increase to 2.1.2

Signed-off-by: szaimen <szaimen@e.mail.de>

.github/workflows/lint-php.yml

@@ -1,48 +1,55 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-
-name: Lint
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - master
-      - stable*
-
-jobs:
-  php-lint:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        php-versions: ["8.0"]
-
-    name: php-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: ${{ matrix.php-versions }}
-          coverage: none
-
-      - name: Lint
-        run: cd php && composer run lint
-
-  summary:
-    runs-on: ubuntu-latest
-    needs: php-lint
-
-    if: always()
-
-    name: php-lint-summary
-
-    steps:
-      - name: Summary status
-        run: if ${{ needs.php-lint.result != 'success' && needs.php-lint.result != 'skipped' }}; then exit 1; fi
+# This workflow is provided via the organization template repository
+#
+# https://github.com/nextcloud/.github
+# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
+
+name: Lint
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency: 
+  group: lint-php-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  php-lint:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        php-versions: ["8.0"]
+
+    name: php-lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Set up php ${{ matrix.php-versions }}
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          coverage: none
+
+      - name: Lint
+        run: cd php && composer run lint
+
+  summary:
+    permissions:
+      contents: none
+    runs-on: ubuntu-latest
+    needs: php-lint
+
+    if: always()
+
+    name: php-lint-summary
+
+    steps:
+      - name: Summary status
+        run: if ${{ needs.php-lint.result != 'success' && needs.php-lint.result != 'skipped' }}; then exit 1; fi

.github/workflows/shellcheck.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   shellcheck:
-    name: Github Actions
+    name: Check Shell
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3

Containers/apache/Dockerfile

@@ -1,7 +1,7 @@
 # Caddy is a requirement
-FROM caddy:2.6.1-alpine as caddy
+FROM caddy:2.6.2-alpine as caddy
 
-FROM debian:bullseye-20221004-slim
+FROM debian:bullseye-20221024-slim
 
 RUN mkdir -p /mnt/data; \
     chown www-data:www-data /mnt/data;
@@ -46,6 +46,10 @@ RUN rm /etc/apache2/ports.conf; \
 RUN set -ex; \
     a2dissite 000-default && \
     a2dissite default-ssl && \
+    rm -f /etc/apache2/sites-enabled/000-default.conf && \
+    rm -f /etc/apache2/sites-enabled/default-ssl.conf && \
+    rm /etc/apache2/sites-available/000-default.conf && \
+    rm /etc/apache2/sites-available/default-ssl.conf && \
     a2ensite nextcloud.conf && \
     rm -rf /var/www/html/* && \
     chown www-data:www-data -R /var/log/apache2; \

Containers/apache/nextcloud.conf

@@ -1,5 +1,7 @@
 Listen 8000
 <VirtualHost *:8000>
+    ServerName localhost
+
     # Add error log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
     ErrorLog ${APACHE_LOG_DIR}/error.log

Containers/borgbackup/Dockerfile

@@ -1,10 +1,11 @@
-FROM debian:bullseye-20221004-slim
+FROM debian:bullseye-20221024-slim
 
 RUN set -ex; \
     \
+    echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list; \
     apt-get update; \
+    apt-get install -y --no-install-recommends borgbackup -t bullseye-backports; \
     apt-get install -y --no-install-recommends \
-        borgbackup \
         rsync \
         fuse \
         python3-llfuse \

Containers/borgbackup/backupscript.sh

@@ -155,6 +155,13 @@ if [ "$BORG_MODE" = backup ]; then
         exit 1
     fi
 
+    # Compact archives
+    echo "Compacting the archives..."
+    if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
+        echo "Failed to compact archives!"
+        exit 1
+    fi
+
     # Back up additional directories of the host
     if [ "$ADDITIONAL_DIRECTORIES_BACKUP" = 'yes' ]; then
         if [ -d "/docker_volumes/" ]; then
@@ -172,11 +179,14 @@ if [ "$BORG_MODE" = backup ]; then
                 echo "Backup of additional docker-volumes failed!"
                 exit 1
             fi
-
             if ! borg prune --prefix '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional docker-volumes archives!"
                 exit 1
             fi
+            if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
+                echo "Failed to compact archives!"
+                exit 1
+            fi
         fi
         if [ -d "/host_mounts/" ]; then
             EXCLUDED_DIRECTORIES=(home/*/.cache root/.cache var/cache lost+found run var/run dev tmp sys proc)
@@ -200,6 +210,10 @@ if [ "$BORG_MODE" = backup ]; then
                 echo "Failed to prune additional host-mount archives!"
                 exit 1
             fi
+            if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
+                echo "Failed to compact archives!"
+                exit 1
+            fi
         fi
     fi
 
@@ -246,6 +260,7 @@ if [ "$BORG_MODE" = restore ]; then
     --exclude "nextcloud_aio_mastercontainer/session/"** \
     --exclude "nextcloud_aio_mastercontainer/certs/"** \
     --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
+    --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
     --exclude "nextcloud_aio_mastercontainer/data/configuration.json" \
     /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
         echo "Something failed while restoring from backup."

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:22.05.6.3.1
+FROM collabora/code:22.05.7.3.1
 
 USER root
 

Containers/fulltextsearch/Dockerfile

@@ -1,5 +1,5 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:7.17.6
+FROM elasticsearch:7.17.7
 
 RUN elasticsearch-plugin install --batch ingest-attachment
 

Containers/imaginary/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/h2non/imaginary/blob/master/Dockerfile
-FROM nextcloud/imaginary:20221003
+FROM nextcloud/imaginary:20221101
 
 USER root
 RUN set -ex; \

Containers/mastercontainer/Dockerfile

@@ -1,11 +1,11 @@
 # Docker CLI is a requirement
-FROM docker:20.10.18-dind-alpine3.16 as dind
+FROM docker:20.10.21-dind-alpine3.16 as dind
 
 # Caddy is a requirement
-FROM caddy:2.6.1-alpine as caddy
+FROM caddy:2.6.2-alpine as caddy
 
 # From https://github.com/docker-library/php/blob/master/8.0/bullseye/apache/Dockerfile
-FROM php:8.0.24-apache-bullseye
+FROM php:8.0.25-apache-bullseye
 
