Merge pull request #7254 from nextcloud/dependabot/github_actions/dot-github/workflows/actions/checkout-6.0.1

build(deps): bump actions/checkout from 6.0.0 to 6.0.1 in /.github/workflows

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -33,3 +33,5 @@ labels: 0. Needs triage
 #### Output of `sudo docker logs nextcloud-aio-mastercontainer`
 
 #### Other valuable info <!--- (like additional logs, screenshots & Co.) -->
+
+#### A picture of a cute animal <!--- (not mandatory but encouraged) -->

.github/workflows/codespell.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
       - name: Check spelling
         uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
         with:

.github/workflows/collabora.yml

@@ -10,7 +10,7 @@ jobs:
     name: update collabora
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Run collabora-profile-update
       run: |
         rm -f php/cool-seccomp-profile.json
@@ -18,7 +18,7 @@ jobs:
         mv cool-seccomp-profile.json php/
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
       with:
         commit-message: collabora-seccomp-update automated change
         signoff: true

.github/workflows/community-containers.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
       - name: Validate structure
         run: |
           CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"

.github/workflows/dependency-updates.yml

@@ -10,8 +10,8 @@ jobs:
     name: Run dependency update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
+    - uses: actions/checkout@v6.0.1
+    - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
       with:
         php-version: 8.4
         extensions: apcu
@@ -44,7 +44,7 @@ jobs:
         )"
         sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
       with:
         commit-message: php dependency updates
         signoff: true

.github/workflows/docker-lint.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
 
       - name: Install hadolint
         run: |

.github/workflows/helm-release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
 
       - name: Turnstyle
         uses: softprops/turnstyle@2e4451ef94c5969eee533c487092052d4d1a53af # v2

.github/workflows/imaginary-update.yml

@@ -10,7 +10,7 @@ jobs:
     name: update to latest imaginary commit on master branch
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Run imaginary-update
       run: |
         # Imaginary
@@ -22,7 +22,7 @@ jobs:
         sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
       with:
         commit-message: imaginary-update automated change
         signoff: true

.github/workflows/json-validator.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
       - name: Validate Json
         run: |
           sudo apt-get update

.github/workflows/lint-helm.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
         with:
           fetch-depth: 0
 

.github/workflows/lint-php.yml

@@ -36,12 +36,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
         with:
           persist-credentials: false
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none

.github/workflows/nextcloud-update.yml

@@ -11,7 +11,7 @@ jobs:
     name: Run nextcloud-update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Run nextcloud-update script
       run: |
         # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -79,7 +79,7 @@ jobs:
         fi
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
       with:
         commit-message: nextcloud-update automated change
         signoff: true

.github/workflows/php-deprecation-detector.yml

@@ -16,9 +16,9 @@ jobs:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
       - name: Set up php
-        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:
           php-version: 8.4
           extensions: apcu

.github/workflows/playwright.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
 
       - uses: actions/setup-node@v6
         with:

.github/workflows/psalm-update-baseline.yml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1
 
       - name: Set up php
-        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:
           php-version: 8.4
           extensions: apcu
@@ -30,7 +30,7 @@ jobs:
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           commit-message: Update psalm baseline

.github/workflows/psalm.yml

@@ -32,12 +32,12 @@ jobs:
     name: static-psalm-analysis
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
         with:
           persist-credentials: false
 
       - name: Set up php
-        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2.36.0
         with:
           php-version: 8.4
           extensions: apcu

.github/workflows/shellcheck.yml

@@ -15,7 +15,7 @@ jobs:
     name: Check Shell
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Run Shellcheck
       uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
       with:

.github/workflows/talk.yml

@@ -10,7 +10,7 @@ jobs:
     name: update talk
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Run talk-container-update
       run: |
         # Recording
@@ -45,7 +45,7 @@ jobs:
         sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
       with:
         commit-message: talk-update automated change
         signoff: true

.github/workflows/twig-lint.yml

@@ -24,10 +24,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2
+        uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
         with:
           php-version: 8.4
           extensions: apcu

.github/workflows/update-copyright.yml

@@ -8,4 +8,4 @@ jobs:
     name: update copyright
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.1

.github/workflows/update-helm.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
       - name: update helm chart
         run: |
           set -x
@@ -23,7 +23,7 @@ jobs:
             sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
         with:
           commit-message: Helm Chart updates
           signoff: true

.github/workflows/update-yaml.yml

@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.1
       - name: update yaml files
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
         with:
           commit-message: Yaml updates
           signoff: true

.github/workflows/watchtower-update.yml

@@ -10,7 +10,7 @@ jobs:
     name: update watchtower
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6.0.1
     - name: Run watchtower-container-update
       run: |
         # Watchtower
@@ -26,7 +26,7 @@ jobs:
         sed -i "s|\$WATCHTOWER_COMMIT_HASH.*$|\$WATCHTOWER_COMMIT_HASH # $watchtower_version|" ./Containers/watchtower/Dockerfile
         
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
       with:
         commit-message: watchtower-update automated change
         signoff: true

Containers/borgbackup/backupscript.sh

@@ -612,3 +612,12 @@ if [ "$BORG_MODE" = test ]; then
         fi
     fi
 fi
+
+if [ "$BORG_MODE" = list ]; then
+    echo "Updating backup list..."
+    if ! borg info > /dev/null; then
+        echo "Could not update the backup list."
+        exit 1
+    fi
+    # The update gets done automatically in the wrapper start.sh script.
+fi

Containers/borgbackup/start.sh

@@ -32,8 +32,8 @@ else
 fi
 
 # Validate BORG_MODE
-if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != test ]; then
-    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore' and 'test'."
+if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != restore ] && [ "$BORG_MODE" != check ] && [ "$BORG_MODE" != "check-repair" ] && [ "$BORG_MODE" != "test" ] && [ "$BORG_MODE" != "list" ]; then
+    echo "No correct BORG_MODE mode applied. Valid are 'backup', 'check', 'restore', 'test' and 'list'."
     exit 1
 fi
 

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.7.2.1
+FROM collabora/code:25.04.7.3.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.2.9-alpine
+FROM haproxy:3.3.0-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.7
+FROM elasticsearch:8.19.8
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.4-alpine3.22 AS go
+FROM golang:1.25.5-alpine3.22 AS go
 
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 

Containers/mastercontainer/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.0.2-cli AS docker
+FROM docker:29.1.1-cli AS docker
 
 # Caddy is a requirement
 FROM caddy:2.10.2-alpine AS caddy
@@ -125,7 +125,9 @@ RUN set -ex; \
     mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 
-LABEL org.label-schema.vendor="Nextcloud"
+# hadolint ignore=DL3048
+LABEL org.label-schema.vendor="Nextcloud" \
+    com.docker.compose.project="nextcloud-aio"
 
 # hadolint ignore=DL3002
 USER root

Containers/mastercontainer/start.sh

@@ -75,18 +75,15 @@ elif ! sudo -E -u www-data test -r /var/run/docker.sock; then
     fi
 fi
 
-# Check if api version is supported
-if ! sudo -E -u www-data docker info &>/dev/null; then
-    print_red "Cannot connect to the docker socket. Cannot proceed."
-    echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
-    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
-    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+# Get default docker api version
+API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
+API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
+if [ -z "$API_VERSION" ]; then
+    print_red "Could not get API_VERSION. Something is wrong!"
     exit 1
 fi
 
