Use WORKDIR instead of cd

To fulfill DL3003

Signed-off-by: Pablo Zmdl <pablo@nextcloud.com>

.github/workflows/collabora.yml

@@ -20,6 +20,7 @@ jobs:
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
+        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: collabora-seccomp-update automated change
         signoff: true
         title: collabora seccomp update

.github/workflows/dependency-updates.yml

@@ -43,9 +43,19 @@ jobs:
             | tail -1
         )"
         sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
+
+        # CADDY_REMOTE_HOST_HASH
+        CADDY_REMOTE_HOST_HASH="$(
+          git ls-remote https://github.com/muety/caddy-remote-host master \
+            | cut -f1 \
+            | tail -1
+        )"
+        sed -i "s|^ARG CADDY_REMOTE_HOST_HASH.*$|ARG CADDY_REMOTE_HOST_HASH=$CADDY_REMOTE_HOST_HASH|" ./Containers/mastercontainer/Dockerfile
+
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
+        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: php dependency updates
         signoff: true
         title: PHP dependency updates

.github/workflows/imaginary-update.yml

@@ -24,6 +24,7 @@ jobs:
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
+        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: imaginary-update automated change
         signoff: true
         title: Imaginary update

.github/workflows/lint-yaml.yml

@@ -36,7 +36,7 @@ jobs:
             line-length: warning
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 
       - name: Check GitHub actions
         run: uvx zizmor --min-severity medium .github/workflows/*.yml

.github/workflows/nextcloud-update.yml

@@ -81,6 +81,7 @@ jobs:
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
+        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: nextcloud-update automated change
         signoff: true
         title: Nextcloud dependency update

.github/workflows/playwright-on-push.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: lts/*
 
@@ -114,7 +114,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/playwright-on-workflow-dispatch.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: lts/*
 
@@ -82,7 +82,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ !cancelled() }}
         with:
           name: playwright-report

.github/workflows/psalm-update-baseline.yml

@@ -18,6 +18,7 @@ jobs:
           php-version: 8.5
           extensions: apcu
           coverage: none
+          ini-file: development
 
       - name: Run script
         run: |
@@ -32,7 +33,7 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
-          token: ${{ secrets.COMMAND_BOT_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update psalm baseline
           committer: GitHub <noreply@github.com>
           author: nextcloud-command <nextcloud-command@users.noreply.github.com>

.github/workflows/psalm.yml

@@ -43,8 +43,7 @@ jobs:
           extensions: apcu
           coverage: none
           ini-file: development
-          # Temporary workaround for missing pcntl_* in PHP 8.3
-          ini-values: disable_functions=
+
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/talk.yml

@@ -47,6 +47,7 @@ jobs:
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
+        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: talk-update automated change
         signoff: true
         title: talk container update

.github/workflows/watchtower-update.yml

@@ -28,6 +28,7 @@ jobs:
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
       with:
+        token: ${{ secrets.GITHUB_TOKEN }}
         commit-message: watchtower-update automated change
         signoff: true
         title: watchtower container update

Containers/apache/Caddyfile

@@ -15,7 +15,7 @@
 }
 
 https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
-http://{$APACHE_HOST}:23973, # For Collabora callback and WOPI requests, see containers.json
+http://{$APACHE_HOST}.nextcloud-aio:23973, # For Collabora callback and WOPI requests, see containers.json
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
     header -Server
     header -X-Powered-By

Containers/apache/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.11.1-alpine AS caddy
+FROM caddy:2.11.2-alpine AS caddy
 
 # From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
 FROM httpd:2.4.66-alpine3.23

Containers/collabora/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/Dockerfile
-FROM collabora/code:25.04.8.3.1
+FROM collabora/code:25.04.9.4.1
 
 USER root
 ARG DEBIAN_FRONTEND=noninteractive

Containers/docker-socket-proxy/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:3.3.4-alpine
+FROM haproxy:3.3.6-alpine
 
 # hadolint ignore=DL3002
 USER root

Containers/fulltextsearch/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.19.11
+FROM elasticsearch:8.19.13
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.0-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go
 
 ENV IMAGINARY_HASH=6a274b488759a896aff02f52afee6e50b5e3a3ee
 

Containers/mastercontainer/Caddyfile

@@ -1,37 +0,0 @@
-{
-    # auto_https will create redirects for https://{host}:8443 instead of https://{host}
-    # https redirects are added manually in the http://:80 block
-    auto_https disable_redirects
-
-    storage file_system {
-        root /mnt/docker-aio-config/caddy/
-    }
-
-    log {
-        level ERROR
-    }
-
-    servers {
-        protocols h1 h2 h2c
-    }
-
-    on_demand_tls {
-        ask http://127.0.0.1:9876/
-    }
-}
-
-http://:80 {
-    redir https://{host}{uri} permanent
-}
-
-https://:8443 {
-
-    reverse_proxy 127.0.0.1:8000
-
-    tls {
-        on_demand
-        issuer acme {
-            disable_tlsalpn_challenge
-        }
-    }
-}

Containers/mastercontainer/Dockerfile

@@ -1,12 +1,17 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:29.2.1-cli AS docker
+FROM docker:29.3.0-cli AS docker
+
+ARG CADDY_REMOTE_HOST_HASH=b21775afa730ffb52a24ddff310c8a6d1fd37276
 
 # Caddy is a requirement
-FROM caddy:2.11.1-alpine AS caddy
+FROM caddy:2.11.2-builder-alpine AS caddy
+RUN set -ex; \
+    xcaddy build --with github.com/muety/caddy-remote-host@"$CADDY_REMOTE_HOST_HASH"; \
+    /usr/bin/caddy list-modules
 
 # From https://github.com/docker-library/php/blob/master/8.5/alpine3.23/fpm/Dockerfile
-FROM php:8.5.3-fpm-alpine3.23
+FROM php:8.5.4-fpm-alpine3.23
 
 EXPOSE 80
 EXPOSE 8080
@@ -21,9 +26,8 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 COPY community-containers /var/www/docker-aio/community-containers
 COPY php /var/www/docker-aio/php
 COPY --chmod=775 Containers/mastercontainer/*.sh /
-COPY --chmod=664 Containers/mastercontainer/Caddyfile /Caddyfile
+COPY --chmod=664 Containers/mastercontainer/*.Caddyfile /
 COPY --chmod=664 Containers/mastercontainer/supervisord.conf /supervisord.conf
-COPY Containers/mastercontainer/mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
 
 WORKDIR /var/www/docker-aio
 
@@ -37,13 +41,8 @@ RUN set -ex; \
     apk add --no-cache \
         util-linux-misc \
         ca-certificates \
-        wget \
         bash \
-        apache2 \
-        apache2-proxy \
-        apache2-ssl \
         supervisor \
-        openssl \
         sudo \
         netcat-openbsd \
         curl \
@@ -67,11 +66,12 @@ RUN set -ex; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
+    grep -q '^listen =' /usr/local/etc/php-fpm.d/docker.conf; \
+    sed -i 's|listen =.*|listen = /run/php.sock|' /usr/local/etc/php-fpm.d/docker.conf; \
+    echo "listen.owner = www-data" | tee -a /usr/local/etc/php-fpm.d/docker.conf; \
     \
     apk add --no-cache git; \
-    wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
+    curl https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
     rm -r ./php/tests; \
@@ -86,42 +86,6 @@ RUN set -ex; \
     rm -r php/data; \
     rm -r php/session; \
     \
-    mkdir -p /etc/apache2/certs; \
-    cd /etc/apache2/certs; \
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
-    \
-    sed -i \
-            -e '/^Listen /d' \
-            -e 's/^LogLevel .*/LogLevel error/' \
-            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
-            -e 's/User apache/User www-data/g' \
-            -e 's/Group apache/Group www-data/g' \
-            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
-        /etc/apache2/httpd.conf; \
-        mkdir -p /etc/apache2/logs; \
-        rm /etc/apache2/conf.d/ssl.conf; \
-        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
-        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
-        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
-        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
-        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
-    \
-    rm -f /etc/apache2/conf.d/default.conf \
-          /etc/apache2/conf.d/userdir.conf \
-          /etc/apache2/conf.d/info.conf; \
-    \
-    rm -rf /var/www/localhost/cgi-bin/; \
     mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 

Containers/mastercontainer/README.md

@@ -12,8 +12,8 @@ The mastercontainer acts as the central orchestration service for the deployment
 of all other containers in the Nextcloud All-in-One stack. It hosts:
 
 - A dedicated PHP SAPI/backend (php-fpm) for AIO itself (not Nextcloud Server)
-- An Apache service for accessing the AIO interface via a self-signed HTTPS VirtualHost on 8080/tcp
-- A Caddy reverse proxy service enabling HTTPS access to the AIO frontend on port 8443/tcp.
+- A Caddy server enabling self-signed HTTPS access to the AIO frontend on port 8080/tcp.
+- A Caddy server enabling trusted HTTPS access to the AIO frontend on port 8443/tcp.
   - Caddy will automatically issue a Let's Encrypt issued certificate if port 80 and 8443
     is open/forwarded and a domain pointer is in place; then, simply open the Nextcloud AIO interface using the
     domain (`https://your-domain-that-points-to-this-server.tld:8443`). The Let's Encrypt certificate request will

Containers/mastercontainer/acme.Caddyfile

@@ -0,0 +1,52 @@
+{
+	admin off
+
+	# auto_https will create redirects for https://{host}:8443 instead of https://{host}
+	# https redirects are added manually in the http://:80 block
+	auto_https disable_redirects
+
+	storage file_system {
+		root /mnt/docker-aio-config/caddy/
+	}
+
+	log {
+		level ERROR
+		# We need to exclude the remote-host plugin from logging as it would spam the logs
+		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
+		exclude http.matchers.remote_host
+	}
+
+	servers {
+		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
+		protocols h1
+	}
+
+	on_demand_tls {
+		ask http://127.0.0.1:9876/
+	}
+
+	skip_install_trust
+}
+
+http://:80 {
+	redir https://{host}{uri} permanent
+}
+
+https://:8443 {
+	@denied {
+		path /api/auth/login /api/auth/getlogin
+		remote_host nextcloud-aio-nextcloud
+	}
+	abort @denied
+
+	root * /var/www/docker-aio/php/public
+	php_fastcgi unix//run/php.sock
+	file_server
+
+	tls {
+		on_demand
+		issuer acme {
+			disable_tlsalpn_challenge
+		}
+	}
+}

Containers/mastercontainer/healthcheck.sh

@@ -2,9 +2,8 @@
 
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
     nc -z 127.0.0.1 80 || exit 1
-    nc -z 127.0.0.1 8000 || exit 1
     nc -z 127.0.0.1 8080 || exit 1
     nc -z 127.0.0.1 8443 || exit 1
-    nc -z 127.0.0.1 9000 || exit 1
+    test -S /run/php.sock || exit 1
     nc -z 127.0.0.1 9876 || exit 1
 fi

Containers/mastercontainer/internal.Caddyfile

@@ -0,0 +1,38 @@
+{
+	admin off
+
+	storage file_system {
+		root /mnt/docker-aio-config/caddy/
+	}
+
+	log {
+		level ERROR
+		# We need to exclude the remote-host plugin from logging as it would spam the logs
+		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
+		exclude http.matchers.remote_host
+	}
+
+	servers {
+		# Only h1 is allowed as we prevent `ERR_NETWORK_CHANGED` from happening
+		protocols h1
+	}
+
+	skip_install_trust
+}
+
+https://:8080 {
+	@denied {
+		path /api/auth/login /api/auth/getlogin
+		remote_host nextcloud-aio-nextcloud
+	}
+	abort @denied
+
+	root * /var/www/docker-aio/php/public
+	php_fastcgi unix//run/php.sock
+	file_server
+
+	tls {
+		on_demand
+		issuer internal
+	}
+}

Containers/mastercontainer/mastercontainer.conf

@@ -1,67 +0,0 @@
-Listen 127.0.0.1:8000
-Listen 8080 https
-
-# Deny access to .ht files
-<Files ".ht*">
-    Require all denied
-</Files>
-
-# Http host
-<VirtualHost 127.0.0.1:8000>
-    ServerName 127.0.0.1
-
-    # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
-    ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
-
-    # PHP match
-    <FilesMatch "\.php$">
-        SetHandler "proxy:fcgi://127.0.0.1:9000"
-    </FilesMatch>
-
-    # Disable output buffering to enable streaming responses.
-    <Proxy "fcgi://127.0.0.1:9000/" flushpackets=on>
-    </Proxy>
-
-    # Master dir
-    DocumentRoot /var/www/docker-aio/php/public/
-    <Directory /var/www/docker-aio/php/public/>
-        RewriteEngine On
-        RewriteCond %{REQUEST_FILENAME} !-f
-        RewriteRule ^ index.php [QSA,L]
-        Options Indexes FollowSymLinks
-        Require all granted
-        AllowOverride All
-        Options FollowSymLinks MultiViews
-        Satisfy Any
-        <IfModule mod_dav.c>
-            Dav off
-        </IfModule>
-    </Directory>
-</VirtualHost>
-
-# Https host
-<VirtualHost *:8080>
-    # Proxy to https
-    ProxyPass / http://127.0.0.1:8000/
-    ProxyPassReverse / http://127.0.0.1:8000/
-    ProxyPreserveHost On
-    # SSL
-    SSLCertificateKeyFile /etc/apache2/certs/ssl.key
-    SSLCertificateFile /etc/apache2/certs/ssl.crt
-    SSLEngine               on
-    SSLProtocol             -all +TLSv1.2 +TLSv1.3
-    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-    SSLHonorCipherOrder     off
-    SSLSessionTickets       off
-</VirtualHost>
-
-# Increase timeout in case e.g. the initial download takes a long time
-Timeout 7200
-ProxyTimeout 7200
-
-# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
-TraceEnable Off