 EXPOSE 80
 EXPOSE 8080
@@ -52,7 +52,7 @@ RUN set -e && \
     cd ..; \
     rm -f /usr/local/bin/composer; \
     chmod 770 -R ./; \
-    chown www-data:www-data -R ./; \
+    chown www-data:www-data -R /var/www; \
     rm -r ./php/data; \
     rm -r ./php/session
 
@@ -76,8 +76,13 @@ RUN rm /etc/apache2/ports.conf; \
     sed -s -i -e "s/Include ports.conf//" /etc/apache2/apache2.conf; \
     sed -i "/^Listen /d" /etc/apache2/apache2.conf
 
-RUN a2dissite 000-default && \
+RUN set -ex; \
+    a2dissite 000-default && \
     a2dissite default-ssl && \
+    rm -f /etc/apache2/sites-enabled/000-default.conf && \
+    rm -f /etc/apache2/sites-enabled/default-ssl.conf && \
+    rm /etc/apache2/sites-available/000-default.conf && \
+    rm /etc/apache2/sites-available/default-ssl.conf && \
     a2ensite mastercontainer.conf
 
 RUN mkdir /var/log/supervisord; \

Containers/mastercontainer/mastercontainer.conf

@@ -11,6 +11,8 @@ ErrorLog ${APACHE_LOG_DIR}/error.log
 
 # Http host
 <VirtualHost *:8000>
+    ServerName localhost
+
     # PHP match
     <FilesMatch "\.php$">
         SetHandler application/x-httpd-php

Containers/mastercontainer/session-deduplicator.sh

@@ -1,26 +1,22 @@
 #!/bin/bash
 
-while true; do
-    while [ "$(find "/mnt/docker-aio-config/session/" -mindepth 1 -exec grep "aio_authenticated|[a-z]:1" {} \; | wc -l)" -gt 1 ]; do
-        # First delete all session files that are not authenticated
-        unset SESSION_FILES
-        SESSION_FILES="$(find "/mnt/docker-aio-config/session/" -mindepth 1)"
-        unset SESSION_FILES_ARRAY
-        mapfile -t SESSION_FILES_ARRAY <<< "$SESSION_FILES"
-        for SESSION_FILE in "${SESSION_FILES_ARRAY[@]}"; do
-            if [ -f "$SESSION_FILE" ] && ! grep -q "aio_authenticated|[a-z]:1" "$SESSION_FILE"; then
-                rm "$SESSION_FILE"
-            fi
-        done
+deduplicate_sessions() {
+    echo "Deleting duplicate sessions"
+    find "/mnt/docker-aio-config/session/" -mindepth 1 -exec grep -qv "$NEW_SESSION_TIME" {} \; -delete
+}
 
-        # Second clean up all sessions that are authenticated
-        echo "Deleting duplicate sessions"
-        unset OLDEST_FILE
-        set -x
-        # shellcheck disable=SC2012
-        OLDEST_FILE="$(ls -t "/mnt/docker-aio-config/session/" | tail -1)"
-        rm "/mnt/docker-aio-config/session/$OLDEST_FILE"
-        set +x
-    done
-    sleep 5
+compare_times() {
+    if [ -f "/mnt/docker-aio-config/data/session_date_file" ]; then
+        unset NEW_SESSION_TIME
+        NEW_SESSION_TIME="$(cat "/mnt/docker-aio-config/data/session_date_file")"
+        if [ -n "$NEW_SESSION_TIME" ] && [ -n "$OLD_SESSION_TIME" ] && [ "$NEW_SESSION_TIME" != "$OLD_SESSION_TIME" ]; then
+            deduplicate_sessions
+        fi
+        OLD_SESSION_TIME="$NEW_SESSION_TIME"
+    fi
+}
+
+while true; do
+    compare_times
+    sleep 2
 done

Containers/mastercontainer/supervisord.conf

@@ -1,26 +1,28 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           
 logfile_backups=10                 
 loglevel=error
+user=root
 
 [program:apache]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
+# stdout_logfile=/dev/stdout
+# stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=apache2-foreground
+user=root
 
 [program:caddy]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=sudo -u www-data /usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile
+user=www-data
 
 [program:cron]
 stdout_logfile=/dev/stdout
@@ -35,6 +37,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/backup-time-file-watcher.sh
+user=root
 
 [program:session-deduplicator]
 stdout_logfile=/dev/stdout
@@ -42,3 +45,4 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
+user=root

Containers/nextcloud/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
-FROM php:8.0.24-fpm-alpine3.16
+FROM php:8.0.25-fpm-alpine3.16
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
 RUN set -ex; \
@@ -107,7 +107,7 @@ RUN { \
 
 VOLUME /var/www/html
 
-ENV NEXTCLOUD_VERSION 24.0.6
+ENV NEXTCLOUD_VERSION 24.0.7
 
 RUN set -ex; \
     apk add --no-cache --virtual .fetch-deps \
@@ -202,6 +202,8 @@ RUN set -ex; \
         postgresql-client \
         tzdata \
         mawk \
+        sudo \
+        grep \
     ; \
     rm -rf /var/lib/apt/lists/*
 
@@ -225,15 +227,12 @@ RUN set -ex; \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
-    chown www-data:root -R /var/log/supervisord/ && \
-    chown www-data:root -R /var/run/supervisord/ && \
     rm -r /usr/src/nextcloud/apps/updatenotification
 
 COPY start.sh /
 COPY notify.sh /
 RUN set -ex; \
     chmod +x /start.sh && \
-    chmod +r /supervisord.conf && \
     chmod +x /entrypoint.sh && \
     chmod +r /upgrade.exclude && \
     chmod +x /cron.sh && \
@@ -249,7 +248,7 @@ VOLUME /mnt/ncdata
 # Give root a random password
 RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-USER www-data
+USER root
 ENTRYPOINT ["/start.sh"]
 
-HEALTHCHECK CMD (nc -z localhost 9000 && nc -z localhost 7867) || exit 1
+HEALTHCHECK CMD (sudo -u www-data nc -z localhost 9000 && sudo -u www-data nc -z localhost 7867) || exit 1

