fix details around logging of new domain-validator

Signed-off-by: Simon L <szaimen@e.mail.de>
Merge pull request #3082 from nextcloud/dependabot/docker/Containers/mastercontainer/caddy-2.7.2-alpine
2026-05-21 19:00:33 +00:00 · 2023-08-10 13:40:11 +02:00 · 2023-08-10 13:20:53 +02:00 · 2023-08-10 13:20:37 +02:00 · 2023-08-10 13:02:18 +02:00 · 2023-08-10 11:36:39 +02:00
117 changed files with 1405 additions and 505 deletions
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,20 @@
+name: 'Codespell'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  codespell:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+      - name: Check spelling
+        uses: codespell-project/actions-codespell@v2
+        with:
+          check_filenames: true
+          check_hidden: true
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -46,10 +46,10 @@ jobs:
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@v5
      with:
-        commit-message: dependency updates
+        commit-message: php dependency updates
        signoff: true
-        title: Dependency updates
-        body: Automated dependency updates since dependabot does not support grouped updates
+        title: PHP dependency updates
+        body: Automated php dependency updates since dependabot does not support grouped updates
        labels: dependencies, 3. to review
        milestone: next
        branch: aio-dependency-update
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -32,7 +32,7 @@ jobs:

      # See https://github.com/helm/chart-releaser-action/issues/6
      - name: Set up Helm
-        uses: azure/setup-helm@v3.1
+        uses: azure/setup-helm@v3.5
        with:
          version: v3.6.3

--- a/.github/workflows/imaginary-update.yml
+++ b/.github/workflows/imaginary-update.yml
@@ -19,7 +19,7 @@ jobs:
            | cut -f1 \
            | tail -1
        )"
-        sed -i "s|^ENV IMAGINARY_HASH.*|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
+        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
        
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@v5
--- a/.github/workflows/psalm-update-baseline.yml
+++ b/.github/workflows/psalm-update-baseline.yml
@@ -39,8 +39,6 @@ jobs:
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
          branch: automated/noid/psalm-baseline-update
-          # Make sure we can open multiple PRs
-          branch-suffix: timestamp
          title: '[Automated] Update psalm-baseline.xml'
          milestone: next
          body: |
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -1,23 +0,0 @@
-name: 'Spellcheck'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  spellcheck:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: spelling or typos
-        uses: actions/checkout@v3
-      - name: fix permission for reviewdog
-        run: sudo chown -R root:root $GITHUB_WORKSPACE
-      - name: misspell
-        uses: reviewdog/action-misspell@v1
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          locale: "US"
-          fail_on_error: true
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -21,7 +21,7 @@ jobs:
            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
            | tail -1
        )"
-        sed -i "s|^ENV RECORDING_VERSION.*|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
+        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
        curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
        
        # Signaling
@@ -34,6 +34,16 @@ jobs:
        )"
        curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
        
+        # Janus
+        janus_version="$(
+          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
+        
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@v5
      with:
--- a/Containers/apache/Caddyfile
+++ b/Containers/apache/Caddyfile
@@ -30,7 +30,7 @@
    # Notify Push
    route /push/* {
        uri strip_prefix /push
-        reverse_proxy {$NEXTCLOUD_HOST}:7867
+        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
    }

    # Onlyoffice
--- a/Containers/apache/Dockerfile
+++ b/Containers/apache/Dockerfile
@@ -1,6 +1,6 @@
-FROM caddy:2.6.4-alpine as caddy
+FROM caddy:2.7.2-alpine as caddy

-FROM httpd:2.4.57-alpine3.17
+FROM httpd:2.4.57-alpine3.18

 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy

@@ -22,6 +22,7 @@ RUN set -ex; \
    \
    mkdir -p /mnt/data; \
    chown -R www-data:www-data /mnt/data; \
+    chown -R 777 /tmp; \
    \
    apk add --no-cache \
        bash \
@@ -47,6 +48,7 @@ RUN set -ex; \
            -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
        /usr/local/apache2/conf/httpd.conf; \
    echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
    echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
@@ -59,9 +61,15 @@ RUN set -ex; \
    mkdir /var/run/supervisord; \
    chown www-data:www-data /var/run/supervisord; \
    chown www-data:www-data /var/log/supervisord; \
+    chmod 777 /var/run/supervisord; \
+    chmod 777 /var/log/supervisord; \
    \
    chown -R www-data:www-data /usr/local/apache2; \
    chmod +r -R /usr/local/apache2; \
+    mkdir -p /usr/local/apache2/logs; \
+    chmod 777 -R /home/www-data; \
+    chmod 777 -R /usr/local/apache2/logs; \
+    rm -rf /usr/local/apache2/cgi-bin/; \
    \
    echo "root:$(openssl rand -base64 12)" | chpasswd

