR: /mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
       # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
       # NEXTCLOUD_UPLOAD_LIMIT: 16G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
@@ -38,6 +39,7 @@ services:
     # security_opt: ["label:disable"] # Is needed when using SELinux
 
 #   # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/discussions/575
+#   # Alternatively, use Tailscale if you don't have a domain yet. See https://github.com/nextcloud/all-in-one/discussions/5439
 #   # Hint: You need to uncomment APACHE_PORT: 11000 above, adjust cloud.example.com to your domain and uncomment the necessary docker volumes at the bottom of this file in order to make it work
 #   # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
 #   caddy:

local-instance.md

@@ -2,14 +2,17 @@
 It is possible due to several reasons that you do not want or cannot open Nextcloud to the public internet. Perhaps you were hoping to access AIO directly from an `ip.add.r.ess` (unsupported) or without a valid domain.  However, AIO requires a valid certificate to work correctly. Below is discussed how you can achieve both: Having a valid certificate for Nextcloud and only using it locally.
 
 ### Content
-- [1. The recommended way](#1-the-recommended-way)
-- [2. Use the ACME DNS-challenge](#2-use-the-acme-dns-challenge)
-- [3. Use Cloudflare](#3-use-cloudflare)
-- [4. Buy a certificate and use that](#4-buy-a-certificate-and-use-that)
-- [5. Tailscale network](#5-tailscale-network)
+- [1. Tailscale](#1-tailscale)
+- [2. The normal way](#2-the-normal-way)
+- [3. Use the ACME DNS-challenge](#3-use-the-acme-dns-challenge)
+- [4. Use Cloudflare](#4-use-cloudflare)
+- [5. Buy a certificate and use that](#5-buy-a-certificate-and-use-that)
 
-## 1. The recommended way
-The recommended way is the following:
+## 1. Tailscale
+This is the recommended way. For a reverse proxy example guide for Tailscale, see this guide by @flll: https://github.com/nextcloud/all-in-one/discussions/5439
+
+## 2. The normal way
+The normal way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
 1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
@@ -18,14 +21,11 @@ The recommended way is the following:
 
 **Hint:** You may have a look at [this video](https://youtu.be/zk-y2wVkY4c) for a more complete but possibly outdated example.
 
-## 2. Use the ACME DNS-challenge
+## 3. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
 
-## 3. Use Cloudflare
+## 4. Use Cloudflare
 If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
 
-## 4. Buy a certificate and use that
+## 5. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
-
-## 5. Tailscale network
-For a reverse proxy example guide for Tailscale, see this guide by @flll: https://github.com/nextcloud/all-in-one/discussions/5439

manual-install/latest.yml

@@ -202,6 +202,7 @@ services:
     environment:
       - NC_DOMAIN
       - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
+      - TZ=${TIMEZONE}
       - REDIS_HOST=nextcloud-aio-redis
       - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
       - POSTGRES_HOST=nextcloud-aio-database
@@ -238,6 +239,7 @@ services:
       - NET_RAW
 
   nextcloud-aio-collabora:
+    command: ${ADDITIONAL_COLLABORA_OPTIONS}
     image: nextcloud/aio-collabora:latest
     init: true
     healthcheck:
@@ -251,7 +253,7 @@ services:
       - "9980"
     environment:
       - aliasgroup1=https://${NC_DOMAIN}:443
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true ${COLLABORA_SECCOMP_POLICY} --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
       - dictionaries=${COLLABORA_DICTIONARIES}
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}
@@ -429,7 +431,7 @@ services:
       - "9200"
     environment:
       - TZ=${TIMEZONE}
-      - ES_JAVA_OPTS=-Xms512M -Xmx512M
+      - ES_JAVA_OPTS=${FULLTEXTSEARCH_JAVA_OPTIONS}
       - bootstrap.memory_lock=true
       - cluster.name=nextcloud-aio
       - discovery.type=single-node
@@ -459,6 +461,8 @@ services:
       retries: 3
     expose:
       - "3002"
+    tmpfs:
+      - /tmp
     environment:
       - TZ=${TIMEZONE}
       - NEXTCLOUD_URL=https://${NC_DOMAIN}
@@ -466,6 +470,7 @@ services:
       - STORAGE_STRATEGY=redis
       - REDIS_HOST=nextcloud-aio-redis
       - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
+      - BACKUP_DIR=/tmp
     restart: unless-stopped
     profiles:
       - whiteboard

manual-install/readme.md

@@ -24,7 +24,7 @@ First, install docker and docker-compose (v2) if not already done. Then simply r
 git clone https://github.com/nextcloud/all-in-one.git
 cd all-in-one/manual-install
 ```
-Then copy the sample.conf to default environment file, e.g. `cp sample.conf .env`, open the new conf file, e.g. with `nano .env`, edit all values that are marked with `# TODO!`, close and save the file. (Note: there is no clamav image for arm64).<br>
+Then copy the sample.conf to default environment file, e.g. `cp sample.conf .env`, open the new conf file, e.g. with `nano .env`, edit all values that are marked with `# TODO!`, close and save the file.<br>
 ⚠️ **Warning**: Do not use the symbols `@` and `:` in your passwords. These symbols are used to build database connection strings. You will experience issues when using these symbols! Also please note that values inside the latest.yaml that are not exposed as variables are not officially supported to be changed. See for example [this report](https://github.com/nextcloud/all-in-one/issues/5612).
 
 Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml compose.yaml`.
@@ -32,9 +32,9 @@ Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml
 Now you should be ready to go with `sudo docker compose up`.
 
 ## Docker profiles
-The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, talk, whiteboard, talk-recording, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
+The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, talk, whiteboard, talk-recording, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`.
 
-For a complete all-in-one with collabora use `sudo docker compose --profile collabora --profile talk --profile talk-recording --profile clamav --profile imaginary --profile fulltextsearch --profile whiteboard up`. (Note: there is no clamav image for arm64).
+For a complete all-in-one with collabora use `sudo docker compose --profile collabora --profile talk --profile talk-recording --profile clamav --profile imaginary --profile fulltextsearch --profile whiteboard up`.
 
 ## How to update?
 Since the AIO containers may change in the future, it is highly recommended to strictly follow the following procedure whenever you want to upgrade your containers.

manual-install/sample.conf

@@ -24,8 +24,9 @@ WHITEBOARD_ENABLED="no"          # Setting this to "yes" (with quotes) enables t
 APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=17179869184          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
+FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
 NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.

manual-install/update-yaml.sh

@@ -14,6 +14,7 @@ cat /tmp/containers.json
 OUTPUT="$(cat /tmp/containers.json)"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].internal_port)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].secrets)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].ui_secrets)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].devices)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].enable_nvidia_gpu)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
@@ -36,6 +37,7 @@ cd manual-install || exit
 sed -i "s|'||g" containers.yml
 sed -i '/display_name:/d' containers.yml
 sed -i '/THIS_IS_AIO/d' containers.yml
+sed -i "s|%COLLABORA_SECCOMP_POLICY% ||g" containers.yml
 sed -i '/stop_grace_period:/s/$/s/' containers.yml
 sed -i '/: \[\]/d' containers.yml
 sed -i 's|- source: |- |' containers.yml
@@ -73,7 +75,7 @@ do
 done
 
 sed -i 's|_ENABLED=|_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.|' sample.conf
-sed -i 's|CLAMAV_ENABLED=no.*|CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically. Note: arm64 has no clamav support|' sample.conf
+sed -i 's|CLAMAV_ENABLED=no.*|CLAMAV_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.|' sample.conf
 sed -i 's|TALK_ENABLED=no|TALK_ENABLED="yes"|' sample.conf
 sed -i 's|COLLABORA_ENABLED=no|COLLABORA_ENABLED="yes"|' sample.conf
 sed -i 's|COLLABORA_DICTIONARIES=|COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora|' sample.conf
@@ -92,6 +94,7 @@ sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be chang
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
+sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
 sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
@@ -127,6 +130,13 @@ echo "$OUTPUT" > containers.yml
 sed -i '/container_name/d' containers.yml
 sed -i 's|^ $||' containers.yml
 
+# Additional config for collabora
+cat << EOL > /tmp/additional-collabora.config
+    command: \${ADDITIONAL_COLLABORA_OPTIONS}
+EOL
+sed -i "/^  nextcloud-aio-collabora:/r /tmp/additional-collabora.config" containers.yml
+sed -i "/^COLLABORA_DICTIONARIES.*/i ADDITIONAL_COLLABORA_OPTIONS=['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax." sample.conf
+
 VOLUMES="$(grep -oP 'nextcloud_aio_[a-z_]+' containers.yml | sort -u)"
 mapfile -t VOLUMES <<< "$VOLUMES"
 echo "" >> containers.yml

manual-upgrade.md

@@ -7,7 +7,11 @@ The only way to fix this on your side is upgrading regularly (e.g. by enabling d
 
 ---
 
-## Method 1
+## Method 1 using `assaflavie/runlike`
+
+> [!Warning]
+> Please note that this method is apparently currently broken. See https://help.nextcloud.com/t/manual-upgrade-keeps-failing/217164/10
+> So please refer to method 2 using Portainer.
 
 1. Start all containers from the AIO interface 
     - Now, it will report that Nextcloud is restarting because it is not able to start due to the above mentioned problem
@@ -54,14 +58,11 @@ The only way to fix this on your side is upgrading regularly (e.g. by enabling d
 
 ---
 
-## Method 2
+## Method 2 using Portainer
 #### *Approach using portainer if method 1 does not work for you*
 
 Prerequisite: have all containers from AIO interface running.
 
-<details>
-<summary>Click to expand</summary>
-
 ##### 1. Install portainer if not installed:
 ```bash
 docker volume create portainer_data
@@ -119,5 +120,3 @@ docker rm portainer
 docker volume rm portainer_data
 ```
 - Make sure you close port 9443 on your firewall and delete any necessary reverse proxy hosts.
-
-</details>

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 10.3.0
+version: 10.7.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/readme.md

@@ -1,5 +1,11 @@
 # Nextcloud AIO Helm-chart
 
+> [!NOTE]
+> For an enterprise-ready and scalable deployment method based on Helm Charts (also available for Podman), please [contact Nextcloud GmbH](https://nextcloud.com/enterprise/).
+
+> [!IMPORTANT]
+> This Helm-Chart is not intended to be used with Ingress as it handles TLS itself via the built-in apache container and exposes a Loadbalancer port itself on the Cluster. See the [apache service](https://github.com/nextcloud/all-in-one/blob/main/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml). However if the Cluster is used behind NAT, you can adjust `APACHE_PORT` to a different one than 443 and do the TLS offloading on an external Reverse Proxy that forwards the traffic to the configured port via http. If you really need the Ingress feature, please [contact Nextcloud GmbH](https://nextcloud.com/enterprise/) as we offer an enterprise-ready and scalable deployment method based on Helm Charts that also allows Ingress to be used.
+
 You can run the containers that are build for AIO with Kubernetes using this Helm chart. This comes with a few downsides, that are discussed below.