-# Docker api version check
-API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
-API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
+# Check if DOCKER_API_VERSION is set globally
 if [ -n "$DOCKER_API_VERSION" ]; then
     if ! echo "$DOCKER_API_VERSION" | grep -q '^[0-9].[0-9]\+$'; then
         print_red "You've set DOCKER_API_VERSION but not to an allowed value.
@@ -98,23 +95,45 @@ It is set to '$DOCKER_API_VERSION'."
     print_red "Please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
     print_red "So you run on your own risk and things might break without warning."
 else
-    # shellcheck disable=SC2001
-    API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
-    LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
-    if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
-        if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-            print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
-            echo "Alternatively, set the DOCKER_API_VERSION environmental variable to a compatible version."
-            echo "However please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
-            echo "See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version"
-            exit 1
-        fi
-    else
-        echo "LOCAL_API_VERSION_NUMB or API_VERSION_NUMB are not set correctly. Cannot check if the API version is supported."
-        sleep 10
+    # Export docker api version to use it everywhere
+    export DOCKER_API_VERSION="$API_VERSION"
+fi
+
+# Set a fallback docker api version. Needed for api version check. 
+# The check will not work otherwise on old docker versions
+FALLBACK_DOCKER_API_VERSION="1.41"
+
+# Check if docker info can be used
+if ! sudo -E -u www-data docker info &>/dev/null; then
+    if ! sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker info &>/dev/null; then
+        print_red "Cannot connect to the docker socket. Cannot proceed."
+        echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
+        echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
+        echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+        exit 1
     fi
 fi
 
+# Docker api version check
+# shellcheck disable=SC2001
+API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
+LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
+if [ -z "$LOCAL_API_VERSION_NUMB" ]; then
+    LOCAL_API_VERSION_NUMB="$(sudo -E -u www-data DOCKER_API_VERSION="$FALLBACK_DOCKER_API_VERSION" docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
+fi
+if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
+    if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
+        print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
+        echo "Alternatively, set the DOCKER_API_VERSION environmental variable to a compatible version."
+        echo "However please note that only v$API_VERSION is officially supported and tested by the maintainers of Nextcloud AIO."
+        echo "See https://github.com/nextcloud/all-in-one#how-to-adjust-the-internally-used-docker-api-version"
+        exit 1
+    fi
+else
+    echo "LOCAL_API_VERSION_NUMB or API_VERSION_NUMB are not set correctly. Cannot check if the API version is supported."
+    sleep 10
+fi
+
 # Check Storage drivers
 STORAGE_DRIVER="$(sudo -E -u www-data docker info | grep "Storage Driver")"
 # Check if vfs is used: https://github.com/nextcloud/all-in-one/discussions/1467

Containers/nextcloud/Dockerfile

@@ -86,7 +86,7 @@ RUN set -ex; \
     pecl install APCu-5.1.27; \
     pecl install -D 'enable-memcached-igbinary="yes"' memcached-3.4.0; \
     pecl install -oD 'enable-redis-igbinary="yes" enable-redis-zstd="yes" enable-redis-lz4="yes"' redis-6.3.0; \
-   pecl install -o imagick-3.8.0; \
+   pecl install -o imagick-3.8.1; \
     \
     docker-php-ext-enable \
         igbinary \

Containers/nextcloud/config/postgres.config.php

@@ -7,3 +7,11 @@ if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES')) {
     ),
   );
 }
+if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL')) {
+  $CONFIG = array(
+    'dbdriveroptions' => array(
+      'PDO::MYSQL_ATTR_SSL_CA' => '/var/www/html/data/certificates/MYSQL',
+    ),
+  );
+}
+

Containers/nextcloud/entrypoint.sh

@@ -283,6 +283,10 @@ EOF
             if [ -n "$NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES" ]; then
                 mkdir /var/www/html/data/certificates
                 echo "$NEXTCLOUD_TRUSTED_CERTIFICATES_POSTGRES" > "/var/www/html/data/certificates/POSTGRES"
+            # Write out mysql root cert
+            elif [ -n "$NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL" ]; then
+                mkdir /var/www/html/data/certificates
+                echo "$NEXTCLOUD_TRUSTED_CERTIFICATES_MYSQL" > "/var/www/html/data/certificates/MYSQL"
             fi
 
             echo "Installing with $DATABASE_TYPE database"
@@ -741,7 +745,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         echo "No IPv6 address found for $COLLABORA_HOST."
     fi
     if [ -n "$COLLABORA_ALLOW_LIST" ]; then
-        PRIVATE_IP_RANGES='127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1'
+        PRIVATE_IP_RANGES='127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,100.64.0.0/10,fd00::/8,::1/128'
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$PRIVATE_IP_RANGES"; then
             COLLABORA_ALLOW_LIST+=",$PRIVATE_IP_RANGES"
         fi

Containers/notify-push/start.sh

@@ -68,11 +68,14 @@ fi
 
 # Postgres root cert
 if [ -f "/nextcloud/data/certificates/POSTGRES" ]; then
-    POSTGRES_CERT="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/POSTGRES"
+    CERT_OPTIONS="?sslmode=verify-ca&sslrootcert=/nextcloud/data/certificates/POSTGRES"
+# Mysql root cert
+elif [ -f "/nextcloud/data/certificates/MYSQL" ]; then
+    CERT_OPTIONS="?sslmode=verify-ca&ssl-ca=/nextcloud/data/certificates/MYSQL"
 fi
 
 # Set sensitive values as env
-export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB$POSTGRES_CERT"
+export DATABASE_URL="$DATABASE_TYPE://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB$CERT_OPTIONS"
 export REDIS_URL="redis://$REDIS_USER:$REDIS_HOST_PASSWORD@$REDIS_HOST/$REDIS_DB_INDEX"
 
 # Run it

Containers/onlyoffice/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:9.1.0.1
+FROM onlyoffice/documentserver:9.2.0.1
 
 # USER root is probably used
 

Containers/watchtower/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.25.4-alpine3.22 AS go
+FROM golang:1.25.5-alpine3.22 AS go
 
 ENV WATCHTOWER_COMMIT_HASH=6c5a1b0bea65cea1d4cc1de5196789a01617957a	
 

Containers/whiteboard/Dockerfile

@@ -1,14 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.4.1
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.4.2
 
 USER root
 RUN set -ex; \
-    apk upgrade --no-cache -a; \
     apk add --no-cache bash; \
     chmod 777 -R /tmp; \
-    if [ -f /usr/lib/chromium/chrome_crashpad_handler ]; then \
-        rm -f /usr/lib/chromium/chrome_crashpad_handler.real; \
+    if [ -f /usr/lib/chromium/chrome_crashpad_handler ] && [ ! -f /usr/lib/chromium/chrome_crashpad_handler.real ]; then \
         mv /usr/lib/chromium/chrome_crashpad_handler /usr/lib/chromium/chrome_crashpad_handler.real; \
         printf '%s\n' '#!/bin/sh' "exec /usr/lib/chromium/chrome_crashpad_handler.real --no-periodic-tasks --database=\"\${CRASHPAD_DATABASE:-/tmp/chrome-crashpad}\" \"\$@\"" >/usr/lib/chromium/chrome_crashpad_handler; \
         chmod +x /usr/lib/chromium/chrome_crashpad_handler; \