@@ -71,4 +79,4 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/apache/nextcloud.conf
+++ b/Containers/apache/nextcloud.conf
@@ -3,17 +3,20 @@ Listen 8000
    ServerName localhost

    # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
    </FilesMatch>

-    # Enable Brotli compression for js files
+    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
    <IfModule mod_brotli.c>
-        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript
+        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
        BrotliCompressionQuality 0
    </IfModule>

--- a/Containers/apache/start.sh
+++ b/Containers/apache/start.sh
@@ -35,18 +35,18 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
    CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /tmp/Caddyfile

 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /tmp/Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /tmp/Caddyfile

 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /tmp/Caddyfile

 # Add caddy path
 mkdir -p /mnt/data/caddy/
--- a/Containers/apache/supervisord.conf
+++ b/Containers/apache/supervisord.conf
@@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /tmp/Caddyfile
--- a/Containers/borgbackup/Dockerfile
+++ b/Containers/borgbackup/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17.3
+FROM alpine:3.18.3

 RUN set -ex; \
    \
@@ -18,5 +18,5 @@ COPY --chmod=770 *.sh /
 ENTRYPOINT ["/start.sh"]
 USER root

-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
--- a/Containers/borgbackup/backupscript.sh
+++ b/Containers/borgbackup/backupscript.sh
@@ -137,6 +137,9 @@ if [ "$BORG_MODE" = backup ]; then
    # auto,zstd compression seems to has the best ratio based on:
    # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
+    if [ "$NEW_REPOSITORY" = 1 ]; then
+        BORG_OPTS+=(--progress)
+    fi

    # Exclude the nextcloud log and audit log for GDPR reasons
    BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
@@ -294,7 +297,7 @@ if [ "$BORG_MODE" = restore ]; then
    --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
    --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
    --exclude "nextcloud_aio_mastercontainer/session/**" \
-    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
        RESTORE_FAILED=1
        echo "Something failed while restoring from backup."
    fi
--- a/Containers/clamav/Dockerfile
+++ b/Containers/clamav/Dockerfile
@@ -6,8 +6,13 @@ COPY clamav.conf /tmp/clamav.conf
 RUN set -ex; \
    apk add --no-cache tzdata; \
    cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf; \
-    rm /tmp/clamav.conf
+    rm /tmp/clamav.conf; \
+    mkdir -p /var/run/clamav /run/lock; \
+    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
+    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp

-# USER root is probably used
+VOLUME /var/lib/clamav

-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+USER clamav
+
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/collabora/Dockerfile
+++ b/Containers/collabora/Dockerfile
@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.0.5.1
+FROM collabora/code:23.05.2.2.1

 USER root

@@ -11,9 +11,9 @@ RUN set -ex; \
        tzdata \
        netcat-openbsd \
    ; \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/*;

 USER 100

 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/domaincheck/Dockerfile
+++ b/Containers/domaincheck/Dockerfile
@@ -1,12 +1,13 @@
-FROM alpine:3.17.3
+FROM alpine:3.18.3
 RUN set -ex; \
    apk add --no-cache bash lighttpd netcat-openbsd; \
    adduser -S www-data -G www-data; \
    rm -rf /etc/lighttpd/lighttpd.conf; \
-    chmod +r -R /etc/lighttpd; \
+    chmod 777 -R /etc/lighttpd; \
    mkdir -p /var/www/domaincheck; \
-    chown www-data:www-data -R /var/www
-COPY --chown=www-data:www-data lighttpd.conf /etc/lighttpd/lighttpd.conf
+    chown www-data:www-data -R /var/www; \
+    chmod 777 -R /var/www/domaincheck
+COPY --chown=www-data:www-data lighttpd.conf /lighttpd.conf

 COPY --chmod=775 start.sh /start.sh

@@ -14,4 +15,4 @@ USER www-data
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/domaincheck/start.sh
+++ b/Containers/domaincheck/start.sh
@@ -11,7 +11,7 @@ if [ -z "$APACHE_PORT" ]; then
    export APACHE_PORT="443"
 fi

-CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /etc/lighttpd/lighttpd.conf)"
+CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf

 # Check config file
--- a/Containers/fulltextsearch/Dockerfile
+++ b/Containers/fulltextsearch/Dockerfile
@@ -1,5 +1,5 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:7.17.10
+FROM elasticsearch:8.8.1

 USER root

@@ -16,4 +16,4 @@ RUN set -ex; \
 USER 1000:0

 HEALTHCHECK CMD nc -z localhost 9200 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/imaginary/Dockerfile
+++ b/Containers/imaginary/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20.5-alpine3.17 as go
+FROM golang:1.21.0-alpine3.18 as go

 ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84

@@ -12,7 +12,7 @@ RUN set -ex; \
        build-base; \
    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";

