Merge pull request #2814 from nextcloud/dependabot/github_actions/codespell-project/actions-codespell-2

Bump codespell-project/actions-codespell from 1 to 2

.github/workflows/codespell.yml

@@ -0,0 +1,20 @@
+name: 'Codespell'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  codespell:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+      - name: Check spelling
+        uses: codespell-project/actions-codespell@v2
+        with:
+          check_filenames: true
+          check_hidden: true

.github/workflows/command-rebase.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@ca08ebd5dc95aa0cd97021e9708fcd6b87138c9b # v3.0.1
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -42,7 +42,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@ca08ebd5dc95aa0cd97021e9708fcd6b87138c9b # v3.0.1
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}

.github/workflows/imaginary-update.yml

@@ -19,7 +19,7 @@ jobs:
             | cut -f1 \
             | tail -1
         )"
-        sed -i "s|^ENV IMAGINARY_HASH.*|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
+        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5

.github/workflows/spellcheck.yml

@@ -1,23 +0,0 @@
-name: 'Spellcheck'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  spellcheck:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: spelling or typos
-        uses: actions/checkout@v3
-      - name: fix permission for reviewdog
-        run: sudo chown -R root:root $GITHUB_WORKSPACE
-      - name: misspell
-        uses: reviewdog/action-misspell@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          locale: "US"
-          fail_on_error: true

.github/workflows/talk.yml

@@ -21,7 +21,7 @@ jobs:
             | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
             | tail -1
         )"
-        sed -i "s|^ENV RECORDING_VERSION.*|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
+        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
         curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
         
         # Signaling

Containers/apache/Caddyfile

@@ -30,7 +30,7 @@
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867
+        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
     }
 
     # Onlyoffice

Containers/apache/Dockerfile

@@ -1,6 +1,6 @@
 FROM caddy:2.6.4-alpine as caddy
 
-FROM httpd:2.4.57-alpine3.17
+FROM httpd:2.4.57-alpine3.18
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 

Containers/apache/nextcloud.conf

@@ -3,17 +3,20 @@ Listen 8000
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
     </FilesMatch>
 
-    # Enable Brotli compression for js files
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
     <IfModule mod_brotli.c>
-        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript
+        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
         BrotliCompressionQuality 0
     </IfModule>
 

Containers/borgbackup/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 
 RUN set -ex; \
     \

Containers/borgbackup/backupscript.sh

@@ -137,6 +137,9 @@ if [ "$BORG_MODE" = backup ]; then
     # auto,zstd compression seems to has the best ratio based on:
     # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
     BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
+    if [ "$NEW_REPOSITORY" = 1 ]; then
+        BORG_OPTS+=(--progress)
+    fi
 
     # Exclude the nextcloud log and audit log for GDPR reasons
     BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
@@ -294,7 +297,7 @@ if [ "$BORG_MODE" = restore ]; then
     --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
     --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
     --exclude "nextcloud_aio_mastercontainer/session/**" \
-    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
         RESTORE_FAILED=1
         echo "Something failed while restoring from backup."
     fi

Containers/clamav/Dockerfile

@@ -6,8 +6,13 @@ COPY clamav.conf /tmp/clamav.conf
 RUN set -ex; \
     apk add --no-cache tzdata; \
     cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf; \
-    rm /tmp/clamav.conf
+    rm /tmp/clamav.conf; \
+    mkdir -p /var/run/clamav /run/lock; \
+    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
+    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp
 
-# USER root is probably used
+VOLUME /var/lib/clamav
+
+USER clamav
 
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:22.05.14.3.1
+FROM collabora/code:23.05.0.5.1
 
 USER root
 
@@ -9,11 +9,11 @@ RUN set -ex; \
     export DEBIAN_FRONTEND=noninteractive; \
     apt-get install -y --no-install-recommends \
         tzdata \
-        netcat \
+        netcat-openbsd \
     ; \
     rm -rf /var/lib/apt/lists/*
 
-USER 104
+USER 100
 
 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/domaincheck/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 RUN set -ex; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
     adduser -S www-data -G www-data; \

Containers/imaginary/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.4-alpine3.17 as go
+FROM golang:1.20.5-alpine3.18 as go
 
 ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84
 
@@ -12,7 +12,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 RUN set -ex; \
     apk add --no-cache \
         tzdata \

Containers/mastercontainer/Dockerfile

@@ -4,8 +4,8 @@ FROM docker:24.0.2-cli as docker
 # Caddy is a requirement
 FROM caddy:2.6.4-alpine as caddy
 
-# From https://github.com/docker-library/php/blob/master/8.2/alpine3.17/fpm/Dockerfile
-FROM php:8.2.6-fpm-alpine3.17
+# From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
+FROM php:8.2.7-fpm-alpine3.18
 
 EXPOSE 80
 EXPOSE 8080
@@ -62,7 +62,7 @@ RUN set -ex; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
-    find ./ -not -path ./php -maxdepth 1 -mindepth 1 -delete; \
+    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -exec rm -r {} \; ; \
     chown www-data:www-data -R /var/www/docker-aio; \
     cd php; \
     sudo -u www-data composer install --no-dev; \
@@ -80,6 +80,8 @@ RUN set -ex; \
     \
     sed -i \
             -e '/^Listen /d' \
+            -e 's/^LogLevel .*/LogLevel error/' \
+            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
             -e 's/User apache/User www-data/g' \
             -e 's/Group apache/Group www-data/g' \
             -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
@@ -95,6 +97,9 @@ RUN set -ex; \
         mkdir -p /etc/apache2/logs; \
         rm /etc/apache2/conf.d/ssl.conf; \
         echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
+        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
+        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
+        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
         echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \

Containers/mastercontainer/mastercontainer.conf

@@ -11,8 +11,11 @@ Listen 8080
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
     ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">

Containers/mastercontainer/start.sh

@@ -29,10 +29,13 @@ fi
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
     print_red "Docker socket is not available. Cannot continue."
+    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
     echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
     exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
     print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
+    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
@@ -63,6 +66,7 @@ if ! sudo -u www-data docker info &>/dev/null; then
     print_red "Cannot connect to the docker socket. Cannot proceed."
     echo "If you are on Docker Desktop v4.19 or higher, see https://github.com/nextcloud/all-in-one/issues/2450"
     echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"

Containers/nextcloud/Dockerfile

@@ -1,4 +1,4 @@
-FROM php:8.1.19-fpm-alpine3.17
+FROM php:8.1.20-fpm-alpine3.18
 
 ENV PHP_MEMORY_LIMIT 512M
 ENV PHP_UPLOAD_LIMIT 10G
@@ -91,11 +91,12 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
     { \
-        echo 'opcache.interned_strings_buffer=32'; \
+        echo 'opcache.memory_consumption=256'; \
+        echo 'opcache.interned_strings_buffer=64'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
         echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
     echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \

Containers/nextcloud/entrypoint.sh

@@ -10,6 +10,15 @@ directory_empty() {
     [ -z "$(ls -A "$1/")" ]
 }
 
+run_upgrade_if_needed_due_to_app_update() {
+    if php /var/www/html/occ status | grep needsDbUpgrade | grep -q true; then
+        # Disable integrity check temporarily until next update
+        php /var/www/html/occ config:system:set integrity.check.disabled --type bool --value true
+        php /var/www/html/occ upgrade
+        php /var/www/html/occ app:enable nextcloud-aio --force
+    fi
+}
+
 echo "Configuring Redis as session handler..."
 cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
 session.save_handler = redis
@@ -147,6 +156,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 fi
             done
 
+            run_upgrade_if_needed_due_to_app_update
+
             php /var/www/html/occ maintenance:mode --off
 
             echo "Getting and backing up the status of apps for later, this might take a while..."
@@ -170,6 +181,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
 
             php /var/www/html/occ app:update --all
 
+            run_upgrade_if_needed_due_to_app_update
+
             # Fix removing the updatenotification for old instances
             UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
             if [ -d "/var/www/html/apps/updatenotification" ]; then
@@ -343,6 +356,7 @@ DATADIR_PERMISSION_CONF
         else
             touch "$NEXTCLOUD_DATA_DIR/update.failed"
             echo "Upgrading nextcloud from $installed_version to $image_version..."
+            php /var/www/html/occ config:system:delete integrity.check.disabled
             if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                 echo "Upgrade failed. Please restore from backup."
                 bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
@@ -354,6 +368,8 @@ DATADIR_PERMISSION_CONF
 
             php /var/www/html/occ app:update --all
 
+            run_upgrade_if_needed_due_to_app_update
+
             # Restore app status
             if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
                 echo "Restoring the status of apps. This can take a while..."
@@ -367,6 +383,7 @@ DATADIR_PERMISSION_CONF
                                     rm -r "/var/www/html/custom_apps/$app"
                                     php /var/www/html/occ maintenance:mode --off
                                 fi
+                                run_upgrade_if_needed_due_to_app_update
                                 echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                 if [ "$app" = apporder ]; then
                                     CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
@@ -387,6 +404,8 @@ DATADIR_PERMISSION_CONF
 
             php /var/www/html/occ app:update --all
 
+            run_upgrade_if_needed_due_to_app_update
+
             # Apply optimization
             echo "Doing some optimizations..."
             php /var/www/html/occ maintenance:repair
@@ -402,8 +421,7 @@ DATADIR_PERMISSION_CONF
     # Performing update of all apps if daily backups are enabled, running and successful and if it is saturday
     if [ "$UPDATE_NEXTCLOUD_APPS" = 'yes' ] && [ "$(date +%u)" = 6 ]; then
         UPDATED_APPS="$(php /var/www/html/occ app:update --all)"
-        # Update all apps again and try to prevent something like https://github.com/nextcloud/polls/issues/2793 from happening
-        php /var/www/html/occ app:update --all
+        run_upgrade_if_needed_due_to_app_update
         if [ -n "$UPDATED_APPS" ]; then
              bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
         fi
@@ -412,12 +430,15 @@ else
     SKIP_UPDATE=1
 fi
 
+run_upgrade_if_needed_due_to_app_update
+
 if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
     # Check if appdata is present
     # If not, something broke (e.g. changing ncdatadir after aio was first started)
     if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you maybe change the datadir after aio was first started?"
+        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
         echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
+        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
         echo "In the datadir was found:"
         ls -la "$NEXTCLOUD_DATA_DIR/"
         exit 1
@@ -446,6 +467,7 @@ php /var/www/html/occ app:enable support
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
+php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"

Containers/nextcloud/healthcheck.sh

@@ -2,6 +2,6 @@
 
 nc -z "$POSTGRES_HOST" 5432 || exit 0
 
-if ! nc -z localhost 9000 || ! nc -z localhost 7867; then
+if ! nc -z localhost 9000; then
     exit 1
 fi

Containers/nextcloud/start.sh

@@ -131,14 +131,4 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
     exit 1
 fi
 
-# Correctly set CPU_ARCH for notify_push
-CPU_ARCH="$(uname -m)"
-export CPU_ARCH
-if [ -z "$CPU_ARCH" ]; then
-    echo "Could not get processor architecture. Exiting."
-    exit 1
-elif [ "$CPU_ARCH" != "x86_64" ]; then
-    export CPU_ARCH="aarch64"
-fi
-
 exec "$@"

Containers/nextcloud/supervisord.conf

@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 
-[program:notify-push]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
-user=www-data
-
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