Containers/nextcloud/entrypoint.sh

@@ -32,8 +32,8 @@ fi
 touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
 if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
     echo "The www-data user doesn't seem to have access rights in the datadir.
-Did you maybe change the datadir and did forget to apply the correct permissions?
-See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+Most likely are the files located on a drive that does not follow linux permissions.
+Please adjust the permissions like mentioned below.
 The found permissions are:
 $(stat -c "%u:%g %a" "$NEXTCLOUD_DATA_DIR")
 (userID:groupID permissions)
@@ -279,6 +279,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
              bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
         fi
     fi
+else
+    SKIP_UPDATE=1
 fi
 
 # Check if appdata is present
@@ -307,6 +309,8 @@ fi
 echo "Applying one-click-instance settings..."
 php /var/www/html/occ config:system:set one-click-instance --value=true --type=bool
 php /var/www/html/occ config:system:set one-click-instance.user-limit --value=100 --type=int
+php /var/www/html/occ config:system:set one-click-instance.link --value="https://nextcloud.com/all-in-one/"
+php /var/www/html/occ app:enable support
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
@@ -339,7 +343,7 @@ if ! [ -d "/var/www/html/custom_apps/notify_push" ]; then
     php /var/www/html/occ app:install notify_push
 elif [ "$(php /var/www/html/occ config:app:get notify_push enabled)" = "no" ]; then
     php /var/www/html/occ app:enable notify_push
-else
+elif [ "$SKIP_UPDATE" != 1 ]; then
     php /var/www/html/occ app:update notify_push
 fi
 php /var/www/html/occ config:system:set trusted_proxies 0 --value="127.0.0.1"
@@ -352,7 +356,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:install richdocuments
     elif [ "$(php /var/www/html/occ config:app:get richdocuments enabled)" = "no" ]; then
         php /var/www/html/occ app:enable richdocuments
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update richdocuments
     fi
     php /var/www/html/occ config:app:set richdocuments wopi_url --value="https://$NC_DOMAIN/"
@@ -374,7 +378,7 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:install onlyoffice
     elif [ "$(php /var/www/html/occ config:app:get onlyoffice enabled)" = "no" ]; then
         php /var/www/html/occ app:enable onlyoffice
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update onlyoffice
     fi
     php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
@@ -393,15 +397,20 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:install spreed
     elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" = "no" ]; then
         php /var/www/html/occ app:enable spreed
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update spreed
     fi
-    STUN_SERVERS="[\"$NC_DOMAIN:$TALK_PORT\"]"
-    TURN_SERVERS="[{\"server\":\"$NC_DOMAIN:$TALK_PORT\",\"secret\":\"$TURN_SECRET\",\"protocols\":\"udp,tcp\"}]"
-    SIGNALING_SERVERS="{\"servers\":[{\"server\":\"https://$NC_DOMAIN/standalone-signaling/\",\"verify\":true}],\"secret\":\"$SIGNALING_SECRET\"}"
-    php /var/www/html/occ config:app:set spreed stun_servers --value="$STUN_SERVERS" --output json
-    php /var/www/html/occ config:app:set spreed turn_servers --value="$TURN_SERVERS" --output json
-    php /var/www/html/occ config:app:set spreed signaling_servers --value="$SIGNALING_SERVERS" --output json
+    # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
+    if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
+        php /var/www/html/occ talk:turn:add "$NC_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
+    fi
+    if php /var/www/html/occ talk:stun:list --output="plain" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
+        php /var/www/html/occ talk:stun:add "$NC_DOMAIN:$TALK_PORT"
+        php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
+    fi
+    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$NC_DOMAIN/standalone-signaling/"; then
+        php /var/www/html/occ talk:signaling:add "https://$NC_DOMAIN/standalone-signaling/" "$SIGNALING_SECRET" --verify
+    fi
 else
     if [ -d "/var/www/html/custom_apps/spreed" ]; then
         php /var/www/html/occ app:remove spreed
@@ -418,7 +427,7 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:install files_antivirus
     elif [ "$(php /var/www/html/occ config:app:get files_antivirus enabled)" = "no" ]; then
         php /var/www/html/occ app:enable files_antivirus
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update files_antivirus
     fi
     php /var/www/html/occ config:app:set files_antivirus av_mode --value="daemon"
@@ -454,21 +463,21 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:install fulltextsearch
     elif [ "$(php /var/www/html/occ config:app:get fulltextsearch enabled)" = "no" ]; then
         php /var/www/html/occ app:enable fulltextsearch
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update fulltextsearch
     fi    
     if ! [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
         php /var/www/html/occ app:install fulltextsearch_elasticsearch
     elif [ "$(php /var/www/html/occ config:app:get fulltextsearch_elasticsearch enabled)" = "no" ]; then
         php /var/www/html/occ app:enable fulltextsearch_elasticsearch
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update fulltextsearch_elasticsearch
     fi    
     if ! [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
         php /var/www/html/occ app:install files_fulltextsearch
     elif [ "$(php /var/www/html/occ config:app:get files_fulltextsearch enabled)" = "no" ]; then
         php /var/www/html/occ app:enable files_fulltextsearch
-    else
+    elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update files_fulltextsearch
     fi
     php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'

Containers/nextcloud/notify.sh

@@ -1,19 +1,25 @@
 #!/bin/bash
 
+if [[ "$EUID" = 0 ]]; then
+    COMMAND=(sudo -E -u www-data php /var/www/html/occ)
+else
+    COMMAND=(php /var/www/html/occ)
+fi
+
 SUBJECT="$1"
 MESSAGE="$2"
 
-if [ "$(php /var/www/html/occ config:app:get notifications enabled)" = "no" ]; then
+if [ "$("${COMMAND[@]}" config:app:get notifications enabled)" = "no" ]; then
     echo "Cannot send notification as notification app is not enabled."
     exit 1
 fi
 
 echo "Posting notifications to users that are admins..."
-NC_USERS=$(php /var/www/html/occ user:list | sed 's|^  - ||g' | sed 's|:.*||')
+NC_USERS=$("${COMMAND[@]}" user:list | sed 's|^  - ||g' | sed 's|:.*||')
 mapfile -t NC_USERS <<< "$NC_USERS"
 for user in "${NC_USERS[@]}"
 do
-    if php /var/www/html/occ user:info "$user" | cut -d "-" -f2 | grep -x -q " admin"
+    if "${COMMAND[@]}" user:info "$user" | cut -d "-" -f2 | grep -x -q " admin"
     then
         NC_ADMIN_USER+=("$user")
     fi
@@ -22,7 +28,7 @@ done
 for admin in "${NC_ADMIN_USER[@]}"
 do
     echo "Posting '$SUBJECT' to: $admin"
-    php /var/www/html/occ notification:generate "$admin" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE"
+    "${COMMAND[@]}" notification:generate "$admin" "$NC_DOMAIN: $SUBJECT" -l "$MESSAGE"
 done
 
 echo "Done!"