 
 ### Advantages

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: nextcloud/aio-apache:20250114_092611
+          image: nextcloud/aio-apache:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20250114_092611
+          image: nextcloud/aio-clamav:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -21,7 +21,8 @@ spec:
         io.kompose.service: nextcloud-aio-collabora
     spec:
       containers:
-        - env:
+        - args: {{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default list | toJson }}
+          env:
             - name: DONT_GEN_SSL_CERT
               value: "1"
             - name: TZ
@@ -31,10 +32,10 @@ spec:
             - name: dictionaries
               value: "{{ .Values.COLLABORA_DICTIONARIES }}"
             - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20250114_092611
+          image: nextcloud/aio-collabora:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20250114_092611
+          image: nextcloud/aio-postgresql:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -35,7 +35,7 @@ spec:
       containers:
         - env:
             - name: ES_JAVA_OPTS
-              value: -Xms512M -Xmx512M
+              value: "{{ .Values.FULLTEXTSEARCH_JAVA_OPTIONS | default "-Xms512M -Xmx512M" }}"
             - name: FULLTEXTSEARCH_PASSWORD
               value: "{{ .Values.FULLTEXTSEARCH_PASSWORD }}"
             - name: TZ
@@ -54,7 +54,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: nextcloud/aio-fulltextsearch:20250114_092611
+          image: nextcloud/aio-fulltextsearch:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20250114_092611
+          image: nextcloud/aio-imaginary:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -180,7 +180,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: nextcloud/aio-nextcloud:20250114_092611
+          image: nextcloud/aio-nextcloud:20250306_093458
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -53,7 +53,9 @@ spec:
               value: nextcloud-aio-redis
             - name: REDIS_HOST_PASSWORD
               value: "{{ .Values.REDIS_PASSWORD }}"
-          image: nextcloud/aio-notify-push:20250114_092611
+            - name: TZ
+              value: "{{ .Values.TIMEZONE }}"
+          image: nextcloud/aio-notify-push:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20250114_092611
+          image: nextcloud/aio-onlyoffice:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20250114_092611
+          image: nextcloud/aio-redis:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20250114_092611
+          image: nextcloud/aio-talk:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk-recording:20250114_092611
+          image: nextcloud/aio-talk-recording:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -34,6 +34,8 @@ spec:
         {{- end }}
       containers:
         - env:
+            - name: BACKUP_DIR
+              value: /tmp
             - name: JWT_SECRET_KEY
               value: "{{ .Values.WHITEBOARD_SECRET }}"
             - name: NEXTCLOUD_URL
@@ -46,7 +48,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-whiteboard:20250114_092611
+          image: nextcloud/aio-whiteboard:20250306_093458
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/update-helm.sh

@@ -42,6 +42,7 @@ sed -i "s|\${TALK_PORT}:\${TALK_PORT}/|$TALK_PORT:$TALK_PORT/|g" latest.yml
 sed -i "s|- \${APACHE_PORT}|- $APACHE_PORT|" latest.yml
 sed -i "s|- \${TALK_PORT}|- $TALK_PORT|" latest.yml
 sed -i "s|\${NEXTCLOUD_DATADIR}|$NEXTCLOUD_DATADIR|" latest.yml
+sed -i "s|\${ADDITIONAL_COLLABORA_OPTIONS}|ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER|" latest.yml
 sed -i "/name: nextcloud-aio/,$ d" latest.yml
 sed -i "/NEXTCLOUD_DATADIR/d" latest.yml
 sed -i "/\${NEXTCLOUD_MOUNT}/d" latest.yml
@@ -306,6 +307,8 @@ cat << EOL > /tmp/additional.config
 EOL
 # shellcheck disable=SC1083
 find ./ -name '*nextcloud-deployment.yaml' -exec sed -i "/^.*\- env:/r /tmp/additional.config"  \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*fulltextsearch-deployment.yaml' -exec sed -i 's/{{ .Values.FULLTEXTSEARCH_JAVA_OPTIONS }}/{{ .Values.FULLTEXTSEARCH_JAVA_OPTIONS | default "-Xms512M -Xmx512M" }}/'  \{} \;
 
 # Additional config
 cat << EOL > /tmp/additional-apache.config
@@ -465,6 +468,11 @@ EOL
 # shellcheck disable=SC1083
 find ./ \( -not -name '*collabora-deployment.yaml*' -not -name '*apache-deployment.yaml*' -not -name '*onlyoffice-deployment.yaml*' -name "*deployment.yaml" \) -exec sed -i "/^          securityContext:$/r /tmp/security.conf" \{} \; 
 
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml*' -exec sed -i "/ADDITIONAL_COLLABORA_OPTIONS_PLACEHOLDER/d" \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*collabora-deployment.yaml*' -exec sed -i "s/- args:/- args: \{\{ .Values.ADDITIONAL_COLLABORA_OPTIONS | default list | toJson \}\}/" \{} \;
+
 cat << EOL > /tmp/security.conf
             # The items below only work in container context
             allowPrivilegeEscalation: false

nextcloud-aio-helm-chart/values.yaml

@@ -23,8 +23,9 @@ WHITEBOARD_ENABLED: "no"          # Setting this to "yes" (with quotes) enables
 
 APACHE_MAX_SIZE: "17179869184"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
 APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else).
+ADDITIONAL_COLLABORA_OPTIONS: ['--o:security.seccomp=true']          # You can add additional collabora options here by using the array syntax.
 COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
-COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
+FULLTEXTSEARCH_JAVA_OPTIONS: -Xms512M -Xmx512M          # Allows to adjust the fulltextsearch java options.
 INSTALL_LATEST_MAJOR: no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
 NEXTCLOUD_ADDITIONAL_APKS: imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.
 NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.

php/composer.lock

@@ -391,32 +391,32 @@
         },
         {
             "name": "laravel/serializable-closure",
-            "version": "v1.3.7",
+            "version": "v2.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "4f48ade902b94323ca3be7646db16209ec76be3d"
+                "reference": "f379c13663245f7aa4512a7869f62eb14095f23f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/4f48ade902b94323ca3be7646db16209ec76be3d",
-                "reference": "4f48ade902b94323ca3be7646db16209ec76be3d",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/f379c13663245f7aa4512a7869f62eb14095f23f",
+                "reference": "f379c13663245f7aa4512a7869f62eb14095f23f",
                 "shasum": ""
             },
             "require": {
-                "php": "^7.3|^8.0"
+                "php": "^8.1"
             },
             "require-dev": {
-                "illuminate/support": "^8.0|^9.0|^10.0|^11.0",
-                "nesbot/carbon": "^2.61|^3.0",
-                "pestphp/pest": "^1.21.3",
-                "phpstan/phpstan": "^1.8.2",
-                "symfony/var-dumper": "^5.4.11|^6.2.0|^7.0.0"
+                "illuminate/support": "^10.0|^11.0|^12.0",
+                "nesbot/carbon": "^2.67|^3.0",
+                "pestphp/pest": "^2.36|^3.0",
+                "phpstan/phpstan": "^2.0",
+                "symfony/var-dumper": "^6.2.0|^7.0.0"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.x-dev"
+                    "dev-master": "2.x-dev"
                 }
             },
             "autoload": {
@@ -448,7 +448,7 @@
                 "issues": "https://github.com/laravel/serializable-closure/issues",
                 "source": "https://github.com/laravel/serializable-closure"
             },
-            "time": "2024-11-14T18:34:49+00:00"
+            "time": "2025-02-11T15:03:05+00:00"
         },
         {
             "name": "nikic/fast-route",
@@ -502,16 +502,16 @@
         },
         {
             "name": "php-di/invoker",
-            "version": "2.3.4",
+            "version": "2.3.6",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHP-DI/Invoker.git",
-                "reference": "33234b32dafa8eb69202f950a1fc92055ed76a86"
+                "reference": "59f15608528d8a8838d69b422a919fd6b16aa576"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/Invoker/zipball/33234b32dafa8eb69202f950a1fc92055ed76a86",
-                "reference": "33234b32dafa8eb69202f950a1fc92055ed76a86",
+                "url": "https://api.github.com/repos/PHP-DI/Invoker/zipball/59f15608528d8a8838d69b422a919fd6b16aa576",
+                "reference": "59f15608528d8a8838d69b422a919fd6b16aa576",
                 "shasum": ""
             },
             "require": {
@@ -545,7 +545,7 @@
             ],
             "support": {
                 "issues": "https://github.com/PHP-DI/Invoker/issues",
-                "source": "https://github.com/PHP-DI/Invoker/tree/2.3.4"
+                "source": "https://github.com/PHP-DI/Invoker/tree/2.3.6"
             },
             "funding": [
                 {
@@ -553,24 +553,24 @@
                     "type": "github"
                 }
             ],
-            "time": "2023-09-08T09:24:21+00:00"
+            "time": "2025-01-17T12:49:27+00:00"
         },
         {
             "name": "php-di/php-di",
-            "version": "7.0.7",
+            "version": "7.0.9",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHP-DI/PHP-DI.git",
-                "reference": "e87435e3c0e8f22977adc5af0d5cdcc467e15cf1"
+                "reference": "d8480267f5cf239650debba704f3ecd15b638cde"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/e87435e3c0e8f22977adc5af0d5cdcc467e15cf1",
-                "reference": "e87435e3c0e8f22977adc5af0d5cdcc467e15cf1",
+                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/d8480267f5cf239650debba704f3ecd15b638cde",
+                "reference": "d8480267f5cf239650debba704f3ecd15b638cde",
                 "shasum": ""
             },
             "require": {
-                "laravel/serializable-closure": "^1.0",
+                "laravel/serializable-closure": "^1.0 || ^2.0",
                 "php": ">=8.0",
                 "php-di/invoker": "^2.0",
                 "psr/container": "^1.1 || ^2.0"
@@ -582,8 +582,8 @@
                 "friendsofphp/php-cs-fixer": "^3",
                 "friendsofphp/proxy-manager-lts": "^1",
                 "mnapoli/phpunit-easymock": "^1.3",
-                "phpunit/phpunit": "^9.5",
-                "vimeo/psalm": "^4.6"
+                "phpunit/phpunit": "^9.6",
+                "vimeo/psalm": "^5|^6"
             },
             "suggest": {
                 "friendsofphp/proxy-manager-lts": "Install it if you want to use lazy injection (version ^1)"
@@ -614,7 +614,7 @@
             ],
             "support": {
                 "issues": "https://github.com/PHP-DI/PHP-DI/issues",
-                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.7"
+                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.9"
             },
             "funding": [
                 {
@@ -626,7 +626,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-07-21T15:55:45+00:00"
+            "time": "2025-02-28T12:46:35+00:00"
         },
         {
             "name": "php-di/slim-bridge",
@@ -1633,24 +1633,23 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.18.0",
+            "version": "v3.20.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "acffa88cc2b40dbe42eaf3a5025d6c0d4600cc50"
+                "reference": "3468920399451a384bef53cf7996965f7cd40183"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/acffa88cc2b40dbe42eaf3a5025d6c0d4600cc50",
-                "reference": "acffa88cc2b40dbe42eaf3a5025d6c0d4600cc50",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/3468920399451a384bef53cf7996965f7cd40183",
+                "reference": "3468920399451a384bef53cf7996965f7cd40183",
                 "shasum": ""
             },
             "require": {
-                "php": ">=8.0.2",
+                "php": ">=8.1.0",
                 "symfony/deprecation-contracts": "^2.5|^3",
                 "symfony/polyfill-ctype": "^1.8",
-                "symfony/polyfill-mbstring": "^1.3",
-                "symfony/polyfill-php81": "^1.29"
+                "symfony/polyfill-mbstring": "^1.3"
             },
             "require-dev": {
                 "phpstan/phpstan": "^2.0",
@@ -1697,7 +1696,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.18.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.20.0"
             },
             "funding": [
                 {
@@ -1709,7 +1708,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-12-29T10:51:50+00:00"
+            "time": "2025-02-13T08:34:43+00:00"
         }
     ],
     "packages-dev": [
@@ -2700,16 +2699,16 @@
         },
         {
             "name": "phpstan/phpdoc-parser",
-            "version": "2.0.0",
+            "version": "2.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpstan/phpdoc-parser.git",
-                "reference": "c00d78fb6b29658347f9d37ebe104bffadf36299"
+                "reference": "9b30d6fd026b2c132b3985ce6b23bec09ab3aa68"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/c00d78fb6b29658347f9d37ebe104bffadf36299",
-                "reference": "c00d78fb6b29658347f9d37ebe104bffadf36299",
+                "url": "https://api.github.com/repos/phpstan/phpdoc-parser/zipball/9b30d6fd026b2c132b3985ce6b23bec09ab3aa68",
+                "reference": "9b30d6fd026b2c132b3985ce6b23bec09ab3aa68",
                 "shasum": ""
             },
             "require": {
@@ -2741,9 +2740,9 @@
             "description": "PHPDoc parser with support for nullable, intersection and generic types",
             "support": {
                 "issues": "https://github.com/phpstan/phpdoc-parser/issues",
-                "source": "https://github.com/phpstan/phpdoc-parser/tree/2.0.0"