Containers/mastercontainer/start.sh

@@ -364,7 +364,6 @@ fi
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
 mkdir -p /mnt/docker-aio-config/caddy/
-mkdir -p /mnt/docker-aio-config/certs/ 
 
 # Adjust permissions for all instances
 chmod 770 -R /mnt/docker-aio-config
@@ -372,37 +371,6 @@ chmod 777 /mnt/docker-aio-config
 chown www-data:www-data -R /mnt/docker-aio-config/data/
 chown www-data:www-data -R /mnt/docker-aio-config/session/
 chown www-data:www-data -R /mnt/docker-aio-config/caddy/
-chown root:root -R /mnt/docker-aio-config/certs/
-
-# Don't allow access to the AIO interface from the Nextcloud container
-# Probably more cosmetic than anything but at least an attempt
-if ! grep -q '# nextcloud-aio-block' /etc/apache2/httpd.conf; then
-    cat << APACHE_CONF >> /etc/apache2/httpd.conf
-# nextcloud-aio-block-start
-<Location />
-order allow,deny
-deny from nextcloud-aio-nextcloud.nextcloud-aio
-allow from all
-</Location>
-# nextcloud-aio-block-end
-APACHE_CONF
-fi
-
-# Adjust certs
-GENERATED_CERTS="/mnt/docker-aio-config/certs"
-TMP_CERTS="/etc/apache2/certs"
-mkdir -p "$GENERATED_CERTS"
-cd "$GENERATED_CERTS" || exit 1
-if ! [ -f ./ssl.crt ] && ! [ -f ./ssl.key ]; then
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt
-fi
-if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
-    cd "$TMP_CERTS" || exit 1
-    rm ./ssl.crt
-    rm ./ssl.key
-    cp "$GENERATED_CERTS/ssl.crt" ./
-    cp "$GENERATED_CERTS/ssl.key" ./
-fi
 
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
@@ -415,8 +383,11 @@ https://your-domain-that-points-to-this-server.tld:8443"
 # Set the timezone to Etc/UTC
 export TZ=Etc/UTC
 
-# Fix apache startup
-rm -f /var/run/apache2/httpd.pid
+# Remove unused certs
+rm -vrf /mnt/docker-aio-config/certs
+
+# Remove the php socket as safeguard
+rm -vf /run/php.sock
 
 # Fix caddy startup
 if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
@@ -424,7 +395,8 @@ if [ -d "/mnt/docker-aio-config/caddy/locks" ]; then
 fi
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /acme.Caddyfile
+caddy fmt --overwrite /internal.Caddyfile
 
 # Fix caddy log 
 chmod 777 /root

Containers/mastercontainer/supervisord.conf

@@ -16,20 +16,20 @@ stderr_logfile_maxbytes=0
 command=php-fpm
 user=root
 
-[program:apache]
-# Stdout logging is disabled as otherwise the logs are spammed
-stdout_logfile=NONE
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=httpd -DFOREGROUND
-user=root
-
-[program:caddy]
+[program:caddy-internal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /internal.Caddyfile
+user=www-data
+
+[program:caddy-acme]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/usr/bin/caddy run --config /acme.Caddyfile
 user=www-data
 
 [program:cron]

Containers/nextcloud/Dockerfile

@@ -1,4 +1,11 @@
 # syntax=docker/dockerfile:latest
+FROM docker.io/library/golang:alpine AS aio-container-tools-builder
+
+# hadolint ignore=DL3022
+COPY --from=aio-container-tools . /tmp/aio-container-tools/
+WORKDIR /tmp/aio-container-tools
+RUN go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
+
 FROM php:8.3.30-fpm-alpine3.23
 
 ENV PHP_MEMORY_LIMIT=512M
@@ -17,6 +24,7 @@ COPY --chmod=775 Containers/nextcloud/*.sh /
 COPY --chmod=774 Containers/nextcloud/upgrade.exclude /upgrade.exclude
 COPY Containers/nextcloud/config/*.php /
 COPY Containers/nextcloud/supervisord.conf /supervisord.conf
+COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/aio-pg-healthcheck
 
 # AIO cloning start # Do not remove or change this line!
 COPY app /usr/src/nextcloud/apps/nextcloud-aio
@@ -226,7 +234,6 @@ RUN set -ex; \
         openssl \
         gnupg \
         git \
-        postgresql-client \
         tzdata \
         sudo \
         grep \

Containers/nextcloud/config/redis.config.php

@@ -24,6 +24,10 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
   if (getenv('REDIS_USER_AUTH')) {
     $CONFIG['redis']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
+
+  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
+    $CONFIG['redis']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
+  }
 } else {
   $CONFIG = array(
     'memcache.distributed' => '\OC\Memcache\Redis',
@@ -53,4 +57,8 @@ if (getenv('REDIS_MODE') !== 'rediscluster') {
   if (getenv('REDIS_USER_AUTH')) {
     $CONFIG['redis.cluster']['user'] = str_replace("&auth[]=", "", getenv('REDIS_USER_AUTH'));
   }
+
+  if (getenv('NEXTCLOUD_TRUSTED_CERTIFICATES_REDIS')) {
+    $CONFIG['redis.cluster']['ssl_context']['cafile'] = '/var/www/html/data/certificates/ca-bundle.crt';
+  }
 }

Containers/nextcloud/start.sh

@@ -25,7 +25,7 @@ fi
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
     sleep 2
-    while ! sudo -E -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -E -u www-data /usr/local/bin/aio-pg-healthcheck; do
         echo "Waiting for the database to start..."
         sleep 5
     done

Containers/nextcloud/upgrade.exclude

@@ -3,3 +3,4 @@
 /custom_apps/
 /themes/
 /version.php
+/lost+found

Containers/onlyoffice/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:9.3.0.1
+FROM onlyoffice/documentserver:9.3.1.2
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -1,8 +1,18 @@
 # syntax=docker/dockerfile:latest
+FROM docker.io/library/golang:alpine AS aio-container-tools-builder
+
+# hadolint ignore=DL3022
+COPY --from=aio-container-tools . /tmp/aio-container-tools/
+WORKDIR /tmp/aio-container-tools
+RUN go build -o /usr/local/bin/aio-pg-init ./cmd/aio-pg-init \
+ && go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
+
 # From https://github.com/docker-library/postgres/blob/master/17/alpine3.23/Dockerfile
-FROM postgres:17.8-alpine
+FROM postgres:17.9-alpine
 
 COPY --chmod=775 start.sh /start.sh
+COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-init /usr/local/bin/aio-pg-init
+COPY --from=aio-container-tools-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/aio-pg-healthcheck
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
 

Containers/postgresql/healthcheck.sh

@@ -2,6 +2,4 @@
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()" && exit 0
-
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1
+POSTGRES_PORT=11000 /usr/local/bin/aio-pg-healthcheck debug || exec /usr/local/bin/aio-pg-healthcheck

Containers/postgresql/init-user-db.sh

@@ -3,12 +3,7 @@ set -ex
 
 touch "$DUMP_DIR/initialization.failed"
 
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-	CREATE USER "oc_$POSTGRES_USER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
-	ALTER DATABASE "$POSTGRES_DB" OWNER TO "oc_$POSTGRES_USER";
-	GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "oc_$POSTGRES_USER";
-	GRANT ALL PRIVILEGES ON SCHEMA public TO "oc_$POSTGRES_USER";
-EOSQL
+POSTGRES_DB_OWNER="oc_$POSTGRES_USER" /usr/local/bin/aio-pg-init
 
 rm "$DUMP_DIR/initialization.failed"
 

Containers/postgresql/start.sh

@@ -4,6 +4,7 @@
 DATADIR="/var/lib/postgresql/data"
 export DUMP_DIR="/mnt/data"
 DUMP_FILE="$DUMP_DIR/database-dump.sql"
+# TODO: Do we need this? It's not used anywhere visible
 export PGPASSWORD="$POSTGRES_PASSWORD"
 
 # Don't start database as long as backup is running
@@ -85,7 +86,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     exec docker-entrypoint.sh postgres &
 
     # Wait for creation
-    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
+    while ! env POSTGRES_PORT=11000 POSTGRES_USER="oc_$POSTGRES_USER" /usr/local/bin/aio-pg-healthcheck; do
         echo "Waiting for the database to start."
         sleep 5
     done
@@ -107,12 +108,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
         exit 1
     elif [ "$DB_OWNER" != "oc_$POSTGRES_USER" ]; then
         DIFFERENT_DB_OWNER=1
-        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-            CREATE USER "$DB_OWNER" WITH PASSWORD '$POSTGRES_PASSWORD' CREATEDB;
-            ALTER DATABASE "$POSTGRES_DB" OWNER TO "$DB_OWNER";
-            GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$DB_OWNER";
-            GRANT ALL PRIVILEGES ON SCHEMA public TO "$DB_OWNER";
-EOSQL
+        POSTGRES_DB_OWNER="$DB_OWNER" /usr/local/bin/aio-pg-init
     fi
 
     # Restore database

Containers/talk-recording/Dockerfile

@@ -20,6 +20,9 @@ RUN set -ex; \
         xvfb \
         ffmpeg \
         firefox \
+        font-noto-all \
+        font-noto-cjk \
+        font-noto-cjk-extra \
         bind-tools \
         netcat-openbsd \
         git \

Containers/talk/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.12.4-scratch AS nats
+FROM nats:2.12.5-scratch AS nats
 FROM eturnal/eturnal:1.12.2-alpine AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:2.1.0 AS signaling
+FROM strukturag/nextcloud-spreed-signaling:2.1.1 AS signaling
 FROM alpine:3.23.3 AS janus
 
 ARG JANUS_VERSION=v1.4.0
@@ -70,7 +70,8 @@ RUN set -ex; \
         libwebsockets \
         \
         shadow \
-        grep; \
+        grep \
+        util-linux-misc; \
     useradd --system -u 1000 eturnal; \
     apk del --no-cache \
         shadow; \

Containers/talk/start.sh

@@ -18,6 +18,22 @@ elif [ -z "$INTERNAL_SECRET" ]; then
     exit 1
 fi
 
+# Trust additional CA certificates, if the user provided NEXTCLOUD_TRUSTED_CACERTS_DIR
+# The container is read-only, so we build a custom bundle in /tmp (tmpfs) and
+# point Go's TLS stack to it via SSL_CERT_FILE.
+if mountpoint -q /usr/local/share/ca-certificates; then
+    echo "Trusting additional CA certificates..."
+    set -x
+    cp /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
+    for cert in /usr/local/share/ca-certificates/*; do
+        if [ -f "$cert" ]; then
+            cat "$cert" >> /tmp/ca-certificates.crt
+        fi
+    done
+    export SSL_CERT_FILE=/tmp/ca-certificates.crt
+    set +x
+fi
+
 set -x
 IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
 # shellcheck disable=SC2153

Containers/watchtower/Dockerfile

@@ -1,13 +1,13 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.26.0-alpine3.23 AS go
+FROM golang:1.26.1-alpine3.23 AS go
 
-ENV WATCHTOWER_COMMIT_HASH=943098a670cb78a620af6499fb94b3ee2c940cf0	
+ENV WATCHTOWER_COMMIT_HASH=5a33e3c0aa3b2770c648a114b4a9d32e0a5b55ba	
 
 RUN set -ex; \
     apk upgrade --no-cache -a; \
     apk add --no-cache \
         build-base; \
-    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.2
+    go install github.com/nicholas-fedor/watchtower@$WATCHTOWER_COMMIT_HASH # v1.14.4
 
 FROM alpine:3.23.3
 

Containers/whiteboard/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/nextcloud/whiteboard/blob/main/Dockerfile
-FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.6
+FROM ghcr.io/nextcloud-releases/whiteboard:v1.5.7
 