Containers/nextcloud/start.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Only start container if database is accessible
-while ! nc -z "$POSTGRES_HOST" 5432; do
+while ! sudo -u www-data nc -z "$POSTGRES_HOST" 5432; do
     echo "Waiting for database to start..."
     sleep 5
 done
@@ -13,7 +13,7 @@ export POSTGRES_USER
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
     sleep 2
-    while ! psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:5432/$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:5432/$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start..."
         sleep 5
     done
@@ -24,12 +24,20 @@ fi
 
 # Trust additional Cacerts, if the user provided $TRUSTED_CACERTS_DIR
 if [ -n "$TRUSTED_CACERTS_DIR" ]; then
-    echo "User required to trust additional CA certificates, running 'update-ca-certificates."
+    echo "User required to trust additional CA certificates, running 'update-ca-certificates.'"
     update-ca-certificates
 fi
 
+# Check datadir permissions
+sudo -u www-data touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
+if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
+    chown -R www-data:root "$NEXTCLOUD_DATA_DIR"
+    chmod 750 -R "$NEXTCLOUD_DATA_DIR"
+fi
+sudo -u www-data rm -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
+
 # Run original entrypoint
-if ! bash /entrypoint.sh; then
+if ! sudo -E -u www-data bash /entrypoint.sh; then
     exit 1
 fi
 

Containers/nextcloud/supervisord.conf

@@ -7,13 +7,15 @@ childlogdir=/var/log/supervisord/
 logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
 logfile_backups=10                              ; number of backed up logfiles
 loglevel=error
+user=root
 
 [program:php-fpm]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
+# stderr_logfile=/dev/stderr
+# stderr_logfile_maxbytes=0
 command=php-fpm
+user=root
 
 [program:cron]
 stdout_logfile=/dev/stdout
@@ -21,6 +23,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/cron.sh
+user=www-data
 
 [program:notify-push]
 stdout_logfile=/dev/stdout
@@ -28,6 +31,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
+user=www-data
 
 [program:activate-collabora]
 stdout_logfile=/dev/stdout
@@ -35,3 +39,4 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/activate-collabora.sh
+user=www-data

Containers/onlyoffice/Dockerfile

@@ -1,4 +1,4 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.2.0.204
+FROM onlyoffice/documentserver:7.2.1.34
 
 HEALTHCHECK CMD curl -skfI localhost || exit 1

Containers/talk/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:focal-20220922
+FROM ubuntu:focal-20221019
 
 RUN set -ex; \
     \

docker-rootless.md

@@ -11,4 +11,4 @@ You can run AIO with docker rootless by following the steps below.
 1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `-e DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
 1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or docker-compose file (after installing docker rootles) are things that are mentioned in point 3.
 
-**Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. For changing Nextcloud's datadir, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). This logically also applies to the NEXTCLOUD_MOUNT option.
+**Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with `sudo chown -R USERNAME:GROUPNAME /mnt/backup`. The same applies when changing Nextcloud's datadir. E.g. `sudo chown -R USERNAME:GROUPNAME /mnt/ncdata`. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). 

local-instance.md

@@ -5,7 +5,7 @@ It is possible due to several reasons that you do not want or cannot open Nextcl
 The recommended way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
-1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the local ip-address of your reverse proxy 
+1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the local ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
 1. Enter the the ip-address of your local dns-server in the deamon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
 1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup
 

manual-install/latest-arm64.yml

@@ -4,6 +4,7 @@ services:
   nextcloud-aio-apache:
     container_name: nextcloud-aio-apache
     depends_on:
+      - nextcloud-aio-onlyoffice
       - nextcloud-aio-collabora
       - nextcloud-aio-talk
       - nextcloud-aio-nextcloud
@@ -16,6 +17,7 @@ services:
       - COLLABORA_HOST=nextcloud-aio-collabora
       - TALK_HOST=nextcloud-aio-talk
       - APACHE_PORT=${APACHE_PORT}
+      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
       - TZ=${TIMEZONE}
       - APACHE_MAX_SIZE=${APACHE_MAX_SIZE}
       - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
@@ -73,11 +75,14 @@ services:
       - OVERWRITEPROTOCOL=https
       - TURN_SECRET=${TURN_SECRET}
       - SIGNALING_SECRET=${SIGNALING_SECRET}
+      - ONLYOFFICE_SECRET=${ONLYOFFICE_SECRET}
       - AIO_URL=${AIO_URL}
       - NEXTCLOUD_MOUNT=${NEXTCLOUD_MOUNT}
+      - ONLYOFFICE_ENABLED=${ONLYOFFICE_ENABLED}
       - COLLABORA_ENABLED=${COLLABORA_ENABLED}
       - COLLABORA_HOST=nextcloud-aio-collabora
       - TALK_ENABLED=${TALK_ENABLED}
+      - ONLYOFFICE_HOST=nextcloud-aio-onlyoffice
       - UPDATE_NEXTCLOUD_APPS=${UPDATE_NEXTCLOUD_APPS}
       - TZ=${TIMEZONE}
       - TALK_PORT=${TALK_PORT}
@@ -135,6 +140,21 @@ services:
     networks:
       - nextcloud-aio
  
+  nextcloud-aio-onlyoffice:
+    container_name: nextcloud-aio-onlyoffice
+    image: nextcloud/aio-onlyoffice:latest-arm64
+    environment:
+      - TZ=${TIMEZONE}
+      - JWT_ENABLED=true
+      - JWT_HEADER=AuthorizationJwt
+      - JWT_SECRET=${ONLYOFFICE_SECRET}
+    volumes:
+      - nextcloud_aio_onlyoffice:/var/lib/onlyoffice:rw
+    stop_grace_period: 10s
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+ 
   nextcloud-aio-imaginary:
     container_name: nextcloud-aio-imaginary
     image: nextcloud/aio-imaginary:latest-arm64
@@ -170,6 +190,8 @@ volumes:
     name: nextcloud_aio_elasticsearch
   nextcloud_aio_nextcloud:
     name: nextcloud_aio_nextcloud
+  nextcloud_aio_onlyoffice:
+    name: nextcloud_aio_onlyoffice
   nextcloud_aio_nextcloud_data:
     name: nextcloud_aio_nextcloud_data
 

migration.md

@@ -17,7 +17,7 @@ The procedure for migrating only the files works like this:
 1. Restore the datadirectory of your former instance into the following directory: `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/`
 1. Next, run `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` to apply the correct permissions
 1. Start the containers again and wait until all containers are running
-1. Run `sudo docker exec -it nextcloud-aio-nextcloud php occ files:scan-app-data && sudo docker exec -it nextcloud-aio-nextcloud php occ files:scan --all` in order to scan all files in the datadirectory.
+1. Run `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan-app-data && sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all` in order to scan all files in the datadirectory.
 