+                "source": "https://github.com/phpstan/phpdoc-parser/tree/2.1.0"
             },
-            "time": "2024-10-13T11:29:49+00:00"
+            "time": "2025-02-19T13:28:12+00:00"
         },
         {
             "name": "sebastian/diff",

php/containers-schema.json

@@ -15,7 +15,7 @@
 					"image": {
 						"type": "string",
 						"minLength": 1,
-						"pattern": "^[a-z0-9/-]+$"
+						"pattern": "^(ghcr.io/)?[a-z0-9/-]+$"
 					},
 					"expose": {
 						"type": "array",
@@ -145,6 +145,10 @@
 							"pattern": "^[A-Z_]+$"
 						}
 					},
+					"ui_secret": {
+						"type": "string",
+						"pattern": "^[A-Z_]+$"
+					},
 					"image_tag": {
 						"type": "string",
 						"pattern": "^([a-z0-9.-]+|%AIO_CHANNEL%)$"
@@ -213,7 +217,7 @@
 								},
 								"source": {
 									"type": "string",
-									"pattern": "^((nextcloud_aio_[a-z_]+)|(%[A-Z_]+%))$"
+									"pattern": "^((nextcloud_aio_[a-z_]+)|(%[A-Z_]+%)|(/dev)|(/run/udev))$"
 								},
 								"writeable": {
 									"type": "boolean"

php/containers.json

@@ -3,6 +3,7 @@
     {
       "container_name": "nextcloud-aio-apache",
       "image_tag": "%AIO_CHANNEL%",
+      "documentation": "https://github.com/nextcloud/all-in-one/discussions/2105",
       "depends_on": [
         "nextcloud-aio-onlyoffice",
         "nextcloud-aio-collabora",
@@ -299,6 +300,7 @@
       "environment": [
         "NC_DOMAIN=%NC_DOMAIN%",
         "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
+        "TZ=%TIMEZONE%",
         "REDIS_HOST=nextcloud-aio-redis",
         "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
         "POSTGRES_HOST=nextcloud-aio-database",
@@ -640,7 +642,7 @@
       "init": false,
       "healthcheck": {
         "start_period": "60s",
-        "test": "clamdcheck.sh",
+        "test": "/healthcheck.sh",
         "interval": "30s",
         "timeout": "30s",
         "start_interval": "5s",
@@ -652,8 +654,7 @@
       "internal_port": "3310",
       "environment": [
         "TZ=%TIMEZONE%",
-        "MAX_SIZE=%NEXTCLOUD_UPLOAD_LIMIT%",
-        "CLAMD_STARTUP_TIMEOUT=90"
+        "MAX_SIZE=%NEXTCLOUD_UPLOAD_LIMIT%"
       ],
       "volumes": [
         {
@@ -668,9 +669,11 @@
       ],
       "read_only": true,
       "tmpfs": [
-        "/var/lock",
+        "/tmp",
         "/var/log/clamav",
-        "/tmp"
+        "/run/clamav",
+        "/var/log/supervisord",
+        "/var/run/supervisord"
       ],
       "cap_drop": [
         "NET_RAW"
@@ -784,7 +787,7 @@
       "internal_port": "9200",
       "environment": [
         "TZ=%TIMEZONE%",
-        "ES_JAVA_OPTS=-Xms512M -Xmx512M",
+        "ES_JAVA_OPTS=%FULLTEXTSEARCH_JAVA_OPTIONS%",
         "bootstrap.memory_lock=true",
         "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
@@ -856,6 +859,9 @@
       "expose": [
         "3002"
       ],
+      "tmpfs": [
+        "/tmp"
+      ],
       "internal_port": "3002",
       "environment": [
         "TZ=%TIMEZONE%",
@@ -863,7 +869,8 @@
         "JWT_SECRET_KEY=%WHITEBOARD_SECRET%",
         "STORAGE_STRATEGY=redis",
         "REDIS_HOST=nextcloud-aio-redis",
-        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%"
+        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
+        "BACKUP_DIR=/tmp"
       ],
       "secrets": [
         "WHITEBOARD_SECRET",

php/public/index.php

@@ -102,7 +102,6 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'last_backup_time' => $configurationManager->GetLastBackupTime(),
         'backup_times' => $configurationManager->GetBackupTimes(),
         'current_channel' => $dockerActionManger->GetCurrentChannel(),
-        'is_x64_platform' => $configurationManager->isx64Platform(),
         'is_clamav_enabled' => $configurationManager->isClamavEnabled(),
         'is_onlyoffice_enabled' => $configurationManager->isOnlyofficeEnabled(),
         'is_collabora_enabled' => $configurationManager->isCollaboraEnabled(),
@@ -114,6 +113,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'skip_domain_validation' => $configurationManager->shouldDomainValidationBeSkipped(),
         'talk_port' => $configurationManager->GetTalkPort(),
         'collabora_dictionaries' => $configurationManager->GetCollaboraDictionaries(),
+        'collabora_additional_options' => $configurationManager->GetAdditionalCollaboraOptions(),
         'automatic_updates' => $configurationManager->areAutomaticUpdatesEnabled(),
         'is_backup_section_enabled' => $configurationManager->isBackupSectionEnabled(),
         'is_imaginary_enabled' => $configurationManager->isImaginaryEnabled(),

php/src/Container/Container.php

@@ -21,6 +21,7 @@ readonly class Container {
         private array                         $dependsOn,
         /** @var string[] */
         private array                         $secrets,
+        private string                        $uiSecret,
         /** @var string[] */
         private array                         $devices,
         private bool                          $enableNvidiaGpu,
@@ -85,6 +86,10 @@ readonly class Container {
         return $this->secrets;
     }
 
+    public function GetUiSecret() : string {
+        return $this->dockerActionManager->GetAndGenerateSecretWrapper($this->uiSecret);
+    }
+
     public function GetTmpfs() : array {
         return $this->tmpfs;
     }

php/src/ContainerDefinitionFetcher.php

@@ -244,6 +244,11 @@ readonly class ContainerDefinitionFetcher {
                 $secrets = $entry['secrets'];
             }
 
+            $uiSecret = '';
+            if (isset($entry['ui_secret'])) {
+                $uiSecret = $entry['ui_secret'];
+            }
+
             $devices = [];
             if (isset($entry['devices'])) {
                 $devices = $entry['devices'];
@@ -316,6 +321,7 @@ readonly class ContainerDefinitionFetcher {
                 $variables,
                 $dependsOn,
                 $secrets,
+                $uiSecret,
                 $devices,
                 $enableNvidiaGpu,
                 $capAdd,

php/src/Controller/ConfigurationController.php

@@ -134,6 +134,15 @@ readonly class ConfigurationController {
                 $this->configurationManager->SetCollaboraDictionaries($collaboraDictionaries);
             }
 
+            if (isset($request->getParsedBody()['delete_collabora_additional_options'])) {
+                $this->configurationManager->DeleteAdditionalCollaboraOptions();
+            }
+
+            if (isset($request->getParsedBody()['collabora_additional_options'])) {
+                $additionalCollaboraOptions = $request->getParsedBody()['collabora_additional_options'] ?? '';
+                $this->configurationManager->SetAdditionalCollaboraOptions($additionalCollaboraOptions);
+            }
+
             if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
                 $this->configurationManager->DeleteBorgBackupLocationVars();
             }

php/src/Controller/DockerController.php

@@ -46,7 +46,7 @@ readonly class DockerController {
         if ($pullImage) {
             if (!$this->dockerActionManager->isDockerHubReachable($container)) {
                 $pullImage = false;
-                error_log('Not pulling the image for the ' . $container->GetContainerName() . ' container because docker hub does not seem to be reachable.');
+                error_log('Not pulling the ' . $container->GetContainerName() . ' image for the ' . $container->GetIdentifier() . ' container because docker hub does not seem to be reachable.');
             }
         }
 
@@ -171,7 +171,7 @@ readonly class DockerController {
         }
 
         if (isset($request->getParsedBody()['install_latest_major'])) {
-            $installLatestMajor = 30;
+            $installLatestMajor = 31;
         } else {
             $installLatestMajor = "";
         }

php/src/Data/ConfigurationManager.php

@@ -33,6 +33,10 @@ class ConfigurationManager
     }
 
     public function GetAndGenerateSecret(string $secretId) : string {
+        if ($secretId === '') {
+            return '';
+        }
+
         $config = $this->GetConfig();
         if(!isset($config['secrets'][$secretId])) {
             $config['secrets'][$secretId] = bin2hex(random_bytes(24));
@@ -128,7 +132,7 @@ class ConfigurationManager
         }
     }
 
-    public function isx64Platform() : bool {
+    private function isx64Platform() : bool {
         if (php_uname('m') === 'x86_64') {
             return true;
         } else {
@@ -136,11 +140,7 @@ class ConfigurationManager
         }
     }
 
-    public function isClamavEnabled() : bool {
-        if (!$this->isx64Platform()) {
-            return false;
-        }
-        
+    public function isClamavEnabled() : bool {        
         $config = $this->GetConfig();
         if (isset($config['isClamavEnabled']) && $config['isClamavEnabled'] === 1) {
             return true;
@@ -166,10 +166,10 @@ class ConfigurationManager
 
     public function isWhiteboardEnabled() : bool {
         $config = $this->GetConfig();
-        if (isset($config['isWhiteboardEnabled']) && $config['isWhiteboardEnabled'] === 1) {
-            return true;
-        } else {
+        if (isset($config['isWhiteboardEnabled']) && $config['isWhiteboardEnabled'] === 0) {
             return false;
+        } else {
+            return true;
         }
     }
 
@@ -210,7 +210,7 @@ class ConfigurationManager
     }
 
     public function SetFulltextsearchEnabledState(int $value) : void {
-        # Elasticsearch does not work on kernels without seccomp anymore. See https://github.com/nextcloud/all-in-one/discussions/5768
+        // Elasticsearch does not work on kernels without seccomp anymore. See https://github.com/nextcloud/all-in-one/discussions/5768
         if ($this->GetCollaboraSeccompDisabledState() === 'true') {
             $value = 0;
         }
@@ -281,6 +281,12 @@ class ConfigurationManager
         if (!$this->isTalkEnabled()) {
             $value = 0;
         }
+
+        // Currently only works on x64. See https://github.com/nextcloud/nextcloud-talk-recording/issues/17
+        if (!$this->isx64Platform()) {
+            $value = 0;
+        }
+
         $config = $this->GetConfig();
         $config['isTalkRecordingEnabled'] = $value;
         $this->WriteConfig($config);
@@ -704,6 +710,13 @@ class ConfigurationManager
         return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
     }
 
+    public function GetFulltextsearchJavaOptions() : string {
+        $envVariableName = 'FULLTEXTSEARCH_JAVA_OPTIONS';
+        $configName = 'fulltextsearch_java_options';
+        $defaultValue = '-Xms512M -Xmx512M';
+        return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
+    }
+
     public function GetDockerSocketPath() : string {
         $envVariableName = 'WATCHTOWER_DOCKER_SOCKET_PATH';
         $configName = 'docker_socket_path';
@@ -933,6 +946,38 @@ class ConfigurationManager
         $this->WriteConfig($config);
     }
 
+    /**
+     * @throws InvalidSettingConfigurationException
+     */
+    public function SetAdditionalCollaboraOptions(string $additionalCollaboraOptions) : void {
+        if ($additionalCollaboraOptions === "") {
+            throw new InvalidSettingConfigurationException("The additional options must not be empty!");
+        }
+
+        if (!preg_match("#^--o:#", $additionalCollaboraOptions)) {
+            throw new InvalidSettingConfigurationException("The entered options must start with '--o:'. So the config does not seem to be a valid!");
+        }
+
+        $config = $this->GetConfig();
+        $config['collabora_additional_options'] = $additionalCollaboraOptions;
+        $this->WriteConfig($config);
+    }
+
+    public function GetAdditionalCollaboraOptions() : string {
+        $config = $this->GetConfig();
+        if(!isset($config['collabora_additional_options'])) {
+            $config['collabora_additional_options'] = '';
+        }
+
+        return $config['collabora_additional_options'];
+    }
+
+    public function DeleteAdditionalCollaboraOptions() : void {
+        $config = $this->GetConfig();
+        $config['collabora_additional_options'] = '';
+        $this->WriteConfig($config);
+    }
+
     public function GetApacheAdditionalNetwork() : string {
         $envVariableName = 'APACHE_ADDITIONAL_NETWORK';
         $configName = 'apache_additional_network';

php/src/DependencyInjection.php

@@ -4,6 +4,7 @@ namespace AIO;
 
 use AIO\Docker\DockerHubManager;
 use DI\Container;
+use AIO\Docker\GitHubContainerRegistryManager;
 
 class DependencyInjection
 {
@@ -15,6 +16,11 @@ class DependencyInjection
             new DockerHubManager()
         );
 
+        $container->set(
+            GitHubContainerRegistryManager::class,
+            new GitHubContainerRegistryManager()
+        );
+
         $container->set(
             \AIO\Data\ConfigurationManager::class,
             new \AIO\Data\ConfigurationManager()
@@ -24,7 +30,8 @@ class DependencyInjection
             new \AIO\Docker\DockerActionManager(
                 $container->get(\AIO\Data\ConfigurationManager::class),
                 $container->get(\AIO\ContainerDefinitionFetcher::class),
-                $container->get(DockerHubManager::class)
+                $container->get(DockerHubManager::class),
+                $container->get(GitHubContainerRegistryManager::class)
             )
         );
         $container->set(

php/src/Docker/DockerActionManager.php

@@ -3,12 +3,12 @@
 namespace AIO\Docker;
 
 use AIO\Container\Container;
-use AIO\Container\VersionState;
 use AIO\Container\ContainerState;
+use AIO\Container\VersionState;
+use AIO\ContainerDefinitionFetcher;
 use AIO\Data\ConfigurationManager;
 use GuzzleHttp\Client;
 use GuzzleHttp\Exception\RequestException;