Containers/notify-push/Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:3.18.2
+
+COPY --chmod=775 start.sh /start.sh
+
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        netcat-openbsd \
+        tzdata \
+        bash \
+        openssl; \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk del --no-cache \
+        openssl;
+
+USER 33
+ENTRYPOINT ["/start.sh"]
+
+HEALTHCHECK CMD nc -z localhost 7867 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/notify-push/start.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+if [ -z "$NEXTCLOUD_HOST" ]; then
+    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$POSTGRES_HOST" ]; then
+    echo "POSTGRES_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$REDIS_HOST" ]; then
+    echo "REDIS_HOST need to be provided. Exiting!"
+    exit 1
+fi
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+# Correctly set CPU_ARCH for notify_push
+CPU_ARCH="$(uname -m)"
+export CPU_ARCH
+if [ -z "$CPU_ARCH" ]; then
+    echo "Could not get processor architecture. Exiting."
+    exit 1
+elif [ "$CPU_ARCH" != "x86_64" ]; then
+    export CPU_ARCH="aarch64"
+fi
+
+# Run it
+/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --database-prefix="oc_" \
+    --nextcloud-url "https://$NC_DOMAIN" \
+    --port 7867 \
+    --redis-url "redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST" \
+    --database-url "postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+
+exec "$@"

Containers/onlyoffice/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.3.3.50
+FROM onlyoffice/documentserver:7.4.0.1
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -6,7 +6,11 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
 
 RUN set -ex; \
-    apk add --no-cache bash openssl shadow grep; \
+    apk add --no-cache \
+        bash \
+        openssl \
+        shadow \
+        grep; \
     \
 # We need to use the same gid and uid as on old installations
     deluser postgres; \
@@ -24,7 +28,8 @@ RUN set -ex; \
     chown postgres:postgres /mnt/data; \
     \
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl;
 
 VOLUME /mnt/data
 

Containers/postgresql/start.sh

@@ -146,11 +146,19 @@ if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
     rm -rf "${DATADIR:?}/"*
 fi
 
-echo "Setting max connections..."
-MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
-MAX_CONNECTIONS=$((MEMORY/50+3))
-if [ -n "$MAX_CONNECTIONS" ]; then
-    sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+# Modify postgresql.conf
+if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
+    echo "Setting max connections..."
+    MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+    MAX_CONNECTIONS=$((MEMORY/50+3))
+    if [ -n "$MAX_CONNECTIONS" ]; then
+        sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+    fi
+
+    # Modify conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
+    fi
 fi
 
 # Catch docker stop attempts

Containers/redis/Dockerfile

@@ -1,7 +1,7 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
 FROM redis:7.0.11-alpine
 
-COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=775 start.sh /start.sh
 
 RUN set -ex; \
     apk add --no-cache openssl bash; \
@@ -10,7 +10,7 @@ RUN set -ex; \
     echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER redis
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
 LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/redis/start.sh

@@ -8,9 +8,9 @@ fi
 
 # Run redis with a password if provided
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else
-    exec redis-server
+    exec redis-server --loglevel warning
 fi
 
 exec "$@"

Containers/talk-recording/Dockerfile

@@ -1,8 +1,8 @@
-FROM python:3.11.3-alpine3.18
+FROM python:3.11.4-alpine3.18
 
 COPY --chmod=775 start.sh /start.sh
 
-ENV RECORDING_VERSION v16.0.4
+ENV RECORDING_VERSION v17.0.0
 
 RUN set -ex; \
     apk add --no-cache \

Containers/talk/Dockerfile

@@ -1,19 +1,23 @@
-FROM nats:2.9.17-scratch as nats
+FROM nats:2.9.18-scratch as nats
 FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
-FROM coturn/coturn:4.6.2-r0-alpine
+FROM coturn/coturn:4.6.2-r3-alpine
 USER root
+# Pin alpine version manually as long as https://github.com/coturn/coturn/issues/1226 is not done
+ENV ALPINE_VERSION=3.18
 
 COPY --from=nats /nats-server /usr/local/bin/nats-server
 COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
 
-COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=775 start.sh /start.sh
 COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
+    grep VERSION_ID /etc/os-release | grep -q "$ALPINE_VERSION.[0-9]\+$"; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
         bash \
+        janus-gateway \
         openssl \
         supervisor \
         bind-tools \
@@ -21,9 +25,9 @@ RUN set -ex; \
         shadow \
         util-linux \
         build-base \
+        wget \
         lua5.3-dev \
         luarocks5.3; \
-    apk add --no-cache janus-gateway --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
     useradd --system talk; \
     luarocks-5.3 install luajson; \
     luarocks-5.3 install ansicolors; \
@@ -32,6 +36,7 @@ RUN set -ex; \
         shadow \
         util-linux \
         build-base \
+        wget \
         lua5.3-dev \
         luarocks5.3; \
     \
@@ -62,7 +67,7 @@ RUN set -ex; \
 ENV TALK_PORT=3478
 
 USER talk
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1

Containers/talk/supervisord.conf

@@ -27,7 +27,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle
+command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 
 [program:signaling]
 stdout_logfile=/dev/stdout

Containers/watchtower/Dockerfile

@@ -1,7 +1,7 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.5.3 as watchtower
 
-FROM alpine:3.17.3
+FROM alpine:3.18.2
 
 RUN apk add --no-cache bash
 COPY --from=watchtower /watchtower /watchtower

compose.yaml

@@ -7,26 +7,26 @@ services:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
       - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
     ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       - 8080:8080
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
     # environment: # Is needed when using any of the options below
-      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface.
-      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
       # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
-      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
       # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
       # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
       # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
       # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
+      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
       # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
       # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
       # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container which is needed for hardware-transcoding. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using.
+      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
       # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
     # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
       # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
@@ -51,7 +51,6 @@ volumes:
 
 # # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
 # # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
-# # Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 # networks:
 #   nextcloud-aio:
 #     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO

local-instance.md

@@ -6,14 +6,14 @@ The recommended way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
 1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
-1. Enter the ip-address of your local dns-server in the deamon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
+1. Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
 1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup
 
 ## 2. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge
 
 ## 3. Use Cloudflare
-If you do not have any contol over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
+If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
 
 ## 4. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.

manual-install/latest.yml

@@ -40,9 +40,9 @@ services:
       - PGTZ=${TIMEZONE}
     stop_grace_period: 1800s
     restart: unless-stopped
+    shm_size: 268435456
     networks:
       - nextcloud-aio
-    shm_size: 268435456
 
   nextcloud-aio-nextcloud:
     depends_on:
@@ -50,6 +50,7 @@ services:
       - nextcloud-aio-redis
       - nextcloud-aio-clamav
       - nextcloud-aio-fulltextsearch
+      - nextcloud-aio-talk-recording
       - nextcloud-aio-imaginary
     image: nextcloud/aio-nextcloud:latest
     expose:
@@ -67,7 +68,6 @@ services:
       - POSTGRES_USER=nextcloud
       - REDIS_HOST=nextcloud-aio-redis
       - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
-      - AIO_TOKEN=${AIO_TOKEN}
       - NC_DOMAIN=${NC_DOMAIN}
       - ADMIN_USER=admin
       - ADMIN_PASSWORD=${NEXTCLOUD_PASSWORD}
@@ -77,7 +77,6 @@ services:
       - TURN_SECRET=${TURN_SECRET}
       - SIGNALING_SECRET=${SIGNALING_SECRET}
       - ONLYOFFICE_SECRET=${ONLYOFFICE_SECRET}
-      - AIO_URL=${AIO_URL}
       - NEXTCLOUD_MOUNT=${NEXTCLOUD_MOUNT}
       - CLAMAV_ENABLED=${CLAMAV_ENABLED}
       - CLAMAV_HOST=nextcloud-aio-clamav
@@ -101,6 +100,9 @@ services:
       - ADDITIONAL_APKS=${NEXTCLOUD_ADDITIONAL_APKS}
       - ADDITIONAL_PHP_EXTENSIONS=${NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS}
       - INSTALL_LATEST_MAJOR=${INSTALL_LATEST_MAJOR}
+      - TALK_RECORDING_ENABLED=${TALK_RECORDING_ENABLED}
+      - RECORDING_SECRET=${RECORDING_SECRET}
+      - TALK_RECORDING_HOST=nextcloud-aio-talk-recording
     restart: unless-stopped
     networks:
       - nextcloud-aio
@@ -117,9 +119,9 @@ services:
     restart: unless-stopped
     networks:
       - nextcloud-aio
+    read_only: true
 
   nextcloud-aio-collabora:
-    profiles: ["collabora"]
     image: nextcloud/aio-collabora:latest
     expose:
       - "9980"
@@ -130,14 +132,13 @@ services:
       - TZ=${TIMEZONE}
       - server_name=${NC_DOMAIN}
       - DONT_GEN_SSL_CERT=1
-    volumes:
-      - nextcloud_aio_collabora_fonts:/opt/cool/systemplate/tmpfonts:rw
     restart: unless-stopped
+    profiles:
+      - collabora
     networks:
       - nextcloud-aio
 
   nextcloud-aio-talk:
-    profiles: ["talk"]
     image: nextcloud/aio-talk:latest
     ports:
       - ${TALK_PORT}:${TALK_PORT}/tcp
@@ -150,12 +151,31 @@ services:
       - SIGNALING_SECRET=${SIGNALING_SECRET}
       - TZ=${TIMEZONE}
       - TALK_PORT=${TALK_PORT}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
     restart: unless-stopped
+    profiles:
+      - talk
+      - talk-recording
+    networks:
+      - nextcloud-aio
+
+  nextcloud-aio-talk-recording:
+    image: nextcloud/aio-talk-recording:latest
+    expose:
+      - "1234"
+    environment:
+      - NC_DOMAIN=${NC_DOMAIN}
+      - TZ=${TIMEZONE}
+      - RECORDING_SECRET=${RECORDING_SECRET}
+      - INTERNAL_SECRET=${TALK_INTERNAL_SECRET}
+    shm_size: 2147483648
+    restart: unless-stopped
+    profiles:
+      - talk-recording
     networks:
       - nextcloud-aio
 
   nextcloud-aio-clamav:
-    profiles: ["clamav"]
     image: nextcloud/aio-clamav:latest
     expose:
       - "3310"
@@ -165,11 +185,12 @@ services:
     volumes:
       - nextcloud_aio_clamav:/var/lib/clamav:rw
     restart: unless-stopped
+    profiles:
+      - clamav
     networks:
       - nextcloud-aio
 
   nextcloud-aio-onlyoffice:
-    profiles: ["onlyoffice"]
     image: nextcloud/aio-onlyoffice:latest
     expose:
       - "80"
@@ -181,24 +202,26 @@ services:
     volumes:
       - nextcloud_aio_onlyoffice:/var/lib/onlyoffice:rw
     restart: unless-stopped
+    profiles:
+      - onlyoffice
     networks:
       - nextcloud-aio
 
   nextcloud-aio-imaginary:
-    profiles: ["imaginary"]
     image: nextcloud/aio-imaginary:latest
     expose:
       - "9000"
     environment:
       - TZ=${TIMEZONE}
     restart: unless-stopped
-    networks:
-      - nextcloud-aio
     cap_add:
       - SYS_NICE
+    profiles:
+      - imaginary
+    networks:
+      - nextcloud-aio
 
   nextcloud-aio-fulltextsearch:
-    profiles: ["fulltextsearch"]
     image: nextcloud/aio-fulltextsearch:latest
     expose:
       - "9200"
@@ -210,6 +233,8 @@ services:
     volumes:
       - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
     restart: unless-stopped
+    profiles:
+      - fulltextsearch
     networks:
       - nextcloud-aio
 
@@ -218,8 +243,6 @@ volumes:
     name: nextcloud_aio_apache
   nextcloud_aio_clamav:
     name: nextcloud_aio_clamav
-  nextcloud_aio_collabora_fonts:
-    name: nextcloud_aio_collabora_fonts
   nextcloud_aio_database:
     name: nextcloud_aio_database
   nextcloud_aio_database_dump:

manual-install/readme.md

@@ -28,9 +28,9 @@ Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml
 Now you should be ready to go with `sudo docker-compose up`.
 