 ## Migrate the files and the database
 **Please note**: this is much more complicated than migrating only the files and also not as failproof so be warned!
@@ -72,8 +72,8 @@ The procedure for migrating the files and the database works like this:
     sudo chmod 777 /var/lib/docker/volumes/nextcloud_aio_database_dump/_data/database-dump.sql
     sudo rm /var/lib/docker/volumes/nextcloud_aio_database_dump/_data/initial-cleanup-done
     ```
-1. If the commands above were executed successfully, restore the datadirectory of your former instance into the following directory: `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/`
-1. Next, run `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*`to apply the correct permissions
+1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/`. Be aware if you have changed the standard path of your datadirectory like described [here](https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir).
+1. Next, run `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*`to apply the correct permissions on the datadirectory.
 1. Edit the Nextcloud AIO config.php file that is stored in `/var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/config/config.php` and modify only `passwordsalt`, `secret`, `instanceid` and set it to the old values that you used on your old installation. If you are brave, feel free to modify further values e.g. add your old LDAP config or S3 storage config. (Some things like Mail server config can be added back using Nextcloud's webinterface later on).
 1. When you are done and saved your changes to the file, finally start the containers again and wait until all containers are running.
 1. As last step, install all apps again that were installed before on your old instance by using the webinterface.

php/composer.lock

@@ -220,16 +220,16 @@
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.4.1",
+            "version": "2.4.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "69568e4293f4fa993f3b0e51c9723e1e17c41379"
+                "reference": "67c26b443f348a51926030c83481b85718457d3d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/69568e4293f4fa993f3b0e51c9723e1e17c41379",
-                "reference": "69568e4293f4fa993f3b0e51c9723e1e17c41379",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/67c26b443f348a51926030c83481b85718457d3d",
+                "reference": "67c26b443f348a51926030c83481b85718457d3d",
                 "shasum": ""
             },
             "require": {
@@ -319,7 +319,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.4.1"
+                "source": "https://github.com/guzzle/psr7/tree/2.4.3"
             },
             "funding": [
                 {
@@ -335,7 +335,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-08-28T14:45:39+00:00"
+            "time": "2022-10-26T14:07:24+00:00"
         },
         {
             "name": "http-interop/http-factory-guzzle",

php/psalm-baseline.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="4.27.0@faf106e717c37b8c81721845dba9de3d8deed8ff">
+<files psalm-version="4.29.0@7ec5ffbd5f68ae03782d7fd33fff0c45a69f95b3">
   <file src="public/index.php">
     <MissingClosureParamType occurrences="10">
       <code>$args</code>
@@ -30,12 +30,6 @@
       <code>$args</code>
       <code>$args</code>
     </MissingParamType>
-    <PossiblyInvalidArrayAccess occurrences="1">
-      <code>$request-&gt;getParsedBody()['selected_restore_time']</code>
-    </PossiblyInvalidArrayAccess>
-    <PossiblyNullArrayAccess occurrences="1">
-      <code>$request-&gt;getParsedBody()['selected_restore_time']</code>
-    </PossiblyNullArrayAccess>
   </file>
   <file src="src/Controller/LoginController.php">
     <MissingParamType occurrences="3">
@@ -43,15 +37,6 @@
       <code>$args</code>
       <code>$args</code>
     </MissingParamType>
-    <PossiblyInvalidArrayAccess occurrences="1">
-      <code>$request-&gt;getParsedBody()['password']</code>
-    </PossiblyInvalidArrayAccess>
-    <PossiblyNullArgument occurrences="1">
-      <code>$password</code>
-    </PossiblyNullArgument>
-    <PossiblyNullArrayAccess occurrences="1">
-      <code>$request-&gt;getParsedBody()['password']</code>
-    </PossiblyNullArrayAccess>
   </file>
   <file src="src/Docker/DockerActionManager.php">
     <InvalidReturnType occurrences="1">
@@ -64,11 +49,6 @@
       <code>$container-&gt;GetInternalPorts() !== null</code>
     </RedundantCondition>
   </file>
-  <file src="src/Middleware/AuthMiddleware.php">
-    <UndefinedInterfaceMethod occurrences="1">
-      <code>withStatus</code>
-    </UndefinedInterfaceMethod>
-  </file>
   <file src="src/Twig/ClassExtension.php">
     <MissingParamType occurrences="1">
       <code>$object</code>

php/public/second-tab-warning.js

@@ -0,0 +1,12 @@
+const channel = new BroadcastChannel('tab')
+
+channel.postMessage('second-tab')
+// note that listener is added after posting the message
+
+channel.addEventListener('message', (msg) => {
+    if (msg.data === 'second-tab') {
+        // message received from 2nd tab
+        document.getElementById('overlay').classList.add('loading')
+        alert('Cannot open multiple instances. You can use AIO here by reloading the page.')
+    }
+});

php/src/Auth/AuthManager.php

@@ -3,6 +3,8 @@
 namespace AIO\Auth;
 
 use AIO\Data\ConfigurationManager;
+use AIO\Data\DataConst;
+use \DateTime;
 
 class AuthManager {
     private const SESSION_KEY = 'aio_authenticated';
@@ -21,6 +23,14 @@ class AuthManager {
     }
 
     public function SetAuthState(bool $isLoggedIn) : void {
+
+        if (!$this->IsAuthenticated() && $isLoggedIn === true) {
+            $date = new DateTime();
+            $dateTime = $date->getTimestamp();
+            $_SESSION['date_time'] = $dateTime;
+            file_put_contents(DataConst::GetSessionDateFile(), (string)$dateTime);
+        }
+
         $_SESSION[self::SESSION_KEY] = $isLoggedIn;
     }
 

php/src/Controller/DockerController.php

@@ -101,7 +101,7 @@ class DockerController
     public function StartBackupContainerRestore(Request $request, Response $response, $args) : Response {
         $config = $this->configurationManager->GetConfig();
         $config['backup-mode'] = 'restore';
-        $config['selected-restore-time'] = $request->getParsedBody()['selected_restore_time'];
+        $config['selected-restore-time'] = $request->getParsedBody()['selected_restore_time'] ?? '';
         $this->configurationManager->WriteConfig($config);
 