-use AIO\ContainerDefinitionFetcher;
 use http\Env\Response;
 
 readonly class DockerActionManager {
@@ -16,18 +16,19 @@ readonly class DockerActionManager {
     private Client $guzzleClient;
 
     public function __construct(
-        private ConfigurationManager  $configurationManager,
-        private ContainerDefinitionFetcher $containerDefinitionFetcher,
-        private DockerHubManager $dockerHubManager
+        private ConfigurationManager           $configurationManager,
+        private ContainerDefinitionFetcher     $containerDefinitionFetcher,
+        private DockerHubManager               $dockerHubManager,
+        private GitHubContainerRegistryManager $gitHubContainerRegistryManager
     ) {
         $this->guzzleClient = new Client(['curl' => [CURLOPT_UNIX_SOCKET_PATH => '/var/run/docker.sock']]);
     }
 
-    private function BuildApiUrl(string $url) : string {
+    private function BuildApiUrl(string $url): string {
         return sprintf('http://127.0.0.1/%s/%s', self::API_VERSION, $url);
     }
 
-    private function BuildImageName(Container $container) : string {
+    private function BuildImageName(Container $container): string {
         $tag = $container->GetImageTag();
         if ($tag === '%AIO_CHANNEL%') {
             $tag = $this->GetCurrentChannel();
@@ -35,8 +36,7 @@ readonly class DockerActionManager {
         return $container->GetContainerName() . ':' . $tag;
     }
 
-    public function GetContainerRunningState(Container $container) : ContainerState
-    {
+    public function GetContainerRunningState(Container $container): ContainerState {
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($container->GetIdentifier())));
         try {
             $response = $this->guzzleClient->get($url);
@@ -56,8 +56,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function GetContainerRestartingState(Container $container) : ContainerState
-    {
+    public function GetContainerRestartingState(Container $container): ContainerState {
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($container->GetIdentifier())));
         try {
             $response = $this->guzzleClient->get($url);
@@ -77,8 +76,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function GetContainerUpdateState(Container $container) : VersionState
-    {
+    public function GetContainerUpdateState(Container $container): VersionState {
         $tag = $container->GetImageTag();
         if ($tag === '%AIO_CHANNEL%') {
             $tag = $this->GetCurrentChannel();
@@ -88,12 +86,12 @@ readonly class DockerActionManager {
         if ($runningDigests === null) {
             return VersionState::Different;
         }
-        $remoteDigest = $this->dockerHubManager->GetLatestDigestOfTag($container->GetContainerName(), $tag);
+        $remoteDigest = $this->GetLatestDigestOfTag($container->GetContainerName(), $tag);
         if ($remoteDigest === null) {
             return VersionState::Equal;
         }
 
-        foreach($runningDigests as $runningDigest) {
+        foreach ($runningDigests as $runningDigest) {
             if ($runningDigest === $remoteDigest) {
                 return VersionState::Equal;
             }
@@ -101,8 +99,7 @@ readonly class DockerActionManager {
         return VersionState::Different;
     }
 
-    public function GetContainerStartingState(Container $container) : ContainerState
-    {
+    public function GetContainerStartingState(Container $container): ContainerState {
         $runningState = $this->GetContainerRunningState($container);
         if ($runningState === ContainerState::Stopped || $runningState === ContainerState::ImageDoesNotExist) {
             return $runningState;
@@ -110,9 +107,9 @@ readonly class DockerActionManager {
 
         $containerName = $container->GetIdentifier();
         $internalPort = $container->GetInternalPort();
-        if($internalPort === '%APACHE_PORT%') {
+        if ($internalPort === '%APACHE_PORT%') {
             $internalPort = $this->configurationManager->GetApachePort();
-        } elseif($internalPort === '%TALK_PORT%') {
+        } elseif ($internalPort === '%TALK_PORT%') {
             $internalPort = $this->configurationManager->GetTalkPort();
         }
 
@@ -129,7 +126,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function DeleteContainer(Container $container) : void {
+    public function DeleteContainer(Container $container): void {
         $url = $this->BuildApiUrl(sprintf('containers/%s?v=true', urlencode($container->GetIdentifier())));
         try {
             $this->guzzleClient->delete($url);
@@ -140,8 +137,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function GetLogs(string $id) : string
-    {
+    public function GetLogs(string $id): string {
         $url = $this->BuildApiUrl(
             sprintf(
                 'containers/%s/logs?stdout=true&stderr=true&timestamps=true',
@@ -162,19 +158,18 @@ readonly class DockerActionManager {
         return $response;
     }
 
-    public function StartContainer(Container $container) : void {
+    public function StartContainer(Container $container): void {
         $url = $this->BuildApiUrl(sprintf('containers/%s/start', urlencode($container->GetIdentifier())));
         try {
             $this->guzzleClient->post($url);
         } catch (RequestException $e) {
-            throw new \Exception("Could not start container " . $container->GetIdentifier() . ": " . $e->getMessage());
+            throw new \Exception("Could not start container " . $container->GetIdentifier() . ": " . $e->getResponse()?->getBody()->getContents());
         }
     }
 
-    public function CreateVolumes(Container $container): void
-    {
+    public function CreateVolumes(Container $container): void {
         $url = $this->BuildApiUrl('volumes/create');
-        foreach($container->GetVolumes()->GetVolumes() as $volume) {
+        foreach ($container->GetVolumes()->GetVolumes() as $volume) {
             $forbiddenChars = [
                 '/',
             ];
@@ -184,7 +179,7 @@ readonly class DockerActionManager {
             }
 
             $firstChar = substr($volume->name, 0, 1);
-            if(!in_array($firstChar, $forbiddenChars)) {
+            if (!in_array($firstChar, $forbiddenChars)) {
                 $this->guzzleClient->request(
                     'POST',
                     $url,
@@ -198,7 +193,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function CreateContainer(Container $container) : void {
+    public function CreateContainer(Container $container): void {
         $volumes = [];
         foreach ($container->GetVolumes()->GetVolumes() as $volume) {
             // // NEXTCLOUD_MOUNT gets added via bind-mount later on
@@ -226,12 +221,12 @@ readonly class DockerActionManager {
             $requestBody['HostConfig']['Binds'] = $volumes;
         }
 
-        foreach($container->GetSecrets() as $secret) {
+        foreach ($container->GetSecrets() as $secret) {
             $this->configurationManager->GetAndGenerateSecret($secret);
         }
 
         $aioVariables = $container->GetAioVariables()->GetVariables();
-        foreach($aioVariables as $variable) {
+        foreach ($aioVariables as $variable) {
             $config = $this->configurationManager->GetConfig();
             $variableArray = explode('=', $variable);
             $config[$variableArray[0]] = $variableArray[1];
@@ -244,7 +239,7 @@ readonly class DockerActionManager {
         if ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') {
             $envs[] = $this->GetAllNextcloudExecCommands();
         }
-        foreach($envs as $key => $env) {
+        foreach ($envs as $key => $env) {
             // TODO: This whole block below is a hack and needs to get reworked in order to support multiple substitutions per line by default for all envs
             if (str_starts_with($env, 'extra_params=')) {
                 $env = str_replace('%COLLABORA_SECCOMP_POLICY%', $this->configurationManager->GetCollaboraSeccompPolicy(), $env);
@@ -256,12 +251,12 @@ readonly class DockerActionManager {
             // Original implementation
             $patterns = ['/%(.*)%/'];
 
-            if(preg_match($patterns[0], $env, $out) === 1) {
+            if (preg_match($patterns[0], $env, $out) === 1) {
                 $replacements = array();
 
-                if($out[1] === 'NC_DOMAIN') {
+                if ($out[1] === 'NC_DOMAIN') {
                     $replacements[1] = $this->configurationManager->GetDomain();
-                } elseif($out[1] === 'NC_BASE_DN') {
+                } elseif ($out[1] === 'NC_BASE_DN') {
                     $replacements[1] = $this->configurationManager->GetBaseDN();
                 } elseif ($out[1] === 'AIO_TOKEN') {
                     $replacements[1] = $this->configurationManager->GetToken();
@@ -357,6 +352,8 @@ readonly class DockerActionManager {
                     $replacements[1] = $this->configurationManager->GetNextcloudMaxTime();
                 } elseif ($out[1] === 'BORG_RETENTION_POLICY') {
                     $replacements[1] = $this->configurationManager->GetBorgRetentionPolicy();
+                } elseif ($out[1] === 'FULLTEXTSEARCH_JAVA_OPTIONS') {
+                    $replacements[1] = $this->configurationManager->GetFulltextsearchJavaOptions();
                 } elseif ($out[1] === 'NEXTCLOUD_TRUSTED_CACERTS_DIR') {
                     $replacements[1] = $this->configurationManager->GetTrustedCacertsDir();
                 } elseif ($out[1] === 'ADDITIONAL_DIRECTORIES_BACKUP') {
@@ -389,10 +386,10 @@ readonly class DockerActionManager {
                     } else {
                         $replacements[1] = '';
                     }
-                // Allow to get local ip-address of database container which allows to talk to it even in host mode (the container that requires this needs to be started first then)
+                    // Allow to get local ip-address of database container which allows to talk to it even in host mode (the container that requires this needs to be started first then)
                 } elseif ($out[1] === 'AIO_DATABASE_HOST') {
                     $replacements[1] = gethostbyname('nextcloud-aio-database');
-                // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
+                    // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
                 } elseif ($out[1] === 'CADDY_IP_ADDRESS') {
                     $replacements[1] = '';
                     $communityContainers = $this->configurationManager->GetEnabledCommunityContainers();
@@ -417,7 +414,7 @@ readonly class DockerActionManager {
             }
         }
 
-        if(count($envs) > 0) {
+        if (count($envs) > 0) {
             $requestBody['Env'] = $envs;
         }
 
@@ -427,7 +424,7 @@ readonly class DockerActionManager {
 
         $exposedPorts = [];
         if ($container->GetInternalPort() !== 'host') {
-            foreach($container->GetPorts()->GetPorts() as $value) {
+            foreach ($container->GetPorts()->GetPorts() as $value) {
                 $port = $value->port;
                 $protocol = $value->protocol;
                 if ($port === '%APACHE_PORT%') {
@@ -447,7 +444,7 @@ readonly class DockerActionManager {
             $requestBody['HostConfig']['NetworkMode'] = 'host';
         }
 
-        if(count($exposedPorts) > 0) {
+        if (count($exposedPorts) > 0) {
             $requestBody['ExposedPorts'] = $exposedPorts;
             foreach ($container->GetPorts()->GetPorts() as $value) {
                 $port = $value->port;
@@ -472,16 +469,16 @@ readonly class DockerActionManager {
                 $portWithProtocol = $port . '/' . $protocol;
                 $requestBody['HostConfig']['PortBindings'][$portWithProtocol] = [
                     [
-                    'HostPort' => $port,
-                    'HostIp' => $ipBinding,
+                        'HostPort' => $port,
+                        'HostIp' => $ipBinding,
                     ]
                 ];
             }
         }
 
         $devices = [];
-        foreach($container->GetDevices() as $device) {
-            if ($device === '/dev/dri' && ! $this->configurationManager->isDriDeviceEnabled()) {
+        foreach ($container->GetDevices() as $device) {
+            if ($device === '/dev/dri' && !$this->configurationManager->isDriDeviceEnabled()) {
                 continue;
             }
             $devices[] = ["PathOnHost" => $device, "PathInContainer" => $device, "CgroupPermissions" => "rwm"];
@@ -508,7 +505,7 @@ readonly class DockerActionManager {
         }
 
         $tmpfs = [];
-        foreach($container->GetTmpfs() as $tmp) {
+        foreach ($container->GetTmpfs() as $tmp) {
             $mode = "";
             if (str_contains($tmp, ':')) {
                 $mode = explode(':', $tmp)[1];
@@ -517,7 +514,7 @@ readonly class DockerActionManager {
             $tmpfs[$tmp] = $mode;
         }
         if (count($tmpfs) > 0) {
-            $requestBody['HostConfig']['Tmpfs'] =  $tmpfs;
+            $requestBody['HostConfig']['Tmpfs'] = $tmpfs;
         }
 
         $requestBody['HostConfig']['Init'] = $container->GetInit();
@@ -541,37 +538,46 @@ readonly class DockerActionManager {
         $mounts = [];
 
         // Special things for the backup container which should not be exposed in the containers.json
-        if ($container->GetIdentifier() === 'nextcloud-aio-borgbackup') {
+        if (str_starts_with($container->GetIdentifier(), 'nextcloud-aio-borgbackup')) {
             // Additional backup directories
             foreach ($this->getAllBackupVolumes() as $additionalBackupVolumes) {
                 if ($additionalBackupVolumes !== '') {