 ## Docker profiles
-The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, onlyoffice, talk, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
+The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, talk, talk-recording, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
 
-For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).
+For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile talk-recording --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).
 
 ## How to update?
 Since the AIO containers may change in the future, it is highly recommended to strictly follow the following procedure whenever you want to upgrade your containers.

manual-install/sample.conf

@@ -2,8 +2,10 @@ DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
 NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
 NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
 ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
+RECORDING_SECRET=          # TODO! This needs to be a unique and good password!
 REDIS_PASSWORD=          # TODO! This needs to be a unique and good password!
 SIGNALING_SECRET=          # TODO! This needs to be a unique and good password!
+TALK_INTERNAL_SECRET=          # TODO! This needs to be a unique and good password!
 TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.
 TURN_SECRET=          # TODO! This needs to be a unique and good password!
 
@@ -13,12 +15,11 @@ FULLTEXTSEARCH_ENABLED="no"          # Setting this to "yes" (with quotes) enabl
 IMAGINARY_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 
-AIO_TOKEN=123456          # Has no function but needs to be set!
-AIO_URL=localhost          # Has no function but needs to be set!
-APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect
+APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
+APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
 COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation

manual-install/update-yaml.sh

@@ -78,8 +78,8 @@ sed -i 's|APACHE_MAX_SIZE=|APACHE_MAX_SIZE=10737418240          # This needs to
 sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container|' sample.conf
 sed -i 's|NEXTCLOUD_TRUSTED_CACERTS_DIR=|NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf
 sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf
-sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).|' sample.conf
-sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect|' sample.conf
+sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).|' sample.conf
+sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect|' sample.conf
 sed -i 's|TALK_PORT=|TALK_PORT=3478          # This allows to adjust the port that the talk container is using.|' sample.conf
 sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.|' sample.conf
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 6.0.0
+version: 6.1.1
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -54,7 +54,7 @@ spec:
               value: nextcloud-aio-talk
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20230606_070951-latest
+          image: nextcloud/aio-apache:20230613_120442-latest
           name: nextcloud-aio-apache
           ports:
             - containerPort: {{ .Values.APACHE_PORT }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "90"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20230606_070951-latest
+          image: nextcloud/aio-clamav:20230613_120442-latest
           name: nextcloud-aio-clamav
           ports:
             - containerPort: 3310

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -22,16 +22,6 @@ spec:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-collabora
     spec:
-      initContainers:
-        - name: init-volumes
-          image: alpine
-          command:
-            - chmod
-            - "777"
-            - /nextcloud-aio-collabora-fonts
-          volumeMounts:
-            - name: nextcloud-aio-collabora-fonts
-              mountPath: /nextcloud-aio-collabora-fonts
       containers:
         - env:
             - name: DONT_GEN_SSL_CERT
@@ -46,15 +36,8 @@ spec:
               value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20230606_070951-latest
+          image: nextcloud/aio-collabora:20230613_120442-latest
           name: nextcloud-aio-collabora
           ports:
             - containerPort: 9980
-          volumeMounts:
-            - mountPath: /opt/cool/systemplate/tmpfonts
-              name: nextcloud-aio-collabora-fonts
-      volumes:
-        - name: nextcloud-aio-collabora-fonts
-          persistentVolumeClaim:
-            claimName: nextcloud-aio-collabora-fonts
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-fonts-persistentvolumeclaim.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  labels:
-    io.kompose.service: nextcloud-aio-collabora-fonts
-  name: nextcloud-aio-collabora-fonts
-spec:
-  {{- if .Values.STORAGE_CLASS }}
-  storageClassName: {{ .Values.STORAGE_CLASS }}
-  {{- end }}
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: {{ .Values.COLLABORA_FONTS_STORAGE_SIZE }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -60,7 +60,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20230606_070951-latest
+          image: nextcloud/aio-postgresql:20230613_120442-latest
           name: nextcloud-aio-database
           ports:
             - containerPort: 5432

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: discovery.type
               value: single-node
-          image: nextcloud/aio-fulltextsearch:20230606_070951-latest
+          image: nextcloud/aio-fulltextsearch:20230613_120442-latest
           name: nextcloud-aio-fulltextsearch
           ports:
             - containerPort: 9200

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -26,7 +26,7 @@ spec:
         - env:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20230606_070951-latest
+          image: nextcloud/aio-imaginary:20230613_120442-latest
           name: nextcloud-aio-imaginary
           ports:
             - containerPort: 9000

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -44,10 +44,6 @@ spec:
               value: "{{ .Values.NEXTCLOUD_PASSWORD }}"
             - name: ADMIN_USER
               value: admin
-            - name: AIO_TOKEN
-              value: "{{ .Values.AIO_TOKEN }}"
-            - name: AIO_URL
-              value: "{{ .Values.AIO_URL }}"
             - name: CLAMAV_ENABLED
               value: "{{ .Values.CLAMAV_ENABLED }}"
             - name: CLAMAV_HOST
@@ -94,6 +90,8 @@ spec:
               value: "{{ .Values.DATABASE_PASSWORD }}"
             - name: POSTGRES_USER
               value: nextcloud
+            - name: RECORDING_SECRET
+              value: "{{ .Values.RECORDING_SECRET }}"
             - name: REDIS_HOST
               value: nextcloud-aio-redis
             - name: REDIS_HOST_PASSWORD
@@ -106,6 +104,10 @@ spec:
               value: "{{ .Values.TALK_ENABLED }}"
             - name: TALK_PORT
               value: "{{ .Values.TALK_PORT }}"
+            - name: TALK_RECORDING_ENABLED
+              value: "{{ .Values.TALK_RECORDING_ENABLED }}"
+            - name: TALK_RECORDING_HOST
+              value: nextcloud-aio-talk-recording
             - name: TRUSTED_CACERTS_DIR
               value: "{{ .Values.NEXTCLOUD_TRUSTED_CACERTS_DIR }}"
             - name: TURN_SECRET
@@ -114,7 +116,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: UPDATE_NEXTCLOUD_APPS
               value: "{{ .Values.UPDATE_NEXTCLOUD_APPS }}"
-          image: nextcloud/aio-nextcloud:20230606_070951-latest
+          image: nextcloud/aio-nextcloud:20230613_120442-latest
           name: nextcloud-aio-nextcloud
           ports:
             - containerPort: 9000

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -42,7 +42,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20230606_070951-latest
+          image: nextcloud/aio-onlyoffice:20230613_120442-latest
           name: nextcloud-aio-onlyoffice
           ports:
             - containerPort: 80

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -37,7 +37,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20230606_070951-latest
+          image: nextcloud/aio-redis:20230613_120442-latest
           name: nextcloud-aio-redis
           ports:
             - containerPort: 6379

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -24,6 +24,8 @@ spec:
     spec:
       containers:
         - env:
+            - name: INTERNAL_SECRET
+              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
             - name: NC_DOMAIN
               value: "{{ .Values.NC_DOMAIN }}"
             - name: SIGNALING_SECRET
@@ -34,7 +36,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20230606_070951-latest
+          image: nextcloud/aio-talk:20230613_120442-latest
           name: nextcloud-aio-talk
           ports:
             - containerPort: {{ .Values.TALK_PORT }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -0,0 +1,39 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml
+    kompose.version: 1.28.0 (c4137012e)
+  labels:
+    io.kompose.service: nextcloud-aio-talk-recording
+  name: nextcloud-aio-talk-recording
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-talk-recording
+  template:
+    metadata:
+      annotations:
+        kompose.cmd: kompose convert -c -f latest.yml
+        kompose.version: 1.28.0 (c4137012e)
+      labels:
+        io.kompose.network/nextcloud-aio: "true"
+        io.kompose.service: nextcloud-aio-talk-recording
+    spec:
+      containers:
+        - env:
+            - name: INTERNAL_SECRET
+              value: "{{ .Values.TALK_INTERNAL_SECRET }}"
+            - name: NC_DOMAIN
+              value: "{{ .Values.NC_DOMAIN }}"
+            - name: RECORDING_SECRET
+              value: "{{ .Values.RECORDING_SECRET }}"
+            - name: TZ
+              value: "{{ .Values.TIMEZONE }}"
+          image: nextcloud/aio-talk-recording:20230613_120442-latest
+          name: nextcloud-aio-talk-recording
+          ports:
+            - containerPort: 1234
+{{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml
+    kompose.version: 1.28.0 (c4137012e)
+  labels:
+    io.kompose.service: nextcloud-aio-talk-recording
+  name: nextcloud-aio-talk-recording
+spec:
+  ports:
+    - name: "1234"
+      port: 1234
+      targetPort: 1234
+  selector:
+    io.kompose.service: nextcloud-aio-talk-recording
+{{- end }}

nextcloud-aio-helm-chart/update-helm.sh

@@ -113,6 +113,10 @@ find ./ -name '*service.yaml' -exec sed -i "/^status:/,$ d" \{} \;
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 # shellcheck disable=SC1083
+find ./ -name '*deployment.yaml' -exec sed -i "/medium: Memory/d" \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*deployment.yaml' -exec sed -i "s|emptyDir:|emptyDir: {}|" \{} \; 
+# shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "s|ReadOnlyMany|ReadWriteOnce|" \{} \;   
 # shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "/accessModes:/i\ \ {{- if .Values.STORAGE_CLASS }}" \{} \;  
@@ -193,6 +197,7 @@ sed -i '/_ENABLED.*/s/ yes / "yes" /' /tmp/sample.conf
 sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
 sed -i 's|10737418240|"10737418240"|' /tmp/sample.conf
+echo "" >> /tmp/sample.conf
 # shellcheck disable=SC2129
 echo 'STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes' >> /tmp/sample.conf
 for variable in "${VOLUME_VARIABLE[@]}"; do
@@ -200,12 +205,12 @@ for variable in "${VOLUME_VARIABLE[@]}"; do
 done
 mv /tmp/sample.conf ../helm-chart/values.yaml
 
-ENABLED_VARIABLES="$(grep -oP '^[A-Z]+_ENABLED' ../helm-chart/values.yaml)"
+ENABLED_VARIABLES="$(grep -oP '^[A-Z_]+_ENABLED' ../helm-chart/values.yaml)"
 mapfile -t ENABLED_VARIABLES <<< "$ENABLED_VARIABLES"
 
 cd ../helm-chart/
 for variable in "${ENABLED_VARIABLES[@]}"; do
-    name="$(echo "$variable" | sed 's|_ENABLED||g' | tr '[:upper:]' '[:lower:]')"
+    name="$(echo "$variable" | sed 's|_ENABLED||g;s|_|-|g' | tr '[:upper:]' '[:lower:]')"
     # shellcheck disable=SC1083
     find ./ -name "*nextcloud-aio-$name-deployment.yaml" -exec sed -i "1i\\{{- if eq .Values.$variable \"yes\" }}" \{} \; 
     # shellcheck disable=SC1083

nextcloud-aio-helm-chart/values.yaml

@@ -2,8 +2,10 @@ DATABASE_PASSWORD:           # TODO! This needs to be a unique and good password
 NC_DOMAIN: yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
 NEXTCLOUD_PASSWORD:           # TODO! This is the password of the initially created Nextcloud admin with username admin.
 ONLYOFFICE_SECRET:           # TODO! This needs to be a unique and good password!
+RECORDING_SECRET:           # TODO! This needs to be a unique and good password!
 REDIS_PASSWORD:           # TODO! This needs to be a unique and good password!
 SIGNALING_SECRET:           # TODO! This needs to be a unique and good password!
+TALK_INTERNAL_SECRET:           # TODO! This needs to be a unique and good password!
 TIMEZONE: Europe/Berlin          # TODO! This is the timezone that your containers will use.
 TURN_SECRET:           # TODO! This needs to be a unique and good password!
 