-FROM alpine:3.17.3
+FROM alpine:3.18.3
 RUN set -ex; \
    apk add --no-cache \
        tzdata \
@@ -35,4 +35,4 @@ ENV MALLOC_ARENA_MAX=2
 ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]

 HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/mastercontainer/Caddyfile
+++ b/Containers/mastercontainer/Caddyfile
@@ -10,18 +10,21 @@
    log {
        level ERROR
    }
+
+    servers {
+        protocols h1 h2 h2c
+    }
+
+    on_demand_tls {
+        ask http://localhost:9876/
+    }
 }

 http://:80 {
  redir https://{host}{uri}
 }

-# Match only host names and not ip-addresses:
-https://*.*:8443,
-https://*.*.*:8443,
-https://*.*.*.*:8443,
-https://*.*.*.*.*:8443,
-https://*.*.*.*.*.*:8443 {
+https://:8443 {

    reverse_proxy localhost:8000

--- a/Containers/mastercontainer/Dockerfile
+++ b/Containers/mastercontainer/Dockerfile
@@ -1,11 +1,11 @@
 # Docker CLI is a requirement
-FROM docker:24.0.2-cli as docker
+FROM docker:24.0.5-cli as docker

 # Caddy is a requirement
-FROM caddy:2.6.4-alpine as caddy
+FROM caddy:2.7.2-alpine as caddy

-# From https://github.com/docker-library/php/blob/master/8.2/alpine3.17/fpm/Dockerfile
-FROM php:8.2.7-fpm-alpine3.17
+# From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
+FROM php:8.2.8-fpm-alpine3.18

 EXPOSE 80
 EXPOSE 8080
@@ -62,7 +62,7 @@ RUN set -ex; \
    chmod +x /usr/local/bin/composer; \
    cd /var/www/docker-aio; \
    git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
-    find ./ -not -path ./php -maxdepth 1 -mindepth 1 -delete; \
+    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -exec rm -r {} \; ; \
    chown www-data:www-data -R /var/www/docker-aio; \
    cd php; \
    sudo -u www-data composer install --no-dev; \
@@ -80,6 +80,8 @@ RUN set -ex; \
    \
    sed -i \
            -e '/^Listen /d' \
+            -e 's/^LogLevel .*/LogLevel error/' \
+            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
            -e 's/User apache/User www-data/g' \
            -e 's/Group apache/Group www-data/g' \
            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
@@ -91,10 +93,14 @@ RUN set -ex; \
            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
        /etc/apache2/httpd.conf; \
        mkdir -p /etc/apache2/logs; \
        rm /etc/apache2/conf.d/ssl.conf; \
        echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
+        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
+        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
+        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
        echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
@@ -103,6 +109,7 @@ RUN set -ex; \
          /etc/apache2/conf.d/userdir.conf \
          /etc/apache2/conf.d/info.conf; \
    \
+    rm -rf /var/www/localhost/cgi-bin/; \
    mkdir /var/log/supervisord; \
    mkdir /var/run/supervisord;

@@ -114,6 +121,5 @@ COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
 USER root

 ENTRYPOINT ["/start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD /healthcheck.sh
--- a/Containers/mastercontainer/cron.sh
+++ b/Containers/mastercontainer/cron.sh
@@ -57,6 +57,9 @@ while true; do
    # Remove dangling images
    sudo -u www-data docker image prune --force

+    # Check for available free space
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
+
    # Remove mastercontainer from default bridge network
    if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
        sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
--- a/Containers/mastercontainer/mastercontainer.conf
+++ b/Containers/mastercontainer/mastercontainer.conf
@@ -11,8 +11,11 @@ Listen 8080
    ServerName localhost

    # Add error log
-    CustomLog /proc/self/fd/1 combined
+    CustomLog /proc/self/fd/1 proxy
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    ErrorLog /proc/self/fd/2
+    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
+    LogLevel warn

    # PHP match
    <FilesMatch "\.php$">
--- a/Containers/mastercontainer/start.sh
+++ b/Containers/mastercontainer/start.sh
@@ -26,13 +26,22 @@ if [ "$EUID" != "0" ]; then
    exit 1
 fi

+# Check that the CMD is not overwritten nor set
+if [ "$*" != "" ]; then
+    print_red "Docker run command for AIO is incorrect as a CMD option was given which is not expected."
+    exit 1
+fi
+
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
    print_red "Docker socket is not available. Cannot continue."
+    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
    echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
    exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
    print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
+    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
    echo "Trying to fix docker.sock permissions internally..."
@@ -61,8 +70,8 @@ fi
 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
    print_red "Cannot connect to the docker socket. Cannot proceed."
-    echo "If you are on Docker Desktop v4.19 or higher, see https://github.com/nextcloud/all-in-one/issues/2450"
    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
+    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
    exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
@@ -295,8 +304,8 @@ E.g. https://internal.ip.of.this.server:8080
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443"