                     $mounts[] = ["Type" => "volume", "Source" => $additionalBackupVolumes, "Target" => "/nextcloud_aio_volumes/" . $additionalBackupVolumes, "ReadOnly" => false];
                 }
             }
+
+            // Make volumes read only in case of borgbackup container. The viewer makes them writeable
+            $isReadOnly = $container->GetIdentifier() === 'nextcloud-aio-borgbackup';
+
             foreach ($this->configurationManager->GetAdditionalBackupDirectoriesArray() as $additionalBackupDirectories) {
                 if ($additionalBackupDirectories !== '') {
                     if (!str_starts_with($additionalBackupDirectories, '/')) {
-                        $mounts[] = ["Type" => "volume", "Source" => $additionalBackupDirectories, "Target" => "/docker_volumes/" . $additionalBackupDirectories, "ReadOnly" => true];
+                        $mounts[] = ["Type" => "volume", "Source" => $additionalBackupDirectories, "Target" => "/docker_volumes/" . $additionalBackupDirectories, "ReadOnly" => $isReadOnly];
                     } else {
-                        $mounts[] = ["Type" => "bind", "Source" => $additionalBackupDirectories, "Target" => "/host_mounts" . $additionalBackupDirectories, "ReadOnly" => true, "BindOptions" => ["NonRecursive" => true]];
+                        $mounts[] = ["Type" => "bind", "Source" => $additionalBackupDirectories, "Target" => "/host_mounts" . $additionalBackupDirectories, "ReadOnly" => $isReadOnly, "BindOptions" => ["NonRecursive" => true]];
                     }
                 }
             }
-        // Special things for the talk container which should not be exposed in the containers.json
+            // Special things for the talk container which should not be exposed in the containers.json
         } elseif ($container->GetIdentifier() === 'nextcloud-aio-talk') {
             // This is needed due to a bug in libwebsockets which cannot handle unlimited ulimits
             $requestBody['HostConfig']['Ulimits'] = [["Name" => "nofile", "Hard" => 200000, "Soft" => 200000]];
-        // // Special things for the nextcloud container which should not be exposed in the containers.json
-        // } elseif ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') {
-        //     foreach ($container->GetVolumes()->GetVolumes() as $volume) {
-        //         if ($volume->name !== $this->configurationManager->GetNextcloudMount()) {
-        //             continue;
-        //         }
-        //         $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]];
-        //     }
-        // Special things for the caddy community container
+            // // Special things for the nextcloud container which should not be exposed in the containers.json
+            // } elseif ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') {
+            //     foreach ($container->GetVolumes()->GetVolumes() as $volume) {
+            //         if ($volume->name !== $this->configurationManager->GetNextcloudMount()) {
+            //             continue;
+            //         }
+            //         $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]];
+            //     }
+            // Special things for the caddy community container
         } elseif ($container->GetIdentifier() === 'nextcloud-aio-caddy') {
             $requestBody['HostConfig']['ExtraHosts'] = ['host.docker.internal:host-gateway'];
+            // Special things for the collabora container which should not be exposed in the containers.json
+        } elseif ($container->GetIdentifier() === 'nextcloud-aio-collabora') {
+            if ($this->configurationManager->GetAdditionalCollaboraOptions() !== '') {
+                $requestBody['Cmd'] = [$this->configurationManager->GetAdditionalCollaboraOptions()];
+            }
         }
 
         if (count($mounts) > 0) {
@@ -588,18 +594,18 @@ readonly class DockerActionManager {
                 ]
             );
         } catch (RequestException $e) {
-            throw new \Exception("Could not create container " . $container->GetIdentifier() . ": " . $e->getMessage());
+            throw new \Exception("Could not create container " . $container->GetIdentifier() . ": " . $e->getResponse()?->getBody()->getContents());
         }
 
     }
 
-    public function isDockerHubReachable(Container $container) : bool {
+    public function isDockerHubReachable(Container $container): bool {
         $tag = $container->GetImageTag();
         if ($tag === '%AIO_CHANNEL%') {
             $tag = $this->GetCurrentChannel();
         }
 
-        $remoteDigest = $this->dockerHubManager->GetLatestDigestOfTag($container->GetContainerName(), $tag);
+        $remoteDigest = $this->GetLatestDigestOfTag($container->GetContainerName(), $tag);
 
         if ($remoteDigest === null) {
             return false;
@@ -608,8 +614,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function PullImage(Container $container) : void
-    {
+    public function PullImage(Container $container): void {
         $imageName = $this->BuildImageName($container);
         $encodedImageName = urlencode($imageName);
         $url = $this->BuildApiUrl(sprintf('images/create?fromImage=%s', $encodedImageName));
@@ -623,7 +628,7 @@ readonly class DockerActionManager {
         try {
             $this->guzzleClient->post($url);
         } catch (RequestException $e) {
-            $message = "Could not pull image " . $imageName . ". Please run 'sudo docker exec -it nextcloud-aio-mastercontainer docker pull " . $imageName . "' in order to find out why it failed.";
+            $message = "Could not pull image " . $imageName . ": " . $e->getResponse()?->getBody()->getContents();
             if ($imageIsThere === false) {
                 throw new \Exception($message);
             } else {
@@ -632,8 +637,7 @@ readonly class DockerActionManager {
         }
     }
 
-    private function isContainerUpdateAvailable(string $id) : string
-    {
+    private function isContainerUpdateAvailable(string $id): string {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
         $updateAvailable = "";
@@ -646,7 +650,7 @@ readonly class DockerActionManager {
         return $updateAvailable;
     }
 
-    public function isAnyUpdateAvailable() : bool {
+    public function isAnyUpdateAvailable(): bool {
         // return early if instance is not installed
         if (!$this->configurationManager->wasStartButtonClicked()) {
             return false;
@@ -660,8 +664,7 @@ readonly class DockerActionManager {
         }
     }
 
-    private function getBackupVolumes(string $id) : string
-    {
+    private function getBackupVolumes(string $id): string {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
         $backupVolumes = '';
@@ -674,14 +677,13 @@ readonly class DockerActionManager {
         return $backupVolumes;
     }
 
-    private function getAllBackupVolumes() : array {
+    private function getAllBackupVolumes(): array {
         $id = 'nextcloud-aio-apache';
         $backupVolumesArray = explode(' ', $this->getBackupVolumes($id));
         return array_unique($backupVolumesArray);
     }
 
-    private function GetNextcloudExecCommands(string $id) : string
-    {
+    private function GetNextcloudExecCommands(string $id): string {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
         $nextcloudExecCommands = '';
@@ -694,13 +696,12 @@ readonly class DockerActionManager {
         return $nextcloudExecCommands;
     }
 
-    private function GetAllNextcloudExecCommands() : string
-    {
+    private function GetAllNextcloudExecCommands(): string {
         $id = 'nextcloud-aio-apache';
         return 'NEXTCLOUD_EXEC_COMMANDS=' . $this->GetNextcloudExecCommands($id);
     }
 
-    private function GetRepoDigestsOfContainer(string $containerName) : ?array {
+    private function GetRepoDigestsOfContainer(string $containerName): ?array {
         try {
             $containerUrl = $this->BuildApiUrl(sprintf('containers/%s/json', $containerName));
             $containerOutput = json_decode($this->guzzleClient->get($containerUrl)->getBody()->getContents(), true);
@@ -721,7 +722,7 @@ readonly class DockerActionManager {
 
             $repoDigestArray = [];
             $oneDigestGiven = false;
-            foreach($imageOutput['RepoDigests'] as $repoDigest) {
+            foreach ($imageOutput['RepoDigests'] as $repoDigest) {
                 $digestPosition = strpos($repoDigest, '@');
                 if ($digestPosition === false) {
                     error_log('Somehow the RepoDigest of ' . $containerName . ' does not contain a @.');
@@ -741,10 +742,10 @@ readonly class DockerActionManager {
         }
     }
 
-    public function GetCurrentChannel() : string {
+    public function GetCurrentChannel(): string {
         $cacheKey = 'aio-ChannelName';
         $channelName = apcu_fetch($cacheKey);
-        if($channelName !== false && is_string($channelName)) {
+        if ($channelName !== false && is_string($channelName)) {
             return $channelName;
         }
 
@@ -754,7 +755,7 @@ readonly class DockerActionManager {
             $output = json_decode($this->guzzleClient->get($url)->getBody()->getContents(), true);
             $containerChecksum = $output['Image'];
             $tagArray = explode(':', $output['Config']['Image']);
-            if (count($tagArray) ===  2) {
+            if (count($tagArray) === 2) {
                 $tag = $tagArray[1];
             } else {
                 error_log("No tag was found when getting the current channel. You probably did not follow the documentation correctly. Changing the channel to the default 'latest'.");
@@ -769,8 +770,7 @@ readonly class DockerActionManager {
         return 'latest';
     }
 
-    public function IsMastercontainerUpdateAvailable() : bool
-    {
+    public function IsMastercontainerUpdateAvailable(): bool {
         $imageName = 'nextcloud/all-in-one';
         $containerName = 'nextcloud-aio-mastercontainer';
 
@@ -780,7 +780,7 @@ readonly class DockerActionManager {
         if ($runningDigests === null) {
             return true;
         }
-        $remoteDigest = $this->dockerHubManager->GetLatestDigestOfTag($imageName, $tag);
+        $remoteDigest = $this->GetLatestDigestOfTag($imageName, $tag);
         if ($remoteDigest === null) {
             return false;
         }
@@ -793,8 +793,7 @@ readonly class DockerActionManager {
         return true;
     }
 
-    public function sendNotification(Container $container, string $subject, string $message, string $file = '/notify.sh') : void
-    {
+    public function sendNotification(Container $container, string $subject, string $message, string $file = '/notify.sh'): void {
         if ($this->GetContainerStartingState($container) === ContainerState::Running) {
 
             $containerName = $container->GetIdentifier();
@@ -838,8 +837,7 @@ readonly class DockerActionManager {
         }
     }
 
-    private function DisconnectContainerFromBridgeNetwork(string $id) : void
-    {
+    private function DisconnectContainerFromBridgeNetwork(string $id): void {
 
         $url = $this->BuildApiUrl(
             sprintf('networks/%s/disconnect', 'bridge')
@@ -859,8 +857,7 @@ readonly class DockerActionManager {
         }
     }
 
-    private function ConnectContainerIdToNetwork(string $id, string $internalPort, string $network = 'nextcloud-aio', bool $createNetwork = true, string $alias =  '') : void
-    {
+    private function ConnectContainerIdToNetwork(string $id, string $internalPort, string $network = 'nextcloud-aio', bool $createNetwork = true, string $alias = ''): void {
         if ($internalPort === 'host') {
             return;
         }
@@ -883,7 +880,7 @@ readonly class DockerActionManager {
             } catch (RequestException $e) {
                 // 409 is undocumented and gets thrown if the network already exists.
                 if ($e->getCode() !== 409) {
-                    throw new \Exception("Could not create the nextcloud-aio network: " . $e->getMessage());
+                    throw new \Exception("Could not create the nextcloud-aio network: " . $e->getResponse()?->getBody()->getContents());
                 }
             }
         }
@@ -891,9 +888,9 @@ readonly class DockerActionManager {
         $url = $this->BuildApiUrl(
             sprintf('networks/%s/connect', $network)
         );
-        $jsonPayload = [ 'Container' => $id ];
-        if ($alias !== ''  ) {
-            $jsonPayload['EndpointConfig'] = ['Aliases' => [ $alias ]];
+        $jsonPayload = ['Container' => $id];
+        if ($alias !== '') {
+            $jsonPayload['EndpointConfig'] = ['Aliases' => [$alias]];
         }
 
         try {
@@ -912,15 +909,13 @@ readonly class DockerActionManager {
         }
     }
 
-    public function ConnectMasterContainerToNetwork() : void
-    {
+    public function ConnectMasterContainerToNetwork(): void {
         $this->ConnectContainerIdToNetwork('nextcloud-aio-mastercontainer', '');
         // Don't disconnect here since it slows down the initial login by a lot. Is getting done during cron.sh instead.
         // $this->DisconnectContainerFromBridgeNetwork('nextcloud-aio-mastercontainer');
     }
 
-    public function ConnectContainerToNetwork(Container $container) : void
-    {
+    public function ConnectContainerToNetwork(Container $container): void {
         // Add a secondary alias for domaincheck container, to keep it as similar to actual apache controller as possible.
         // If a reverse-proxy is relying on container name as hostname this allows it to operate as usual and still validate the domain
         // The domaincheck container and apache container are never supposed to be active at the same time because they use the same APACHE_PORT anyway, so this doesn't add any new constraints.