@@ -13,11 +15,10 @@ FULLTEXTSEARCH_ENABLED: "no"          # Setting this to "yes" (with quotes) enab
 IMAGINARY_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 ONLYOFFICE_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
+TALK_RECORDING_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 
-AIO_TOKEN: 123456          # Has no function but needs to be set!
-AIO_URL: localhost          # Has no function but needs to be set!
 APACHE_MAX_SIZE: "10737418240"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
+APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
 COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
 COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 INSTALL_LATEST_MAJOR: no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
@@ -33,7 +34,6 @@ UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will
 STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes
 APACHE_STORAGE_SIZE: 1Gi       # You can change the size of the apache volume that default to 1Gi with this value
 CLAMAV_STORAGE_SIZE: 1Gi       # You can change the size of the clamav volume that default to 1Gi with this value
-COLLABORA_FONTS_STORAGE_SIZE: 1Gi       # You can change the size of the collabora-fonts volume that default to 1Gi with this value
 DATABASE_STORAGE_SIZE: 1Gi       # You can change the size of the database volume that default to 1Gi with this value
 DATABASE_DUMP_STORAGE_SIZE: 1Gi       # You can change the size of the database-dump volume that default to 1Gi with this value
 ELASTICSEARCH_STORAGE_SIZE: 1Gi       # You can change the size of the elasticsearch volume that default to 1Gi with this value

php/composer.lock

@@ -626,16 +626,16 @@
         },
         {
             "name": "php-di/php-di",
-            "version": "7.0.2",
+            "version": "7.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHP-DI/PHP-DI.git",
-                "reference": "5d1a8664e24f23b25e0426bbcb1288287fb49181"
+                "reference": "d5dad2500f409d8b78371823c8b382fe9b5d0917"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/5d1a8664e24f23b25e0426bbcb1288287fb49181",
-                "reference": "5d1a8664e24f23b25e0426bbcb1288287fb49181",
+                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/d5dad2500f409d8b78371823c8b382fe9b5d0917",
+                "reference": "d5dad2500f409d8b78371823c8b382fe9b5d0917",
                 "shasum": ""
             },
             "require": {
@@ -649,13 +649,13 @@
             },
             "require-dev": {
                 "friendsofphp/php-cs-fixer": "^3",
+                "friendsofphp/proxy-manager-lts": "^1",
                 "mnapoli/phpunit-easymock": "^1.3",
-                "ocramius/proxy-manager": "^2.11.2",
                 "phpunit/phpunit": "^9.5",
                 "vimeo/psalm": "^4.6"
             },
             "suggest": {
-                "ocramius/proxy-manager": "Install it if you want to use lazy injection (version ^2.3)"
+                "friendsofphp/proxy-manager-lts": "Install it if you want to use lazy injection (version ^1)"
             },
             "type": "library",
             "autoload": {
@@ -683,7 +683,7 @@
             ],
             "support": {
                 "issues": "https://github.com/PHP-DI/PHP-DI/issues",
-                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.2"
+                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.3"
             },
             "funding": [
                 {
@@ -695,7 +695,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-02-07T17:34:03+00:00"
+            "time": "2023-06-17T10:21:14+00:00"
         },
         {
             "name": "php-di/slim-bridge",
@@ -1709,16 +1709,16 @@
         },
         {
             "name": "twig/twig",
-            "version": "v3.6.0",
+            "version": "v3.6.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "106c170d08e8415d78be2d16c3d057d0d108262b"
+                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/106c170d08e8415d78be2d16c3d057d0d108262b",
-                "reference": "106c170d08e8415d78be2d16c3d057d0d108262b",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
+                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
                 "shasum": ""
             },
             "require": {
@@ -1764,7 +1764,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.6.0"
+                "source": "https://github.com/twigphp/Twig/tree/v3.6.1"
             },
             "funding": [
                 {
@@ -1776,7 +1776,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-05-03T19:06:57+00:00"
+            "time": "2023-06-08T12:52:13+00:00"
         }
     ],
     "packages-dev": [],

php/containers-schema.json

@@ -137,6 +137,13 @@
 					"read_only": {
 						"type": "boolean"
 					},
+					"tmpfs": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"pattern": "^/[a-z/_]+$"
+						}
+					},
 					"volumes": {
 						"type": "array",
 						"items": {

php/containers.json

@@ -6,7 +6,8 @@
         "nextcloud-aio-onlyoffice",
         "nextcloud-aio-collabora",
         "nextcloud-aio-talk",
-        "nextcloud-aio-nextcloud"
+        "nextcloud-aio-nextcloud",
+        "nextcloud-aio-notify-push"
       ],
       "display_name": "Apache",
       "image": "nextcloud/aio-apache",
@@ -27,7 +28,8 @@
         "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
         "TZ=%TIMEZONE%",
         "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
-        "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%"
+        "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
+        "NOTIFY_PUSH_HOST=nextcloud-aio-notify-push"
       ],
       "volumes": [
         {
@@ -104,8 +106,7 @@
       "display_name": "Nextcloud",
       "image": "nextcloud/aio-nextcloud",
       "expose": [
-        "9000",
-        "7867"
+        "9000"
       ],
       "internal_port": "9000",
       "secrets": [
@@ -193,6 +194,41 @@
         "nextcloud-aio"
       ]
     },
+    {
+      "container_name": "nextcloud-aio-notify-push",
+      "display_name": "Notify Push",
+      "image": "nextcloud/aio-notify-push",
+      "expose": [
+        "7867"
+      ],
+      "internal_port": "7867",
+      "secrets": [
+        "REDIS_PASSWORD",
+        "DATABASE_PASSWORD"
+      ],
+      "volumes": [
+        {
+          "source": "nextcloud_aio_nextcloud",
+          "destination": "/nextcloud",
+          "writeable": false
+        }
+      ],
+      "environment": [
+        "NC_DOMAIN=%NC_DOMAIN%",
+        "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
+        "REDIS_HOST=nextcloud-aio-redis",
+        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
+        "POSTGRES_HOST=nextcloud-aio-database",
+        "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
+        "POSTGRES_DB=nextcloud_database",
+        "POSTGRES_USER=nextcloud"
+      ],
+      "restart": "unless-stopped",
+      "networks": [
+        "nextcloud-aio"
+      ],
+      "read_only": true
+    },
     {
       "container_name": "nextcloud-aio-redis",
       "display_name": "Redis",
@@ -374,7 +410,12 @@
       "cap_add": [
         "SYS_ADMIN"
       ],
-      "apparmor_unconfined": true
+      "apparmor_unconfined": true,
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/nextcloud_aio_volumes"
+      ]
     },
     {
       "container_name": "nextcloud-aio-watchtower",
@@ -388,7 +429,8 @@
           "destination": "/var/run/docker.sock",
           "writeable": false
         }
-      ]
+      ],
+      "read_only": true
     },
     {
       "container_name": "nextcloud-aio-domaincheck",
@@ -434,6 +476,12 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/lock",
+        "/var/log/clamav",
+        "/tmp"
       ]
     },
     {
@@ -488,7 +536,8 @@
       ],
       "networks": [
         "nextcloud-aio"
-      ]
+      ],
+      "read_only": true
     },
     {
       "container_name": "nextcloud-aio-fulltextsearch",

php/src/Container/Container.php

@@ -31,6 +31,7 @@ class Container {
     private array $backupVolumes;
     private array $nextcloudExecCommands;
     private bool $readOnlyRootFs;
+    private array $tmpfs;
     private DockerActionManager $dockerActionManager;
 
     public function __construct(
@@ -52,6 +53,7 @@ class Container {
         array $backupVolumes,
         array $nextcloudExecCommands,
         bool $readOnlyRootFs,
+        array $tmpfs,
         DockerActionManager $dockerActionManager
     ) {
         $this->identifier = $identifier;
@@ -72,6 +74,7 @@ class Container {
         $this->backupVolumes = $backupVolumes;
         $this->nextcloudExecCommands = $nextcloudExecCommands;
         $this->readOnlyRootFs = $readOnlyRootFs;
+        $this->tmpfs = $tmpfs;
         $this->dockerActionManager = $dockerActionManager;
     }
 
@@ -111,6 +114,10 @@ class Container {
         return $this->secrets;
     }
 
+    public function GetTmpfs() : array {
+        return $this->tmpfs;
+    }
+
     public function GetDevices() : array {
         return $this->devices;
     }

php/src/ContainerDefinitionFetcher.php

@@ -267,6 +267,11 @@ class ContainerDefinitionFetcher
                 $readOnlyRootFs = $entry['read_only'];
             }
 
+            $tmpfs = [];
+            if (isset($entry['tmpfs'])) {
+                $tmpfs = $entry['tmpfs'];
+            }
+
             $containers[] = new Container(
                 $entry['container_name'],
                 $displayName,
@@ -286,6 +291,7 @@ class ContainerDefinitionFetcher
                 $backupVolumes,
                 $nextcloudExecCommands,
                 $readOnlyRootFs,
+                $tmpfs,
                 $this->container->get(DockerActionManager::class)
             );
         }

php/src/Controller/ConfigurationController.php

@@ -121,6 +121,10 @@ class ConfigurationController
                 $this->configurationManager->SetCollaboraDictionaries($collaboraDictionaries);
             }
 
+            if (isset($request->getParsedBody()['delete_borg_backup_host_location'])) {
+                $this->configurationManager->DeleteBorgBackupHostLocation();
+            }
+
             return $response->withStatus(201)->withHeader('Location', '/');
         } catch (InvalidSettingConfigurationException $ex) {
             $response->getBody()->write($ex->getMessage());

php/src/Data/ConfigurationManager.php

@@ -413,6 +413,12 @@ class ConfigurationManager
         $this->WriteConfig($config);
     }
 
+    public function DeleteBorgBackupHostLocation() : void {
+        $config = $this->GetConfig();
+        $config['borg_backup_host_location'] = '';
+        $this->WriteConfig($config);
+    }
+
         /**
      * @throws InvalidSettingConfigurationException
      */

php/src/Docker/DockerActionManager.php

@@ -369,7 +369,7 @@ class DockerActionManager
                 } else {
                     $secret = $this->configurationManager->GetSecret($out[1]);
                     if ($secret === "") {
-                        throw new \Exception("The secret " . $out[1] . " is empty. Cannot substitute its value. Pleas check if it is defined in secrets of containers.json.");
+                        throw new \Exception("The secret " . $out[1] . " is empty. Cannot substitute its value. Please check if it is defined in secrets of containers.json.");
                     }
                     $replacements[1] = $secret;
                 }
@@ -430,6 +430,14 @@ class DockerActionManager
             $requestBody['HostConfig']['ShmSize'] = $shmSize;
         }
 