         $id = self::TOP_CONTAINER;

php/src/Controller/LoginController.php

@@ -23,7 +23,7 @@ class LoginController
         if (!$this->dockerActionManager->isLoginAllowed()) {
             return $response->withHeader('Location', '/')->withStatus(302);
         }
-        $password = $request->getParsedBody()['password'];
+        $password = $request->getParsedBody()['password'] ?? '';
         if($this->authManager->CheckCredentials($password)) {
             $this->authManager->SetAuthState(true);
             return $response->withHeader('Location', '/')->withStatus(302);
@@ -33,7 +33,7 @@ class LoginController
     }
 
     public function GetTryLogin(Request $request, Response $response, $args) : Response {
-        $token = $request->getQueryParams()['token'];
+        $token = $request->getQueryParams()['token'] ?? '';
         if($this->authManager->CheckToken($token)) {
             $this->authManager->SetAuthState(true);
             return $response->withHeader('Location', '/')->withStatus(302);

php/src/Data/ConfigurationManager.php

@@ -443,7 +443,7 @@ class ConfigurationManager
         if ($df !== false && (int)$df < 10240) {
             throw new InvalidSettingConfigurationException(DataConst::GetDataDirectory() . " does not have enough space for writing the config file! Not writing it back!");
         }
-        file_put_contents(DataConst::GetConfigFile(), json_encode($config));
+        file_put_contents(DataConst::GetConfigFile(), json_encode($config, JSON_UNESCAPED_SLASHES|JSON_PRETTY_PRINT));
     }
 
     private function GetEnvironmentalVariableOrConfig(string $envVariableName, string $configName, string $defaultValue) : string {

php/src/Data/DataConst.php

@@ -46,4 +46,8 @@ class DataConst {
     public static function GetBackupArchivesList() : string {
         return self::GetDataDirectory() . '/backup_archives.list';
     }
+
+    public static function GetSessionDateFile() : string {
+        return self::GetDataDirectory() . '/session_date_file';
+    }
 }

php/src/Middleware/AuthMiddleware.php

@@ -28,10 +28,10 @@ class AuthMiddleware
 
         if(!in_array($request->getUri()->getPath(), $publicRoutes)) {
             if(!$this->authManager->IsAuthenticated()) {
-                $response = new Response();
-                return $response
-                    ->withHeader('Location', '/')
-                    ->withStatus(302);
+                $status = 302;
+                $headers = ['Location' => '/'];
+                $response = new Response($status, $headers);
+                return $response;
             }
         }
 

php/templates/containers.twig

@@ -16,7 +16,10 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v2.0.4</h1>
+        <h1>Nextcloud AIO v2.1.2</h1>
+
+        {# Add 2nd tab warning #}
+        <script type="text/javascript" src="second-tab-warning.js"></script>
 
         {% set isAnyRunning = false %}
         {% set isAnyRestarting = false %}

readme.md

@@ -134,7 +134,9 @@ No and they will not be. Please use a dedicated domain for Nextcloud and set it
 No and it will not be added. Please use a dedicated domain for Nextcloud and set it up correctly by following the [reverse proxy documentation](./reverse-proxy.md).
 
 ### How can I access Nextcloud locally?
-The recommended way is to set up a local dns-server like a pi-hole and set up a custom dns-record for that domain that points to the internal ip-adddress of your server that runs Nextcloud AIO.
+The recommended way is to set up a local dns-server like a pi-hole and set up a custom dns-record for that domain that points to the internal ip-adddress of your server that runs Nextcloud AIO. Below are some guides:
+- https://www.howtogeek.com/devops/how-to-run-your-own-dns-server-on-your-local-network/
+- https://howchoo.com/pi/pi-hole-setup together with https://docs.callitkarma.me/posts/PiHole-Local-DNS/
 
 ### How to skip the domain validation?
 If you are completely sure that you've configured everything correctly and are not able to pass the domain validation, you may skip the domain validation by adding `-e SKIP_DOMAIN_VALIDATION=true` to the docker run command of the mastercontainer.
@@ -150,16 +152,16 @@ Afterwards it should work.<br>
 See https://dev.to/ozorest/fedora-32-how-to-solve-docker-internal-network-issue-22me for more details on this. This limitation is even mentioned on the official firewalld website: https://firewalld.org/#who-is-using-it
 
 ### How to run `occ` commands?
-Simply run the following: `sudo docker exec -it nextcloud-aio-nextcloud php occ your-command`. Of course `your-command` needs to be exchanged with the command that you want to run.
+Simply run the following: `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ your-command`. Of course `your-command` needs to be exchanged with the command that you want to run.
 
 ### How to resolve `Security & setup warnings displays the "missing default phone region" after initial install`?
-Simply run the following command: `sudo docker exec -it nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="yourvalue"`. Of course you need to modify `yourvalue` based on your location. Examples are `DE`, `EN` and `GB`. See this list for more codes: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
+Simply run the following command: `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="yourvalue"`. Of course you need to modify `yourvalue` based on your location. Examples are `DE`, `EN` and `GB`. See this list for more codes: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
 
 ### How to run multiple AIO instances on one server?
 See [multiple-instances.md](./multiple-instances.md) for some documentation on this.
 
 ### Bruteforce protection FAQ
-Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#security for further information.
+Nextcloud features a built-in bruteforce protection which may get triggered and will block an ip-address or disable a user. You can unblock an ip-address by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ security:bruteforce:reset <ip-address>` and enable a disabled user by running `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ user:enable <name of user>`. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#security for further information.
 