 USER root
 RUN set -ex; \

aio-container-tools/README.md

@@ -0,0 +1,42 @@
+# aio-container-tools
+
+Standalone tools for Nextcloud AIO containers, for tasks that shouldn't be executed in a shell environment
+(e.g. due to string handling issues).
+
+Golang was chosen because it doesn't require additional runtimes in the containers, and has a pretty easy
+syntax that is comprehensible even for people without much experience with the language.
+
+The tools should be built in the container image build process, so they are built for the correct target
+platform in multi-arch builds. See below for an example.
+
+## Build process
+
+To include the binary of `aio-pg-healhcheck` into your container image, include such a snippet into your Containerfile:
+
+```dockerfile
+FROM docker.io/library/golang:alpine AS golang-builder
+
+# hadolint ignore=DL3022
+COPY --from=aio-container-tools . /tmp/aio-container-tools/
+RUN cd /tmp/aio-container-tools \
+ && go build -o /usr/local/bin/aio-pg-healthcheck ./cmd/aio-pg-healthcheck
+
+FROM your-base-image
+COPY --from=golang-builder /usr/local/bin/aio-pg-healthcheck /usr/local/bin/
+```
+
+To build it you now have to pass the aio-container-tools directory as additional, named build-context like this:
+
+```bash
+docker build \
+  --build-context aio-container-tools=/path/to/all-in-one/aio-container-tools \
+  .
+```
+
+#### Remote git variant (without local clone of this repo)
+
+```bash
+docker build \
+  --build-context aio-container-tools="https://github.com/nextcloud-releases/all-in-one.git#main:aio-container-tools" \
+  .
+```

aio-container-tools/cmd/aio-pg-healthcheck/main.go

@@ -0,0 +1,92 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"os"
+	"strconv"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/nextcloud/aio-container-tools/internal/util"
+)
+
+// tryConnect opens a TCP connection to the given database host:port and runs SELECT 1.
+// Returns nil on success, an error otherwise.
+func tryConnect(ctx context.Context, host string, port uint16, user, password, database string) error {
+	util.Debugf("attempting connection: host=%s port=%d user=%s database=%s", host, port, user, database)
+
+	cfg, err := pgx.ParseConfig("")
+	if err != nil {
+		return err
+	}
+	cfg.Host = host
+	cfg.Port = port
+	cfg.User = user
+	cfg.Password = password
+	cfg.Database = database
+
+	conn, err := pgx.ConnectConfig(ctx, cfg)
+	if err != nil {
+		util.Debugf("connection failed: %v", err)
+		return err
+	}
+	defer conn.Close(ctx)
+
+	util.Debugf("connection established, running SELECT 1")
+	var result string
+	if err := conn.QueryRow(ctx, "SELECT 1").Scan(&result); err != nil {
+		util.Debugf("SELECT 1 failed: %v", err)
+		return err
+	}
+	util.Debugf("SELECT 1 returned %q", result)
+	return nil
+}
+
+// envOrDefault returns the value of the named environment variable,
+// or the provided default if the variable is unset or empty.
+func envOrDefault(key, defaultVal string) string {
+	if v := os.Getenv(key); v != "" {
+		util.Debugf("env %s = %q", key, v)
+		return v
+	}
+	util.Debugf("env %s not set, using default %q", key, defaultVal)
+	return defaultVal
+}
+
+func main() {
+	debug := flag.Bool("debug", false, "enable debug output")
+	flag.Parse()
+	util.SetDebug(*debug)
+
+	util.Debugf("reading required environment variables")
+	pgUser := util.RequireEnv("POSTGRES_USER")
+	pgPassword := util.RequireEnv("POSTGRES_PASSWORD")
+	pgDB := util.RequireEnv("POSTGRES_DB")
+
+	ctx := context.Background()
+
+	pgHost := envOrDefault("POSTGRES_HOST", "127.0.0.1")
+
+	var pgPort uint16 = 5432
+	if portStr := os.Getenv("POSTGRES_PORT"); portStr != "" {
+		util.Debugf("env POSTGRES_PORT = %q", portStr)
+		p, err := strconv.ParseUint(portStr, 10, 16)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "invalid POSTGRES_PORT %q: %v\n", portStr, err)
+			os.Exit(1)
+		}
+		pgPort = uint16(p)
+	} else {
+		util.Debugf("env POSTGRES_PORT not set, using default port %d", pgPort)
+	}
+
+	util.Debugf("connecting to: host=%s port=%d user=%s", pgHost, pgPort, pgUser)
+	if err := tryConnect(ctx, pgHost, pgPort, pgUser, pgPassword, pgDB); err == nil {
+		util.Debugf("connection succeeded, exiting 0")
+		os.Exit(0)
+	}
+
+	util.Debugf("connection failed, exiting 1")
+	os.Exit(1)
+}

aio-container-tools/cmd/aio-pg-init/main.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"strings"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/nextcloud/aio-container-tools/internal/util"
+)
+
+// quoteLiteral safely quotes a string as a PostgreSQL string literal.
+// Single quotes are escaped by doubling them. This is safe with
+// standard_conforming_strings=on (default since PostgreSQL 9.1).
+func quoteLiteral(s string) string {
+	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
+}
+
+// main reimplements init-user-db.sh:
+//   - Creates $POSTGRES_DB_OWNER (falling back to $POSTGRES_USER) with $POSTGRES_PASSWORD and CREATEDB
+//   - Transfers ownership of $POSTGRES_DB to that user
+//   - Grants all privileges on the database and public schema
+//   - Connects using $POSTGRES_USER in all cases
+func main() {
+	debug := flag.Bool("debug", false, "enable debug output")
+	flag.Parse()
+	util.SetDebug(*debug)
+
+	util.Debugf("reading required environment variables")
+	pgUser := util.RequireEnv("POSTGRES_USER")
+	pgPassword := util.RequireEnv("POSTGRES_PASSWORD")
+	pgDB := util.RequireEnv("POSTGRES_DB")
+	pgDBOwner := util.OptionalEnv("POSTGRES_DB_OWNER", pgUser)
+
+	util.Debugf("building connection config: host=/var/run/postgresql port=5432 user=%s database=%s", pgUser, pgDB)
+	cfg, err := pgx.ParseConfig("")
+	if err != nil {
+		util.ErrorOut(fmt.Errorf("building connection config: %w", err))
+	}
+	cfg.Host = "/var/run/postgresql"
+	cfg.Port = 5432
+	cfg.User = pgUser
+	cfg.Password = pgPassword
+	cfg.Database = pgDB
+
+	ctx := context.Background()
+	util.Debugf("connecting to postgres via unix socket")
+	conn, err := pgx.ConnectConfig(ctx, cfg)
+	if err != nil {
+		util.ErrorOut(fmt.Errorf("connecting to postgres: %w", err))
+	}
+	defer conn.Close(ctx)
+	util.Debugf("connected successfully")
+
+	dbOwner := pgDBOwner
+	util.Debugf("dbOwner = %q (from POSTGRES_DB_OWNER=%q, POSTGRES_USER=%q)", dbOwner, pgDBOwner, pgUser)
+	// pgx.Identifier.Sanitize() double-quotes and escapes the identifier safely.
+	dbOwnerIdent := pgx.Identifier{dbOwner}.Sanitize()
+	dbIdent := pgx.Identifier{pgDB}.Sanitize()
+	util.Debugf("quoted dbOwnerIdent = %s, dbIdent = %s", dbOwnerIdent, dbIdent)
+
+	statements := []string{
+		fmt.Sprintf("CREATE USER %s WITH PASSWORD %s CREATEDB", dbOwnerIdent, quoteLiteral(pgPassword)),
+		fmt.Sprintf("ALTER DATABASE %s OWNER TO %s", dbIdent, dbOwnerIdent),
+		fmt.Sprintf("GRANT ALL PRIVILEGES ON DATABASE %s TO %s", dbIdent, dbOwnerIdent),
+		fmt.Sprintf("GRANT ALL PRIVILEGES ON SCHEMA public TO %s", dbOwnerIdent),
+	}
+
+	for i, stmt := range statements {
+		util.Debugf("executing statement %d/%d: %s", i+1, len(statements), stmt)
+		if _, err := conn.Exec(ctx, stmt); err != nil {
+			util.ErrorOut(fmt.Errorf("executing statement: %w", err))
+		}
+		util.Debugf("statement %d/%d succeeded", i+1, len(statements))
+	}
+	util.Debugf("all statements executed successfully")
+}

aio-container-tools/go.mod

@@ -0,0 +1,10 @@
+module github.com/nextcloud/aio-container-tools
+
+go 1.25.1
+
+require (
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.8.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+)

aio-container-tools/go.sum

@@ -0,0 +1,15 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
+github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

aio-container-tools/internal/util/util.go

@@ -0,0 +1,49 @@
+package util
+
+import (
+	"fmt"
+	"log"
+	"os"
+)
+
+var debugEnabled bool
+
+// SetDebug enables or disables debug output.
+func SetDebug(enabled bool) {
+	debugEnabled = enabled
+}
+
+// Debugf prints a formatted debug message to stdout when debug mode is enabled.
+func Debugf(format string, args ...any) {
+	if debugEnabled {
+		fmt.Printf("[debug] "+format+"\n", args...)
+	}
+}
+
+// RequireEnv returns the value of the named environment variable.
+// It writes an error to stderr and exits with code 1 if the variable is unset or empty.
+func RequireEnv(key string) string {
+	v := os.Getenv(key)
+	if v == "" {
+		fmt.Fprintf(os.Stderr, "required environment variable %q is not set\n", key)
+		os.Exit(1)
+	}
+	Debugf("env %s = %q", key, v)
+	return v
+}
+
+// OptionalEnv returns the value of the named environment variable, or fallback if it is unset or empty.
+func OptionalEnv(key, fallback string) string {
+	v := os.Getenv(key)
+	if v == "" {
+		Debugf("env %s unset, using fallback %q", key, fallback)
+		return fallback
+	}
+	Debugf("env %s = %q", key, v)
+	return v
+}
+
+// ErrorOut logs the error with a standard prefix and exits with code 1.
+func ErrorOut(err error) {
+	log.Fatalf("error: %v", err)
+}

community-containers/glances/glances.json

@@ -0,0 +1,38 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-glances",
+            "display_name": "Glances",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/glances",
+            "image": "nicolargo/glances",
+            "image_tag": "latest-full",
+            "internal_port": "61208",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "61208",
+                  "protocol": "tcp"
+                }
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_glances",
+                    "destination": "/etc/glances",
+                    "writeable": true
+                },
+                {
+                    "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
+                    "destination": "/var/run/docker.sock",
+                    "writeable": false
+                }
+            ],
+            "environment": [
+                "GLANCES_OPT=-w"
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_glances"
+            ]
+        }
+    ]
+}

community-containers/glances/readme.md

@@ -0,0 +1,18 @@
+## Glances
+This container starts Glances, a web-based info-board, and auto-configures it for you.
+
+> [!CAUTION]
+> This container mounts the docker-socket from the host-system.
+
+### Notes
+- After adding and starting the container, you can directly visit http://ip.address.of.server:61208/ and access your new Glances instance!
+- It is recommended to start this container only in home networks, because there is no built-in authentication. But you can do a http-auth with your proxy.
+- In order to access your Glances outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md).
+- The data of Glances will be automatically included in AIO's backup solution!
+- See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.
+
+### Repository
+https://github.com/nicolargo/glances
+
+### Maintainer
+https://github.com/pi-farm

community-containers/jellyseerr/readme.md

@@ -2,6 +2,7 @@
 This container bundles Seerr and auto-configures it for you.
 
 ### Notes
+- **Migration from Jellyseerr**: Jellyseer previously ran as the root user. With the migration to Seerr, the container now runs rootless with userid 1000, meaning that if you previously used Jellyseerr, Seerr will not be able to access the config files generated by the old Jellyseerr container. To migrate, execute the following steps: 1. stop all containers using the AIO-interface, 2. run `sudo docker run --rm -v nextcloud_aio_jellyseerr:/data alpine chown -R 1000:1000 /data`
 - This container is only intended to be used inside home networks as it uses http for its management page by default.
 - After adding and starting the container, you can directly visit `http://ip.address.of.server:5055` and access your new Seerr instance, which can be used to manage Plex, Jellyfin, and Emby.
 - In order to access your Seerr outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Seerr's reverse proxy documentation.](https://docs.seerr.dev/extending-Seerr/reverse-proxy), OR use the Caddy community container that will automatically configure requests.$NC_DOMAIN to redirect to your Seerr. Note that it is recommended to [enable CSRF protection in Seerr](https://docs.seerr.dev/using-Seerr/settings/general#enable-csrf-protection) for added security if you plan to use Seerr outside the local network, but make sure to read up on it and understand the caveats first.

community-containers/languagetool/readme.md

@@ -1,9 +1,9 @@
-## LanguageTool for Collabora
-This container bundles a LanguageTool for Collabora which adds spell checking functionality to Collabora.
+## LanguageTool for Nextcloud Office
+This container bundles a LanguageTool for Nextcloud Office which adds spell checking functionality to Nextcloud Office.
 