+        $tmpfs = [];
+        foreach($container->GetTmpfs() as $tmp) {
+            $tmpfs[$tmp] = "";
+        }
+        if (count($tmpfs) > 0) {
+            $requestBody['HostConfig']['Tmpfs'] =  $tmpfs;
+        }
+
         $capAdds = $container->GetCapAdds();
         if (count($capAdds) > 0) {
             $requestBody['HostConfig']['CapAdd'] = $capAdds;

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v6.1.0</h1>
+        <h1>Nextcloud AIO v6.2.0</h1>
 
         {# Add 2nd tab warning #}
         <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -84,9 +84,9 @@
                         {{ include('includes/aio-config.twig') }}
                         <h2>New AIO instance</h2>
                         {% if apache_port == '443' %}
-                            AIO is currently in "normal mode" which means that it handles the TLS proxying itself. This also means that it cannot be installed behind a web server or reverse proxy (like Apache, Nginx and else). If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else), see the <b><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></b>. Advice: have a detailed look at the changed docker run command for AIO.<br><br>
+                            AIO is currently in "normal mode" which means that it handles the TLS proxying itself. This also means that it cannot be installed behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), see the <b><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></b>. Advice: have a detailed look at the changed docker run command for AIO.<br><br>
                         {% else %}
-                            AIO is currently in "reverse proxy mode" which means that it can be installed behind a web server or reverse proxy (like Apache Nginx and else) and does not do the TLS proxying itself.<br><br>
+                            AIO is currently in "reverse proxy mode" which means that it can be installed behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and does not do the TLS proxying itself.<br><br>
                         {% endif %}
                         Please type in the domain into the input field below that will be used for Nextcloud in order to create a new AIO instance.<br><br />
                         {% if skip_domain_validation == true %}
@@ -96,7 +96,7 @@
                             <input type="text" name="domain" value="{{ domain }}" placeholder="nextcloud.yourdomain.com"/>
                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                            <input class="button" type="submit" value="Submit" />
+                            <input class="button" type="submit" value="Submit domain" />
                         </form>
                         {% if skip_domain_validation == false %}
                             Make sure that this server is reachable on port 443 (port 443/tcp is open/forwarded in your firewall/router) and that you've correctly set up the DNS config for the domain that you enter (set the A record to your public ipv4-address and if you need ipv6, set the AAAA record to your public ipv6-address. A CNAME record if of course also possible). You should see hints on what went wrong if your domain does not get accepted in the top right corner.<br><br>
@@ -110,7 +110,7 @@
                                     If you run into issues getting your domain accepted, see <a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things">these steps</a> for how to debug things. <br /><br/>
                                 {% endif %}
                                 <b>Hint:</b> If the domain validation fails but you are completely sure that you've configured everything correctly, you may skip the domain validation by following <a href="https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation">this documentation</a>.<br />
-                            </details><br />
+                            </details>
                         {% endif %}
 
                         <h2>Restore former AIO instance from backup</h2>
@@ -173,7 +173,7 @@
                                 <input type="text" name="borg_restore_password" value="{{borg_restore_password}}" placeholder="enter the borg password"/>
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" />
+                                <input class="button" type="submit" value="Submit location and password" />
                             </form>
                             {{ include('includes/backup-dirs.twig') }}
                             ⚠️ Please note that the backup archive must be located in a subfolder of the folder that you enter here and the subfolder which contains the archive must be named 'borg'. Otherwise will the backup container not find the backup archive!<br><br>
@@ -265,7 +265,7 @@
 
                     {% if has_update_available == true %}
                         {% if is_mastercontainer_update_available == false %}
-                            ⚠️ Container updates are available. Click on <b>Stop Containers</b> and <b>Start Containers</b> to update them. You should consider creating a backup first.<br><br>
+                            ⚠️ Container updates are available. Click on <b>Stop containers</b> and <b>Start and update containers</b> to update them. You should consider creating a backup first.<br><br>
                         {% endif %}
                     {% else %}
                         {% if is_mastercontainer_update_available == false %}
@@ -352,7 +352,7 @@
                                 <input type="text" name="borg_backup_host_location" placeholder="/mnt/backup"/>
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" />
+                                <input class="button" type="submit" value="Submit backup location" />
                             </form>
                             {{ include('includes/backup-dirs.twig') }}
                         {% endif %}
@@ -378,12 +378,12 @@
                                         </details><br />
                                     {% endif %}
                                     {% if has_backup_run_once == false %}
-                                        You may change the backup path again since the initial backup was not successful. After submitting the new value, you need to click on 'Create Backup' for testing the new value.<br /><br />
+                                        You may change the backup path again since the initial backup was not successful. After submitting the new value, you need to click on <b>Create Backup</b> for testing the new value.<br /><br />
                                         <form method="POST" action="/api/configuration" class="xhr">
-                                            <input type="text" value="{{borg_backup_host_location}}" name="borg_backup_host_location" placeholder="/mnt/backup"/>
+                                            <input type="text" value="{{borg_backup_host_location}}" name="borg_backup_host_location" placeholder="/mnt/backup" />
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                            <input class="button" type="submit" value="Submit" />
+                                            <input class="button" type="submit" value="Set backup location again" />
                                         </form>
                                     {% endif %}
                                 {% elseif backup_exit_code == 0 %}
@@ -420,9 +420,20 @@
                                         <input class="button" type="submit" value="Create backup" onclick="return confirm('Create backup? Are you sure that you want to create a backup? This will stop all running containers and create the backup.')" />
                                     </form>
 
+                                    {% if has_backup_run_once == false %}
+                                        <h3>Reset backup host location</h3>
+                                        If the configured backup host location <b>{{ borg_backup_host_location }}</b> is wrong, you can reset it by clicking on the button below.<br><br/>
+                                        <form method="POST" action="/api/configuration" class="xhr">
+                                            <input type="hidden" name="delete_borg_backup_host_location" value="yes"/>
+                                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
+                                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                            <input class="button" type="submit" value="Reset backup location" />
+                                        </form>
+                                    {% endif %}
+
                                     {% if has_backup_run_once == true %}
                                         <h3>Backup check</h3>
-                                        Click on the button below to perform a backup integrity check. This is an option that verifies that your backup is intact but it should't be needed in most situtations.<br><br/>
+                                        Click on the button below to perform a backup integrity check. This is an option that verifies that your backup is intact but it shouldn't be needed in most situations.<br><br/>
                                         <form method="POST" action="/api/docker/backup-check" class="xhr">
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
@@ -449,7 +460,7 @@
                                                 <input type="text" name="daily_backup_time" value="04:00" placeholder="04:00"/>
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                                <input class="button" type="submit" value="Submit" /><br>
+                                                <input class="button" type="submit" value="Submit backup time" /><br>
                                                 <input type="checkbox" id="automatic_updates" name="automatic_updates" checked="checked"><label for="automatic_updates">Automatically update all containers, the mastercontainer and on saturdays your Nextcloud apps</label><br>
                                             </form>
                                         {% else %}
@@ -472,7 +483,7 @@
                                             <textarea id="additional_backup_directories" name="additional_backup_directories" rows="4" cols="50" placeholder="/directory/on/the/host&#10;my_custom_docker_volume">{{ additional_backup_directories }}</textarea>
                                             <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                             <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                            <input class="button" type="submit" value="Submit" /><br>
+                                            <input class="button" type="submit" value="Submit additional backup locations" /><br>
                                         </form>
                                         Each line and entry needs to start with a slash or letter/digit. Allowed are only <b>a-z</b>, <b>A-Z</b>, <b>.</b>, <b>0-9</b>, <b>_</b>, <b>-</b>, and <b>/</b>. If the entry begins with a letter/digit are slashes not supported. Two valid entries are <b>/directory/on/the/host</b> and <b>my_custom_docker_volume</b>. You need to make sure yourself that all given directories exist. Otherwise the backup container will fail starting!<br><br/>
                                         Make sure to specify all storages that you want to back up separately since storages will not be mounted recursively. E.g. providing <b>/</b> as additional backup directory will only back up files and folders that are stored on the root partition and not on the EFI partition or any other. Excluded by the backup will be caches and a few other directories. You should make sure to stop all services before the backup can run correctly if you want to back up the root partition. For automating this see <a href="https://github.com/nextcloud/all-in-one#how-to-stopstartupdate-containers-or-trigger-the-daily-backup-from-a-script-externally">this documentation</a><br><br/>
@@ -485,7 +496,7 @@
                                 {% if has_backup_run_once == false %}
                                     <br />
                                 {% else %}
-                                    </details><br />
+                                    </details>
                                 {% endif %}
                             {% endif %}
                         {% endif %}
@@ -502,10 +513,10 @@
                                     <input type="text" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO password"/>
                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                    <input class="button" type="submit" value="Submit" />
+                                    <input class="button" type="submit" value="Submit password change" />
                                 </form>
                                 The new password needs to be at least 24 characters long. Allowed characters are the <a href="https://en.wikipedia.org/wiki/Latin_alphabet#/media/File:Abecedarium.png"><b>latin characters</b></a> <b>a-z</b>, <b>A-Z</b>, <b>0-9</b> and <b>spaces</b>.<br>
-                            </details><br>
+                            </details>
                         {% endif %}
                     {% endif %}
                 {% endif %}
@@ -514,15 +525,17 @@
                     In this section you can enable or disable optional addons.<br><br>
                     {% if isAnyRunning == true %}
                         <b>Please note:</b> You can enable or disable them when your containers are stopped.<br><br>
+                    {% else %}
+                        <b>Please note:</b> Make sure to save your changes by clicking on the button <b>Save changes</b> that is positioned below the list of optional addons. The changes will not be auto-saved.<br><br>
                     {% endif %}
                     <form id="options-form" method="POST" action="/api/configuration" class="xhr">
                         <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                         <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                         <input type="hidden" name="options-form" value="options-form">
                         {% if is_clamav_enabled == true %}
-                            <input type="checkbox" id="clamav" name="clamav" checked="checked"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br>
+                            <input type="checkbox" id="clamav" name="clamav" checked="checked"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br><br>
                         {% else %}
-                            <input type="checkbox" id="clamav" name="clamav"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br>
+                            <input type="checkbox" id="clamav" name="clamav"><label for="clamav">ClamAV (Antivirus backend for Nextcloud, only supported on x64, needs ~1GB additional RAM)</label><br><br>
                         {% endif %}
                         {% if is_collabora_enabled == true %}
                             <input type="checkbox" id="collabora" name="collabora" checked="checked"><label for="collabora">Collabora (Nextcloud Office)</label><br>
@@ -535,9 +548,9 @@
                             <input type="checkbox" id="fulltextsearch" name="fulltextsearch"><label for="fulltextsearch">Fulltextsearch (needs ~1GB additional RAM)</label><br>
                         {% endif %}
                         {% if is_imaginary_enabled == true %}
-                            <input type="checkbox" id="imaginary" name="imaginary" checked="checked"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br>
+                            <input type="checkbox" id="imaginary" name="imaginary" checked="checked"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br><br>
                         {% else %}
-                            <input type="checkbox" id="imaginary" name="imaginary"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br>
+                            <input type="checkbox" id="imaginary" name="imaginary"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br><br>
                         {% endif %}
                         {% if is_talk_enabled == true %}
                             <input type="checkbox" id="talk" name="talk" checked="checked"><label for="talk">Nextcloud Talk (needs ports {{ talk_port }}/TCP and {{ talk_port }}/UDP open/forwarded in your firewall/router)</label><br><br>
@@ -545,9 +558,9 @@
                             <input type="checkbox" id="talk" name="talk"><label for="talk">Nextcloud Talk (needs ports {{ talk_port }}/TCP and {{ talk_port }}/UDP open/forwarded in your firewall/router)</label><br><br>
                         {% endif %}
                         {% if is_talk_recording_enabled == true %}
-                            <input type="checkbox" id="talk-recording" name="talk-recording" checked="checked"><label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM and ~2 additional vCPUs)</label><br>
+                            <input type="checkbox" id="talk-recording" name="talk-recording" checked="checked"><label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM and ~2 additional vCPUs)</label><br><br>
                         {% else %}
-                            <input type="checkbox" id="talk-recording" name="talk-recording"><label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM ~2 additional vCPUs)</label><br>
+                            <input type="checkbox" id="talk-recording" name="talk-recording"><label for="talk-recording">Nextcloud Talk Recording-server (needs Nextcloud Talk being enabled and ~1GB additional RAM ~2 additional vCPUs)</label><br><br>
                         {% endif %}
                         {% if is_onlyoffice_enabled == true %}
                             <input type="checkbox" id="onlyoffice" name="onlyoffice" checked="checked"><label for="onlyoffice">OnlyOffice</label><br>
@@ -557,7 +570,7 @@
                         <input id="options-form-submit" class="button" type="submit" value="Save changes" />
                         <script type="text/javascript" src="options-form-submit.js"></script>
                     </form>
-                    <b>Minimal system requirements:</b> When any optional addon is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV,  Nextcloud Talk Recording-server or Fulltextsearch, at least 3GB RAM are required. For Talk Recording-server additional 2 vCPUs are required. When enabling everything, at least 5GB RAM and a quad-core CPU are required. Recommended are at least 1GB more RAM than the minimal requirement. For further advices and recommendations see <b><a href="https://github.com/nextcloud/all-in-one/discussions/1335">this documentation</a></b><br><br>
+                    <b>Minimal system requirements:</b> When any optional addon is enabled, at least 2GB RAM, a dual-core CPU and 40GB system storage are required. When enabling ClamAV,  Nextcloud Talk Recording-server or Fulltextsearch, at least 3GB RAM are required. For Talk Recording-server additional 2 vCPUs are required. When enabling everything, at least 5GB RAM and a quad-core CPU are required. Recommended are at least 1GB more RAM than the minimal requirement. For further advices and recommendations see <b><a href="https://github.com/nextcloud/all-in-one/discussions/1335">this documentation</a></b><br>
                     {% if isAnyRunning == true or is_x64_platform == false %}
                         <script type="text/javascript" src="disable-clamav.js"></script>
                     {% endif %}
@@ -579,7 +592,7 @@
                                 <input type="text" name="collabora_dictionaries" placeholder="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" />
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" />
+                                <input class="button" type="submit" value="Submit collabora dictionaries" />
                             </form>
                             You need to make sure that the dictionaries that you enter are valid. An example is <b>de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru</b>.<br><br>
                         {% else %}
@@ -607,7 +620,7 @@
                                 <input type="text" name="timezone" placeholder="Europe/Berlin" />
                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                 <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
-                                <input class="button" type="submit" value="Submit" onclick="return confirm('Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column since if not, it will break the startup since the database will not get correctly initialized and you will end in a startup loop.')" />
+                                <input class="button" type="submit" value="Submit timezone" onclick="return confirm('Are you sure that this is a valid timezone? Please double check by following the wikipedia article and checking the correct column since if not, it will break the startup since the database will not get correctly initialized and you will end in a startup loop.')" />
                             </form>
                             You need to make sure that the timezone that you enter is valid. An example is <b>Europe/Berlin</b>. You can get valid values by looking at the 'TZ database name' column of this list: <a href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"><b>click here</b></a>.<br><br>
                         {% else %}