-# Set the timezone to UTC
-export TZ=UTC
+# Set the timezone to Etc/UTC
+export TZ=Etc/UTC

 # Fix apache startup
 rm -f /var/run/apache2/httpd.pid
@@ -307,4 +316,5 @@ caddy fmt --overwrite /Caddyfile
 # Fix caddy log 
 chmod 777 /root

-exec "$@"
+# Start supervisord
+/usr/bin/supervisord -c /supervisord.conf
--- a/Containers/mastercontainer/supervisord.conf
+++ b/Containers/mastercontainer/supervisord.conf
@@ -55,3 +55,11 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
 user=root
+
+[program:domain-validator]
+# stdout_logfile=/dev/stdout
+# stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
+user=www-data
--- a/Containers/nextcloud/Dockerfile
+++ b/Containers/nextcloud/Dockerfile
@@ -1,9 +1,9 @@
-FROM php:8.1.20-fpm-alpine3.17
+FROM php:8.1.22-fpm-alpine3.18

 ENV PHP_MEMORY_LIMIT 512M
 ENV PHP_UPLOAD_LIMIT 10G
 ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 26.0.2
+ENV NEXTCLOUD_VERSION 27.0.2
 ENV AIO_TOKEN 123456
 ENV AIO_URL localhost

@@ -91,11 +91,12 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
    { \
-        echo 'opcache.interned_strings_buffer=32'; \
+        echo 'opcache.memory_consumption=256'; \
+        echo 'opcache.interned_strings_buffer=64'; \
        echo 'opcache.save_comments=1'; \
        echo 'opcache.revalidate_freq=60'; \
        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=128M'; \
+        echo 'opcache.jit_buffer_size=8M'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
    \
    echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
@@ -208,6 +209,7 @@ RUN set -ex; \
    chown www-data:root -R /usr/src && \
    chown www-data:root -R /usr/local/etc/php/conf.d && \
    chown www-data:root -R /usr/local/etc/php-fpm.d && \
+    chmod -R 777 /tmp; \
    rm -r /usr/src/nextcloud/apps/updatenotification; \
    \
    mkdir -p /nc-updater; \
@@ -222,4 +224,4 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/nextcloud/config/aio.config.php
+++ b/Containers/nextcloud/config/aio.config.php
@@ -0,0 +1,5 @@
+<?php
+$CONFIG = array (
+  'one-click-instance' => true,
+  'one-click-instance.user-limit' => 100,
+);
--- a/Containers/nextcloud/entrypoint.sh
+++ b/Containers/nextcloud/entrypoint.sh
@@ -10,6 +10,15 @@ directory_empty() {
    [ -z "$(ls -A "$1/")" ]
 }

+run_upgrade_if_needed_due_to_app_update() {
+    if php /var/www/html/occ status | grep needsDbUpgrade | grep -q true; then
+        # Disable integrity check temporarily until next update
+        php /var/www/html/occ config:system:set integrity.check.disabled --type bool --value true
+        php /var/www/html/occ upgrade
+        php /var/www/html/occ app:enable nextcloud-aio --force
+    fi
+}
+
 echo "Configuring Redis as session handler..."
 cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
 session.save_handler = redis
@@ -147,6 +156,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                fi
            done

+            run_upgrade_if_needed_due_to_app_update
+
            php /var/www/html/occ maintenance:mode --off

            echo "Getting and backing up the status of apps for later, this might take a while..."
@@ -170,6 +181,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then

            php /var/www/html/occ app:update --all

+            run_upgrade_if_needed_due_to_app_update
+
            # Fix removing the updatenotification for old instances
            UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
            if [ -d "/var/www/html/apps/updatenotification" ]; then
@@ -343,6 +356,7 @@ DATADIR_PERMISSION_CONF
        else
            touch "$NEXTCLOUD_DATA_DIR/update.failed"
            echo "Upgrading nextcloud from $installed_version to $image_version..."
+            php /var/www/html/occ config:system:delete integrity.check.disabled
            if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                echo "Upgrade failed. Please restore from backup."
                bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
@@ -354,6 +368,8 @@ DATADIR_PERMISSION_CONF

            php /var/www/html/occ app:update --all

+            run_upgrade_if_needed_due_to_app_update
+
            # Restore app status
            if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
                echo "Restoring the status of apps. This can take a while..."
@@ -367,6 +383,7 @@ DATADIR_PERMISSION_CONF
                                    rm -r "/var/www/html/custom_apps/$app"
                                    php /var/www/html/occ maintenance:mode --off
                                fi
+                                run_upgrade_if_needed_due_to_app_update
                                echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                if [ "$app" = apporder ]; then
                                    CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
@@ -387,6 +404,8 @@ DATADIR_PERMISSION_CONF