@@ -936,7 +931,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function StopContainer(Container $container) : void {
+    public function StopContainer(Container $container): void {
         $url = $this->BuildApiUrl(sprintf('containers/%s/stop?t=%s', urlencode($container->GetIdentifier()), $container->GetMaxShutdownTime()));
         try {
             $this->guzzleClient->post($url);
@@ -947,8 +942,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function GetBackupcontainerExitCode() : int
-    {
+    public function GetBackupcontainerExitCode(): int {
         $containerName = 'nextcloud-aio-borgbackup';
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($containerName)));
         try {
@@ -970,8 +964,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function GetDatabasecontainerExitCode() : int
-    {
+    public function GetDatabasecontainerExitCode(): int {
         $containerName = 'nextcloud-aio-database';
         $url = $this->BuildApiUrl(sprintf('containers/%s/json', urlencode($containerName)));
         try {
@@ -993,7 +986,7 @@ readonly class DockerActionManager {
         }
     }
 
-    public function isLoginAllowed() : bool {
+    public function isLoginAllowed(): bool {
         $id = 'nextcloud-aio-apache';
         $apacheContainer = $this->containerDefinitionFetcher->GetContainerById($id);
         if ($this->GetContainerStartingState($apacheContainer) === ContainerState::Running) {
@@ -1002,7 +995,7 @@ readonly class DockerActionManager {
         return true;
     }
 
-    public function isBackupContainerRunning() : bool {
+    public function isBackupContainerRunning(): bool {
         $id = 'nextcloud-aio-borgbackup';
         $backupContainer = $this->containerDefinitionFetcher->GetContainerById($id);
         if ($this->GetContainerRunningState($backupContainer) === ContainerState::Running) {
@@ -1011,7 +1004,7 @@ readonly class DockerActionManager {
         return false;
     }
 
-    private function GetCreatedTimeOfNextcloudImage() : ?string {
+    private function GetCreatedTimeOfNextcloudImage(): ?string {
         $imageName = 'nextcloud/aio-nextcloud' . ':' . $this->GetCurrentChannel();
         try {
             $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $imageName));
@@ -1028,7 +1021,11 @@ readonly class DockerActionManager {
         }
     }
 
-    public function isNextcloudImageOutdated() : bool {
+    public function GetAndGenerateSecretWrapper(string $secretId): string {
+        return $this->configurationManager->GetAndGenerateSecret($secretId);
+    }
+
+    public function isNextcloudImageOutdated(): bool {
         $createdTime = $this->GetCreatedTimeOfNextcloudImage();
 
         if ($createdTime === null) {
@@ -1042,4 +1039,13 @@ readonly class DockerActionManager {
 
         return false;
     }
+
+    public function GetLatestDigestOfTag(string $imageName, string $tag): ?string {
+        $prefix = 'ghcr.io/';
+        if (str_starts_with($imageName, $prefix)) {
+            return $this->gitHubContainerRegistryManager->GetLatestDigestOfTag(str_replace($prefix, '', $imageName), $tag);
+        } else {
+            return $this->dockerHubManager->GetLatestDigestOfTag($imageName, $tag);
+        }
+    }
 }

php/src/Docker/GitHubContainerRegistryManager.php

@@ -0,0 +1,62 @@
+<?php
+
+
+namespace AIO\Docker;
+
+use GuzzleHttp\Client;
+
+readonly class GitHubContainerRegistryManager
+{
+    private Client $guzzleClient;
+
+    public function __construct()
+    {
+        $this->guzzleClient = new Client();
+    }
+
+    public function GetLatestDigestOfTag(string $name, string $tag): ?string
+    {
+        $cacheKey = 'ghcr-manifest-' . $name . $tag;
+
+        $cachedVersion = apcu_fetch($cacheKey);
+        if ($cachedVersion !== false && is_string($cachedVersion)) {
+            return $cachedVersion;
+        }
+
+        // If one of the links below should ever become outdated, we can still upgrade the mastercontainer via the webinterface manually by opening '/api/docker/getwatchtower'
+
+        try {
+            $authTokenRequest = $this->guzzleClient->request(
+                'GET',
+                'https://ghcr.io/token?scope=repository:' . $name . ':pull'
+            );
+            $body = $authTokenRequest->getBody()->getContents();
+            $decodedBody = json_decode($body, true);
+            if (isset($decodedBody['token'])) {
+                $authToken = $decodedBody['token'];
+                $manifestRequest = $this->guzzleClient->request(
+                    'HEAD',
+                    'https://ghcr.io/v2/' . $name . '/manifests/' . $tag,
+                    [
+                        'headers' => [
+                            'Accept' => 'application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.docker.distribution.manifest.v2+json',
+                            'Authorization' => 'Bearer ' . $authToken,
+                        ],
+                    ]
+                );
+                $responseHeaders = $manifestRequest->getHeader('docker-content-digest');
+                if (count($responseHeaders) === 1) {
+                    $latestVersion = $responseHeaders[0];
+                    apcu_add($cacheKey, $latestVersion, 600);
+                    return $latestVersion;
+                }
+            }
+
+            error_log('Could not get digest of container ' . $name . ':' . $tag);
+            return null;
+        } catch (\Exception $e) {
+            error_log('Could not get digest of container ' . $name . ':' . $tag . ' ' . $e->getMessage());
+            return null;
+        }
+    }
+}

php/templates/components/container-state.twig

@@ -0,0 +1,27 @@
+{# @var c \App\Containers\Container #}
+<li>
+  <span>
+    {% if c.GetStartingState().value == 'starting' %}
+      <span class="status running"></span>
+      {{ c.GetDisplayName() }}
+      (<a href="/api/docker/logs?id={{ c.GetIdentifier() }}" target="_blank">Starting</a>)
+    {% elseif c.GetRunningState().value == 'running' %}
+      <span class="status success"></span>
+      {{ c.GetDisplayName() }}
+      (<a href="/api/docker/logs?id={{ c.GetIdentifier() }}" target="_blank">Running</a>)
+    {% else %}
+      <span class="status error"></span>
+      {{ c.GetDisplayName() }}
+      (<a href="/api/docker/logs?id={{ c.GetIdentifier() }}" target="_blank">Stopped</a>)
+    {% endif %}
+    {% if c.GetDocumentation() != '' %}
+      (<a target="_blank" href="{{ c.GetDocumentation() }}">docs</a>)
+    {% endif %}
+  </span>
+  {% if c.GetUiSecret() != '' %}
+    <details>
+      <summary>Show password for {{ c.GetDisplayName() }}</summary>
+      <input type="text" value="{{ c.GetUiSecret() }}" readonly>
+    </details>
+  {% endif %}
+</li>

php/templates/containers.twig

@@ -17,7 +17,7 @@
 
     <div class="container">
         <main>
-            <h1>Nextcloud AIO v10.4.0</h1>
+            <h1>Nextcloud AIO v10.8.0</h1>
 
             {# Add 2nd tab warning #}
             <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -33,7 +33,7 @@
             {% set isBackupOrRestoreRunning = false %}
             {% set isApacheStarting = false %}
             {# Setting newMajorVersion to '' will hide corresponding options/elements, can be set to an integer like 26 in order to show corresponding elements. If set, also increase installLatestMajor in https://github.com/nextcloud/all-in-one/blob/main/php/src/Controller/DockerController.php #}
-            {% set newMajorVersion = '' %}
+            {% set newMajorVersion = 31 %}
 
             {% if is_backup_container_running == true %}
                 {% if borg_backup_mode == 'backup' or borg_backup_mode == 'restore' %}
@@ -60,11 +60,11 @@
             {% endfor %}
 
             {% if is_daily_backup_running == true %}
-                <p><span class="status running"></span> Daily backup currently running. (<a href="/api/docker/logs?id=nextcloud-aio-mastercontainer" target="_blank" rel="noopener">Logs</a>)</p>
+                <p><span class="status running"></span> Daily backup currently running. (<a href="/api/docker/logs?id=nextcloud-aio-mastercontainer" target="_blank">Logs</a>)</p>
                 {% if automatic_updates == true %}
                     <p>This will update your containers, the mastercontainer and, on Saturdays, your Nextcloud apps if the backup is successful.</p>
                     {% if is_mastercontainer_update_available == true %}
-                        <p>When the mastercontainer is updated it will restart, making it unavailable for a moment. (<a href="/api/docker/logs?id=nextcloud-aio-watchtower" target="_blank" rel="noopener">Logs</a>)</p>
+                        <p>When the mastercontainer is updated it will restart, making it unavailable for a moment. (<a href="/api/docker/logs?id=nextcloud-aio-watchtower" target="_blank">Logs</a>)</p>
                     {% endif %}
                 {% endif %}
                 {% if has_update_available == false %}
@@ -75,13 +75,13 @@
                 <p><a href="" class="button reload">Reload ↻</a></p>
                 <p>If the daily backup is stuck somehow, you can unstick it by running <strong>sudo docker exec nextcloud-aio-mastercontainer rm /mnt/docker-aio-config/data/daily_backup_running</strong> and afterwards reloading this interface.</p>
             {% elseif isWatchtowerRunning == true %}
-                <p><span class="status running"></span> Mastercontainer update currently running. Once the update is complete the mastercontainer will restart, making it unavailable for a moment. Please wait until it's done. (<a href="/api/docker/logs?id=nextcloud-aio-watchtower" target="_blank" rel="noopener">Logs</a>)</p>
+                <p><span class="status running"></span> Mastercontainer update currently running. Once the update is complete the mastercontainer will restart, making it unavailable for a moment. Please wait until it's done. (<a href="/api/docker/logs?id=nextcloud-aio-watchtower" target="_blank">Logs</a>)</p>
                 <p><a href="" class="button reload">Reload ↻</a></p>
             {% else %}
                 {% if is_backup_container_running == false and domain == "" %}
                     {% if isDomaincheckRunning == false %}
                         <h2>Domaincheck container is not running</h2>
-                        <p>This is not expected. Most likely this happened because port {{ apache_port }} is already in use on your server. You can check the mastercontainer logs and domaincheck container logs for further clues. You should be able to resolve this by adjusting the APACHE_PORT by following the <strong><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></strong>. Advice: have a detailed look at the changed docker run command for AIO.</p>
+                        <p>This is not expected. Most likely this happened because port {{ apache_port }} is already in use on your server. You can check the mastercontainer logs and domaincheck container logs for further clues. You should be able to resolve this by adjusting the APACHE_PORT by following the <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></strong>. Advice: have a detailed look at the changed docker run command for AIO.</p>
                     {% elseif is_mastercontainer_update_available == true %}
                         <h2>Mastercontainer update</h2>
                         <p>⚠️ A mastercontainer update is available. Please click on the button below to update it. Afterwards, you will be able to proceed with the setup.</p>
@@ -97,11 +97,11 @@
                             {{ include('includes/aio-config.twig') }}
                             <h2>New AIO instance</h2>
                             {% if apache_port == '443' %}
-                                <p>AIO is currently in "normal mode" which means that it handles the TLS proxying itself. This also means that it cannot be installed behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), see the <strong><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></strong>. Advice: have a detailed look at the changed docker run command for AIO.</p>
+                                <p>AIO is currently in "normal mode" which means that it handles the TLS proxying itself. This also means that it cannot be installed behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else), see the <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></strong>. Advice: have a detailed look at the changed docker run command for AIO.</p>
                             {% else %}
                                 <p>AIO is currently in "reverse proxy mode" which means that it can be installed behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else) and does not do the TLS proxying itself.</p>
                             {% endif %}
-                            <p>Please type the domain that will be used for Nextcloud below in order to create a new AIO instance.</p>
+                            <p>Please type the domain that will be used for Nextcloud.</p>
                             {% if skip_domain_validation == true %}
                                 <p><strong>Please note:</strong> The domain validation is disabled so any domain will be accepted here! Make sure you do not make a typo here as you will not be able to change it afterwards!</p>
                             {% endif %}
@@ -115,14 +115,14 @@
                                 <p>Make sure that this server is reachable on port 443 (port 443/tcp is open/forwarded in your firewall/router and 443/udp as well if you want to enable http3) and that you've correctly set up the DNS config for the domain that you enter (set the A record to your public ipv4-address and if you need ipv6, set the AAAA record to your public ipv6-address. A CNAME record is, of course, also possible). You should see hints on what went wrong in the top right corner if your domain is not accepted.</p>
                                 <details>
                                     <summary>Click here for further hints</summary>
-                                    <p>If you do not have a domain yet, you can get one for free e.g. from duckdns.org and others.</p>
-                                    <p>If you have a dynamic public IP-address, you can use e.g. <a href="https://ddclient.net/">DDclient</a> with a compatible domain provider for DNS updates.</p>
-                                    <p>If you only want to install AIO locally without exposing it to the public internet or if you cannot do so, feel free to follow <a href="https://github.com/nextcloud/all-in-one/blob/main/local-instance.md">this documentation</a>.</p>
+                                    <p>If you do not have a domain yet, you can get one for free e.g. from duckdns.org and others. Recommended is to use <a target="_blank" href="https://github.com/nextcloud/all-in-one/discussions/5439">Tailscale</a></p>
+                                    <p>If you have a dynamic public IP-address, you can use e.g. <a target="_blank" href="https://ddclient.net/">DDclient</a> with a compatible domain provider for DNS updates.</p>
+                                    <p>If you only want to install AIO locally without exposing it to the public internet or if you cannot do so, feel free to follow <a target="_blank" href="https://github.com/nextcloud/all-in-one/blob/main/local-instance.md">this documentation</a>.</p>
                                     <p>If you should be using Cloudflare Proxy for your domain, make sure to disable the Proxy feature temporarily as it might block the domain validation attempts.</p>
                                     {% if apache_port != '443' %}
-                                        <p>If you run into issues with your domain being accepted, see <a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things">these steps</a> for how to debug things.</p>