 ### Update policy
 This project values stability over new features. That means that when a new major Nextcloud update gets introduced, we will wait at least until the first patch release, e.g. `24.0.1` is out before upgrading to it. Also we will wait with the upgrade until all important apps are compatible with the new major version. Minor or patch releases for Nextcloud and all dependencies as well as all containers will be updated to new versions as soon as possible but we try to give all updates first a good test round before pushing them. That means that it can take around 2 weeks before new updates reach the `latest` channel. If you want to help testing, you can switch to the `beta` channel by following [this documentation](#how-to-switch-the-channel) which will also give you the updates earlier.
@@ -270,6 +272,12 @@ sudo borg list "/mnt/backup/borg"
 # An example backup archive might be called 20220223_174237-nextcloud-aio
 # Then you can simply delete the archive with:
 sudo borg delete --stats --progress "/mnt/backup/borg::20220223_174237-nextcloud-aio"
+
+# If borg 1.2.0 or higher is installed, you then need to run borg compact in order to clean up the freed space
+sudo borg version
+# If version number of the command above is higher than 1.2.0 you need to run the command below:
+sudo borg compact "/mnt/backup/"
+
 ```
 
 After doing so, make sure to update the backup archives list in the AIO interface!<br>
@@ -409,13 +417,6 @@ You can configure the Nextcloud container to use a specific directory on your ho
     ```
     (The value `/host_mnt/c/your/data/path` in this example would be equivalent to `C:\your\data\path` on the Windows host. So you need to translate the path that you want to use into the correct format.) ⚠️️ **Attention**: Make sure that the path exists on the host before you create the volume! Otherwise everything will bug out!
 
-⚠️ Please make sure to apply the correct permissions to the chosen directory before starting Nextcloud the first time (not needed on Windows). 
-
-- In this example for Linux, the command for this would be `sudo chown -R 33:0 /mnt/ncdata` and `sudo chmod -R 750 /mnt/ncdata`. 
-- On macOS, the command for this would be `sudo chown -R 33:0 /var/nextcloud-data` and `sudo chmod -R 750 /var/nextcloud-data`.
-- For Synology, the command for this example would be `sudo chown -R 33:0 /volume1/docker/nextcloud/data` and `sudo chmod -R 750 /volume1/docker/nextcloud/data`
-- On Windows, this command is not needed.
-
 ### How to allow the Nextcloud container to access directories on the host?
 By default, the Nextcloud container is confined and cannot access directories on the host OS. You might want to change this when you are planning to use local external storage in Nextcloud to store some files outside the data directory and can do so by adding the environmental variable `NEXTCLOUD_MOUNT` to the initial startup of the mastercontainer. Allowed values for that variable are strings that start with `/` and are not equal to `/`.
 
@@ -450,7 +451,7 @@ When your containers run for a few days without a restart, the container logs th
 ### Access/Edit Nextcloud files/folders manually
 The files and folders that you add to Nextcloud are by default stored in the following directory: `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/` on the host. If needed, you can modify/add/delete files/folders there but **ATTENTION**: be very careful when doing so because you might corrupt your AIO installation! Best is to create a backup using the built-in backup solution before editing/changing files/folders in there because you will then be able to restore your instance to the backed up state.
 
-After you are done modifying/adding/deleting files/folders, don't forget to apply the correct permissions by running: `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and rescan the files with `sudo docker exec -it nextcloud-aio-nextcloud php occ files:scan --all`.
+After you are done modifying/adding/deleting files/folders, don't forget to apply the correct permissions by running: `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and rescan the files with `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all`.
 
 ### How to store the files/installation on a separate drive?
 You can move the whole docker library and all its files including all Nextcloud AIO files and folders to a separate drive by first mounting the drive in the host OS (NTFS is not supported) and then following this tutorial: https://www.guguweb.com/2019/02/07/how-to-move-docker-data-directory-to-another-location-on-ubuntu/<br>
@@ -460,7 +461,7 @@ You can move the whole docker library and all its files including all Nextcloud
 You can edit Nextclouds config.php file directly from the host with your favorite text editor. E.g. like this: `sudo nano /var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/config/config.php`. Make sure to not break the file though which might corrupt your Nextcloud instance otherwise. In best case, create a backup using the built-in backup solution before editing the file.
 
 ### Custom skeleton directory
-If you want to define a custom skeleton directory, you can do so by putting your skeleton files into `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/skeleton/`, applying the correct permissions with `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/skeleton` and and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and setting the skeleton directory option with `sudo docker exec -it nextcloud-aio-nextcloud php occ config:system:set skeletondirectory --value="/mnt/ncdata/skeleton"`. You can read further on this option here: [click here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=skeletondir#:~:text=adding%20%3Fdirect%3D1-,'skeletondirectory',-%3D%3E%20'%2Fpath%2Fto%2Fnextcloud)
+If you want to define a custom skeleton directory, you can do so by putting your skeleton files into `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/skeleton/`, applying the correct permissions with `sudo chown -R 33:0 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/skeleton` and and `sudo chmod -R 750 /var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/*` and setting the skeleton directory option with `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:system:set skeletondirectory --value="/mnt/ncdata/skeleton"`. You can read further on this option here: [click here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=skeletondir#:~:text=adding%20%3Fdirect%3D1-,'skeletondirectory',-%3D%3E%20'%2Fpath%2Fto%2Fnextcloud)
 
 ### Fail2ban
 You can configure your server to block certain ip-addresses using fail2ban as bruteforce protection. Here is how to set it up: https://docs.nextcloud.com/server/stable/admin_manual/installation/harden_server.html#setup-fail2ban. The logpath of AIO is by default `/var/lib/docker/volumes/nextcloud_aio_nextcloud/_data/data/nextcloud.log`. Do not forget to add `chain=DOCKER-USER` to your nextcloud jail config (`nextcloud.local`) otherwise the nextcloud service running on docker will still be accessible even if the IP is banned. Also, you may change the blocked ports to cover all AIO ports: by default `80,443,8080,8443,3478` (see [this](https://github.com/nextcloud/all-in-one#explanation-of-used-ports))