 ### Notes
-- Make sure to have collabora enabled via the AIO interface
-- After adding this container via the AIO Interface, while all containers are still stopped, you need to scroll down to the `Additional Collabora options` section and enter `--o:languagetool.enabled=true --o:languagetool.base_url=http://nextcloud-aio-languagetool:8010/v2`.
+- Make sure to have Nextcloud Office enabled via the AIO interface
+- After adding this container via the AIO Interface, while all containers are still stopped, you need to scroll down to the `Additional Nextcloud Office options` section and enter `--o:languagetool.enabled=true --o:languagetool.base_url=http://nextcloud-aio-languagetool:8010/v2`.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

compose.yaml

@@ -11,9 +11,9 @@ services:
     network_mode: bridge # This adds the container to the same network as docker run would do. Comment this line and uncomment the line below and the networks section at the end of the file if you want to define a custom MTU size for the docker network
     # networks: ["nextcloud-aio"]
     ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      - 8080:8080 # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - "80:80" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - "8080:8080" # This is the AIO interface, served via https and self-signed certificate. See https://github.com/nextcloud/all-in-one#explanation-of-used-ports
+      - "8443:8443" # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
     # security_opt: ["label:disable"] # Is needed when using SELinux. See https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled
     # environment: # Is needed when using any of the options below
       # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section

manual-install/latest.yml

@@ -45,6 +45,7 @@ services:
       - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
       - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
       - WHITEBOARD_HOST=nextcloud-aio-whiteboard
+      - HARP_HOST=nextcloud-aio-harp
     volumes:
       - nextcloud_aio_nextcloud:/var/www/html:ro
       - nextcloud_aio_apache:/mnt/data:rw
@@ -202,19 +203,10 @@ services:
     expose:
       - "7867"
     volumes:
-      - nextcloud_aio_nextcloud:/nextcloud:ro
+      - nextcloud_aio_nextcloud:/var/www/html:ro
     environment:
-      - NC_DOMAIN
       - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
       - TZ=${TIMEZONE}
-      - REDIS_HOST=nextcloud-aio-redis
-      - REDIS_PORT=6379
-      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - POSTGRES_HOST=nextcloud-aio-database
-      - POSTGRES_PORT=5432
-      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
-      - POSTGRES_DB=nextcloud_database
-      - POSTGRES_USER=nextcloud
     restart: unless-stopped
     read_only: true
     cap_drop:

multiple-instances.md

@@ -180,6 +180,7 @@ apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvi
     # Virtual machine #1 - "example1-com"
     https://[DOMAIN_NAME_1]:8443 {
         reverse_proxy https://[IP_ADDRESS_1]:8080 {
+            header_up Host {host}
             transport http {
                 tls_insecure_skip_verify
             }
@@ -192,6 +193,7 @@ apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvi
     # Virtual machine #2 - "example2-com"
     https://[DOMAIN_NAME_2]:8443 {
         reverse_proxy https://[IP_ADDRESS_2]:8080 {
+            header_up Host {host}
             transport http {
                 tls_insecure_skip_verify
             }

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 12.7.0
+version: 12.8.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -63,7 +63,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: WHITEBOARD_HOST
               value: nextcloud-aio-whiteboard
-          image: ghcr.io/nextcloud-releases/aio-apache:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-apache:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -36,7 +36,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
           command:
             - mkdir
             - "-p"
@@ -59,7 +59,7 @@ spec:
               value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-clamav:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-clamav:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -36,9 +36,9 @@ spec:
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
           {{- if contains "--o:support_key=" (join " " (.Values.ADDITIONAL_COLLABORA_OPTIONS | default list)) }}
-          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-collabora-online:20260306_081319
           {{- else }}
-          image: ghcr.io/nextcloud-releases/aio-collabora:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-collabora:20260306_081319
           {{- end }}
           readinessProbe:
             exec:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -35,7 +35,7 @@ spec:
         {{- end }}
       initContainers:
         - name: init-subpath
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
           command:
             - mkdir
             - "-p"
@@ -64,7 +64,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-postgresql:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-postgresql:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
           command:
             - chmod
             - "777"
@@ -54,7 +54,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-fulltextsearch:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.IMAGINARY_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-imaginary:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-imaginary:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -38,7 +38,7 @@ spec:
 # AIO settings start # Do not remove or change this line!
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
           command:
             - chmod
             - "777"
@@ -190,7 +190,7 @@ spec:
               value: "{{ .Values.WHITEBOARD_ENABLED }}"
             - name: WHITEBOARD_SECRET
               value: "{{ .Values.WHITEBOARD_SECRET }}"
-          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-nextcloud:20260306_081319
           {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }} # AIO-config - do not change this comment!
           securityContext:
             # The items below only work in container context

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: nextcloud-aio-nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-notify-push:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-notify-push:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       initContainers:
         - name: init-volumes
-          image: ghcr.io/nextcloud-releases/aio-alpine:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-alpine:20260306_081319
           command:
             - chmod
             - "777"
@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-onlyoffice:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -39,7 +39,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-redis:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-redis:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -52,7 +52,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-talk:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -44,7 +44,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-talk-recording:20260306_081319
           readinessProbe:
             exec:
               command:

nextcloud-aio-helm-chart/templates/nextcloud-aio-whiteboard-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               value: redis
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260218_123804
+          image: ghcr.io/nextcloud-releases/aio-whiteboard:20260306_081319
           readinessProbe:
             exec:
               command:

php/composer.lock

@@ -273,16 +273,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.8.0",
+            "version": "2.9.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "21dc724a0583619cd1652f673303492272778051"
+                "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/21dc724a0583619cd1652f673303492272778051",
-                "reference": "21dc724a0583619cd1652f673303492272778051",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/7d0ed42f28e42d61352a7a79de682e5e67fec884",
+                "reference": "7d0ed42f28e42d61352a7a79de682e5e67fec884",
                 "shasum": ""
             },
             "require": {
@@ -298,6 +298,7 @@
             "require-dev": {
                 "bamarni/composer-bin-plugin": "^1.8.2",
                 "http-interop/http-factory-tests": "0.9.0",
+                "jshttp/mime-db": "1.54.0.1",
                 "phpunit/phpunit": "^8.5.44 || ^9.6.25"
             },
             "suggest": {
@@ -369,7 +370,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.8.0"
+                "source": "https://github.com/guzzle/psr7/tree/2.9.0"
             },
             "funding": [
                 {
@@ -385,7 +386,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-08-23T21:21:41+00:00"
+            "time": "2026-03-10T16:41:02+00:00"
         },
         {
             "name": "http-interop/http-factory-guzzle",
@@ -1779,16 +1780,16 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.23.0",
+            "version": "v3.24.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9"
+                "reference": "a6769aefb305efef849dc25c9fd1653358c148f0"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9",
-                "reference": "a64dc5d2cc7d6cafb9347f6cd802d0d06d0351c9",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/a6769aefb305efef849dc25c9fd1653358c148f0",
+                "reference": "a6769aefb305efef849dc25c9fd1653358c148f0",
                 "shasum": ""
             },
             "require": {
@@ -1798,7 +1799,8 @@
                 "symfony/polyfill-mbstring": "^1.3"
             },
             "require-dev": {
-                "phpstan/phpstan": "^2.0",
+                "php-cs-fixer/shim": "^3.0@stable",
+                "phpstan/phpstan": "^2.0@stable",
                 "psr/container": "^1.0|^2.0",
                 "symfony/phpunit-bridge": "^5.4.9|^6.4|^7.0"
             },
@@ -1842,7 +1844,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.23.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.24.0"
             },
             "funding": [
                 {
@@ -1854,7 +1856,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-23T21:00:41+00:00"
+            "time": "2026-03-17T21:31:11+00:00"
         }
     ],
     "packages-dev": [
@@ -3246,20 +3248,20 @@
         },
         {
             "name": "league/uri",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri.git",
-                "reference": "4436c6ec8d458e4244448b069cc572d088230b76"
+                "reference": "08cf38e3924d4f56238125547b5720496fac8fd4"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri/zipball/4436c6ec8d458e4244448b069cc572d088230b76",
-                "reference": "4436c6ec8d458e4244448b069cc572d088230b76",
+                "url": "https://api.github.com/repos/thephpleague/uri/zipball/08cf38e3924d4f56238125547b5720496fac8fd4",
+                "reference": "08cf38e3924d4f56238125547b5720496fac8fd4",
                 "shasum": ""
             },
             "require": {
-                "league/uri-interfaces": "^7.8",
+                "league/uri-interfaces": "^7.8.1",
                 "php": "^8.1",
                 "psr/http-factory": "^1"
             },
@@ -3332,7 +3334,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri/tree/7.8.1"
             },
             "funding": [
                 {
@@ -3340,20 +3342,20 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-14T17:24:56+00:00"
+            "time": "2026-03-15T20:22:25+00:00"
         },
         {
             "name": "league/uri-interfaces",
-            "version": "7.8.0",
+            "version": "7.8.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/thephpleague/uri-interfaces.git",
-                "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4"
+                "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/c5c5cd056110fc8afaba29fa6b72a43ced42acd4",
-                "reference": "c5c5cd056110fc8afaba29fa6b72a43ced42acd4",
+                "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/85d5c77c5d6d3af6c54db4a78246364908f3c928",
+                "reference": "85d5c77c5d6d3af6c54db4a78246364908f3c928",
                 "shasum": ""
             },
             "require": {
@@ -3416,7 +3418,7 @@
                 "docs": "https://uri.thephpleague.com",
                 "forum": "https://thephpleague.slack.com",
                 "issues": "https://github.com/thephpleague/uri-src/issues",
-                "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.0"
+                "source": "https://github.com/thephpleague/uri-interfaces/tree/7.8.1"
             },
             "funding": [
                 {
@@ -3424,7 +3426,7 @@
                     "type": "github"
                 }
             ],
-            "time": "2026-01-15T06:54:53+00:00"
+            "time": "2026-03-08T20:05:35+00:00"
         },
         {
             "name": "netresearch/jsonmapper",
@@ -3590,16 +3592,16 @@
         },
         {
             "name": "phpdocumentor/reflection-docblock",
-            "version": "6.0.1",
+            "version": "6.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git",
-                "reference": "2f5cbed597cb261d1ea458f3da3a9ad32e670b1e"
+                "reference": "7bae67520aa9f5ecc506d646810bd40d9da54582"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/2f5cbed597cb261d1ea458f3da3a9ad32e670b1e",
-                "reference": "2f5cbed597cb261d1ea458f3da3a9ad32e670b1e",
+                "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/7bae67520aa9f5ecc506d646810bd40d9da54582",
+                "reference": "7bae67520aa9f5ecc506d646810bd40d9da54582",
                 "shasum": ""
             },
             "require": {
@@ -3649,9 +3651,9 @@
             "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.",
             "support": {
                 "issues": "https://github.com/phpDocumentor/ReflectionDocBlock/issues",
-                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/6.0.1"
+                "source": "https://github.com/phpDocumentor/ReflectionDocBlock/tree/6.0.3"
             },
-            "time": "2026-01-20T15:30:42+00:00"
+            "time": "2026-03-18T20:49:53+00:00"
         },
         {
             "name": "phpdocumentor/type-resolver",
@@ -4037,16 +4039,16 @@
         },
         {
             "name": "symfony/console",
-            "version": "v6.4.32",
+            "version": "v6.4.35",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/console.git",
-                "reference": "0bc2199c6c1f05276b05956f1ddc63f6d7eb5fc3"
+                "reference": "49257c96304c508223815ee965c251e7c79e614e"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/console/zipball/0bc2199c6c1f05276b05956f1ddc63f6d7eb5fc3",
-                "reference": "0bc2199c6c1f05276b05956f1ddc63f6d7eb5fc3",
+                "url": "https://api.github.com/repos/symfony/console/zipball/49257c96304c508223815ee965c251e7c79e614e",
+                "reference": "49257c96304c508223815ee965c251e7c79e614e",
                 "shasum": ""
             },
             "require": {
@@ -4111,7 +4113,7 @@
                 "terminal"
             ],
             "support": {
-                "source": "https://github.com/symfony/console/tree/v6.4.32"
+                "source": "https://github.com/symfony/console/tree/v6.4.35"
             },
             "funding": [
                 {
@@ -4131,20 +4133,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-13T08:45:59+00:00"
+            "time": "2026-03-06T13:31:08+00:00"
         },
         {
             "name": "symfony/filesystem",
-            "version": "v8.0.1",
+            "version": "v8.0.6",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/filesystem.git",
-                "reference": "d937d400b980523dc9ee946bb69972b5e619058d"
+                "reference": "7bf9162d7a0dff98d079b72948508fa48018a770"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/filesystem/zipball/d937d400b980523dc9ee946bb69972b5e619058d",
-                "reference": "d937d400b980523dc9ee946bb69972b5e619058d",
+                "url": "https://api.github.com/repos/symfony/filesystem/zipball/7bf9162d7a0dff98d079b72948508fa48018a770",
+                "reference": "7bf9162d7a0dff98d079b72948508fa48018a770",
                 "shasum": ""
             },
             "require": {
@@ -4181,7 +4183,7 @@
             "description": "Provides basic utilities for the filesystem",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/filesystem/tree/v8.0.1"
+                "source": "https://github.com/symfony/filesystem/tree/v8.0.6"
             },
             "funding": [
                 {
@@ -4201,20 +4203,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2025-12-01T09:13:36+00:00"
+            "time": "2026-02-25T16:59:43+00:00"
         },
         {
             "name": "symfony/finder",
-            "version": "v6.4.33",
+            "version": "v6.4.34",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/finder.git",
-                "reference": "24965ca011dac87431729640feef8bcf7b5523e0"
+                "reference": "9590e86be1d1c57bfbb16d0dd040345378c20896"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/finder/zipball/24965ca011dac87431729640feef8bcf7b5523e0",
-                "reference": "24965ca011dac87431729640feef8bcf7b5523e0",
+                "url": "https://api.github.com/repos/symfony/finder/zipball/9590e86be1d1c57bfbb16d0dd040345378c20896",
+                "reference": "9590e86be1d1c57bfbb16d0dd040345378c20896",
                 "shasum": ""
             },
             "require": {
@@ -4249,7 +4251,7 @@
             "description": "Finds files and directories via an intuitive fluent interface",
             "homepage": "https://symfony.com",
             "support": {
-                "source": "https://github.com/symfony/finder/tree/v6.4.33"
+                "source": "https://github.com/symfony/finder/tree/v6.4.34"
             },
             "funding": [
                 {
@@ -4269,7 +4271,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-26T13:03:48+00:00"
+            "time": "2026-01-28T15:16:37+00:00"
         },
         {
             "name": "symfony/polyfill-intl-grapheme",
@@ -4607,16 +4609,16 @@
         },
         {
             "name": "symfony/string",
-            "version": "v7.4.4",
+            "version": "v7.4.6",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/string.git",
-                "reference": "1c4b10461bf2ec27537b5f36105337262f5f5d6f"
+                "reference": "9f209231affa85aa930a5e46e6eb03381424b30b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/string/zipball/1c4b10461bf2ec27537b5f36105337262f5f5d6f",
-                "reference": "1c4b10461bf2ec27537b5f36105337262f5f5d6f",
+                "url": "https://api.github.com/repos/symfony/string/zipball/9f209231affa85aa930a5e46e6eb03381424b30b",
+                "reference": "9f209231affa85aa930a5e46e6eb03381424b30b",
                 "shasum": ""
             },
             "require": {
@@ -4674,7 +4676,7 @@
                 "utf8"
             ],
             "support": {
-                "source": "https://github.com/symfony/string/tree/v7.4.4"
+                "source": "https://github.com/symfony/string/tree/v7.4.6"
             },
             "funding": [
                 {
@@ -4694,20 +4696,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-01-12T10:54:30+00:00"
+            "time": "2026-02-09T09:33:46+00:00"
         },
         {
             "name": "vimeo/psalm",
-            "version": "6.15.1",
+            "version": "6.16.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/vimeo/psalm.git",
-                "reference": "28dc127af1b5aecd52314f6f645bafc10d0e11f9"
+                "reference": "f1f5de594dc76faf8784e02d3dc4716c91c6f6ac"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/vimeo/psalm/zipball/28dc127af1b5aecd52314f6f645bafc10d0e11f9",
-                "reference": "28dc127af1b5aecd52314f6f645bafc10d0e11f9",
+                "url": "https://api.github.com/repos/vimeo/psalm/zipball/f1f5de594dc76faf8784e02d3dc4716c91c6f6ac",
+                "reference": "f1f5de594dc76faf8784e02d3dc4716c91c6f6ac",
                 "shasum": ""
             },
             "require": {
@@ -4812,7 +4814,7 @@
                 "issues": "https://github.com/vimeo/psalm/issues",
                 "source": "https://github.com/vimeo/psalm"
             },
-            "time": "2026-02-07T19:27:16+00:00"
+            "time": "2026-03-19T10:56:09+00:00"
         },
         {
             "name": "wapmorgan/php-deprecation-detector",
@@ -4883,16 +4885,16 @@
         },
         {
             "name": "webmozart/assert",
-            "version": "2.1.5",
+            "version": "2.1.6",
             "source": {
                 "type": "git",
                 "url": "https://github.com/webmozarts/assert.git",
-                "reference": "79155f94852fa27e2f73b459f6503f5e87e2c188"
+                "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/webmozarts/assert/zipball/79155f94852fa27e2f73b459f6503f5e87e2c188",
-                "reference": "79155f94852fa27e2f73b459f6503f5e87e2c188",
+                "url": "https://api.github.com/repos/webmozarts/assert/zipball/ff31ad6efc62e66e518fbab1cde3453d389bcdc8",
+                "reference": "ff31ad6efc62e66e518fbab1cde3453d389bcdc8",
                 "shasum": ""
             },
             "require": {
@@ -4939,9 +4941,9 @@
             ],
             "support": {
                 "issues": "https://github.com/webmozarts/assert/issues",
-                "source": "https://github.com/webmozarts/assert/tree/2.1.5"
+                "source": "https://github.com/webmozarts/assert/tree/2.1.6"
             },
-            "time": "2026-02-18T14:09:36+00:00"
+            "time": "2026-02-27T10:28:38+00:00"
         }
     ],
     "aliases": [],