+                                        <p>If you run into issues with your domain being accepted, see <a target="_blank" href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things">these steps</a> for how to debug things.</p>
                                     {% endif %}
-                                    <p><strong>Hint:</strong> If the domain validation fails but you are completely sure that you've configured everything correctly, you may skip the domain validation by following <a href="https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation">this documentation</a>.</p>
+                                    <p><strong>Hint:</strong> If the domain validation fails but you are completely sure that you've configured everything correctly, you may skip the domain validation by following <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation">this documentation</a>.</p>
                                 </details>
                             {% endif %}
 
@@ -134,11 +134,11 @@
                             {% if hasBackupLocation %}
                                 {% if borg_backup_mode in ['test', 'check'] %}
                                     {% if backup_exit_code > 0 %}
-                                        <p><span class="status error"></span> Last {{ borg_backup_mode }} failed! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                                        <p><span class="status error"></span> Last {{ borg_backup_mode }} failed! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         {% if borg_backup_mode == 'test' %}
                                             <p>Please adjust the path and/or the encryption password in order to make it work!</p>
                                         {% elseif borg_backup_mode == 'check' %}
-                                            <p>The backup archive seems to be corrupt. Please try to use a different intact backup archive or try to fix it by following <a href="https://borgbackup.readthedocs.io/en/stable/faq.html#i-get-an-integrityerror-or-similar-what-now"><strong>this documentation</strong></a></p>
+                                            <p>The backup archive seems to be corrupt. Please try to use a different intact backup archive or try to fix it by following <a target="_blank" href="https://borgbackup.readthedocs.io/en/stable/faq.html#i-get-an-integrityerror-or-similar-what-now"><strong>this documentation</strong></a></p>
                                             <details>
                                                 <summary>Reveal repair option</summary>
                                                 <p>Below is the option to repair the integrity of your backup. <strong>Please note:</strong> Please only use this after you have read the documentation above! (It will run the command 'borg check --repair' for you.)</p>
@@ -150,7 +150,7 @@
                                             </details>
                                         {% endif %}
                                     {% elseif backup_exit_code == 0 %}
-                                        <p><span class="status success"></span> Last {{ borg_backup_mode }} successful! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                                        <p><span class="status success"></span> Last {{ borg_backup_mode }} successful! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         {% if borg_backup_mode == 'test' %}
                                             <p>Feel free to check the integrity of the backup archive below before starting the restore process in order to make ensure that the restore will work. This can take a long time though depending on the size of the backup archive and is thus not required.</p>
                                             <form method="POST" action="/api/docker/backup-check" class="xhr">
@@ -160,7 +160,7 @@
                                             </form>
                                         {% endif %}
                                         <p>Choose the backup that you want to restore and click on the button below to restore the selected backup. This will restore the whole AIO instance. Please note that the current AIO passphrase will be kept and the previous AIO passphrase will not be restored from backup!</p>
-                                        <p><strong>Please note:</strong> If the backup that you want to restore contained any <a href="https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers">community container</a>, but you did not specify the same community containers via environmental variable while creating this new AIO instance, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.</p>
+                                        <p><strong>Please note:</strong> If the backup that you want to restore contained any <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers">community container</a>, but you did not specify the same community containers via environmental variable while creating this new AIO instance, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.</p>
                                         <form method="POST" action="/api/docker/restore" class="xhr" id="restore_selection">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -175,7 +175,7 @@
                                     {% endif %}
                                 {% elseif borg_backup_mode == 'restore' %}
                                     {% if backup_exit_code > 0 %}
-                                        <p><span class="status error"></span> Last restore failed! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                                        <p><span class="status error"></span> Last restore failed! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         <p>The restore process has unexpectedly failed! Please adjust the path and encryption password, test it and try to restore again!</p>
                                     {% endif %}
                                 {% endif %}
@@ -191,7 +191,7 @@
 
                                 <p>
                                 Please enter the location of the backup archive on your host or a
-                                <a href="https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls">remote borg repo url</a>
+                                <a target="_blank" href="https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls">remote borg repo url</a>
                                 if stored remotely; and the encryption password of the backup archive below:
                                 </p>
                                 <form method="POST" action="/api/configuration" class="xhr">
@@ -215,19 +215,19 @@
                         {% endif %}
                     {% endif %}
                     <h2>How to reset the AIO instance?</h2>
-                    <p>If something should be going wrong, for example during the initial installation, you can reset the instance by following <a href="https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance">this documentation</a>.</p>
+                    <p>If something should be going wrong, for example during the initial installation, you can reset the instance by following <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance">this documentation</a>.</p>
                 {% endif %}
 
                 {% if was_start_button_clicked == true %}
                     {% if current_channel starts with 'latest' or current_channel starts with 'beta' or current_channel starts with 'develop' %}
-                        <p>You are running the <a href="https://github.com/nextcloud/all-in-one#how-to-switch-the-channel"><strong>{{ current_channel }}</strong></a> channel. (<a href="/api/docker/logs?id=nextcloud-aio-mastercontainer" target="_blank" rel="noopener">Logs</a>)</p>
+                        <p>You are running the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-switch-the-channel"><strong>{{ current_channel }}</strong></a> channel. (<a href="/api/docker/logs?id=nextcloud-aio-mastercontainer" target="_blank">Logs</a>)</p>
                     {% else %}
                         <p>No channel was found. This means that AIO is not able to update itself and its component and will also not be able to report about updates. Updates need to be done externally.</p>
                     {% endif %}
                 {% endif %}
 
                 {% if is_backup_container_running == true %}
-                    <p><span class="status running"></span> Backup container is currently running: {{ borg_backup_mode }} (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                    <p><span class="status running"></span> Backup container is currently running: {{ borg_backup_mode }} (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                     <p><a href="" class="button reload">Reload ↻</a></p>
                 {% endif %}
 
@@ -245,9 +245,9 @@
                             {% else %}
                                 <p>Initial Nextcloud password: <strong>{{ nextcloud_password }}</strong></p>
                             {% endif %}
-                            <p><a href="https://{{ domain }}" class="button" target="_blank" rel="noopener">Open your Nextcloud ↗</a></p>
+                            <p><a href="https://{{ domain }}" class="button" target="_blank">Open your Nextcloud ↗</a></p>
                             {% if not hasBackupLocation %}
-                                <p>If your Nextcloud does not open when clicking the button above, see <strong><a href="https://github.com/nextcloud/all-in-one/discussions/2105">this documentation</a></strong></p>
+                                <p>If your Nextcloud does not open when clicking the button above, see <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/discussions/2105">this documentation</a></strong></p>
                             {% endif %}
                         {% else %}
                             {% if isAnyRestarting == false %}
@@ -275,30 +275,7 @@
                             {# @var containers \AIO\Container\Container[] #}
                             {% for container in containers %}
                                 {% if container.GetDisplayName() != '' %}
-                                    <li>
-                                        {% if container.GetStartingState().value == 'starting' %}
-                                            <span class="status running"></span>
-                                            <span>{{ container.GetDisplayName() }} (<a href="/api/docker/logs?id={{ container.GetIdentifier() }}" target="_blank" rel="noopener">Starting</a>)
-                                            {% if container.GetDocumentation() != '' %}
-                                                (<a href="{{ container.GetDocumentation() }}">docs</a>)
-                                            {% endif %}
-                                            </span>
-                                        {% elseif container.GetRunningState().value == 'running' %}
-                                            <span class="status success"></span>
-                                            <span>{{ container.GetDisplayName() }} (<a href="/api/docker/logs?id={{ container.GetIdentifier() }}" target="_blank" rel="noopener">Running</a>)
-                                            {% if container.GetDocumentation() != '' %}
-                                                (<a href="{{ container.GetDocumentation() }}">docs</a>)
-                                            {% endif %}
-                                            </span>
-                                        {% else %}
-                                            <span class="status error"></span>
-                                            <span>{{ container.GetDisplayName() }} (<a href="/api/docker/logs?id={{ container.GetIdentifier() }}" target="_blank" rel="noopener">Stopped</a>)
-                                            {% if container.GetDocumentation() != '' %}
-                                                (<a href="{{ container.GetDocumentation() }}">docs</a>)
-                                            {% endif %}
-                                            </span>
-                                        {% endif %}
-                                    </li>
+                                    {% include 'components/container-state.twig'  with {'c': container} only %}
                                 {% endif %}
                             {% endfor %}
                         </ul>
@@ -313,7 +290,7 @@
                                 {% if newMajorVersion != '' and isAnyRunning == true and isApacheStarting != true %}
                                     <details>
                                     <summary>Note about <strong>Nextcloud Hub {{ newMajorVersion - 21 }}</strong></summary>
-                                        <p>If you haven't upgraded to Nextcloud Hub {{ newMajorVersion - 21 }} yet and want to do that now, feel free to follow <strong><a href="https://github.com/nextcloud/all-in-one/discussions/5133">this documentation</a></strong></p>
+                                        <p>If you haven't upgraded to Nextcloud Hub {{ newMajorVersion - 21 }} yet and want to do that now, feel free to follow <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/discussions/6053">this documentation</a></strong></p>
                                     </details>
                                 {% endif %}
                             {% endif %}
@@ -325,11 +302,11 @@
                             {% if is_mastercontainer_update_available == true %}
                                 <p>⚠️ A mastercontainer update is available. Please click on the button below to stop your containers in order to update the mastercontainer.</p>
                                 {% if current_channel starts with 'latest' %}
-                                    <p>You can find the changelog <a href="https://github.com/nextcloud/all-in-one/releases/latest"><strong>here</strong></a></p>
+                                    <p>You can find the changelog <a target="_blank" href="https://github.com/nextcloud/all-in-one/releases/latest"><strong>here</strong></a></p>
                                 {% elseif current_channel starts with 'beta' %}
-                                    <p>You can find the changelog <a href="https://github.com/nextcloud/all-in-one/releases"><strong>here</strong></a></p>
+                                    <p>You can find the changelog <a target="_blank" href="https://github.com/nextcloud/all-in-one/releases"><strong>here</strong></a></p>
                                 {% elseif current_channel starts with 'develop' %}
-                                    <p>You can find all changes <a href="https://github.com/nextcloud-releases/all-in-one/commits/main"><strong>here</strong></a></p>
+                                    <p>You can find all changes <a target="_blank" href="https://github.com/nextcloud-releases/all-in-one/commits/main"><strong>here</strong></a></p>
                                 {% endif %}
                             {% endif %}
                             <form method="POST" action="/api/docker/stop" class="xhr">
@@ -390,7 +367,7 @@
                                 <p>Please enter the directory path below where backups will be created on the host system. It's best to choose a location on a separate drive and not on your root drive.</p>
                                 <p>
                                 To store backups remotely instead, fill in the
-                                <a href="https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls">remote borg repo url</a>.
+                                <a target="_blank" href="https://borgbackup.readthedocs.io/en/stable/usage/general.html#repository-urls">remote borg repo url</a>.