            php /var/www/html/occ app:update --all

+            run_upgrade_if_needed_due_to_app_update
+
            # Apply optimization
            echo "Doing some optimizations..."
            php /var/www/html/occ maintenance:repair
@@ -402,8 +421,7 @@ DATADIR_PERMISSION_CONF
    # Performing update of all apps if daily backups are enabled, running and successful and if it is saturday
    if [ "$UPDATE_NEXTCLOUD_APPS" = 'yes' ] && [ "$(date +%u)" = 6 ]; then
        UPDATED_APPS="$(php /var/www/html/occ app:update --all)"
-        # Update all apps again and try to prevent something like https://github.com/nextcloud/polls/issues/2793 from happening
-        php /var/www/html/occ app:update --all
+        run_upgrade_if_needed_due_to_app_update
        if [ -n "$UPDATED_APPS" ]; then
             bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
        fi
@@ -412,23 +430,28 @@ else
    SKIP_UPDATE=1
 fi

+run_upgrade_if_needed_due_to_app_update
+
 if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
    # Check if appdata is present
    # If not, something broke (e.g. changing ncdatadir after aio was first started)
    if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you maybe change the datadir after aio was first started?"
+        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
        echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
+        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
        echo "In the datadir was found:"
        ls -la "$NEXTCLOUD_DATA_DIR/"
        exit 1
    fi

-    # Configure tempdirectory
-    mkdir -p "$NEXTCLOUD_DATA_DIR/tmp/"
-    if ! grep -q upload_tmp_dir /usr/local/etc/php/conf.d/nextcloud.ini; then
-        echo "upload_tmp_dir = $NEXTCLOUD_DATA_DIR/tmp/" >> /usr/local/etc/php/conf.d/nextcloud.ini
+    # Delete formerly configured tempdirectory as the default is usually faster (if the datadir is on a HDD or network FS)
+    if [ "$(php /var/www/html/occ config:system:get tempdirectory)" = "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
+        php /var/www/html/occ config:system:delete tempdirectory
+        if [ -d "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
+            rm -r "$NEXTCLOUD_DATA_DIR/tmp/"
+        fi
    fi
-    php /var/www/html/occ config:system:set tempdirectory --value="$NEXTCLOUD_DATA_DIR/tmp/"
+
 fi

 # Perform fingerprint update if instance was restored
@@ -446,17 +469,22 @@ php /var/www/html/occ app:enable support

 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
+php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"

 # Apply network settings
 echo "Applying network settings..."
+php /var/www/html/occ config:system:set davstorage.request_timeout --value="$PHP_MAX_TIME" --type=int
 php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
 php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess

+# Apply dbpersistent setting in order to fix too many db connections
+php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
+
 # Disallow creating local external storages when nothing was mounted
 if [ -z "$NEXTCLOUD_MOUNT" ]; then
    php /var/www/html/occ config:system:set files_external_allow_create_new_local --type=bool --value=false
@@ -626,7 +654,7 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
        php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
        php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
        php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="104857600"
-        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="-1"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="104857600"
        php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
    fi
 else
--- a/Containers/nextcloud/healthcheck.sh
+++ b/Containers/nextcloud/healthcheck.sh
@@ -2,6 +2,6 @@

 nc -z "$POSTGRES_HOST" 5432 || exit 0

-if ! nc -z localhost 9000 || ! nc -z localhost 7867; then
+if ! nc -z localhost 9000; then
    exit 1
 fi
--- a/Containers/nextcloud/start.sh
+++ b/Containers/nextcloud/start.sh
@@ -131,14 +131,4 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
    exit 1
 fi

-# Correctly set CPU_ARCH for notify_push
-CPU_ARCH="$(uname -m)"
-export CPU_ARCH
-if [ -z "$CPU_ARCH" ]; then
-    echo "Could not get processor architecture. Exiting."
-    exit 1
-elif [ "$CPU_ARCH" != "x86_64" ]; then
-    export CPU_ARCH="aarch64"
-fi
-
 exec "$@"
--- a/Containers/nextcloud/supervisord.conf
+++ b/Containers/nextcloud/supervisord.conf
@@ -25,14 +25,6 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data