php/containers-schema.json

@@ -49,6 +49,9 @@
 						"type": "string",
 						"pattern": "^[()A-Za-z &0-9-]+$"
 					},
+					"hide_from_list": {
+						"type": "boolean"
+					},
 					"environment": {
 						"type": "array",
 						"items": {
@@ -229,4 +232,4 @@
 			}
 		}
 	}
-}
+}

php/containers.json

@@ -379,8 +379,8 @@
       ],
       "internal_port": "9980",
       "environment": [
-        "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache:23973",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
+        "aliasgroup1=https://%NC_DOMAIN%:443,http://nextcloud-aio-apache.nextcloud-aio:23973",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.disable_server_audit=true --o:logging.level=warning --o:logging.level_startup=warning --o:welcome.enable=false --o:fetch_update_check=0 --o:allow_update_popup=false %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
         "dictionaries=%COLLABORA_DICTIONARIES%",
         "TZ=%TIMEZONE%",
         "server_name=%NC_DOMAIN%",
@@ -389,13 +389,12 @@
       "restart": "unless-stopped",
       "nextcloud_exec_commands": [
         "echo 'Activating Collabora config...'",
-        "php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache:23973' --callback-url='http://nextcloud-aio-apache:23973'"
+        "php /var/www/html/occ richdocuments:activate-config --wopi-url='http://nextcloud-aio-apache.nextcloud-aio:23973' --callback-url='http://nextcloud-aio-apache.nextcloud-aio:23973'"
       ],
       "profiles": [
         "collabora"
       ],
       "cap_add": [
-        "MKNOD",
         "SYS_ADMIN",
         "SYS_CHROOT",
         "FOWNER",
@@ -437,6 +436,13 @@
         "8081"
       ],
       "internal_port": "%TALK_PORT%",
+      "volumes": [
+        {
+          "source": "%NEXTCLOUD_TRUSTED_CACERTS_DIR%",
+          "destination": "/usr/local/share/ca-certificates",
+          "writeable": false
+        }
+      ],
       "environment": [
         "NC_DOMAIN=%NC_DOMAIN%",
         "TALK_HOST=nextcloud-aio-talk",
@@ -523,6 +529,8 @@
     },
     {
       "container_name": "nextcloud-aio-borgbackup",
+      "display_name": "Borgbackup",
+      "hide_from_list": true,
       "image_tag": "%AIO_CHANNEL%",
       "image": "ghcr.io/nextcloud-releases/aio-borgbackup",
       "init": true,
@@ -591,6 +599,8 @@
     },
     {
       "container_name": "nextcloud-aio-watchtower",
+      "display_name": "Watchtower",
+      "hide_from_list": true,
       "image_tag": "%AIO_CHANNEL%",
       "image": "ghcr.io/nextcloud-releases/aio-watchtower",
       "init": true,
@@ -611,6 +621,8 @@
     },
     {
       "container_name": "nextcloud-aio-domaincheck",
+      "display_name": "Domaincheck",
+      "hide_from_list": true,
       "image_tag": "%AIO_CHANNEL%",
       "image": "ghcr.io/nextcloud-releases/aio-domaincheck",
       "init": true,

php/domain-validator.php

@@ -7,15 +7,15 @@ if (isset($_GET['domain']) && is_string($_GET['domain'])) {
 }
 
 if (!str_contains($domain, '.')) { 
-    http_response_code(400); 
+    http_response_code(400);
 } elseif (str_contains($domain, '/')) { 
-    http_response_code(400);  
+    http_response_code(400);
 } elseif (str_contains($domain, ':')) { 
-    http_response_code(400);  
+    http_response_code(400);
 } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { 
-    http_response_code(400); 
+    http_response_code(400);
 } elseif (filter_var($domain, FILTER_VALIDATE_IP)) { 
-    http_response_code(400); 
+    http_response_code(400);
 } else {
     // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs
     // error_log($domain . ' was accepted as valid domain.');

php/psalm-baseline.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="6.15.1@28dc127af1b5aecd52314f6f645bafc10d0e11f9"/>
+<files psalm-version="6.16.1@f1f5de594dc76faf8784e02d3dc4716c91c6f6ac"/>

php/public/style.css

@@ -483,8 +483,8 @@ input[type="checkbox"]:disabled:not(:checked) + label {
     visibility: hidden;
     opacity: 0;
     align-self: start;
-    width: 20%;
-    height: 7rem;
+    width: 300px;
+    height: 200px;
     border-radius: var(--border-radius-large);
     border: solid thin rgb(192, 192, 192);
 }

php/src/Container/Container.php

@@ -38,6 +38,7 @@ readonly class Container {
         public string                        $imageTag,
         public AioVariables                  $aioVariables,
         public string                        $documentation,
+        public bool                          $hideFromList,
         private DockerActionManager           $dockerActionManager
     ) {
     }

php/src/ContainerDefinitionFetcher.php

@@ -324,6 +324,8 @@ readonly class ContainerDefinitionFetcher {
                 $documentation = $entry['documentation'];
             }
 
+            $hideFromList = $entry['hide_from_list'] ?? false;
+
             $containers[] = new Container(
                 $entry['container_name'],
                 $displayName,
@@ -349,6 +351,7 @@ readonly class ContainerDefinitionFetcher {
                 $imageTag,
                 $aioVariables,
                 $documentation,
+                $hideFromList,
                 $this->container->get(DockerActionManager::class)
             );
         }

php/src/Controller/DockerController.php

@@ -87,43 +87,64 @@ readonly class DockerController {
     }
 
     public function StartBackupContainerBackup(Request $request, Response $response, array $args) : Response {
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
         $forceStopNextcloud = true;
-        $this->startBackup($forceStopNextcloud);
-        return $response->withStatus(201)->withHeader('Location', '.');
+        $this->startBackup($forceStopNextcloud, $addToStreamingResponseBody);
+
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
-    public function startBackup(bool $forceStopNextcloud = false) : void {
+    public function startBackup(bool $forceStopNextcloud = false, ?\Closure $addToStreamingResponseBody = null) : void {
         $this->configurationManager->backupMode = 'backup';
 
         $id = self::TOP_CONTAINER;
-        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
+        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud, $addToStreamingResponseBody);
 
         $id = 'nextcloud-aio-borgbackup';
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
     }
 
     public function StartBackupContainerCheck(Request $request, Response $response, array $args) : Response {
-        $this->checkBackup();
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
+        $this->checkBackup($addToStreamingResponseBody);
+
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
     public function StartBackupContainerList(Request $request, Response $response, array $args) : Response {
-        $this->listBackup();
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
+        $this->listBackup($addToStreamingResponseBody);
+
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
-    public function checkBackup() : void {
+    public function checkBackup(?\Closure $addToStreamingResponseBody = null) : void {
         $this->configurationManager->backupMode = 'check';
 
         $id = 'nextcloud-aio-borgbackup';
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
     }
 
-    private function listBackup() : void {
+    private function listBackup(?\Closure $addToStreamingResponseBody = null) : void {
         $this->configurationManager->backupMode = 'list';
 
         $id = 'nextcloud-aio-borgbackup';
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
     }
 
     public function StartBackupContainerRestore(Request $request, Response $response, array $args) : Response {
@@ -133,26 +154,38 @@ readonly class DockerController {
         $this->configurationManager->restoreExcludePreviews = isset($request->getParsedBody()['restore-exclude-previews']);
         $this->configurationManager->commitTransaction();
 
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
         $id = self::TOP_CONTAINER;
         $forceStopNextcloud = true;
-        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
+        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud, $addToStreamingResponseBody);
 
         $id = 'nextcloud-aio-borgbackup';
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
 
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
     public function StartBackupContainerCheckRepair(Request $request, Response $response, array $args) : Response {
         $this->configurationManager->backupMode = 'check-repair';
 
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
         $id = 'nextcloud-aio-borgbackup';
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
 
         // Restore to backup check which is needed to make the UI logic work correctly
         $this->configurationManager->backupMode = 'check';
 
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
     public function StartBackupContainerTest(Request $request, Response $response, array $args) : Response {
@@ -161,13 +194,19 @@ readonly class DockerController {
         $this->configurationManager->instanceRestoreAttempt = false;
         $this->configurationManager->commitTransaction();
 
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
         $id = self::TOP_CONTAINER;
-        $this->PerformRecursiveContainerStop($id);
+        $this->PerformRecursiveContainerStop($id, true, $addToStreamingResponseBody);
 