community-containers/borgbackup-viewer/readme.md

@@ -5,7 +5,7 @@ This container allows to view the local borg repository in a web session. It als
 - After adding and starting the container, you need to visit `https://ip.address.of.this.server:5801` in order to log in with the user `nextcloud` and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
 - Then, you should see a terminal. There type in `borg mount /mnt/borgbackup/borg /tmp/borg` to mount the backup archive at `/tmp/borg` inside the container. Afterwards type in `nautilus /tmp/borg` which will show a file explorer and allows you to see all the files. You can then copy files and folders back to their initial mountpoints inside `/nextcloud_aio_volumes/`, `/host_mounts/` and `/docker_volumes/`. ⚠️ Be very carefully while doing that as can break your instance!
 - After you are done with the operation, click on the terminal in the background and press `[CTRL]+[c]` multiple times to close any open application. Then run `umount /tmp/borg` to unmount the mountpoint correctly.
-- You can also delete specific archives by running `borg list`,  delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Check backup integrity` button or `Create backup` button.
+- You can also delete specific archives by running `borg list`,  delete a specific archive e.g. via `borg delete --stats --progress "::20220223_174237-nextcloud-aio"` and compact the archives via `borg compact`. After doing so, make sure to update the backup archives list in the AIO interface! You can do so by clicking on the `Update backup list` button in the `Update backup list` section inside the `Backup and restore` section.
 - ⚠️ After you are done doing your operations, remove the container for better security again from the stack: https://github.com/nextcloud/all-in-one/tree/main/community-containers#how-to-remove-containers-from-aios-stack
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 

community-containers/caddy/caddy.json

@@ -5,7 +5,7 @@
             "display_name": "Caddy with geoblocking",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy",
             "image": "ghcr.io/szaimen/aio-caddy",
-            "image_tag": "v3",
+            "image_tag": "v4",
             "internal_port": "443",
             "restart": "unless-stopped",
             "ports": [
@@ -19,6 +19,7 @@
                 "TZ=%TIMEZONE%",
                 "NC_DOMAIN=%NC_DOMAIN%",
                 "APACHE_PORT=%APACHE_PORT%",
+                "APACHE_IP_BINDING=%APACHE_IP_BINDING%",
                 "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%"
             ],
             "volumes": [

community-containers/caddy/readme.md

@@ -3,9 +3,10 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
-- Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
+- Make sure that no other service is using port 443/tcp on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
 - Starting with AIO v12, the Talk port that was usually exposed on port 3478 is now set to port 443 udp and tcp and reachable via `your-nc-domain.com`. For the changes to become activated, you need to go to `https://your-nc-domain.com/settings/admin/talk` and delete all turn and stun servers. Then restart the containers and the new config should become active.
 - Starting with AIO v12, you can also limit vaultwarden, stalwart and lldap to certain ip-addresses. You can do so by creating a `allowed-IPs-vaultwarden.txt`, `allowed-IPs-stalwart.txt`, or `allowed-IPs-lldap.txt` file in the `nextcloud-aio-caddy` directory of your admin user and adding the ip-addresses in these files.
+- The container also supports the proxy protocol inside caddy. That means that you can run a supported web server in front of port 443/tcp and use the proxy protocol. You can enable this by configuring the `APACHE_IP_BINDING` environmental variable for the mastercontainer and set it to an ip-address from which the protocol shall be accepted. ⚠️ Note that the initial domain validation will not work correctly if you want to use the proxy protocol. So make sure to skip the domain validation in that case. See the [documentation](https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation).
 - If you want to use this with [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden), make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
 - If you want to use this with [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart), make sure that you point `mail.your-nc-domain.com` to your server using an A, AAAA or CNAME record so that caddy can get a certificate automatically for stalwart.
 - If you want to use this with [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin), make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.

community-containers/makemkv/readme.md

@@ -5,7 +5,7 @@ This container bundles MakeMKV and auto-configures it for you.
 - This container should only be run in home networks
 - ⚠️ This container mounts all devices from the host inside the container in order to be able to access the external DVD/Blu-ray drives which is a security issue. However no better solution was found for the time being.
 - This container only works on Linux and not on Docker-Desktop.
-- This container requires the [`NEXTCLOUD_MOUNT` variable in AIO to be set](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host). Otherwise the output will not be saved correctly..
+- This container requires the [`NEXTCLOUD_MOUNT` variable in AIO to be set](https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host). Otherwise the output will not be saved correctly..
 - After adding and starting the container, you need to visit `https://internal.ip.of.server:5802` in order to log in with the `makemkv` user and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning).
 - After the first login, you can adjust the `/output` directory in the MakeMKV settings to a subdirectory of the root of your chosen `NEXTCLOUD_MOUNT`. (by default `NEXTCLOUD_MOUNT` is mounted to `/output` inside the container. Thus all data is written to the root of it)
 - The configured `NEXTCLOUD_DATADIR` is getting mounted to `/storage` inside the container.

community-containers/notifications/notifications.json

@@ -0,0 +1,23 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-notifications",
+            "display_name": "Notifications",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/notifications",
+            "image": "ghcr.io/szaimen/aio-notifications",
+            "image_tag": "v1",
+            "internal_port": "10000",
+            "restart": "unless-stopped",
+            "volumes": [
+                {
+                  "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
+                  "destination": "/var/run/docker.sock",
+                  "writeable": false
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ]
+        }
+    ]
+}

community-containers/notifications/readme.md

@@ -0,0 +1,12 @@
+## Notifications
+This container allows other AIO community containers to send admin notifications to Nextcloud users. 
+
+### Notes
+- It needs to be enabled for the [scrutiny container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/scrutiny) for example to make use of admin notifications that are sent if a smartctl failure was found.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-notifications
+
+### Maintainer
+https://github.com/szaimen

community-containers/scrutiny/readme.md

@@ -6,7 +6,7 @@ This container bundles Scrutiny which is a frontend for SMART stats and auto-con
 - ⚠️ This container mounts all devices from the host inside the container in order to be able to access the drives and smartctl stats which is a security issue. However no better solution was found for the time being.
 - This container only works on Linux and not on Docker-Desktop.
 - After adding and starting the container, you need to visit `http://internal.ip.of.server:8000` which will show the dashboard for your drives.
-- It currently does not support sending notifications as no good solution was found yet that makes this possible. See https://github.com/szaimen/aio-scrutiny/issues/3
+- It supports sending notifications in case of a smartctl failure if you enable the notifications community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/notifications
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

community-containers/scrutiny/scrutiny.json

@@ -5,7 +5,7 @@
             "display_name": "Scrutiny",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/scrutiny",
             "image": "ghcr.io/szaimen/aio-scrutiny",
-            "image_tag": "v1",
+            "image_tag": "v2",
             "internal_port": "8000",
             "init": false,
             "restart": "unless-stopped",

community-containers/smbserver/readme.md

@@ -3,7 +3,6 @@ This container bundles an SMB-server and allows to configure it via a graphical
 