reverse-proxy.md

@@ -21,7 +21,7 @@ In order to run Nextcloud behind a reverse proxy, you need to specify the port t
 
 <summary>click here to expand</summary>
 
-**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. See e.g. https://github.com/nextcloud/all-in-one/issues/834. Improvements to it are very welcome!
+**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
 
 Add this as a new Apache site config:
 
@@ -41,14 +41,14 @@ Add this as a new Apache site config:
 <VirtualHost *:443>
     ServerName <your-nc-domain>
 
-    # Reverse proxy
+    # Reverse proxy based on https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html
     RewriteEngine On
     ProxyPreserveHost On
+    AllowEncodedSlashes NoDecode
+    ProxyPass / http://localhost:11000/
     RewriteCond %{HTTP:Upgrade} websocket [NC]
     RewriteCond %{HTTP:Connection} upgrade [NC]
-    RewriteRule ^/(.*) "ws://localhost:11000/$1" [P,L]
-    ProxyPass / http://localhost:11000/
-    ProxyPassReverse / http://localhost:11000/
+    RewriteRule ^/?(.*) "ws://localhost:11000/$1" [P,QSA,B=?:;]
 
     # Enable h2, h2c and http1.1
     Protocols h2 h2c http/1.1
@@ -118,7 +118,7 @@ You can get AIO running using the ACME DNS-challenge. Here is how to do it.
     Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. You also need to adjust `<provider>` and `<key>` to match your case. Also make sure to adjust the port 11000 to match the chosen APACHE_PORT. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 1. Now continue with [point 2](#2-use-this-startup-command) but additionally, add `-e SKIP_DOMAIN_VALIDATION=true` to the docker run command which will disable the dommain validation (because it is known that the domain validation will not when using the DNS-challenge since no port is publicly opened.
 
-**Advice:** In order to make it work in your home network, you may add the internal ipv4-address of your reverse proxy as A DNS-record to your domain and disable the dns-rebind-protection in your router. Another way it to set up a local dns-server like a pi-hole and set up a custom dns-record for that domain that points to the internal ip-adddress of your reverse proxy. If both is not possible, you may add the domain to the hosts file which is needed then for any devices that shall use the server.
+**Advice:** In order to make it work in your home network, you may add the internal ipv4-address of your reverse proxy as A DNS-record to your domain and disable the dns-rebind-protection in your router. Another way it to set up a local dns-server like a pi-hole and set up a custom dns-record for that domain that points to the internal ip-adddress of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally). If both is not possible, you may add the domain to the hosts file which is needed then for any devices that shall use the server.
 
 </details>
 
@@ -135,6 +135,96 @@ Although it does not seems like it is the case but from AIO perspective a Cloudf
 
 </details>
 
+### HaProxy
+
+<details>
+
+<summary>click here to expand</summary>
+
+**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
+
+Here is an example HaProxy config:
+
+```
+global
+    chroot                      /var/haproxy
+    log                         /var/run/log audit debug
+    lua-prepend-path            /tmp/haproxy/lua/?.lua
+
+defaults
+    log     global
+    option redispatch -1
+    retries 3
+    default-server init-addr last,libc
+
+# Frontend: LetsEncrypt_443 ()
+frontend LetsEncrypt_443
+    bind 0.0.0.0:443 name 0.0.0.0:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/605f6609f106d1.17683543.certlist 
+    mode http
+    option http-keep-alive
+    default_backend acme_challenge_backend
+    option forwardfor
+    # tuning options
+    timeout client 30s
+
+    # logging options
+    # ACL: find_acme_challenge
+    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/
+    # ACL: Nextcloud
+    acl acl_60604e669c3ca4.13013327 hdr(host) -i <your-nc-domain>
+
+    # ACTION: redirect_acme_challenges
+    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
+    # ACTION: Nextcloud
+    use_backend Nextcloud if acl_60604e669c3ca4.13013327
+
+
+# Frontend: LetsEncrypt_80 ()
+frontend LetsEncrypt_80
+    bind 0.0.0.0:80 name 0.0.0.0:80 
+    mode tcp
+    default_backend acme_challenge_backend
+    # tuning options
+    timeout client 30s
+
+    # logging options
+    # ACL: find_acme_challenge
+    acl acl_605f6d4b6453d2.03059920 path_beg -i /.well-known/acme-challenge/
+
+    # ACTION: redirect_acme_challenges
+    use_backend acme_challenge_backend if acl_605f6d4b6453d2.03059920
+
+# Frontend (DISABLED): 1_HTTP_frontend ()
+
+# Frontend (DISABLED): 1_HTTPS_frontend ()
+
+# Frontend (DISABLED): 0_SNI_frontend ()
+
+# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
+backend acme_challenge_backend
+    # health checking is DISABLED
+    mode http
+    balance source
+    # stickiness
+    stick-table type ip size 50k expire 30m  
+    stick on src
+    # tuning options
+    timeout connect 30s
+    timeout server 30s
+    http-reuse safe
+    server acme_challenge_host 127.0.0.1:43580 
+
+# Backend: Nextcloud ()
+backend Nextcloud
+    mode http
+    balance source
+    server Nextcloud localhost:11000 
+```
+
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen APACHE_PORT. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
+
+</details>
+
 ### Nginx
 
 <details>
@@ -146,10 +236,29 @@ Although it does not seems like it is the case but from AIO perspective a Cloudf
 Add this to you nginx config:
 
 ```
-location / {
-        proxy_pass http://localhost:11000;
-        proxy_set_header X-Real-IP $remote_addr;
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 80;
+#    listen [::]:80;            # uncomment to use IPv6
+
+    if ($scheme = "http") {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 443 ssl http2;
+#    listen [::]:443 ssl http2; # uncomment to use IPv6
+
+    server_name <your-nc-domain>;
+
+    location / {
+        proxy_pass http://localhost:11000$request_uri;
+
         proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         client_max_body_size 0;
 
@@ -158,8 +267,21 @@ location / {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
     }
-```
 
+    ssl_certificate /etc/letsencrypt/live/<your-nc-domain>/fullchain.pem;   # managed by certbot on host machine
+    ssl_certificate_key /etc/letsencrypt/live/<your-nc-domain>/privkey.pem; # managed by certbot on host machine
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+}
+
+```
+    
 Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen APACHE_PORT. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. If that is not an option for you, you can alternatively instead of `localhost` use the ip-address that is displayed after running the following command on the host OS: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'` (the command only works on Linux)
 
 **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/588#discussioncomment-2811152) for a more complete example.