-[program:notify-push]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
-user=www-data
-
 [program:run-exec-commands]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
--- a/Containers/notify-push/Dockerfile
+++ b/Containers/notify-push/Dockerfile
@@ -0,0 +1,21 @@
+FROM alpine:3.18.2
+
+COPY --chmod=775 start.sh /start.sh
+
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        netcat-openbsd \
+        tzdata \
+        bash \
+        openssl; \
+# Give root a random password
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk del --no-cache \
+        openssl;
+
+USER 33
+ENTRYPOINT ["/start.sh"]
+
+HEALTHCHECK CMD nc -z localhost 7867 || exit 1
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/notify-push/start.sh
+++ b/Containers/notify-push/start.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ -z "$NEXTCLOUD_HOST" ]; then
+    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$POSTGRES_HOST" ]; then
+    echo "POSTGRES_HOST need to be provided. Exiting!"
+    exit 1
+elif [ -z "$REDIS_HOST" ]; then
+    echo "REDIS_HOST need to be provided. Exiting!"
+    exit 1
+fi
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+# Correctly set CPU_ARCH for notify_push
+CPU_ARCH="$(uname -m)"
+export CPU_ARCH
+if [ -z "$CPU_ARCH" ]; then
+    echo "Could not get processor architecture. Exiting."
+    exit 1
+elif [ "$CPU_ARCH" != "x86_64" ]; then
+    export CPU_ARCH="aarch64"
+fi
+
+# Set sensitive values as env
+export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
+
+# Run it
+/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
+    --database-prefix="oc_" \
+    --nextcloud-url "https://$NC_DOMAIN" \
+    --port 7867
+
+exec "$@"
--- a/Containers/onlyoffice/Dockerfile
+++ b/Containers/onlyoffice/Dockerfile
@@ -1,7 +1,7 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.3.3.50
+FROM onlyoffice/documentserver:7.4.1.1

 # USER root is probably used

 HEALTHCHECK CMD nc -z localhost 80 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/postgresql/Dockerfile
+++ b/Containers/postgresql/Dockerfile
@@ -6,7 +6,11 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh

 RUN set -ex; \
-    apk add --no-cache bash openssl shadow grep; \
+    apk add --no-cache \
+        bash \
+        openssl \
+        shadow \
+        grep; \
    \
 # We need to use the same gid and uid as on old installations
    deluser postgres; \
@@ -18,13 +22,15 @@ RUN set -ex; \
 # Fix default permissions
    chown -R postgres:postgres /var/lib/postgresql; \
    chown -R postgres:postgres /var/run/postgresql; \
+    chmod -R 777 /var/run/postgresql; \
    chown -R postgres:postgres "$PGDATA"; \
    \
    mkdir /mnt/data; \
    chown postgres:postgres /mnt/data; \
    \
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    apk --no-cache del openssl;

 VOLUME /mnt/data

@@ -32,4 +38,4 @@ USER postgres
 ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/postgresql/start.sh
+++ b/Containers/postgresql/start.sh
@@ -146,11 +146,19 @@ if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
    rm -rf "${DATADIR:?}/"*
 fi

-echo "Setting max connections..."
-MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
-MAX_CONNECTIONS=$((MEMORY/50+3))
-if [ -n "$MAX_CONNECTIONS" ]; then
-    sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+# Modify postgresql.conf
+if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
+    echo "Setting max connections..."
+    MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+    MAX_CONNECTIONS=$((MEMORY/50+3))
+    if [ -n "$MAX_CONNECTIONS" ]; then
+        sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
+    fi
+
+    # Modify conf
+    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
+    fi
 fi

 # Catch docker stop attempts
--- a/Containers/redis/Dockerfile
+++ b/Containers/redis/Dockerfile
@@ -1,7 +1,7 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.0.11-alpine
+FROM redis:7.0.12-alpine

-COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=775 start.sh /start.sh

 RUN set -ex; \
    apk add --no-cache openssl bash; \
@@ -10,7 +10,7 @@ RUN set -ex; \
    echo "root:$(openssl rand -base64 12)" | chpasswd

 USER redis
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]

 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/redis/start.sh
+++ b/Containers/redis/start.sh
@@ -8,9 +8,9 @@ fi

 # Run redis with a password if provided
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else
-    exec redis-server
+    exec redis-server --loglevel warning
 fi

 exec "$@"
--- a/Containers/talk-recording/Dockerfile
+++ b/Containers/talk-recording/Dockerfile
@@ -2,7 +2,11 @@ FROM python:3.11.4-alpine3.18

 COPY --chmod=775 start.sh /start.sh

-ENV RECORDING_VERSION v16.0.4
+ENV RECORDING_VERSION v17.0.3
+ENV ALLOW_ALL false
+ENV HPB_PROTOCOL https
+ENV SKIP_VERIFY false
+ENV HPB_PATH /standalone-signaling/

 RUN set -ex; \
    apk add --no-cache \
@@ -31,6 +35,9 @@ RUN set -ex; \
    touch /etc/recording.conf; \
    chown recording:recording -R \
        /tmp /etc/recording.conf; \
+    mkdir -p /conf; \
+    chmod 777 /conf; \
+    chmod 777 /tmp; \
    apk del --no-cache \
        git \
        wget \
@@ -40,7 +47,7 @@ RUN set -ex; \
 WORKDIR /tmp
 USER recording
 ENTRYPOINT ["/start.sh"]
-CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/etc/recording.conf"]
+CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]

 HEALTHCHECK CMD nc -z localhost 1234 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/talk-recording/start.sh
+++ b/Containers/talk-recording/start.sh
@@ -12,34 +12,39 @@ elif [ -z "$INTERNAL_SECRET" ]; then
    exit 1
 fi