                                 </p>
                                 <form method="POST" action="/api/configuration" class="xhr">
                                     <label>Local backup location</label> <input type="text" name="borg_backup_host_location" placeholder="/mnt/backup"/><br>
@@ -409,9 +386,9 @@
                                 {% if is_backup_container_running == false %}
                                     <h2>Backup and restore</h2>
                                     {% if backup_exit_code > 0 %}
-                                        <p><span class="status error"></span> Last {{ borg_backup_mode }} failed! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                                        <p><span class="status error"></span> Last {{ borg_backup_mode }} failed! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         {% if borg_backup_mode == "check" %}
-                                            <p>The backup check was not successful. This might indicate a corrupt archive (look at the logs). If that should be the case, you can try to fix it by following <a href="https://borgbackup.readthedocs.io/en/stable/faq.html#i-get-an-integrityerror-or-similar-what-now"><strong>this documentation</strong></a></p>
+                                            <p>The backup check was not successful. This might indicate a corrupt archive (look at the logs). If that should be the case, you can try to fix it by following <a target="_blank" href="https://borgbackup.readthedocs.io/en/stable/faq.html#i-get-an-integrityerror-or-similar-what-now"><strong>this documentation</strong></a></p>
                                             <details>
                                                 <summary>Reveal repair option</summary>
                                                 <p>Below is the option to repair the integrity of your backup. <strong>Please note:</strong> Please only use this after you have read the documentation above! (It will run the command 'borg check --repair' for you.)</p>
@@ -443,9 +420,9 @@
                                         {% endif %}
                                     {% elseif backup_exit_code == 0 %}
                                         {% if borg_backup_mode == "backup" %}
-                                            <p><span class="status success"></span> Last {{ borg_backup_mode }} successful on {{ last_backup_time }} UTC! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                                            <p><span class="status success"></span> Last {{ borg_backup_mode }} successful on {{ last_backup_time }} UTC! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         {% else %}
-                                            <p><span class="status success"></span> Last {{ borg_backup_mode }} successful! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank" rel="noopener">Logs</a>)</p>
+                                            <p><span class="status success"></span> Last {{ borg_backup_mode }} successful! (<a href="/api/docker/logs?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         {% endif %}
                                     {% endif %}
                                 {% endif %}
@@ -459,7 +436,7 @@
                                     <p>This is your encryption password for backups: <strong>{{ borgbackup_password }}</strong></p>
                                     <p>Please save this password in a safe place. You won't be able to restore from backup if you lose this password!</p>
                                     <p>All important data from your Nextcloud AIO instance such as the database, your files and the mastercontainer's configuration files, will be backed up.</p>
-                                    <p>The backup uses a tool called <a href="https://github.com/borgbackup/borg#what-is-borgbackup"><strong>BorgBackup</strong></a>, a well-known server backup tool that efficiently backs up your files and encrypts them on the fly.</p>
+                                    <p>The backup uses a tool called <a target="_blank" href="https://github.com/borgbackup/borg#what-is-borgbackup"><strong>BorgBackup</strong></a>, a well-known server backup tool that efficiently backs up your files and encrypts them on the fly.</p>
                                     <p>By using this tool, backups are incremental, differential, compressed and encrypted – so only the first backup will take a while. Further backups should be fast as only changes are taken into account.</p>
                                     {% if borg_remote_repo != '' %}
                                         <p>
@@ -473,9 +450,9 @@
                                         <p>Backups will be created in the following directory on the host: <strong>{{ borg_backup_host_location }}/borg</strong></p>
                                     {% endif %}
                                     <p>Be aware that this solution does not backup files and folders that are mounted into Nextcloud using the external storage app, but you can add further Docker volumes and host paths that you want to back up after the initial backup is done.</p>
-                                    <p>For information about backup retention, see <strong><a href="https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy">this</a></strong>.</p>
+                                    <p>For information about backup retention, see <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy">this</a></strong>.</p>
                                     <p>Daily backups can be enabled after the initial backup is done. Enabling this also allows you to enable an option to update all containers, Nextcloud, and its apps automatically.</p>
-                                    <p>For further documentation and options on this backup solution refer to <strong><a href="https://github.com/nextcloud/all-in-one#backup-solution">this section</a></strong> and below.</p>
+                                    <p>For further documentation and options on this backup solution refer to <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one#backup">this section</a></strong> and below.</p>
 
                                     {% if isApacheStarting != true %}
                                         <h3>Backup creation</h3>
@@ -504,6 +481,9 @@
                                         {% endif %}
 
                                         {% if has_backup_run_once == true %}
+                                            <h3>Backup Viewer</h3>
+                                            <p>There is now a community container that allows to access your backups in a web session. See <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers/borgbackup-viewer"><strong>this documentation</strong></a>.</p>
+
                                             <h3>Backup check</h3>
                                             <p>Click on the button below to perform a backup integrity check. This is an option that verifies that your backup is intact. It shouldn't be needed in most situations.</p>
                                             <form method="POST" action="/api/docker/backup-check" class="xhr">
@@ -559,7 +539,7 @@
                                                 <input type="submit" value="Submit additional backup locations" />
                                             </form>
                                             <p>Each line and entry needs to start with a slash or letter/digit. Only <strong>a-z</strong>, <strong>A-Z</strong>, <strong>.</strong>, <strong>0-9</strong>, <strong>_</strong>, <strong>-</strong>, and <strong>/</strong> are allowed. If the entry begins with a letter/digit slashes are not supported. Two valid entries are <strong>/directory/on/the/host</strong> and <strong>my_custom_docker_volume</strong>. You need to make sure that all given directories exist or the backup container will fail to start!</p>
-                                            <p>Be sure to individually specify all storage that you want to back up as storage will not be mounted recursively. E.g. providing <strong>/</strong> as additional backup directory will only back up files and folders that are stored on the root partition and not on the EFI partition or any other. Excluded by the backup will be caches and a few other directories. If you want to back up the root partition you should make sure to stop all services before the backup so it can run correctly. For automating this see <a href="https://github.com/nextcloud/all-in-one#how-to-stopstartupdate-containers-or-trigger-the-daily-backup-from-a-script-externally">this documentation</a></p>
+                                            <p>Be sure to individually specify all storage that you want to back up as storage will not be mounted recursively. E.g. providing <strong>/</strong> as additional backup directory will only back up files and folders that are stored on the root partition and not on the EFI partition or any other. Excluded by the backup will be caches and a few other directories. If you want to back up the root partition you should make sure to stop all services before the backup so it can run correctly. For automating this see <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-stopstartupdate-containers-or-trigger-the-daily-backup-from-a-script-externally">this documentation</a></p>
                                             <p>Please note that the chosen directories/volumes will not be restored when you restore your instance, so this would need to be done manually.</p>
                                             {% if additional_backup_directories != "" %}
                                                 <p>This option is currently set. You can disable it again by clearing the field and submitting your changes.</p>
@@ -586,7 +566,7 @@
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input type="submit" value="Submit passphrase change" />
                                     </form>
-                                    <p>The new passphrase needs to be at least 24 characters long. Allowed characters are the <a href="https://en.wikipedia.org/wiki/Latin_alphabet#/media/File:Abecedarium.png"><strong>latin characters</strong></a> <strong>a-z</strong>, <strong>A-Z</strong>, <strong>0-9</strong> and <strong>spaces</strong>.</p>
+                                    <p>The new passphrase needs to be at least 24 characters long. Allowed characters are the <a target="_blank" href="https://en.wikipedia.org/wiki/Latin_alphabet#/media/File:Abecedarium.png"><strong>latin characters</strong></a> <strong>a-z</strong>, <strong>A-Z</strong>, <strong>0-9</strong> and <strong>spaces</strong>.</p>
                                 </details>
                             {% endif %}
                         {% endif %}
@@ -611,7 +591,7 @@
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                     <input type="submit" value="Submit timezone" onclick="return confirm('Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column. If the timezone is not valid, it will break the startup since the database will not be correctly initialized and you will end up in a startup loop.')" />
                                 </form>
-                                <p>You need to make sure that the timezone that you enter is valid. An example is <strong>Europe/Berlin</strong>. You can get valid values by looking at the 'TZ identifier' column of this list: <a href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"><strong>click here</strong></a>. The default is <strong>Etc/UTC</strong> if nothing is entered.</p>
+                                <p>You need to make sure that the timezone that you enter is valid. An example is <strong>Europe/Berlin</strong>. You can get valid values by looking at the 'TZ identifier' column of this list: <a target="_blank" href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"><strong>click here</strong></a>. The default is <strong>Etc/UTC</strong> if nothing is entered.</p>
                             {% else %}
                                 <p>The timezone for Nextcloud is currently set to <strong>{{ timezone }}</strong>. You can change the timezone by clicking on the button below.</p>
                                 <form method="POST" action="/api/configuration" class="xhr">

php/templates/includes/aio-config.twig

@@ -1,8 +1,8 @@
 <details>
     <summary>Click here to view the current AIO config and documentation links</summary>
     {% if was_start_button_clicked == true %}
-        <p>Nextcloud's config.php file is stored in the nextcloud_aio_nextcloud Docker volume and can be edited by following the <a href="https://github.com/nextcloud/all-in-one#how-to-edit-nextclouds-configphp-file-with-a-texteditor">config.php documentation</a>.</p>
-        <p>You can run Nextcloud's usual occ commands by following the <a href="https://github.com/nextcloud/all-in-one#how-to-run-occ-commands">occ documentation</a></strong>.</p>
+        <p>Nextcloud's config.php file is stored in the nextcloud_aio_nextcloud Docker volume and can be edited by following the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-edit-nextclouds-configphp-file-with-a-texteditor">config.php documentation</a>.</p>
+        <p>You can run Nextcloud's usual occ commands by following the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-run-occ-commands">occ documentation</a></strong>.</p>
     {% endif %}
 
     <p>
@@ -11,7 +11,7 @@
         {% else %}
             Nextcloud's datadir is getting stored in the {{ nextcloud_datadir }} Docker volume.
         {% endif %}
-        See the <a href="https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir">NEXTCLOUD_DATADIR documentation</a> on how to change this.
+        See the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir">NEXTCLOUD_DATADIR documentation</a> on how to change this.
     </p>
 
     <p>
@@ -20,13 +20,13 @@
         {% else %}
             The Nextcloud container is getting access to the {{ nextcloud_mount }} directory and local external storage in Nextcloud is enabled.
         {% endif %}
-        See the <a href="https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host">NEXTCLOUD_MOUNT documentation</a> on how to change this.</p>
+        See the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host">NEXTCLOUD_MOUNT documentation</a> on how to change this.</p>
 
-    <p>Nextcloud has an upload limit of {{ nextcloud_upload_limit }} configured (for public link uploads. Bigger uploads are always possible when users are logged in). See the <a href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud">NEXTCLOUD_UPLOAD_LIMIT documentation</a> on how to change this.</p>
+    <p>Nextcloud has an upload limit of {{ nextcloud_upload_limit }} configured (for public link uploads. Bigger uploads are always possible when users are logged in). See the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud">NEXTCLOUD_UPLOAD_LIMIT documentation</a> on how to change this.</p>
 
-    <p>For Nextcloud, a memory limit of {{ nextcloud_memory_limit }} per PHP process is configured. See the <a href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud">NEXTCLOUD_MEMORY_LIMIT documentation</a> on how to change this.</p>
+    <p>For Nextcloud, a memory limit of {{ nextcloud_memory_limit }} per PHP process is configured. See the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud">NEXTCLOUD_MEMORY_LIMIT documentation</a> on how to change this.</p>
 
-    <p>Nextcloud has a timeout of {{ nextcloud_max_time }} seconds configured (important for big file uploads). See the <a href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud">NEXTCLOUD_MAX_TIME documentation</a> on how to change this.</p>
+    <p>Nextcloud has a timeout of {{ nextcloud_max_time }} seconds configured (important for big file uploads). See the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud">NEXTCLOUD_MAX_TIME documentation</a> on how to change this.</p>
 
     <p>
         {% if is_dri_device_enabled == true and is_nvidia_gpu_enabled == true %}
@@ -38,7 +38,7 @@
         {% else %}
             Hardware acceleration is not enabled. It's recommended to enable hardware transcoding for better performance.
         {% endif %}
-        See the <a href="https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud">hardware acceleration documentation</a> on how to change this.</p>
+        See the <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud">hardware acceleration documentation</a> on how to change this.</p>
 
-    <p>For further documentation on AIO, refer to <strong><a href="https://github.com/nextcloud/all-in-one#nextcloud-all-in-one">this page</a></strong>. You can use the browser search [CTRL]+[F] to search through the documentation. Additional documentation can be found <strong><a href="https://github.com/nextcloud/all-in-one/discussions/categories/wiki">here</a></strong>.</p>
+    <p>For further documentation on AIO, refer to <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one#nextcloud-all-in-one">this page</a></strong>. You can use the browser search [CTRL]+[F] to search through the documentation. Additional documentation can be found <strong><a target="_blank" href="https://github.com/nextcloud/all-in-one/discussions/categories/wiki">here</a></strong>.</p>
 </details>

php/templates/includes/backup-dirs.twig

@@ -3,4 +3,4 @@
 <p>On Synology it could be <strong>/volume1/docker/nextcloud/backup</strong>.</p>
 <p>For macOS it may be <strong>/var/backup</strong>.</p>
 <p>On Windows it might be <strong>/run/desktop/mnt/host/c/backup</strong>. (This path is equivalent to 'C:\backup' on your Windows host so you need to translate the path accordingly. Hint: the path that you enter needs to start with '/run/desktop/mnt/host/'. Append to that the exact location on your windows host, e.g. 'c/backup' which is equivalent to 'C:\backup'.) ⚠️ <strong>Please note</strong>: This does not work with external drives like USB or network drives and only with internal drives like SATA or NVME drives.</p>
-<p>Another option is to enter a specific volume name here: <strong>nextcloud_aio_backupdir</strong>. This volume needs to be created beforehand manually by you in order to be able to use it. See <a href="https://github.com/nextcloud/all-in-one#how-to-create-the-backup-volume-on-windows">this documentation</a> for an example.</p>
+<p>Another option is to enter a specific volume name here: <strong>nextcloud_aio_backupdir</strong>. This volume needs to be created beforehand manually by you in order to be able to use it. See <a target="_blank" href="https://github.com/nextcloud/all-in-one#how-to-create-the-backup-volume-on-windows">this documentation</a> for an example.</p>