 ### Notes
 - This container should only be run in home networks
-- This container currently only works on amd64. See https://github.com/szaimen/aio-smbserver/issues/3
 - After adding and starting the container, you need to visit `https://internal.ip.of.server:5803` in order to log in with the `smbserver` user and the password that you can see next to the container in the AIO interface. (The web page uses a self-signed certificate, so you need to accept the warning). Then type in `bash /smbserver.sh` and you will see a graphical UI for configuring the smb-server interactively.
 - The config data of SMB-server will be automatically included in AIOs backup solution!
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

compose.yaml

@@ -1,3 +1,4 @@
+name: nextcloud-aio # Add the container to the same compose project like all the sibling containers are added to automatically.
 services:
   nextcloud-aio-mastercontainer:
     image: ghcr.io/nextcloud-releases/all-in-one:latest # This is the container image used. You can switch to ghcr.io/nextcloud-releases/all-in-one:beta if you want to help testing new releases. See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
@@ -35,7 +36,7 @@ services:
       # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud
       # NEXTCLOUD_ENABLE_NVIDIA_GPU: true # This allows to enable the NVIDIA runtime and GPU access for containers that profit from it. ⚠️⚠️⚠️ Warning: this only works if an NVIDIA gpu is installed on the server. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-acceleration-for-nextcloud.
       # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
-      # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-skip-the-domain-validation
+      # SKIP_DOMAIN_VALIDATION: false # This should only be set to true if things are correctly configured. See https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation
       # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using which is exposed on the host. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
       # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
 

manual-install/latest.yml

@@ -160,7 +160,6 @@ services:
       - TALK_PORT
       - IMAGINARY_ENABLED
       - IMAGINARY_HOST=nextcloud-aio-imaginary
-      - CLAMAV_MAX_SIZE=${APACHE_MAX_SIZE}
       - PHP_UPLOAD_LIMIT=${NEXTCLOUD_UPLOAD_LIMIT}
       - PHP_MEMORY_LIMIT=${NEXTCLOUD_MEMORY_LIMIT}
       - FULLTEXTSEARCH_ENABLED
@@ -256,7 +255,7 @@ services:
       - "9980"
     environment:
       - aliasgroup1=https://${NC_DOMAIN}:443,http://nextcloud-aio-apache:23973
-      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://${NC_DOMAIN}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
       - dictionaries=${COLLABORA_DICTIONARIES}
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 11.11.0
+version: 12.1.4
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-apache:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-alpine:20251128_084214
           command:
             - mkdir
             - "-p"
@@ -59,7 +59,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-clamav:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -32,10 +32,14 @@ spec:
             - name: dictionaries
               value: "{{ .Values.COLLABORA_DICTIONARIES }}"
             - name: extra_params
-              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:logging.level_startup=warning --o:home_mode.enable=true --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
+              value: --o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: ghcr.io/nextcloud-releases/aio-collabora:20251031_122139
+          {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20251128_084214
+          {{- else }}
+          image: ghcr.io/nextcloud-releases/aio-collabora:20251128_084214
+          {{- end }}
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-alpine:20251128_084214
           command:
             - mkdir
             - "-p"
@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-alpine:20251128_084214
           command:
             - chmod
             - "777"
@@ -54,7 +54,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-alpine:20251128_084214
           command:
             - chmod
             - "777"
@@ -100,8 +100,6 @@ spec:
               value: "{{ .Values.CLAMAV_ENABLED }}"
             - name: CLAMAV_HOST
               value: nextcloud-aio-clamav
-            - name: CLAMAV_MAX_SIZE
-              value: "{{ .Values.APACHE_MAX_SIZE }}"
             - name: COLLABORA_ENABLED
               value: "{{ .Values.COLLABORA_ENABLED }}"
             - name: COLLABORA_HOST
@@ -188,7 +186,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20251128_084214
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -55,7 +55,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-alpine:20251128_084214
           command:
             - chmod
             - "777"
@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-redis:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-talk:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20251128_084214
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -48,7 +48,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20251031_122139
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20251128_084214
           readinessProbe:
             exec:
               command:

php/composer.lock

@@ -391,16 +391,16 @@
         },
         {
             "name": "laravel/serializable-closure",
-            "version": "v2.0.6",
+            "version": "v2.0.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "038ce42edee619599a1debb7e81d7b3759492819"
+                "reference": "cb291e4c998ac50637c7eeb58189c14f5de5b9dd"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/038ce42edee619599a1debb7e81d7b3759492819",
-                "reference": "038ce42edee619599a1debb7e81d7b3759492819",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/cb291e4c998ac50637c7eeb58189c14f5de5b9dd",
+                "reference": "cb291e4c998ac50637c7eeb58189c14f5de5b9dd",
                 "shasum": ""
             },
             "require": {
@@ -409,7 +409,7 @@
             "require-dev": {
                 "illuminate/support": "^10.0|^11.0|^12.0",
                 "nesbot/carbon": "^2.67|^3.0",
-                "pestphp/pest": "^2.36|^3.0",
+                "pestphp/pest": "^2.36|^3.0|^4.0",
                 "phpstan/phpstan": "^2.0",
                 "symfony/var-dumper": "^6.2.0|^7.0.0"
             },
@@ -448,7 +448,7 @@
                 "issues": "https://github.com/laravel/serializable-closure/issues",
                 "source": "https://github.com/laravel/serializable-closure"
             },
-            "time": "2025-10-09T13:42:30+00:00"
+            "time": "2025-11-21T20:52:36+00:00"
         },
         {
             "name": "nikic/fast-route",
@@ -1644,16 +1644,16 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.22.0",
+            "version": "v3.22.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "4509984193026de413baf4ba80f68590a7f2c51d"
+                "reference": "1de2ec1fc43ab58a4b7e80b214b96bfc895750f3"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/4509984193026de413baf4ba80f68590a7f2c51d",
-                "reference": "4509984193026de413baf4ba80f68590a7f2c51d",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/1de2ec1fc43ab58a4b7e80b214b96bfc895750f3",
+                "reference": "1de2ec1fc43ab58a4b7e80b214b96bfc895750f3",
                 "shasum": ""
             },
             "require": {
@@ -1707,7 +1707,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.22.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.22.1"
             },
             "funding": [
                 {
@@ -1719,7 +1719,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-10-29T15:56:47+00:00"
+            "time": "2025-11-16T16:01:12+00:00"
         }
     ],
     "packages-dev": [
@@ -3455,16 +3455,16 @@
         },
         {
             "name": "phpdocumentor/reflection-docblock",
-            "version": "5.6.4",
+            "version": "5.6.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git",
-                "reference": "90a04bcbf03784066f16038e87e23a0a83cee3c2"
+                "reference": "90614c73d3800e187615e2dd236ad0e2a01bf761"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/90a04bcbf03784066f16038e87e23a0a83cee3c2",
-                "reference": "90a04bcbf03784066f16038e87e23a0a83cee3c2",
+                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/90614c73d3800e187615e2dd236ad0e2a01bf761",
+                "reference": "90614c73d3800e187615e2dd236ad0e2a01bf761",
                 "shasum": ""
             },
             "require": {
@@ -3513,22 +3513,22 @@
             "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.",
             "support": {
                 "issues": "https://github.com/phpDocumentor/ReflectionDocBlock/issues",
-                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/5.6.4"
+                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/5.6.5"
             },
-            "time": "2025-11-17T21:13:10+00:00"
+            "time": "2025-11-27T19:50:05+00:00"
         },
         {
             "name": "phpdocumentor/type-resolver",
-            "version": "1.11.1",
+            "version": "1.12.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpDocumentor/TypeResolver.git",
-                "reference": "f626740b38009078de0dc8b2b9dc4e7f749c6eba"
+                "reference": "92a98ada2b93d9b201a613cb5a33584dde25f195"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpDocumentor/TypeResolver/zipball/f626740b38009078de0dc8b2b9dc4e7f749c6eba",
-                "reference": "f626740b38009078de0dc8b2b9dc4e7f749c6eba",
+                "url": "https://api.github.com/repos/phpDocumentor/TypeResolver/zipball/92a98ada2b93d9b201a613cb5a33584dde25f195",
+                "reference": "92a98ada2b93d9b201a613cb5a33584dde25f195",
                 "shasum": ""
             },
             "require": {
@@ -3571,9 +3571,9 @@
             "description": "A PSR-5 based resolver of Class names, Types and Structural Element Names",
             "support": {
                 "issues": "https://github.com/phpDocumentor/TypeResolver/issues",
-                "source": "https://github.com/phpDocumentor/TypeResolver/tree/1.11.1"
+                "source": "https://github.com/phpDocumentor/TypeResolver/tree/1.12.0"
             },
-            "time": "2025-11-21T11:31:57+00:00"
+            "time": "2025-11-21T15:09:14+00:00"
         },
         {
             "name": "phpstan/phpdoc-parser",
@@ -3624,16 +3624,16 @@
         },
         {
             "name": "revolt/event-loop",
-            "version": "v1.0.7",
+            "version": "v1.0.8",
             "source": {
                 "type": "git",
                 "url": "https://github.com/revoltphp/event-loop.git",
-                "reference": "09bf1bf7f7f574453efe43044b06fafe12216eb3"
+                "reference": "b6fc06dce8e9b523c9946138fa5e62181934f91c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/revoltphp/event-loop/zipball/09bf1bf7f7f574453efe43044b06fafe12216eb3",
-                "reference": "09bf1bf7f7f574453efe43044b06fafe12216eb3",
+                "url": "https://api.github.com/repos/revoltphp/event-loop/zipball/b6fc06dce8e9b523c9946138fa5e62181934f91c",
+                "reference": "b6fc06dce8e9b523c9946138fa5e62181934f91c",
                 "shasum": ""
             },
             "require": {
@@ -3690,9 +3690,9 @@
             ],
             "support": {
                 "issues": "https://github.com/revoltphp/event-loop/issues",
-                "source": "https://github.com/revoltphp/event-loop/tree/v1.0.7"
+                "source": "https://github.com/revoltphp/event-loop/tree/v1.0.8"
             },
-            "time": "2025-01-25T19:27:39+00:00"
+            "time": "2025-08-27T21:33:23+00:00"
         },
         {
             "name": "sebastian/diff",
@@ -3763,16 +3763,16 @@
         },
         {
             "name": "spatie/array-to-xml",
-            "version": "3.4.1",
+            "version": "3.4.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/spatie/array-to-xml.git",
-                "reference": "6a740f39415aee8886aea10333403adc77d50791"
+                "reference": "7b9202dccfe18d4e3a13303156d6bbcc1c61dabf"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/spatie/array-to-xml/zipball/6a740f39415aee8886aea10333403adc77d50791",
-                "reference": "6a740f39415aee8886aea10333403adc77d50791",
+                "url": "https://api.github.com/repos/spatie/array-to-xml/zipball/7b9202dccfe18d4e3a13303156d6bbcc1c61dabf",
+                "reference": "7b9202dccfe18d4e3a13303156d6bbcc1c61dabf",
                 "shasum": ""
             },
             "require": {
@@ -3815,7 +3815,7 @@
                 "xml"
             ],
             "support": {
-                "source": "https://github.com/spatie/array-to-xml/tree/3.4.1"
+                "source": "https://github.com/spatie/array-to-xml/tree/3.4.3"
             },
             "funding": [
                 {
@@ -3827,7 +3827,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2025-11-12T10:32:50+00:00"
+            "time": "2025-11-27T09:08:26+00:00"
         },
         {
             "name": "sserbin/twig-linter",
@@ -3987,16 +3987,16 @@
         },
         {
             "name": "symfony/filesystem",
-            "version": "v7.3.6",
+            "version": "v7.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "e9bcfd7837928ab656276fe00464092cc9e1826a"
+                "reference": "d551b38811096d0be9c4691d406991b47c0c630a"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/e9bcfd7837928ab656276fe00464092cc9e1826a",
-                "reference": "e9bcfd7837928ab656276fe00464092cc9e1826a",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/d551b38811096d0be9c4691d406991b47c0c630a",
+                "reference": "d551b38811096d0be9c4691d406991b47c0c630a",
                 "shasum": ""
             },
             "require": {
@@ -4005,7 +4005,7 @@
                 "symfony/polyfill-mbstring": "~1.8"
             },
             "require-dev": {
-                "symfony/process": "^6.4|^7.0"
+                "symfony/process": "^6.4|^7.0|^8.0"
             },
             "type": "library",
             "autoload": {
@@ -4033,7 +4033,7 @@
             "description": "Provides basic utilities for the filesystem",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v7.3.6"
+                "source": "https://github.com/symfony/filesystem/tree/v7.4.0"
             },
             "funding": [
                 {
@@ -4053,7 +4053,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-11-05T09:52:27+00:00"
+            "time": "2025-11-27T13:27:24+00:00"
         },
         {
             "name": "symfony/finder",
@@ -4459,22 +4459,23 @@
         },
         {
             "name": "symfony/string",
-            "version": "v7.3.4",
+            "version": "v7.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/string.git",
-                "reference": "f96476035142921000338bad71e5247fbc138872"
+                "reference": "d50e862cb0a0e0886f73ca1f31b865efbb795003"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/f96476035142921000338bad71e5247fbc138872",
-                "reference": "f96476035142921000338bad71e5247fbc138872",
+                "url": "https://api.github.com/repos/symfony/string/zipball/d50e862cb0a0e0886f73ca1f31b865efbb795003",
+                "reference": "d50e862cb0a0e0886f73ca1f31b865efbb795003",
                 "shasum": ""
             },
             "require": {
                 "php": ">=8.2",
+                "symfony/deprecation-contracts": "^2.5|^3.0",
                 "symfony/polyfill-ctype": "~1.8",
-                "symfony/polyfill-intl-grapheme": "~1.0",
+                "symfony/polyfill-intl-grapheme": "~1.33",
                 "symfony/polyfill-intl-normalizer": "~1.0",
                 "symfony/polyfill-mbstring": "~1.0"
             },
@@ -4482,11 +4483,11 @@
                 "symfony/translation-contracts": "<2.5"
             },
             "require-dev": {
-                "symfony/emoji": "^7.1",
-                "symfony/http-client": "^6.4|^7.0",
-                "symfony/intl": "^6.4|^7.0",
+                "symfony/emoji": "^7.1|^8.0",
+                "symfony/http-client": "^6.4|^7.0|^8.0",
+                "symfony/intl": "^6.4|^7.0|^8.0",
                 "symfony/translation-contracts": "^2.5|^3.0",
-                "symfony/var-exporter": "^6.4|^7.0"
+                "symfony/var-exporter": "^6.4|^7.0|^8.0"
             },
             "type": "library",
             "autoload": {
@@ -4525,7 +4526,7 @@
                 "utf8"
             ],
             "support": {
-                "source": "https://github.com/symfony/string/tree/v7.3.4"
+                "source": "https://github.com/symfony/string/tree/v7.4.0"
             },
             "funding": [
                 {
@@ -4545,7 +4546,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-09-11T14:36:48+00:00"
+            "time": "2025-11-27T13:27:24+00:00"
         },
         {
             "name": "vimeo/psalm",

php/containers.json

@@ -380,7 +380,7 @@
       "internal_port": "9980",
       "environment": [
         "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache:23973",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
         "dictionaries=%COLLABORA_DICTIONARIES%",
         "TZ=%TIMEZONE%",
         "server_name=%NC_DOMAIN%",
@@ -399,10 +399,7 @@
         "SYS_ADMIN",
         "SYS_CHROOT",
         "FOWNER",
-        "CHOWN",
-        "MAC_OVERRIDE",
-        "BLOCK_SUSPEND",
-        "AUDIT_READ"
+        "CHOWN"
       ],
       "cap_drop": [
         "NET_RAW"
@@ -797,7 +794,7 @@
       "environment": [
         "TZ=%TIMEZONE%",
         "ES_JAVA_OPTS=%FULLTEXTSEARCH_JAVA_OPTIONS%",
-        "bootstrap.memory_lock=true",
+        "bootstrap.memory_lock=false",
         "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
         "logger.level=WARN",