-cat << RECORDING_CONF > "/etc/recording.conf"
+if [ -z "$HPB_DOMAIN" ]; then
+    export HPB_DOMAIN="$NC_DOMAIN"
+fi
+
+cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
+# 30 means Warning
 level = 30

 [http]
 listen = 0.0.0.0:1234

 [backend]
-allowall = false
+allowall = ${ALLOW_ALL}
 # TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
 secret = ${RECORDING_SECRET}
 backends = backend-1
-skipverify = false
+skipverify = ${SKIP_VERIFY}
 maxmessagesize = 1024
 videowidth = 1920
 videoheight = 1080
 directory = /tmp

 [backend-1]
-url = https://${NC_DOMAIN}
+url = ${HPB_PROTOCOL}://${NC_DOMAIN}
 secret = ${RECORDING_SECRET}
-skipverify = false
+skipverify = ${SKIP_VERIFY}

 [signaling]
 signalings = signaling-1

 [signaling-1]
-url = https://${NC_DOMAIN}/standalone-signaling/
+url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}

 [ffmpeg]
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -1,14 +1,40 @@
-FROM nats:2.9.17-scratch as nats
-FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
-FROM coturn/coturn:4.6.2-r0-alpine
+FROM nats:2.9.21-scratch as nats
+FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling
+FROM alpine:3.18.3 as janus
+
+ARG JANUS_VERSION=v0.14.0
+WORKDIR /src
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        git \
+        autoconf \
+        automake \
+        build-base \
+        pkgconfig \
+        libtool \
+        util-linux \
+        glib-dev \
+        zlib-dev \
+        openssl-dev \
+        jansson-dev \
+        libnice-dev \
+        libconfig-dev \
+        libsrtp-dev \
+        libusrsctp-dev \
+        gengetopt-dev \
+        libwebsockets-dev; \
+    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
+    /src/autogen.sh; \
+    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
+    make; \
+    make install; \
+    make configs; \
+    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
+
+FROM coturn/coturn:4.6.2-alpine3.18
 USER root

-COPY --from=nats /nats-server /usr/local/bin/nats-server
-COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
-
-COPY --chmod=775 start.sh /usr/bin/start.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
-
 RUN set -ex; \
    apk add --no-cache \
        ca-certificates \
@@ -18,52 +44,62 @@ RUN set -ex; \
        supervisor \
        bind-tools \
        netcat-openbsd \
-        shadow \
-        util-linux \
-        build-base \
-        lua5.3-dev \
-        luarocks5.3; \
-    apk add --no-cache janus-gateway --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
+        \
+        glib \
+        zlib \
+        libssl3 \
+        libcrypto3 \
+        jansson \
+        libnice \
+        libconfig \
+        libsrtp \
+        libusrsctp \
+        libwebsockets \
+        \
+        shadow; \
    useradd --system talk; \
-    luarocks-5.3 install luajson; \
-    luarocks-5.3 install ansicolors; \
-    rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
    apk del --no-cache \
-        shadow \
-        util-linux \
-        build-base \
-        lua5.3-dev \
-        luarocks5.3; \
+        shadow; \
    \
 # Give root a random password
    echo "root:$(openssl rand -base64 12)" | chpasswd; \
    \
    touch \
-        /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf; \
+        /etc/nats.conf; \
    echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
    mkdir -p \
        /var/tmp \
+        /conf \
+        /var/lib/turn \
+        /var/log/supervisord \
+        /var/run/supervisord \
+        /usr/local/lib/janus/loggers; \
+    chown talk:talk -R \
+        /usr \
+        /etc/nats.conf \
        /var/lib/turn \
        /var/log/supervisord \
        /var/run/supervisord; \
-    chown talk:talk -R \
-        /usr \
-        /etc/janus \
-        /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf \
+    chmod 777 -R \
+        /tmp \
+        /conf \
+        /var/run/supervisord \
        /var/lib/turn \
-        /var/log/supervisord \
-        /var/run/supervisord;
+        /var/log/supervisord;
+
+COPY --from=janus /usr/local /usr/local
+COPY --from=nats /nats-server /usr/local/bin/nats-server
+COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf

 # Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
 ENV TALK_PORT=3478

 USER talk
-ENTRYPOINT ["start.sh"]
+ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]

 HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/Containers/talk/server.conf.in
+++ b/Containers/talk/server.conf.in
@@ -89,7 +89,7 @@ allowall = false
 # Common shared secret for requests from and to the backend servers if
 # "allowall" is enabled. This must be the same value as configured in the
 # Nextcloud admin ui.
-#secret = the-shared-secret
+#secret = the-shared-secret-for-allowall

 # Timeout in seconds for requests to the backend.
 timeout = 10
--- a/Containers/talk/start.sh
+++ b/Containers/talk/start.sh
@@ -20,7 +20,7 @@ IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
 set +x