php/templates/includes/aio-config.twig

@@ -33,4 +33,4 @@
     See the <a href="https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud">NEXTCLOUD_ENABLE_DRI_DEVICE documentation</a> on how to change this.<br><br>
 
     For further documentation on AIO, refer to <b><a href="https://github.com/nextcloud/all-in-one#nextcloud-all-in-one">this page</a></b>. You can use the browser search [CTRL]+[F] to search through the documentation. Additional documentation can be found <b><a href="https://github.com/nextcloud/all-in-one/discussions/categories/wiki">here</a></b>.<br>
-</details><br />
+</details>

readme.md

@@ -29,7 +29,7 @@ Included are:
 - PHP and web server timeouts set to 3600s, [adjustable](https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud) (important for big file uploads)
 - Defaults to a max of 512 MB RAM per PHP process, [adjustable](https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud)
 - Automatic TLS included (by using Let's Encrypt)
-- Brotli compression enabled by default for javascript files which reduces Nextcloud load times
+- Brotli compression enabled by default for javascript, css and svg files which reduces Nextcloud load times
 - HTTP/2 and HTTP/3 enabled
 - "Pretty URLs" for Nextcloud are enabled by default (removes the index.php from all links)
 - Video previews work out of the box and when Imaginary is enabled, many recent image formats as well!
@@ -41,7 +41,7 @@ Included are:
 - `ffmpeg`, `smbclient` and `nodejs` are included by default
 - Possibility included to [permanently add additional OS packages into the Nextcloud container](https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup) without having to build your own Docker image
 - Possibility included to [permanently add additional PHP extensions into the Nextcloud container](https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container) without having to build your own Docker image
-- Possibility included to [pass the needed device for hardware transcoding](https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud) to the Nextcloud containe
+- Possibility included to [pass the needed device for hardware transcoding](https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud) to the Nextcloud container
 - Possibility included to [store all docker related files on a separate drive](https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive)
 - [LDAP can be used as user backend for Nextcloud](https://github.com/nextcloud/all-in-one/tree/main#ldap)
 - Migration from any former Nextcloud installation to AIO is possible. See [this documentation](https://github.com/nextcloud/all-in-one/blob/main/migration.md)
@@ -60,6 +60,7 @@ Included are:
 - Can be installed with [Kubernetes](https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart)
 - Almost all included containers Alpine Linux based (good for security and size)
 - Many of the included containers run as non-root user (good for security)
+- Some of the included containers have a read-only root-FS (good for security)
 - Included containers run in its own docker network (good for security) and only really necessary ports are exposed on the host
 - [Multiple instances on one server](https://github.com/nextcloud/all-in-one/blob/main/multiple-instances.md) are doable without having to deal with VMs
 - Adjustable backup path from the AIO interface (good to put the backups e.g. on a different drive)
@@ -76,15 +77,15 @@ Included are:
 | ![image](https://user-images.githubusercontent.com/42591237/232849125-30e24c85-bfd7-465e-8310-9b69cd9666fe.png) | ![image](https://user-images.githubusercontent.com/42591237/232849036-28c38d9a-3151-4cf1-97a5-4d94c1f0eba0.png) |
 
 ## How to use this?
-The following instructions are meant for installations without a web server or reverse proxy (like Apache, Nginx and else) already being in place. If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else), see the [reverse proxy documentation](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md). Also, the instructions below are especially meant for Linux. For macOS see [this](#how-to-run-aio-on-macos), for Windows see [this](#how-to-run-aio-on-windows) and for Synology see [this](#how-to-run-aio-on-synology-dsm).
+The following instructions are meant for installations without a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) already being in place. If you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), see the [reverse proxy documentation](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md). Also, the instructions below are especially meant for Linux. For macOS see [this](#how-to-run-aio-on-macos), for Windows see [this](#how-to-run-aio-on-windows) and for Synology see [this](#how-to-run-aio-on-synology-dsm).
 1. Install Docker on your Linux installation by following the official documentation: https://docs.docker.com/engine/install/#server. The easiest way is installing it by **using the convenience script**:  
     ```sh
     curl -fsSL https://get.docker.com | sudo sh
     ```
 1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
-2. Run the command below in order to start the container on Linux and without a web server or reverse proxy (like Apache, Nginx and else) already in place:
+2. Run the command below in order to start the container on Linux and without a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) already in place:
     ```
-    # For Linux and without a web server or reverse proxy (like Apache, Nginx and else) already in place:
+    # For Linux and without a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) already in place:
     sudo docker run \
     --sig-proxy=false \
     --name nextcloud-aio-mastercontainer \
@@ -193,6 +194,11 @@ If you have the NAS setup on your local network (which is most often the case) y
 ### How to run AIO with Portainer?
 The easiest way to run it with Portainer on Linux is to use Portainer's stacks feature and use [this docker-compose file](./compose.yaml) in order to start AIO correctly. 
 
+### Can I run AIO on TrueNAS SCALE?
+On TrueNAS SCALE, there are two ways to run AIO. The preferred one is to run AIO inside a VM. This is necessary since they do not expose the docker socket for containers on the host, you also cannot use docker-compose on it thus and it is also not possible to run custom helm-charts that are not explicitly written for TrueNAS SCALE.
+
+Another but untested way is to install Portainer on your TrueNAS SCALE from here https://truecharts.org/charts/stable/portainer/installation-notes and add the Helm-chart repository https://nextcloud.github.io/all-in-one/ into Portainer by following https://docs.portainer.io/user/kubernetes/helm. More docs on AIOs Helm Chart are available here: https://github.com/nextcloud/all-in-one/tree/main/nextcloud-aio-helm-chart#nextcloud-aio-helm-chart.
+
 ### Notes on Cloudflare (proxy/tunnel)
 - Using Cloudflare Tunnel potentially slows down Nextcloud by a lot since local access via the configured domain is not possible since TLS proxying is in that case offloaded to Cloudflares infrastructure. You can fix this by setting up your own reverse proxy that handles TLS proxying locally.
 - It is known that the domain validation may not work correctly behind Cloudflare since Cloudflare might block the validation attempt. You can simply skip it in that case by following: https://github.com/nextcloud/all-in-one#how-to-skip-the-domain-validation
@@ -201,7 +207,7 @@ The easiest way to run it with Portainer on Linux is to use Portainer's stacks f
 - Cloudflare only allows a max timeout of 100s for requests which is not configurable. This means that any server-side processing e.g. for assembling chunks for big files during upload that take longer than 100s will simply not work. See https://github.com/nextcloud/server/issues/19223. If you need to upload big files reliably, you need to disable the proxy option in your DNS settings, or you must use another proxy than Cloudflare tunnels. Both options will disable Cloudflare DDoS protection.
 - It is known that the in AIO included collabora (Nextcloud Office) does not work out of the box behind Cloudflare. To make it work, you need to add all [Cloudflare IP-ranges](https://www.cloudflare.com/ips/) to the wopi-allowlist in `https://yourdomain.com/settings/admin/richdocuments`
 - Cloudflare Proxy might block the Turnserver for Nextcloud Talk from working correctly. You might want to disable Cloudflare Proxy thus. See https://github.com/nextcloud/all-in-one/discussions/2463#discussioncomment-5779981
-- The built-in turn-server for Nextcloud Talk will not work behind Cloudflare Tunnel since it needs a separate port (by default 3478 or as chosen) available on the same domain. If you still want to use the feature, you will need to adjust and test your settings in `https://yourdomain.com/settings/admin/talk`.
+- The built-in turn-server for Nextcloud Talk will not work behind Cloudflare Tunnel since it needs a separate port (by default 3478 or as chosen) available on the same domain. If you still want to use the feature, you will need to install your own turnserver or use a publicly available one and adjust and test your stun and turn settings in `https://yourdomain.com/settings/admin/talk`.
 - If you get an error in Nextcloud's admin overview that the HSTS header is not set correctly, you might need to enable it in Cloudflare manually.
 - If you are using AIO's built-in Reverse Proxy and don't use your own, then may the certificate issuing possibly not work out-of-the-box because Cloudflare might block the attempt. In that case you need to disable the Proxy feature at least temporarily in order to make it work. See https://github.com/nextcloud/all-in-one/discussions/1101.
 