php/psalm-baseline.xml

@@ -1,34 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="6.13.1@1e3b7f0a8ab32b23197b91107adc0a7ed8a05b51">
-  <file src="src/Controller/DockerController.php">
-    <InvalidOperand>
-      <code><![CDATA[$port]]></code>
-    </InvalidOperand>
-  </file>
-  <file src="src/Data/ConfigurationManager.php">
-    <PossiblyFalseArgument>
-      <code><![CDATA[$ch]]></code>
-      <code><![CDATA[$ch]]></code>
-      <code><![CDATA[$ch]]></code>
-      <code><![CDATA[$ch]]></code>
-      <code><![CDATA[$ch]]></code>
-      <code><![CDATA[$ch]]></code>
-    </PossiblyFalseArgument>
-  </file>
-  <file src="src/Docker/DockerActionManager.php">
-    <PossiblyFalseArgument>
-      <code><![CDATA[$line]]></code>
-      <code><![CDATA[$line]]></code>
-    </PossiblyFalseArgument>
-  </file>
-  <file src="src/Twig/ClassExtension.php">
-    <MissingOverrideAttribute>
-      <code><![CDATA[public function getFunctions() : array]]></code>
-    </MissingOverrideAttribute>
-  </file>
-  <file src="src/Twig/CsrfExtension.php">
-    <MissingOverrideAttribute>
-      <code><![CDATA[public function getGlobals() : array]]></code>
-    </MissingOverrideAttribute>
-  </file>
-</files>
+<files psalm-version="6.13.1@1e3b7f0a8ab32b23197b91107adc0a7ed8a05b51"/>

php/public/index.php

@@ -60,6 +60,7 @@ $app->get('/api/docker/getwatchtower', AIO\Controller\DockerController::class .
 $app->post('/api/docker/start', AIO\Controller\DockerController::class . ':StartContainer');
 $app->post('/api/docker/backup', AIO\Controller\DockerController::class . ':StartBackupContainerBackup');
 $app->post('/api/docker/backup-check', AIO\Controller\DockerController::class . ':StartBackupContainerCheck');
+$app->post('/api/docker/backup-list', AIO\Controller\DockerController::class . ':StartBackupContainerList');
 $app->post('/api/docker/backup-check-repair', AIO\Controller\DockerController::class . ':StartBackupContainerCheckRepair');
 $app->post('/api/docker/backup-test', AIO\Controller\DockerController::class . ':StartBackupContainerTest');
 $app->post('/api/docker/restore', AIO\Controller\DockerController::class . ':StartBackupContainerRestore');
@@ -103,7 +104,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'is_backup_container_running' => $dockerActionManger->isBackupContainerRunning(),
         'backup_exit_code' => $dockerActionManger->GetBackupcontainerExitCode(),
         'is_instance_restore_attempt' => $configurationManager->isInstanceRestoreAttempt(),
-        'borg_backup_mode' => $configurationManager->GetBorgBackupMode(),
+        'borg_backup_mode' => $configurationManager->GetBackupMode(),
         'was_start_button_clicked' => $configurationManager->wasStartButtonClicked(),
         'has_update_available' => $dockerActionManger->isAnyUpdateAvailable(),
         'last_backup_time' => $configurationManager->GetLastBackupTime(),

php/src/Controller/ConfigurationController.php

@@ -159,7 +159,7 @@ readonly class ConfigurationController {
             }
 
             if (isset($request->getParsedBody()['delete_borg_backup_location_vars'])) {
-                $this->configurationManager->DeleteBorgBackupLocationVars();
+                $this->configurationManager->DeleteBorgBackupLocationItems();
             }
 
             return $response->withStatus(201)->withHeader('Location', '.');

php/src/Controller/DockerController.php

@@ -89,9 +89,7 @@ readonly class DockerController {
     }
 
     public function startBackup(bool $forceStopNextcloud = false) : void {
-        $config = $this->configurationManager->GetConfig();
-        $config['backup-mode'] = 'backup';
-        $this->configurationManager->WriteConfig($config);
+        $this->configurationManager->SetBackupMode('backup');
 
         $id = self::TOP_CONTAINER;
         $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
@@ -105,18 +103,28 @@ readonly class DockerController {
         return $response->withStatus(201)->withHeader('Location', '.');
     }
 
+    public function StartBackupContainerList(Request $request, Response $response, array $args) : Response {
+        $this->listBackup();
+        return $response->withStatus(201)->withHeader('Location', '.');
+    }
+
     public function checkBackup() : void {
-        $config = $this->configurationManager->GetConfig();
-        $config['backup-mode'] = 'check';
-        $this->configurationManager->WriteConfig($config);
+        $this->configurationManager->SetBackupMode('check');
+
+        $id = 'nextcloud-aio-borgbackup';
+        $this->PerformRecursiveContainerStart($id);
+    }
+
+        private function listBackup() : void {
+        $this->configurationManager->SetBackupMode('list');
 
         $id = 'nextcloud-aio-borgbackup';
         $this->PerformRecursiveContainerStart($id);
     }
 
     public function StartBackupContainerRestore(Request $request, Response $response, array $args) : Response {
+        $this->configurationManager->SetBackupMode('restore');
         $config = $this->configurationManager->GetConfig();
-        $config['backup-mode'] = 'restore';
         $config['selected-restore-time'] = $request->getParsedBody()['selected_restore_time'] ?? '';
         if (isset($request->getParsedBody()['restore-exclude-previews'])) {
             $config['restore-exclude-previews'] = 1;
@@ -136,24 +144,20 @@ readonly class DockerController {
     }
 
     public function StartBackupContainerCheckRepair(Request $request, Response $response, array $args) : Response {
-        $config = $this->configurationManager->GetConfig();
-        $config['backup-mode'] = 'check-repair';
-        $this->configurationManager->WriteConfig($config);
+        $this->configurationManager->SetBackupMode('check-repair');
 
         $id = 'nextcloud-aio-borgbackup';
         $this->PerformRecursiveContainerStart($id);
 
         // Restore to backup check which is needed to make the UI logic work correctly
-        $config = $this->configurationManager->GetConfig();
-        $config['backup-mode'] = 'check';
-        $this->configurationManager->WriteConfig($config);
+        $this->configurationManager->SetBackupMode('check');
 
         return $response->withStatus(201)->withHeader('Location', '.');
     }
 
     public function StartBackupContainerTest(Request $request, Response $response, array $args) : Response {
+        $this->configurationManager->SetBackupMode('test');
         $config = $this->configurationManager->GetConfig();
-        $config['backup-mode'] = 'test';
         $config['instance_restore_attempt'] = 0;
         $this->configurationManager->WriteConfig($config);
 
@@ -185,7 +189,7 @@ readonly class DockerController {
 
         $config = $this->configurationManager->GetConfig();
         // set AIO_URL
-        $config['AIO_URL'] = $host . ':' . $port . $path;
+        $config['AIO_URL'] = $host . ':' . strval($port) . $path;
         // set wasStartButtonClicked
         $config['wasStartButtonClicked'] = 1;
         // set install_latest_major

php/src/Data/ConfigurationManager.php

@@ -164,10 +164,10 @@ class ConfigurationManager
 
     public function isWhiteboardEnabled() : bool {
         $config = $this->GetConfig();
-        if (isset($config['isWhiteboardEnabled']) && $config['isWhiteboardEnabled'] === 1) {
-            return true;
-        } else {
+        if (isset($config['isWhiteboardEnabled']) && $config['isWhiteboardEnabled'] === 0) {
             return false;
+        } else {
+            return true;
         }
     }
 