         $id = 'nextcloud-aio-borgbackup';
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
 
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
     public function StartContainer(Request $request, Response $response, array $args) : Response
@@ -202,23 +241,9 @@ readonly class DockerController {
             error_log('WARNING: Not pulling container images. Instead, using local ones.');
         }
         
-        $nonbufResp = $response
-            ->withBody(new NonBufferedBody())
-            ->withHeader('Content-Type', 'text/html; charset=utf-8')
-            ->withHeader('X-Accel-Buffering', 'no')
-            ->withHeader('Cache-Control', 'no-cache');
-            
-        // Text written into this body is immediately sent to the client, without waiting for later content.
-        $streamingResponseBody = $nonbufResp->getBody();
-        
-        $streamingResponseBody->write($this->getStreamingResponseHtmlStart());
-        
-        // Create a closure to pass around to the code, which should to the logging (because it e.g. decides
-        // if it'll actually pull an image), but which should not need to know anything about the
-        // wanted markup or formatting.
-        $addToStreamingResponseBody = function (Container $container, string $message) use ($streamingResponseBody) : void {
-            $streamingResponseBody->write("<div>{$container->displayName}: {$message}</div>");
-        };
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
         
         // Start container
         $this->startTopContainer($pullImage, $addToStreamingResponseBody);
@@ -227,7 +252,8 @@ readonly class DockerController {
         // Temporarily disabled as it leads much faster to docker rate limits
         // apcu_clear_cache();
 
-        $streamingResponseBody->write($this->getStreamingResponseHtmlEnd());
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
         return $nonbufResp;
     }
 
@@ -243,17 +269,24 @@ readonly class DockerController {
     }
 
     public function StartWatchtowerContainer(Request $request, Response $response, array $args) : Response {
-        $this->startWatchtower();
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
+        $this->startWatchtower($addToStreamingResponseBody);
+
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
-    public function startWatchtower() : void {
+    public function startWatchtower(?\Closure $addToStreamingResponseBody = null) : void {
         $id = 'nextcloud-aio-watchtower';
 
-        $this->PerformRecursiveContainerStart($id);
+        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
     }
 
-    private function PerformRecursiveContainerStop(string $id, bool $forceStopNextcloud = false) : void
+    private function PerformRecursiveContainerStop(string $id, bool $forceStopNextcloud = false, ?\Closure $addToStreamingResponseBody = null) : void
     {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);
 
@@ -261,7 +294,11 @@ readonly class DockerController {
         // Stop Collabora first to make sure it force-saves
         // See https://github.com/nextcloud/richdocuments/issues/3799
         if ($id === self::TOP_CONTAINER && $this->configurationManager->isCollaboraEnabled) {
-            $this->PerformRecursiveContainerStop('nextcloud-aio-collabora');
+            $this->PerformRecursiveContainerStop('nextcloud-aio-collabora', false, $addToStreamingResponseBody);
+        }
+
+        if ($addToStreamingResponseBody !== null) {
+            $addToStreamingResponseBody($container, "Stopping container");
         }
 
         // Stop itself first and then all the dependencies
@@ -272,17 +309,23 @@ readonly class DockerController {
             $this->dockerActionManager->StopContainer($container, $forceStopNextcloud);
         }
         foreach($container->dependsOn as $dependency) {
-            $this->PerformRecursiveContainerStop($dependency, $forceStopNextcloud);
+            $this->PerformRecursiveContainerStop($dependency, $forceStopNextcloud, $addToStreamingResponseBody);
         }
     }
 
     public function StopContainer(Request $request, Response $response, array $args) : Response
     {
+        // Get streaming response start and closure
+        $nonbufResp = $this->startStreamingResponse($response);
+        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);
+
         $id = self::TOP_CONTAINER;
         $forceStopNextcloud = true;
-        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud);
+        $this->PerformRecursiveContainerStop($id, $forceStopNextcloud, $addToStreamingResponseBody);
 
-        return $response->withStatus(201)->withHeader('Location', '.');
+        // End streaming response
+        $this->finalizeStreamingResponse($nonbufResp);
+        return $nonbufResp;
     }
 
     public function stopTopContainer() : void {
@@ -354,7 +397,38 @@ readonly class DockerController {
             
         END;
     }
-    
+
+    private function startStreamingResponse(Response $response) : Response {
+        $nonbufResp = $response
+            ->withBody(new NonBufferedBody())
+            ->withHeader('Content-Type', 'text/html; charset=utf-8')
+            ->withHeader('X-Accel-Buffering', 'no')
+            ->withHeader('Content-Length', '-1')
+            ->withHeader('Cache-Control', 'no-cache');
+            
+        // Text written into this body is immediately sent to the client, without waiting for later content.
+        $streamingResponseBody = $nonbufResp->getBody();
+        
+        $streamingResponseBody->write($this->getStreamingResponseHtmlStart());
+
+        return $nonbufResp;
+    }
+
+    private function getAddToStreamingResponseBody(Response $nonbufResp) : ?\Closure {
+        // Create a closure to pass around to the code, which should to the logging (because it e.g. decides
+        // if it'll actually pull an image), but which should not need to know anything about the
+        // wanted markup or formatting.
+        $addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void {
+            $nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>");
+        };
+
+        return $addToStreamingResponseBody;
+    }
+
+    private function finalizeStreamingResponse(Response $nonbufResp) : void {
+        $nonbufResp->getBody()->write($this->getStreamingResponseHtmlEnd());
+    }
+
     private function getStreamingResponseHtmlEnd() : string {
         return "\n  </body>\n</html>";
     }

php/templates/containers.twig

@@ -47,10 +47,10 @@
             {% endif %}
 
             {% for container in containers %}
-                {% if container.displayName != '' and container.GetRunningState().value == 'running' %}
+                {% if container.hideFromList != true and container.GetRunningState().value == 'running' %}
                     {% set isAnyRunning = true %}
                 {% endif %}
-                {% if container.displayName != '' and container.GetRestartingState().value == 'restarting' %}
+                {% if container.hideFromList != true and container.GetRestartingState().value == 'restarting' %}
                     {% set isAnyRestarting = true %}
                 {% endif %}
                 {% if container.identifier == 'nextcloud-aio-watchtower' and container.GetRunningState().value == 'running' %}
@@ -90,7 +90,7 @@
                     {% elseif is_mastercontainer_update_available == true %}
                         <h2>Mastercontainer update</h2>
                         <p>⚠️ A mastercontainer update is available. Please click on the button below to update it. Afterwards, you will be able to proceed with the setup.</p>
-                        <form method="POST" action="api/docker/watchtower" class="xhr">
+                        <form method="POST" action="api/docker/watchtower" target="overlay-log">
                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                             <input type="submit" value="Update mastercontainer" />
@@ -150,7 +150,7 @@
                                             <details>
                                                 <summary>Reveal repair option</summary>
                                                 <p>Below is the option to repair the integrity of your backup. <strong>Please note:</strong> Please only use this after you have read the documentation above! (It will run the command 'borg check --repair' for you.)</p>
-                                                <form method="POST" action="api/docker/backup-check-repair" class="xhr">
+                                                <form method="POST" action="api/docker/backup-check-repair" target="overlay-log">
                                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                     <input type="submit" value="Check and repair backup integrity" onclick="return confirm('Check and repair backup integrity? Are you sure that you want to check and repair the backup integrity? This should only be done after reading the mentioned documentation.')"/>
@@ -161,7 +161,7 @@
                                         <p><span class="status success"></span> Last {{ borg_backup_mode }} successful! (<a href="log?id=nextcloud-aio-borgbackup" target="_blank">Logs</a>)</p>
                                         {% if borg_backup_mode == 'test' %}
                                             <p>Feel free to check the integrity of the backup archive below before starting the restore process in order to make ensure that the restore will work. This can take a long time though depending on the size of the backup archive and is thus not required.</p>
-                                            <form method="POST" action="api/docker/backup-check" class="xhr">
+                                            <form method="POST" action="api/docker/backup-check" target="overlay-log">
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                 <input type="submit" value="Check backup integrity"/>
@@ -169,7 +169,7 @@
                                         {% endif %}
                                         <p>Choose the backup that you want to restore and click on the button below to restore the selected backup. This will restore the whole AIO instance. Please note that the current AIO passphrase will be kept and the previous AIO passphrase will not be restored from backup!</p>
                                         <p><strong>Important:</strong> If the backup that you want to restore contained any <a target="_blank" href="https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers">community container</a>, you need to restore the same backup a second time after this attempt so that the community container data is also correctly restored.</p>
-                                        <form method="POST" action="api/docker/restore" class="xhr" id="restore_selection">
+                                        <form method="POST" action="api/docker/restore" target="overlay-log" id="restore_selection">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                             <select id="selected_restore_time" name="selected_restore_time" form="restore_selection">
@@ -215,7 +215,7 @@
                             {% endif %}
                         {% else %}
                             <p><strong>Everything set!</strong> Click on the button below to test the path and encryption password:</p>
-                            <form method="POST" action="api/docker/backup-test" class="xhr">
+                            <form method="POST" action="api/docker/backup-test" target="overlay-log">
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                 <input type="submit" value="Test path and encryption password"/>
@@ -264,7 +264,7 @@
                             {% else %}
                                 <p>It seems at least one container was not able to start correctly and is currently restarting.</p>
                                 <p>To break this endless loop, you can stop the containers below and investigate the issue in the container logs before starting the containers again.</p>
-                                <form method="POST" action="api/docker/stop" class="xhr">
+                                <form method="POST" action="api/docker/stop" target="overlay-log">
                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                     <input type="submit" value="Stop containers" />
@@ -282,7 +282,7 @@
                         <ul>
                             {# @var containers \AIO\Container\Container[] #}
                             {% for container in containers %}
-                                {% if container.displayName != '' %}
+                                {% if container.hideFromList != true %}
                                     {% include 'components/container-state.twig'  with {'c': container} only %}
                                 {% endif %}
                             {% endfor %}
@@ -317,7 +317,7 @@
                                     <p>You can find all changes <a target="_blank" href="https://github.com/nextcloud-releases/all-in-one/commits/main"><strong>here</strong></a></p>
                                 {% endif %}
                             {% endif %}
-                            <form method="POST" action="api/docker/stop" class="xhr">
+                            <form method="POST" action="api/docker/stop" target="overlay-log">
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                 <input type="submit" value="Stop containers" />
@@ -332,7 +332,7 @@
                             {% endif %}
                             {% if is_mastercontainer_update_available == true %}
                                 <p>⚠️ A mastercontainer update is available. Please click on the button below to update it.</p>
-                                <form method="POST" action="api/docker/watchtower" class="xhr">
+                                <form method="POST" action="api/docker/watchtower" target="overlay-log">
                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                     <input type="submit" value="Update mastercontainer" />
@@ -353,6 +353,9 @@
                                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input id="base_path" type="hidden" name="base_path" value="">
+                                        {% if bypass_container_update == true %}
+                                            <input type="hidden" name="bypass_container_update" value="true">
+                                        {% endif %}
                                         <input type="submit" value="Start containers" />
                                     </form>
                                 {% else %}
@@ -361,7 +364,7 @@
                                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                         <input id="base_path" type="hidden" name="base_path" value="">
                                         {% if bypass_container_update == true %}
-                                            <input type="hidden" name="bypass_container_update" value="{{bypass_container_update}}">
+                                            <input type="hidden" name="bypass_container_update" value="true">
                                         {% endif %}
                                         <input class="button " type="submit" value="Start and update containers" onclick="return confirm('Start and update containers? You should consider creating a backup first.')" />
                                     </form>
@@ -407,7 +410,7 @@
                                             <details>
                                                 <summary>Reveal repair option</summary>
                                                 <p>Below is the option to repair the integrity of your backup. <strong>Please note:</strong> Please only use this after you have read the documentation above! (It will run the command 'borg check --repair' for you.)</p>
-                                                <form method="POST" action="api/docker/backup-check-repair" class="xhr">
+                                                <form method="POST" action="api/docker/backup-check-repair" target="overlay-log">
                                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                     <input type="submit" value="Check and repair backup integrity" onclick="return confirm('Check and repair backup integrity? Are you sure that you want to check and repair the backup integrity? This should only be done after reading the mentioned documentation.')"/>
@@ -472,7 +475,7 @@
                                     {% if isApacheStarting != true %}
                                         <h3>Backup creation</h3>
                                         <p>Clicking on the button below will create a backup.</p>
-                                        <form method="POST" action="api/docker/backup" class="xhr">
+                                        <form method="POST" action="api/docker/backup" target="overlay-log">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                             <input type="submit" value="Create backup" onclick="return confirm('Create backup? Are you sure that you want to create a backup? This will stop all running containers and create the backup.')" />
@@ -484,7 +487,7 @@
 
                                             <h3>Backup check</h3>
                                             <p>Click on the button below to perform a backup integrity check. This is an option that verifies that your backup is intact. It shouldn't be needed in most situations.</p>
-                                            <form method="POST" action="api/docker/backup-check" class="xhr">
+                                            <form method="POST" action="api/docker/backup-check" target="overlay-log">
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                 <input type="submit" value="Check backup integrity" onclick="return confirm('Check backup integrity? Are you sure that you want to check the backup? This can take a long time depending on the size of your backup.')" />
@@ -492,7 +495,7 @@
 