@@ -210,7 +216,7 @@ Although it does not seems like it is the case but from AIO perspective a Cloudf
 
 ### Disrecommended VPS providers
 - Stratos VPS crash/freeze/make errors when they reach an extremely low PID limit, which is very quickly reached by AIO, see [here](https://github.com/nextcloud/all-in-one/discussions/1747#discussioncomment-4716164), Strato does normally not increase this limit.
-- Hostingers VPS seem to miss a specifc Kernel feature which is required for AIO to run correctly. See [here](https://help.nextcloud.com/t/help-installing-nc-via-aio-on-vps/153956).
+- Hostingers VPS seem to miss a specific Kernel feature which is required for AIO to run correctly. See [here](https://help.nextcloud.com/t/help-installing-nc-via-aio-on-vps/153956).
 
 ### Recommended VPS
 In general recommended VPS are those that are KVM/non-virtualized as Docker should work best on them.
@@ -235,6 +241,9 @@ No and they will not be. If you want to run it locally, without opening Nextclou
 ### Can I use an ip-address for Nextcloud instead of a domain?
 No and it will not be added. If you only want to run it locally, you may have a look at the following documentation: [local-instance.md](./local-instance.md)
 
+### Can I use AIO with multiple domains?
+No and it will not be added. However you can use [this feature](https://github.com/nextcloud/all-in-one/blob/main/multiple-instances.md) in order to create multiple AIO instances, one for each domain.
+
 ### Are other ports than the default 443 for Nextcloud supported?
 No and they will not be. Please use a dedicated domain for Nextcloud and set it up correctly by following the [reverse proxy documentation](./reverse-proxy.md). If port 443 and/or 80 is blocked for you, you may use the ACME DNS-challenge or a Cloudflare Tunnel.
 
@@ -287,7 +296,7 @@ This project values stability over new features. That means that when a new majo
 You can switch to a different channel like e.g. the beta channel or from the beta channel back to the latest channel by stopping the mastercontainer, removing it (no data will be lost) and recreating the container using the same command that you used initially to create the mastercontainer. You simply need to change the last line `nextcloud/all-in-one:latest` to `nextcloud/all-in-one:beta` and vice versa.
 
 ### How to update the containers?
-If we push new containers to `latest`, you will see in the AIO interface below the `containers` section that new container updates were found. In this case, just press `Stop containers` and `Start containers` in order to update the containers. The mastercontainer has its own update procedure though. See below. And don't forget to back up the current state of your instance using the built-in backup solution before starting the containers again! Otherwise you won't be able to restore your instance easily if something should break during the update. 
+If we push new containers to `latest`, you will see in the AIO interface below the `containers` section that new container updates were found. In this case, just press `Stop containers` and `Start and update containers` in order to update the containers. The mastercontainer has its own update procedure though. See below. And don't forget to back up the current state of your instance using the built-in backup solution before starting the containers again! Otherwise you won't be able to restore your instance easily if something should break during the update. 
 
 If a new `Mastercontainer` update was found, you'll see an additional section below the `containers` section which shows that a mastercontainer update is available. If so, you can simply press on the button to update the container.
 
@@ -299,8 +308,8 @@ If your Nextcloud is running and you are logged in as admin in your Nextcloud, y
 ### How to change the domain?
 **⚠️ Please note:** Editing the configuration.json manually and making a mistake may break your instance so please create a backup first!
 
-If you set up a new AIO instance, you need to enter a domain. Currently there is no way to change this domain afterwards from the AIO interface. So in order to change it, you need to edit the configuration.json manually using `sudo docker run -it --rm --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config:rw alpine sh -c "apk add --no-cache nano && nano /mnt/docker-aio-config/data/configuration.json"`, subsitute each occurrence of your old domain with your new domain and save and write out the file. Afterwards restart your containers from the AIO interface and everything should work as expected if the new domain is correctly configured.<br>
-If you are running AIO behind a web server or reverse proxy (like Apache, Nginx and else), you need to obviously also change the domain in your reverse proxy config.
+If you set up a new AIO instance, you need to enter a domain. Currently there is no way to change this domain afterwards from the AIO interface. So in order to change it, you need to edit the configuration.json manually using `sudo docker run -it --rm --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config:rw alpine sh -c "apk add --no-cache nano && nano /mnt/docker-aio-config/data/configuration.json"`, substitute each occurrence of your old domain with your new domain and save and write out the file. Afterwards restart your containers from the AIO interface and everything should work as expected if the new domain is correctly configured.<br>
+If you are running AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), you need to obviously also change the domain in your reverse proxy config.
 
 ### How to properly reset the instance?
 If something goes unexpected routes during the initial installation, you might want to reset the AIO installation to be able to start from scratch.
@@ -533,11 +542,11 @@ One example for this would be `sudo docker exec -it --env DAILY_BACKUP=1 nextclo
 If you already have a backup solution in place, you may want to hide the backup section. You can do so by adding `--env AIO_DISABLE_BACKUP_SECTION=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used).
 
 ### How to change the default location of Nextcloud's Datadir?
-⚠️ **Attention:** It is very important to change the datadir **before** Nextcloud is installed/started the first time and not to change it afterwards! If you still want to do it afterwards, see [this](https://github.com/nextcloud/all-in-one/discussions/890#discussioncomment-3089903) on how to do it.
+⚠️⚠️⚠️ **Warning:** Warning: do not set or adjust this value after the initial Nextcloud installation is done! If you still want to do it afterwards, see [this](https://github.com/nextcloud/all-in-one/discussions/890#discussioncomment-3089903) on how to do it.
 
 You can configure the Nextcloud container to use a specific directory on your host as data directory. You can do so by adding the environmental variable `NEXTCLOUD_DATADIR` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used). Allowed values for that variable are strings that start with `/` and are not equal to `/`. The chosen directory or volume will then be mounted to `/mnt/ncdata` inside the container.
 
-- An example for Linux is `--env NEXTCLOUD_DATADIR="/mnt/ncdata"`.
+- An example for Linux is `--env NEXTCLOUD_DATADIR="/mnt/ncdata"`. ⚠️ Please note: If you should be using an external BTRFS drive that is mounted to `/mnt/ncdata`, make sure to choose a subfolder like e.g. `/mnt/ncdata/nextcloud` as datadir, since the root folder is not suited as datadir in that case. See https://github.com/nextcloud/all-in-one/discussions/2696.
 - On macOS it might be `--env NEXTCLOUD_DATADIR="/var/nextcloud-data"`
 - For Synology it may be `--env NEXTCLOUD_DATADIR="/volume1/docker/nextcloud/data"`. 
 - On Windows it might be `--env NEXTCLOUD_DATADIR="/run/desktop/mnt/host/c/ncdata"`. (This path is equivalent to `C:\ncdata` on your Windows host so you need to translate the path accordingly. Hint: the path that you enter needs to start with `/run/desktop/mnt/host/`. Append to that the exact location on your windows host, e.g. `c/ncdata` which is equivalent to `C:\ncdata`.)
@@ -609,7 +618,7 @@ Yes. For that to work, you need to use and follow the [helm-chart documentation]
 You can run AIO also with docker rootless. How to do this is documented here: [docker-rootless.md](https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md)
 
 ### Can I run this with Podman instead of Docker?
-No. Since Podman is not 100% compatible with the Docker API, you cannot use Podman instead of Docker (since that would add yet another platform where the maintaner would need to test on). However you can use and follow the [manual-install documentation](./manual-install/) to get AIO's containers running with Podman or use Docker rootless, as described in the above section.
+No. Since Podman is not 100% compatible with the Docker API, you cannot use Podman instead of Docker (since that would add yet another platform where the maintainer would need to test on). However you can use and follow the [manual-install documentation](./manual-install/) to get AIO's containers running with Podman or use Docker rootless, as described in the above section.
 
 ### How to change the Nextcloud apps that are installed on the first startup?
 You might want to adjust the Nextcloud apps that are installed upon the first startup of the Nextcloud container. You can do so by adding `--env NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, 0-9, spaces and hyphens or '_'. You can disable shipped and by default enabled apps by adding a hyphen in front of the appid. E.g. `-contactsinteraction`.
@@ -617,7 +626,7 @@ You might want to adjust the Nextcloud apps that are installed upon the first st
 ### How to add OS packages permanently to the Nextcloud container?
 Some Nextcloud apps require additional external dependencies that must be bundled within Nextcloud container in order to work correctly. As we cannot put each and every dependency for all apps into the container - as this would make the project very fast unmaintainable - there is an official way how you can add additional dependencies into the Nextcloud container. However note that doing this is disrecommended since we do not test Nextcloud apps that require external dependencies. 
 
-You can do so by adding `--env NEXTCLOUD_ADDITIONAL_APKS="imagemagick dependency2 dependency3"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.17. By default added is `imagemagick`. If you want to keep that, you need to specify it as well.
+You can do so by adding `--env NEXTCLOUD_ADDITIONAL_APKS="imagemagick dependency2 dependency3"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.18. By default added is `imagemagick`. If you want to keep that, you need to specify it as well.
 
 ### How to add PHP extensions permanently to the Nextcloud container?
 Some Nextcloud apps require additional php extensions that must be bundled within Nextcloud container in order to work correctly. As we cannot put each and every dependency for all apps into the container - as this would make the project very fast unmaintainable - there is an official way how you can add additional php extensions into the Nextcloud container. However note that doing this is disrecommended since we do not test Nextcloud apps that require additional php extensions. 
@@ -628,7 +637,7 @@ You can do so by adding `--env NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS="imagick exte
 The [facerecognition app](https://apps.nextcloud.com/apps/facerecognition) requires the pdlib PHP extension to be installed. Unfortunately, it is not available on PECL nor via PHP core, so there is no way to add this into AIO currently. However you can vote up [this issue](https://github.com/goodspb/pdlib/issues/56) to bring it to PECL and there is the [recognize app](https://apps.nextcloud.com/apps/recognize) that also allows to do face-recognition.
 
 ### How to enable hardware-transcoding for Nextcloud?
-⚠️ Attention: this only works if the `/dev/dri` device is present on the host! If it should not exist on your host, don't proceed as otherwise the Nextcloud container will fail to start!
+⚠️⚠️⚠️ Warning: this only works if the `/dev/dri` device is present on the host! If it should not exist on your host, don't proceed as otherwise the Nextcloud container will fail to start! If you are unsure about this, better do not proceed with the instructions below.
 