@@ -366,6 +366,9 @@ class ConfigurationManager
 
             // Check if response is correct
             $ch = curl_init();
+            if ($ch === false) {
+                throw new InvalidSettingConfigurationException('Could not init curl! Please check the logs!');
+            }
             $testUrl = $protocol . $domain . ':443';
             curl_setopt($ch, CURLOPT_URL, $testUrl);
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
@@ -423,6 +426,12 @@ class ConfigurationManager
         return $config['backup-mode'];
     }
 
+    public function SetBackupMode(string $mode) : void {
+        $config = $this->GetConfig();
+        $config['backup-mode'] = $mode;
+        $this->WriteConfig($config);
+    }
+
     public function GetSelectedRestoreTime() : string {
         $config = $this->GetConfig();
         if(!isset($config['selected-restore-time'])) {
@@ -503,11 +512,19 @@ class ConfigurationManager
         }
     }
 
-    public function DeleteBorgBackupLocationVars() : void {
+    public function DeleteBorgBackupLocationItems() : void {
+        // Delete the variables
         $config = $this->GetConfig();
         $config['borg_backup_host_location'] = '';
         $config['borg_remote_repo'] = '';
         $this->WriteConfig($config);
+
+        // Also delete the borg config file to be able to start over
+        if (file_exists(DataConst::GetBackupKeyFile())) {
+            if (unlink(DataConst::GetBackupKeyFile())) {
+                error_log('borg.config file deleted to be able to start over.');
+            }
+        }
     }
 
     /**
@@ -664,15 +681,6 @@ class ConfigurationManager
         return false;
     }
 
-    public function GetBorgBackupMode() : string {
-        $config = $this->GetConfig();
-        if(!isset($config['backup-mode'])) {
-            $config['backup-mode'] = '';
-        }
-
-        return $config['backup-mode'];
-    }
-
     public function GetNextcloudMount() : string {
         $envVariableName = 'NEXTCLOUD_MOUNT';
         $configName = 'nextcloud_mount';

php/src/Docker/DockerActionManager.php

@@ -155,11 +155,11 @@ readonly class DockerActionManager {
         $response = "";
         $separator = "\r\n";
         $line = strtok($responseBody, $separator);
-        $response = substr($line, 8) . $separator;
+        $response = substr((string)$line, 8) . $separator;
 
         while ($line !== false) {
             $line = strtok($separator);
-            $response .= substr($line, 8) . $separator;
+            $response .= substr((string)$line, 8) . $separator;
         }
 
         return $response;
@@ -433,7 +433,8 @@ readonly class DockerActionManager {
 
         // All AIO-managed containers should not be updated externally via watchtower but gracefully by AIO's backup and update feature.
         // Also DIUN should not send update notifications. See https://crazymax.dev/diun/providers/docker/#docker-labels 
-        $requestBody['Labels'] = ["com.centurylinklabs.watchtower.enable" => "false", "diun.enable" => "false", "org.label-schema.vendor" => "Nextcloud"];
+        // Additionally set a default org.label-schema.vendor and com.docker.compose.project
+        $requestBody['Labels'] = ["com.centurylinklabs.watchtower.enable" => "false", "diun.enable" => "false", "org.label-schema.vendor" => "Nextcloud", "com.docker.compose.project" => "nextcloud-aio"];
 
         // Containers should have a fixed host name. See https://github.com/nextcloud/all-in-one/discussions/6589
         $requestBody['Hostname'] = $container->GetIdentifier();
@@ -550,6 +551,7 @@ readonly class DockerActionManager {
             'SELECTED_RESTORE_TIME' => $this->configurationManager->GetSelectedRestoreTime(),
             'RESTORE_EXCLUDE_PREVIEWS' => $this->configurationManager->GetRestoreExcludePreviews(),
             'APACHE_PORT' => $this->configurationManager->GetApachePort(),
+            'APACHE_IP_BINDING' => $this->configurationManager->GetApacheIPBinding(),
             'TALK_PORT' => $this->configurationManager->GetTalkPort(),
             'TURN_DOMAIN' => $this->configurationManager->GetTurnDomain(),
             'NEXTCLOUD_MOUNT' => $this->configurationManager->GetNextcloudMount(),

php/src/Twig/ClassExtension.php

@@ -7,6 +7,7 @@ use Twig\TwigFunction;
 
 class ClassExtension extends TwigExtension
 {
+    #[\Override]
     public function getFunctions() : array
     {
         return array(

php/src/Twig/CsrfExtension.php

@@ -12,6 +12,7 @@ class CsrfExtension extends AbstractExtension implements GlobalsInterface {
     ) {
     }
 
+    #[\Override]
     public function getGlobals() : array
     {
         // CSRF token name and value

php/templates/containers.twig

@@ -17,7 +17,7 @@
 
     <div class="container">
         <main>
-            <h1>Nextcloud AIO v12.1.3</h1>
+            <h1>Nextcloud AIO v12.2.0</h1>
 
             {# Add 2nd tab warning #}
             <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -476,23 +476,6 @@
                                             <input type="submit" value="Create backup" onclick="return confirm('Create backup? Are you sure that you want to create a backup? This will stop all running containers and create the backup.')" />
                                         </form>
 
-                                        {% if has_backup_run_once == false %}
-                                            <h3>Reset backup location</h3>
-                                            <p>
-                                            If the configured backup host location <strong>{{ borg_backup_host_location }}</strong>
-                                            {% if borg_remote_repo %}
-                                                or the remote repo <strong>{{ borg_remote_repo }}</strong>
-                                            {% endif %}
-                                            is wrong, you can reset it by clicking on the button below.
-                                            </p>
-                                            <form method="POST" action="api/configuration" class="xhr">
-                                                <input type="hidden" name="delete_borg_backup_location_vars" value="yes"/>
-                                                <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
-                                                <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                                <input type="submit" value="Reset backup location" />
-                                            </form>
-                                        {% endif %}
-
                                         {% if has_backup_run_once == true %}
                                             <h3>Backup Viewer</h3>
                                             <p>There is now a community container that allows to access your backups in a web session. See <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers/borgbackup-viewer"><strong>this documentation</strong></a>.</p>
@@ -518,6 +501,17 @@
                                                 <input type="submit" value="Restore selected backup" onclick="return confirm('Restore the selected backup? Are you sure that you want to restore the selected backup? This will stop all running containers and restore the selected backup. It is recommended to create a backup first. You might also want to check the backup integrity.')" />
                                             </form>
 