                                             <h3>Backup restore</h3>
                                             <p>Choose the backup that you want to restore and click on the button below to restore the selected backup. This will overwrite all your files with the chosen backup so you should consider creating a backup first. You can run an integrity check before restoring your files but this shouldn't be needed in most situations. Please note that this will not restore additionally chosen backup directories! The restore process should be pretty fast as rsync, which only transfers changed files, is used to restore the chosen backup.</p>
-                                            <form method="POST" action="api/docker/restore" class="xhr" id="restore_selection">
+                                            <form method="POST" action="api/docker/restore" target="overlay-log" id="restore_selection">
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                 <select id="selected_restore_time" name="selected_restore_time" form="restore_selection">
@@ -507,7 +510,7 @@
                                             <details>
                                                 <summary>Click here to reveal this option</summary>
                                                 <p>If you use an external snapshot tool to restore the server that runs AIO, you might run into a problem that the above listed available backups are not up-to-date to restore your server from. You can click the button below to update this list.</p>
-                                                <form method="POST" action="api/docker/backup-list" class="xhr">
+                                                <form method="POST" action="api/docker/backup-list" target="overlay-log">
                                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                                     <input type="submit" value="Update backup list" />

php/templates/includes/aio-version.twig

@@ -1 +1 @@
-12.8.0
+12.9.0

php/templates/layout.twig

@@ -1,7 +1,7 @@
 <html>
     <head>
         <title>AIO</title>
-        <link rel="stylesheet" href="style.css?v8" media="all" />
+        <link rel="stylesheet" href="style.css?v9" media="all" />
         <link rel="icon" href="img/favicon.png">
         <script type="text/javascript" src="forms.js?v1"></script>
         <script type="text/javascript" src="toggle-dark-mode.js?v1"></script>

php/templates/log.twig

@@ -1,13 +1,15 @@
 <html lang="en">
     <head>
+        <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
         <link rel="stylesheet" href="style.css">
         <style>
             body {
                 padding: 1rem;
             }
             #floating-box {
-                position: fixed;
+                position: sticky;
                 top: 1rem;
+                float: right;
                 right: 1rem;
                 width: 20rem;
                 display: flex;

readme.md

@@ -221,6 +221,7 @@ https://your-domain-that-points-to-this-server.tld:8443
     - [How to adjust the internally used docker api version?](#how-to-adjust-the-internally-used-docker-api-version)
     - [How to change the default location of Nextcloud's Datadir?](#how-to-change-the-default-location-of-nextclouds-datadir)
     - [How to configure custom UID/GID?](#how-to-configure-custom-uidgid)
+    - [How to move the appdata folder from the datadir to an ssd to improve the performance?](#how-to-move-the-appdata-folder-from-the-datadir-to-an-ssd-to-improve-the-performance)
     - [How to store the files/installation on a separate drive?](#how-to-store-the-filesinstallation-on-a-separate-drive)
     - [How to limit the resource usage of AIO?](#how-to-limit-the-resource-usage-of-aio)
     - [How to allow the Nextcloud container to access directories on the host?](#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host)
@@ -475,7 +476,26 @@ Another solution if you really need to use host mounts is to use a bind mount to
 /source/path  /target/path/where/the/source/directory/will/be/mounted/on/the/server  fuse.bindfs  force-user=33,force-group=33,allow_other  0  0
 ```
 
-You can then use `--env NEXTCLOUD_DATADIR="/target/path/where/the/source/directory/will/be/mounted/on/the/server"` as described in the section above.
+Then use `sudo mount /target/path/where/the/source/directory/will/be/mounted/on/the/server` to mount it directly.
+
+You can afterwards use `--env NEXTCLOUD_DATADIR="/target/path/where/the/source/directory/will/be/mounted/on/the/server"` as described in the section above.
+
+### How to move the appdata folder from the datadir to an ssd to improve the performance?
+If the datadir in your setup is configured to be placed on an HDD or network FS like SMB or NFS, you can follow the steps below to change the location of the appdata folder to be located on an SSD in order to improve the performance of the setup.
+
+> [!NOTE]  
+> The following steps only work if you already configured and used NEXTCLOUD_DATADIR as mentioned [two sections above](#how-to-change-the-default-location-of-nextclouds-datadir). 
+> In this example here, we assume that you used `NEXTCLOUD_DATADIR="/target/path/`.
+
+After the initial installation is done and all datadir files of Nextcloud are stored inside the configured `/target/path` directory, you will also see an `appdata_*` folder in there that stores app-related data. You can now move that folder to a faster SSD if the target dir is not already positioned on an SSD by first using `rsync` to sync the files a location on an SSD. Afterwards rename the appdata folder in the datadir to something like `appdata_*-backup`. Afterwards add the following line to `/etc/fstab`:
+```
+/source/path/on/ssd  /target/path/<appdata-path>  fuse.bindfs  force-user=33,force-group=33,allow_other  0  0
+```
+Do not forget to adjust `<appdata-path>` to the correct `appdata_*` name that your installation initially created automatically.
+
+Then use `sudo mount /target/path/<appdata-path>` to mount it directly.
+
+Afterwards things should be speed up.
 
 ### How to store the files/installation on a separate drive?
 You can move the whole docker library and all its files including all Nextcloud AIO files and folders to a separate drive by first mounting the drive in the host OS (NTFS is not supported and ext4 is recommended as FS) and then following this tutorial: https://www.guguweb.com/2019/02/07/how-to-move-docker-data-directory-to-another-location-on-ubuntu/<br>
@@ -634,7 +654,7 @@ Additionally, you might need to create a custom user script to start all sibling
 sleep 120
 
 # Execute the actual command
-docker exec --env START_CONTAINERS=1 nextcloud-aio-mastercontainer /daily-backup.sh`
+docker exec --env START_CONTAINERS=1 nextcloud-aio-mastercontainer /daily-backup.sh
 ```
 
 Apart from that, the installation of AIO should work like on "normal" Linux. So refer to the Linux instructions for installation.
@@ -748,7 +768,10 @@ password=<password>
 ```
 (Of course you need to modify `<smb/cifs username>` and `<password>` for your specific case.)
 
-Now you can use `/mnt/storagebox` as Nextcloud's datadir like described in the section above this one.
+Now you can use `/mnt/storagebox` as Nextcloud's datadir like described in the section [here](#how-to-change-the-default-location-of-nextclouds-datadir).
+
+> [!NOTE]  
+> You also might want to move the appdata dir after the initial installation is done to improve the performance. See [this section](#how-to-move-the-appdata-folder-from-the-datadir-to-an-ssd-to-improve-the-performance)
 
 ### Can I run this with Docker swarm?
 Yes. For that to work, you need to use and follow the [manual-install documentation](./manual-install/).

reverse-proxy.md

@@ -169,8 +169,8 @@ The process to run Nextcloud AIO behind a reverse proxy has three required steps
 
     The reverse-proxy container needs to be connected to the nextcloud containers. This can be achieved one of these 3 ways:
     1. Utilize host networking instead of docker bridge networking: Specify `--network host` option (or `network_mode: host` for docker-compose) as setting for the reverse proxy container to connect it to the host network. If you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy manually. With this setup, the default sample configurations with reverse-proxy pointing to `localhost:$APACHE_PORT` should work directly.
-    1. Connect nextcloud's external-facing containers to the reverse-proxy's docker network by specifying env variable APACHE_ADDITIONAL_NETWORK. With this setup, the reverse proxy can utilize Docker bridge network's DNS name resolution to access nextcloud at `http://nextcloud-aio-apache:$APACHE_PORT`. ⚠️⚠️⚠️ Note, the specified network must already exist before Nextcloud AIO is started. Otherwise it will fail to start the container because the network is not existing.
-    1. Connect the reverse-proxy container to the `nextcloud-aio` network by specifying it as a secondary (external) network for the reverse proxy container. With this setup also, the reverse proxy can utilize Docker bridge network's DNS name resolution to access nextcloud at `http://nextcloud-aio-apache:$APACHE_PORT` .
+    1. Connect nextcloud's external-facing containers to the reverse-proxy's docker network by specifying env variable APACHE_ADDITIONAL_NETWORK. With this setup, the reverse proxy can utilize Docker bridge network's DNS name resolution to access nextcloud at `http://nextcloud-aio-apache.nextcloud-aio:$APACHE_PORT`. ⚠️⚠️⚠️ Note, the specified network must already exist before Nextcloud AIO is started. Otherwise it will fail to start the container because the network is not existing.
+    1. Connect the reverse-proxy container to the `nextcloud-aio` network by specifying it as a secondary (external) network for the reverse proxy container. With this setup also, the reverse proxy can utilize Docker bridge network's DNS name resolution to access nextcloud at `http://nextcloud-aio-apache.nextcloud-aio:$APACHE_PORT` .
 
     </details>
 
@@ -1106,12 +1106,9 @@ After starting AIO, you should be able to access the AIO Interface via `https://
 ⚠️ **Important:** do always use an ip-address if you access this port and not a domain as HSTS might block access to it later! (It is also expected that this port uses a self-signed certificate due to security concerns which you need to accept in your browser)<br>
 Enter your domain in the AIO interface that you've used in the reverse proxy config and you should be done. Please do not forget to open/forward port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
 
-### 5. Optional: Configure AIO for reverse proxies that connect to nextcloud using an ip-address and not localhost nor 127.0.0.1
-If your reverse proxy connects to nextcloud using an ip-address and not localhost or 127.0.0.1<sup>*</sup> you must make the following configuration changes
+### 5. Optional: Configure AIO for reverse proxies that connect to nextcloud not using localhost nor 127.0.0.1
+If your reverse proxy connects to nextcloud not using localhost or 127.0.0.1, you must add said IP as trusted proxy to the installation. See the step below:
 
-<small>*: The IP address it uses to connect to AIO is not in a private IP range such as these: `127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,100.64.0.0/10,fd00::/8,::1/128`</small>
-
-#### Nextcloud trusted proxies
 Add the IP it uses connect to AIO to the Nextcloud trusted_proxies like this:
 