 The [memories app](https://apps.nextcloud.com/apps/memories) allows to enable hardware transcoding for videos. In order to use that, you need to add `--env NEXTCLOUD_ENABLE_DRI_DEVICE=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will mount the `/dev/dri` device into the container. Additionally, you need to add required packets to the Nextcloud container by using [this feature](https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container) and adding the required Alpine packages that are documented [here](https://github.com/pulsejet/memories/wiki/QSV-Transcoding).
 
@@ -681,7 +690,7 @@ What are the requirements?
 4. It must be possible to run the container without big quirks inside docker containers. Big quirks means e.g. needing to change the capabilities or security options. 
 5. The container should not mount directories from the host into the container: only docker volumes should be used.
 
-### How to trust user-defiend Certification Authorities (CA)?
+### How to trust user-defined Certification Authorities (CA)?
 For some applications it might be necessary to enstablish a secured connection to a host / server which is using a certificated issued by a Certification Authority that is not trusted out of the box. An example could be configuring LDAPS against the Domain Controller (ActiveDirectory) of an organization
 
 You can make the Nextcloud container trust any Certification Authority by providing the environmental variable `NEXTCLOUD_TRUSTED_CACERTS_DIR` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used). The value of the variables should be set to the absolute path to a directory on the host, which contains one or more Certification Authority's certificate. You should use X.509 certificates, Base64 encoded. (Other formats may work but have not been tested!) All the certificates in the directory will be trusted.

reverse-proxy.md

@@ -4,7 +4,7 @@ A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a we
 
 **Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **not** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface).
 
-In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example Apache port which will be exposed on the host. Modify the port to your needings.
+In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example Apache port which will be exposed on the host. Modify the port to your needings.
 
 **Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4:
 1. **Configure the reverse proxy! See [point 1](#1-add-this-to-your-reverse-proxy-config)**
@@ -80,7 +80,7 @@ Add this as a new Apache site config:
 </VirtualHost>
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 To make the config work you can run the following command:
 `sudo a2enmod rewrite proxy proxy_http proxy_wstunnel ssl headers http2`
@@ -102,7 +102,7 @@ https://<your-nc-domain>:443 {
 ```
 The Caddyfile is a text file called `Caddyfile` (no extension) which – if you should be running Caddy inside a container – should usually be created in the same location as your `compose.yaml` file prior to starting the container.
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/575#discussion-4055615) for a more complete example.
 
@@ -126,7 +126,7 @@ You can get AIO running using the ACME DNS-challenge. Here is how to do it.
         }
     }
     ```
-   Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. You also need to adjust `<provider>` and `<key>` to match your case. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+   Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. You also need to adjust `<provider>` and `<key>` to match your case. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 1. Now continue with [point 2](#2-use-this-startup-command) but additionally, add `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`) which will disable the dommain validation (because it is known that the domain validation will not when using the DNS-challenge since no port is publicly opened.
 
 **Advice:** In order to make it work in your home network, you may add the internal ipv4-address of your reverse proxy as A DNS-record to your domain and disable the dns-rebind-protection in your router. Another way it to set up a local dns-server like a pi-hole and set up a custom dns-record for that domain that points to the internal ip-adddress of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally). If both is not possible, you may add the domain to the hosts file which is needed then for any devices that shall use the server.
@@ -244,7 +244,7 @@ backend Nextcloud
     server Nextcloud localhost:11000 
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 </details>
 
@@ -254,9 +254,11 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
 
 <summary>click here to expand</summary>
 
-**Disclaimer:** It might be possible that the config below is not working 100% correctly, yet. Improvements to it are very welcome!
+**Disclaimer:** This config was tested and should normally work on all modern nginx version if you configure it correctly. Improvements to the config are very welcome!
 
-Add this to you nginx config:
+Add the below template to you nginx config.
+
+**Note:** please check your nginx version by running: `nginx -v` and adjust it the lines marked with version notes, so that they fit your nginx version.
 
 ```
 map $http_upgrade $connection_upgrade {
@@ -272,13 +274,18 @@ server {
         return 301 https://$host$request_uri;
     }
 
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2; # comment to disable IPv6
+    listen 443 ssl http2;      # for nginx versions below v1.25.1
+    listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6
+
+    # listen 443 ssl;      # for nginx v1.25.1+
+    # listen [::]:443 ssl; # for nginx v1.25.1+ - keep comment to disable IPv6
 	
-    # http3 on;              # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
-    # listen 443 quic;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
-    # listen [::]:443 quic;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
-    # add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400'; # uncomment to enable HTTP3/QUIC - supported on nginx v1.25.0+
+    # http2 on;                                 # uncomment to enable HTTP/2        - supported on nginx v1.25.1+
+    # http3 on;                                 # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # quic_retry on;                            # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # add_header Alt-Svc 'h3=":443"; ma=86400'; # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+
+    # listen 443 quic reuseport;       # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport
+    # listen [::]:443 quic reuseport;  # uncomment to enable HTTP/3 / QUIC - supported on nginx v1.25.0+ - please remove "reuseport" if there is already another quic listener on port 443 with enabled reuseport - keep comment to disable IPv6
 
     server_name <your-nc-domain>;
 
@@ -311,13 +318,23 @@ server {
     ssl_session_tickets off;
 
     ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    ssl_prefer_server_ciphers off;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers on;
+
+    # Optional settings:
+
+    # OCSP stapling
+    # ssl_stapling on;
+    # ssl_stapling_verify on;
+    # ssl_trusted_certificate /etc/letsencrypt/live/<your-nc-domain>/chain.pem;
+
+    # replace with the IP address of your resolver
+    # resolver 127.0.0.1; # needed for oscp stapling: e.g. use 94.140.15.15 for adguard / 1.1.1.1 for cloudflared or 8.8.8.8 for google - you can use the same nameserver as listed in your /etc/resolv.conf file
 }
 
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `127.0.0.1` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `127.0.0.1` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 **Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/588#discussioncomment-2811152) for a more complete example.
 
@@ -345,6 +362,7 @@ Apart from that, there is this: [manual-install](https://github.com/nextcloud/al
 <summary>click here to expand</summary>
 
 First, please make sure that the environmental variables `PUID` and `PGID` in the compose.yaml file for NPM are either unset or set to `0`.
+If you need to change the GID/PID then please add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`. Note: this will cause that non root users can bind privilleged ports.
 
 Second, see these screenshots for a working config:
 
@@ -362,9 +380,7 @@ proxy_read_timeout 86400s;
 client_max_body_size 0;
 ```
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also change `<you>@<your-mail-provider-domain>` to a mail address of yours. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
-
-**Advice:** You may have a look at [this](https://github.com/nextcloud/all-in-one/discussions/588#discussioncomment-3040493) for a more complete example.
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also change `<you>@<your-mail-provider-domain>` to a mail address of yours. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 </details>
 
@@ -452,7 +468,7 @@ httpServer.on('upgrade', (req, socket, head) => {
 ```
 
 Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. 
-**Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+**Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 </details>
 
@@ -470,7 +486,7 @@ See these screenshots for a working config:
 
 ![image](https://user-images.githubusercontent.com/70434961/213193789-fa936edc-e307-4e6a-9a53-ae26d1bf2f42.jpg)
 
-Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+Of course you need to modify `<your-nc-domain>` to the domain on which you want to run Nextcloud. Also make sure to adjust the port 11000 to match the chosen `APACHE_PORT`. **Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 </details>
 
@@ -553,7 +569,7 @@ The examples below define the dynamic configuration in YAML files. If you rather
 
 Of course you need to modify `<your-nextcloud-domain>` in the `nextcloud.yml` to the domain on which you want to run Nextcloud. Also make sure to adjust the port `11000` to match the chosen `APACHE_PORT`. 
 
-**Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network. ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
+**Please note:** The above configuration will only work if your reverse proxy is running directly on the host that is running the docker daemon. If the reverse proxy is running in a docker container, you can use the `--network host` option (or `network_mode: host` for docker-compose) when starting the reverse proxy container in order to connect the reverse proxy container to the host network (if you are using a firewall on the server, you need to open ports 80 and 443 for the reverse proxy in that case manually). ***If that is not an option or not possible for you (like e.g. on Windows or if the reverse proxy is running on a different host), you can alternatively instead of `localhost` use the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)***
 
 **Hint**: see https://www.youtube.com/watch?v=VLPSRrLMDmA for a video on configuring Traefik.
 
@@ -660,6 +676,7 @@ If something does not work, follow the steps below:
 1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z localhost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `localhost` the ip-address of the host here for the test.
 1. Make sure that you are not behind CGNAT. If that is the case, you will not be able to open ports properly. In that case you might use a Cloudflare Tunnel.
 1. If you use Cloudflare, you might need to skip the domain validation anyways since it is known that Cloudflare might block the validation attempts. In that case, see the last option below.
+1. If your reverse proxy is configured to use the host network (as recommended in the above docs) or running on the host, make sure that you've configured your firewall to open port 443 and 80.
 1. Check if you have a public IPv4- and public IPv6-address. If you only have a public IPv6-address (e.g. due to DS-Lite), make sure to enable IPv6 in Docker and your whole networking infrastructure (e.g. also by adding an AAAA DNS-entry to your domain).
 1. Try to configure everything from scratch if it still does not work by following https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance.
 1. As last resort, you may disable the domain validation by adding `--env SKIP_DOMAIN_VALIDATION=true` to the docker run command. But only use this if you are completely sure that you've correctly configured everything!

tests/QA/060-environmental-variables.md

@@ -14,7 +14,7 @@
 - [ ] When starting the mastercontainer with `--env WATCHTOWER_DOCKER_SOCKET_PATH="$XDG_RUNTIME_DIR/docker.sock"` it should map `$XDG_RUNTIME_DIR/docker.sock` to `/var/run/docker.sock` inside the watchtower container which allow to update the mastercontainer on docker rootless.
 - [ ] When starting the mastercontainer with `--env AIO_DISABLE_BACKUP_SECTION=true` it should hide the backup section that gets shown after AIO is set up (everything of [020-backup-and-restore](./020-backup-and-restore.md)) and simply show that the backup section is disabled.
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts`, the resulting nextcloud container should trust all the Certification Authorities, whose certificates are included in the directory `/path/to/my/cacerts` on the host.
-See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
+See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
 - [ ] When starting the mastercontainer with `--env COLLABORA_SECCOMP_DISABLED=true`, the resulting collabora container should have `--o:security.seccomp=false` applied to it.
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_STARTUP_APPS=deck`, the resulting Nextcloud should have only installed the deck app and not the other apps that get installed by default. Default are `deck twofactor_totp tasks calendar contacts notes`.
 - [ ] When starting the mastercontainer with `--env NEXTCLOUD_ADDITIONAL_APKS=zip`, the resulting Nextcloud container should have the zip package installed and not imagemagick.

tests/QA/070-timezone-change.md

@@ -5,6 +5,6 @@
 - [ ] If not already set, it should show an input field where you can enter a timezone
 - [ ] `Europe/Berlin` should be accepted, e.g. `Europe Berlin` not
 - [ ] When it is set, it should show that it is set to which timezone and display a button that allows to reset it again which does this on a press
-- [ ] When it is set, running `date` inside Nextcloud releated containers should return the correct timezone
+- [ ] When it is set, running `date` inside Nextcloud related containers should return the correct timezone
 
 You can now continue with [080-daily-backup-script.md](./080-daily-backup-script.md)