+                                            <h3>Update backup list</h3>
+                                            <details>
+                                                <summary>Click here to reveal this option</summary>
+                                                <p>If you use an external snapshot tool to restore the server that runs AIO, you might run into a problem that the above listed available backups are not up-to-date to restore your server from. You can click the button below to update this list.</p>
+                                                <form method="POST" action="api/docker/backup-list" class="xhr">
+                                                    <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                                    <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                                    <input type="submit" value="Update backup list" />
+                                                </form>
+                                            </details>
+
                                             <h3>Daily backup and automatic updates</h3>
                                             {% if daily_backup_time == "" %}
                                                 <p>By entering a time below and submitting it, you can enable daily backups. It will create them at the entered time in 24h format. E.g. <strong>04:00</strong> will create backups at 4 am UTC and <strong>16:00</strong> at 4 pm UTC. When creating the backup, containers will be stopped and restarted after the backup is complete.</p>
@@ -558,6 +552,21 @@
                                                 <p>This option is currently set. You can disable it again by clearing the field and submitting your changes.</p>
                                             {% endif %}
                                         {% endif %}
+
+                                        <h3>Reset backup location</h3>
+                                        <p>
+                                        If the configured backup host location <strong>{{ borg_backup_host_location }}</strong>
+                                        {% if borg_remote_repo %}
+                                            or the remote repo <strong>{{ borg_remote_repo }}</strong>
+                                        {% endif %}
+                                        is wrong or if you want to reset the backup location due to other reasons, you can do so by clicking on the button below.
+                                        </p>
+                                        <form method="POST" action="api/configuration" class="xhr">
+                                            <input type="hidden" name="delete_borg_backup_location_vars" value="yes"/>
+                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                            <input type="submit" value="Reset backup location" onclick="return confirm('Are you sure that you want to reset the backup location?')" />
+                                        </form>
                                     {% endif %}
                                     {% if has_backup_run_once == true %}
                                         </details>

readme.md

@@ -641,7 +641,7 @@ See [multiple-instances.md](./multiple-instances.md) for some documentation on t
 Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#security for further information. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 
 ### How to switch the channel?
-You can switch to a different channel like e.g. the beta channel or from the beta channel back to the latest channel by stopping the mastercontainer, removing it (no data will be lost) and recreating the container using the same command that you used initially to create the mastercontainer. You simply need to change the last line `ghcr.io/nextcloud-releases/all-in-one:latest` to `ghcr.io/nextcloud-releases/all-in-one:beta` and vice versa.
+You can switch to a different channel like e.g. the beta channel or from the beta channel back to the latest channel by stopping the mastercontainer, removing it (no data will be lost) and recreating the container using the same command that you used initially to create the mastercontainer. You simply need to change the last line `ghcr.io/nextcloud-releases/all-in-one:latest` to `ghcr.io/nextcloud-releases/all-in-one:beta` and vice versa. ⚠️ In some rare occurrences, you might need to run `docker pull ghcr.io/nextcloud-releases/all-in-one:latest` or `docker pull ghcr.io/nextcloud-releases/all-in-one:beta` first before being able to use the image.
 
 ### How to update the containers?
 If we push new containers to `latest`, you will see in the AIO interface below the `containers` section that new container updates were found. In this case, just press `Stop containers` and `Start and update containers` in order to update the containers. The mastercontainer has its own update procedure though. See below. And don't forget to back up the current state of your instance using the built-in backup solution before starting the containers again! Otherwise you won't be able to restore your instance easily if something should break during the update. 
@@ -970,7 +970,7 @@ sudo borg compact
 ```
 
 After doing so, make sure to update the backup archives list in the AIO interface!<br>
-You can do so by clicking on the `Check backup integrity` button or `Create backup` button.
+You can do so by clicking on the `Update backup list` button in the `Update backup list` section inside the `Backup and restore` section.
 
 ---
 

reverse-proxy.md

@@ -36,7 +36,7 @@ Requirements:
 - A public IP address that is reachable from the Internet (it does **not** need to be static, but it must not be behind carrier-grade NAT, which some ISPs use to share IP addresses among multiple customers).
 - Port `443/tcp` on that IP must be available for AIO's exclusive use, and it must be opened/forwarded on your internet-facing firewall/router to the AIO host.[^talkPort]
 
-**If AIO's integrated HTTPS support and internal reverse proxy meet your requirements, you do not need to proceed further. Follow the [standard Nextcloud AIO instructions](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-use-this).**
+**If AIO's integrated HTTPS support and internal reverse proxy meet your requirements, you do not need to proceed further. Follow the [standard Nextcloud AIO instructions](https://github.com/nextcloud/all-in-one#how-to-use-this).**
 
 ### External: Using AIO with an external reverse proxy (e.g., *Caddy, Nginx, Cloudflare Proxy*)
 
@@ -95,7 +95,7 @@ To make your Nextcloud AIO instance accessible from the public Internet (not jus
 | **Tailscale Funnel** | Public Internet | None | Public access through Tailscale |
 
 > [!TIP]
-> Because of how [Cloudflare's Tunnel/Proxy operate](https://github.com/nextcloud/all-in-one/tree/main?tab=readme-ov-file#notes-on-cloudflare-proxytunnel), we recommend using Tailscale with Nextcloud when possible. Tailscale typically offers better performance and fewer trade-offs/limitations for Nextcloud.
+> Because of how [Cloudflare's Tunnel/Proxy operate](https://github.com/nextcloud/all-in-one/tree/main#notes-on-cloudflare-proxytunnel), we recommend using Tailscale with Nextcloud when possible. Tailscale typically offers better performance and fewer trade-offs/limitations for Nextcloud.
 >
 > **For private/personal use**: [Tailscale Serve](https://tailscale.com/kb/1312/serve) is ideal - it keeps your Nextcloud completely private to your tailnet.
 >
@@ -1108,7 +1108,7 @@ Enter your domain in the AIO interface that you've used in the reverse proxy con
 ### 5. Optional: Configure AIO for reverse proxies that connect to nextcloud using an ip-address and not localhost nor 127.0.0.1
 If your reverse proxy connects to nextcloud using an ip-address and not localhost or 127.0.0.1<sup>*</sup> you must make the following configuration changes
 
-<small>*: The IP address it uses to connect to AIO is not in a private IP range such as these: `127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1`</small>
+<small>*: The IP address it uses to connect to AIO is not in a private IP range such as these: `127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,100.64.0.0/10,fd00::/8,::1/128`</small>
 
 #### Nextcloud trusted proxies
 Add the IP it uses connect to AIO to the Nextcloud trusted_proxies like this:
@@ -1120,7 +1120,7 @@ sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:syst
 #### Collabora WOPI allow list
 If your reverse proxy connects to Nextcloud with an IP address that is different from the one for your domain<sup>*</sup> and you are using the Collabora server then you must also add the IP to the WOPI request allow list via `Administration Settings > Administration > Office > Allow list for WOPI requests`.
 
-<small>*: For example, the reverse proxy has a public globally routable IP and connects to your AIO instance via Tailscale with an IP in the `100.64.0.0/10` range, or you are using a Cloudflare tunnel ([cloudflare notes](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#notes-on-cloudflare-proxytunnel): You must add all [Cloudflare IP-Ranges](https://www.cloudflare.com/ips/) to the WOPI allowlist.)</small>
+<small>*: For example, the reverse proxy has a public globally routable IP and connects to your AIO instance via Tailscale with an IP in the `100.64.0.0/10` range, or you are using a Cloudflare tunnel ([cloudflare notes](https://github.com/nextcloud/all-in-one#notes-on-cloudflare-proxytunnel): You must add all [Cloudflare IP-Ranges](https://www.cloudflare.com/ips/) to the WOPI allowlist.)</small>
 
 #### External reverse proxies connecting via VPN (e.g. Tailscale)
 
@@ -1174,7 +1174,7 @@ If you, at some point, want to remove the reverse proxy, here are some general s
     sudo docker rm nextcloud-aio-mastercontainer  
     ```
 3. Remove the software and configuration file that you used for the reverse proxy (see section 1).
-4. Restart the mastercontainer with the [docker run command from the main readme](https://github.com/nextcloud/all-in-one?tab=readme-ov-file#how-to-use-this) but add the two options:
+4. Restart the mastercontainer with the [docker run command from the main readme](https://github.com/nextcloud/all-in-one#how-to-use-this) but add the two options:
    ```
    --env APACHE_IP_BINDING=0.0.0.0 \
    --env APACHE_PORT=443 \