 ```
@@ -1134,6 +1131,7 @@ If you want to also access your AIO interface publicly with a valid certificate,
 ```
 https://<your-nc-domain>:8443 {
     reverse_proxy https://localhost:8080 {
+        header_up Host {host}
         transport http {
             tls_insecure_skip_verify
         }

tests/QA/001-initial-setup.md

@@ -1,10 +1,10 @@
 # Initial setup
 
 - [ ] Verify that after starting the test container, you can access the AIO interface using https://internal.ip.address:8080
-- [ ] After clicking the self-signed-certificate warning away, it should show the setup page with an explanation what AIO is and the initial password and a button that contains a link to the AIO login page
-- [ ] After copying the password and clicking on this button, it should open a new tab with the login page
-- [ ] The login page should show an input field that allows to enter the AIO password and a `Log in` button
-- [ ] After pasting the new password into the input field and clicking on this button button, you should be logged in
+- [ ] After clicking the self-signed-certificate warning away, it should show the setup page with an explanation what AIO is and the initial passphrase and a button that contains a link to the AIO login page
+- [ ] After copying the passphrase and clicking on this button, it should open a new tab with the login page
+- [ ] The login page should show an input field that allows to enter the AIO passphrase and a `Log in` button
+- [ ] After pasting the passphrase into the input field and clicking on this button, you should be logged in
 - [ ] You should now see the containers page and you should see three sections: one general section which explains what AIO is, one `New AIO instance` section and one section that allows to restore the whole AIO instance from backup.
 
 You can now continue with [002-new-instance.md](./002-new-instance.md) or [010-restore-instance.md](./010-restore-instance.md).

tests/QA/002-new-instance.md

@@ -11,7 +11,7 @@ For the below to work, it is important that you have a domain that you point ont
     - [ ] Entering the domain that does point to your server e.g. `yourdomain.com` should finally redirect you to the next screen (if you did not configure your domain yet or did not open port 443, it should report that to you)
 - [ ] Now you should see a button `Start containers` and an explanation which points out that clicking on the button will start the containers and that this can take a long time.
 - [ ] Below that you should see a section `Optional addons` which shows a checkbox list with addons that can be enabled or disabled.
-    - [ ] Collabora and Nextcloud Talk should be enabled, the rest disabled
+    - [ ] Collabora, Imaginary, Talk and Whiteboard should be enabled, the rest disabled
     - [ ] Unchecking/Checking any of these should insert a button that allows to save the set config
     - [ ] Checking OnlyOffice and Collabora at the same time should show a warning that this is not supported and should  not saving the new config
     - [ ] Recommended is to uncheck all options now

tests/QA/004-initial-backup.md

@@ -1,18 +1,32 @@
 # Initial backup
 
-- [ ] In the Backup and restore section, you should now see and input box where you should type in the path where the backup should get created and some explanation below
+- [ ] In the Backup and restore section, you should now see two input boxes where for one you should type in the path where the backup should get created and some explanation below or the other type in a remote ssh location
+- [ ] First, check a local backup:
     - [ ] Enter `/` which should send an error
     - [ ] Enter `/mnt/` or  `/media/` or `/host_mnt/` or `/var/backups/` should send an error as well
     - [ ] Accepted should be `/mnt/backup`, `/media/backup`, `/host_mnt/c/backup` and `/var/backups`.
     - [ ] The side should now reload
+    - [ ] In the Backup restore section you should now see a Backup information section with important info like the encryption password, the backup location and more.
+    - [ ] Also you should see a Backup creation section that contains a `Create backup` button.
+    - [ ] Clicking on the `Create backup` button should open a window prompt that allows to cancel the operation.
+    - [ ] Canceling should return to the website, confirming should reveal the big spinner again which should block the website again.
+    - [ ] After a while you should see the information that Backup container is currently running
+- [ ] another option are remote backups via SSH using borgbackup. The remote borg repo URL must contain both `@` and `:`. The process works as follows:
+    1. You enter a remote borg repo URL (e.g. `ssh://user@host:port/path/to/repo` or `user@host:/path/to/repo`).
+    2. On the first connection attempt, a SSH key pair is generated automatically and the public key is displayed.
+    3. You add the public key to the `~/.ssh/authorized_keys` file on the remote server so that AIO can connect to it.
+    4. Once authorized, AIO can create and restore backups on the remote server.
+    - [ ] Enter `user` (no `@` and no `:`) which should send an error
+    - [ ] Enter `user@host` (no `:`) which should send an error
+    - [ ] Enter `userhost:/path` (no `@`) which should send an error
+    - [ ] Accepted should be `ssh://user@host:22/path/to/repo` or `user@host:/path/to/repo`
+    - [ ] Both a local backup location and a remote repo URL should not be accepted at the same time
+    - [ ] The page should now reload
+    - [ ] Now click on `Create backup`
+    - [ ] After the first failed backup attempt with a remote repo, the SSH public key for borg should be shown so it can be authorized on the remote server
+    - [ ] After authorizing the server on the remote, scroll down and click on `Create backup` again to create another backup. This time it should succeed.
 - [ ] The initial Nextcloud credentials on top of the page that are visible when the containers are running should now be hidden in a details tag
-- [ ] In the Backup restore section you should now see a Backup information section with important info like the encryption password, the backup location and more.
-- [ ] Also you should see a Backup cretion section that contains a `Create backup` button.
-- [ ] Clicking on the `Create backup` button should open a window prompt that allows to cancel the operation.
-- [ ] Canceling should return to the website, confirming should reveal the big spinner again which should block the website again.
-- [ ] After a while you should see the information that Backup container is currently running
-- [ ] Below the Containers section you should see the option to `Start containers` again.
 - [ ] After a while and a few automatic reloads (as long as the side is focused), you should be redirected to the usual page and seen in the Backup and restore section that the last backup was successful.
-- [ ] Below thhat you should see a details tag that allows to reveal all backup options
+- [ ] Below that you should see a details tag that allows to reveal all backup options
 
 You can now continue with [020-backup-and-restore.md](.//020-backup-and-restore.md)

tests/QA/010-restore-instance.md

@@ -2,17 +2,34 @@
 
 For the below to work, you need a backup archive of an AIO instance and the location on the test machine and the password for the backup archive. You can get one here: [backup-archive](./assets/backup-archive/)
 
-- [ ] The section that allows to restore the whole AIO instance from backup should show two input fields: one that allows to enter a location where the backup archive is located and one that allows to enter password of the archive. It should also show a short explanation regarding the path requirements
-- [ ] Entering an incorrect path and/or password should let you continue and test your settings in the next step
-    - [ ] Clicking on the test button should after a reload bring you back to the initial screen where it should say that the test was unsuccessful. Also you should be able to have a look at the backup container logs for investigation what exactly failed.
-    - [ ] You should also now see the input boxes again where you can change the path and password, confirm it and bring you again to the screen where you can test your settings.
-- [ ] Entering the correct path to the backup archive and the correct password here should:
-    - [ ] Should reload and should hide all options except the option to test the path and password
-    - [ ] After the test you should see the options to check the integrity of the backup and a list of backup archives that you can choose from to restore your instance
-    - [ ] Clicking on either option should show a window prompt that lets you cancel the operation
-    - [ ] Clicking on the integrity check option should check the integrity and report that the backup integrity is good after a while which should then only show the option to choose the backup archive that should be restored
-    - [ ] Choosing the restore option should finally restore your files. 
-    - [ ] After waiting a while it should reload the page and should show the usual container interface again with the state of your containers (stopped) and the option to start and update the containers again.
+- [ ] The section that allows to restore the whole AIO instance from backup should show three input fields: one that allows to enter a location where the backup archive is located and one that allows to enter a remote ssh path and one that allows to enter password of the archive. It should also show a short explanation regarding the path requirements
+- [ ] First, check restoring from a local backup location:
+    - [ ] Entering an incorrect path and/or password should let you continue and test your settings in the next step
+        - [ ] Clicking on the test button should after a reload bring you back to the initial screen where it should say that the test was unsuccessful. Also you should be able to have a look at the backup container logs for investigation what exactly failed.
+        - [ ] You should also now see the input boxes again where you can change the path and password, confirm it and bring you again to the screen where you can test your settings.
+    - [ ] Entering the correct path to the backup archive and the correct password here should:
+        - [ ] Should reload and should hide all options except the option to test the path and password
+        - [ ] After the test you should see the options to check the integrity of the backup and a list of backup archives that you can choose from to restore your instance
+        - [ ] Clicking on either option should show a window prompt that lets you cancel the operation
+        - [ ] Clicking on the integrity check option should check the integrity and report that the backup integrity is good after a while which should then only show the option to choose the backup archive that should be restored
+        - [ ] Choosing the restore option should finally restore your files.
+        - [ ] After waiting a while it should reload the page and should show the usual container interface again with the state of your containers (stopped) and the option to start and update the containers again.
+- [ ] Next, check restoring from a remote backup location via SSH. The remote borg repo URL must contain both `@` and `:`. The restore process works as follows:
+    1. You enter a remote borg repo URL (e.g. `ssh://user@host:port/path/to/repo` or `user@host:/path/to/repo`) and the backup password.
+    2. On the first connection attempt, a SSH key pair is generated automatically and the public key is displayed.
+    3. You add the public key to the `~/.ssh/authorized_keys` file on the remote server so that AIO can connect to it.
+    4. Once authorized, AIO can list and restore backups from the remote server.
+    - [ ] Enter an invalid remote repo URL (e.g. `user` without `@` and `:`) which should send an error
+    - [ ] Enter a valid remote borg repo URL and the correct backup password:
+        - [ ] Should reload and should hide all options except the option to test the path and password
+        - [ ] After the first failed connection attempt, the SSH public key for borg should be shown so it can be authorized on the remote server
+        - [ ] After authorizing the key on the remote server, scroll down and click on the test button again. This time it should succeed and show the options to check the integrity and list backup archives
+        - [ ] After the test you should see the options to check the integrity of the backup and a list of backup archives that you can choose from to restore your instance
+        - [ ] Clicking on either option should show a window prompt that lets you cancel the operation
+        - [ ] Clicking on the integrity check option should check the integrity and report that the backup integrity is good after a while which should then only show the option to choose the backup archive that should be restored
+        - [ ] Choosing the restore option should finally restore your files.
+        - [ ] After waiting a while it should reload the page and should show the usual container interface again with the state of your containers (stopped) and the option to start and update the containers again.
+
 - [ ] Clicking on `Start and update containers` should show a window prompt that you should create a backup. Canceling should cancel the operation, confirming should reveal the big spinner again.
 - [ ] After waiting a bit, all containers should be green and your instance should be fully functional again
 

tests/QA/020-backup-and-restore.md

@@ -1,6 +1,6 @@
 # Backup and restore
 
-- [ ] Expanding all backup options in the Backup and restore sectioin should reveal a Backup information section, Backup creation section, Backup check section, Backup restore section and a Daily backup section.
+- [ ] Expanding all backup options in the Backup and restore sectioin should reveal a Backup information section, Backup creation section, Backup check section, Backup restore section and a Daily backup section as well as a additional backup location section
 - [ ] The backup restore section should list all available backup archives and list them from most recent to least recent.
 - [ ] Clicking on either option of Create backup, Check backup integrity or Restore selected backup should run the corresponding action and report after a while in the last check, backup or restore was successful.
 - [ ] Daily backup creatio should allow to enter a time in 24h format e.g. `04:00` should be accepted, `24:00` or `dfjlk` not.

tests/QA/030-aio-password-change.md

@@ -1,12 +1,12 @@
-# AIO password change
+# AIO passphrase change
 
-- [ ] In the AIO password change section you should see two input fields. And below the requirements for a new password
-- [ ] When entering nothing it should report that you need to enter your current aio password
-- [ ] When entering a false password, it should report that to you
-- [ ] After entering your current password and leaving the new password empty it should report that you need to enter a new password
-- [ ] After entering a new passwort shorter than 24 characters or not allowed characters, it should report that the password requirements are not met.
+- [ ] In the AIO passphrase change section you should see two input fields. And below the requirements for a new passphrase
+- [ ] When entering nothing it should report that you need to enter your current AIO passphrase
+- [ ] When entering a false passphrase, it should report that to you
+- [ ] After entering your current passphrase and leaving the new passphrase empty it should report that you need to enter a new passphrase
+- [ ] After entering a new passphrase shorter than 24 characters or not allowed characters, it should report that the passphrase requirements are not met.
 - [ ] `sdfjlksj` should not be accepted
 - [ ] `jdsfklöjiroewoäsadjkfölk` should not be accepted
-- [ ] `sdjlfj SDJFLK 32489 sdjklf` should which should reload the page
+- [ ] `sdjlfj SDJFLK 32489 sdjklf` should be accepted, which should reload the page
 
 You can now continue with [040-login-behavior.md](./040-login-behavior.md)

tests/QA/040-login-behavior.md

@@ -1,7 +1,7 @@
 # Login behavior
 
 - [ ] When opening the AIO interface in a new tab while the apache container is running, it should report on the login page that Nextcloud is running and you should use the automatic login
-- [ ] When the apache container is stopped, you should see here an input field that allows you to enter the AIO password which should log you in
+- [ ] When the apache container is stopped, you should see here an input field that allows you to enter the AIO passphrase which should log you in
 - [ ] Starting and stopping the containers multiple times should every time produce a new token that is used in the admin overview in Nextcloud as link in the button to log you into the AIO interface. (see [003-automatic-login.md](./003-automatic-login.md))
 
 You can now continue with [050-optional-addons.md](./050-optional-addons.md)

tests/QA/050-optional-addons.md

@@ -10,6 +10,8 @@
     - [ ] Imaginary by having a look if when uploading a new picture in Nextcloud, it adds some log entries to the container
     - [ ] Fulltextsearch by trying to search for a heading inside a file in Nextcloud
     - [ ] Talk-recording by starting a call and trying to record something
-- [ ] When Collabora is enabled, it should show below the Optional Addons section a section where you can change the dictionaries for collabora. `de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru` should be a valid setting. E.g. `de.De` not. If already set, it should show a button that allows to remove the setting again.
+- [ ] When Collabora is enabled
+    - [ ] It should show below the Optional Addons section a section where you can change the dictionaries for collabora. `de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru` should be a valid setting. E.g. `de.De` not. If already set, it should show a button that allows to remove the setting again.
+    - [ ] Also, you should see an input field that allows to enter additional collabora options. E.g. `net.content_security_policy=false` should not be accepted, but `--o:net.content_security_policy="frame-ancestors *.example.com:*;"` should.
 
-You can now continue with [060-environmental-variables.md](./060-environmental-variables.md)
+You can now continue with [055-community-containers.md](./055-community-containers.md)

tests/QA/055-community-containers.md

@@ -0,0 +1,13 @@
+# Community Containers
+
+- [ ] At the very bottom of the page, there should be a Community Containers section
+- [ ] The section should show a details element that allows to reveal the list of available community containers
+- [ ] When containers are running, the checkboxes should be disabled and a notice should inform the user that changes can only be made when containers are stopped
+- [ ] When containers are stopped, checkboxes should be enabled
+    - [ ] Enabling a community container and clicking `Save changes` should show a confirmation dialog
+    - [ ] Canceling the confirmation dialog should not save the changes
+    - [ ] Confirming should save the changes and reload the page
+    - [ ] After saving, the enabled community container should appear in the containers section and start along with the other containers when `Start containers` is clicked
+    - [ ] Disabling a previously enabled community container and saving should remove it from the containers section after stopping and starting containers
+
+You can now continue with [060-environmental-variables.md](./060-environmental-variables.md)

zizmor.yml

@@ -6,3 +6,9 @@ rules:
       - build_images.yml
   artipacked:
     disable: true
+  secrets-outside-env:
+    ignore:
+      - promote-to-beta.yml
+      - promote-to-latest.yml
+      - publish-to-aws.yml
+      - publish-to-digitalocean.yml