 # Turn
-cat << TURN_CONF > "/etc/turnserver.conf"
+cat << TURN_CONF > "/conf/turnserver.conf"
 listening-port=$TALK_PORT
 fingerprint
 use-auth-secret
@@ -54,7 +54,7 @@ denied-peer-ip=240.0.0.0-255.255.255.255
 TURN_CONF

 # Signling
-cat << SIGNALING_CONF > "/etc/signaling.conf"
+cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081

--- a/Containers/talk/supervisord.conf
+++ b/Containers/talk/supervisord.conf
@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -13,7 +12,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /etc/turnserver.conf
+command=turnserver -c /conf/turnserver.conf

 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -27,11 +26,12 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle
+# debug-level 3 means warning
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3

 [program:signaling]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nextcloud-spreed-signaling -config /etc/signaling.conf
+command=nextcloud-spreed-signaling -config /conf/signaling.conf
--- a/Containers/watchtower/Dockerfile
+++ b/Containers/watchtower/Dockerfile
@@ -1,7 +1,7 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.5.3 as watchtower

-FROM alpine:3.17.3
+FROM alpine:3.18.3

 RUN apk add --no-cache bash
 COPY --from=watchtower /watchtower /watchtower
@@ -11,4 +11,4 @@ COPY --chmod=775 start.sh /start.sh
 USER root

 ENTRYPOINT ["/start.sh"]
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
--- a/app/appinfo/info.xml
+++ b/app/appinfo/info.xml
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="25" max-version="26"/>
+		<nextcloud min-version="26" max-version="27"/>
 	</dependencies>

 	<settings>
--- a/compose.yaml
+++ b/compose.yaml
@@ -7,26 +7,26 @@ services:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
      - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
    ports:
-      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      - 8080:8080
-      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
    # environment: # Is needed when using any of the options below
-      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface.
-      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
-      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-ca
+      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container which is needed for hardware-transcoding. See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using.
+      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
@@ -51,7 +51,6 @@ volumes:

 # # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
 # # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
-# # Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 # networks:
 #   nextcloud-aio:
 #     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
--- a/local-instance.md
+++ b/local-instance.md
@@ -6,14 +6,14 @@ The recommended way is the following:
 1. Set up your domain correctly to point to your home network
 1. Set up a reverse proxy by following the [reverse proxy documentation](./reverse-proxy.md) but only open port 80 (which is needed for the ACME challenge to work - however no real traffic will use this port).
 1. Set up a local DNS-server like a pi-hole and configure it to be your local DNS-server for the whole network. Then in the Pi-hole interface, add a custom DNS-record for your domain and overwrite the A-record (and possibly the AAAA-record, too) to point to the private ip-address of your reverse proxy (see https://github.com/nextcloud/all-in-one#how-can-i-access-nextcloud-locally)
-1. Enter the ip-address of your local dns-server in the deamon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
+1. Enter the ip-address of your local dns-server in the daemon.json file for docker so that you are sure that all docker containers use the correct local dns-server.
 1. Now, entering the domain in the AIO-interface should work as expected and should allow you to continue with the setup

 ## 2. Use the ACME DNS-challenge
 You can alternatively use the ACME DNS-challenge to get a valid certificate for Nextcloud. Here is described how to set it up: https://github.com/nextcloud/all-in-one#how-to-get-nextcloud-running-using-the-acme-dns-challenge

 ## 3. Use Cloudflare
-If you do not have any contol over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.
+If you do not have any control over the network, you may think about using Cloudflare Tunnel to get a valid certificate for your Nextcloud. However it will be opened to the public internet then. See https://github.com/nextcloud/all-in-one#how-to-run-nextcloud-behind-a-cloudflare-tunnel how to set this up.

 ## 4. Buy a certificate and use that
 If none of the above ways work for you, you may simply buy a certificate from an issuer for your domain. You then download the certificate onto your server, configure AIO in [reverse proxy mode](./reverse-proxy.md) and use the certificate for your domain in your reverse proxy config.
--- a/manual-install/latest.yml
+++ b/manual-install/latest.yml
@@ -1,13 +1,25 @@
 services:
  nextcloud-aio-apache:
    depends_on:
-      - nextcloud-aio-onlyoffice
-      - nextcloud-aio-collabora
-      - nextcloud-aio-talk
-      - nextcloud-aio-nextcloud
+      nextcloud-aio-onlyoffice:
+        condition: service_started
+        required: false
+      nextcloud-aio-collabora:
+        condition: service_started
+        required: false
+      nextcloud-aio-talk:
+        condition: service_started
+        required: false
+      nextcloud-aio-nextcloud:
+        condition: service_started
+        required: false
+      nextcloud-aio-notify-push:
+        condition: service_started
+        required: false
    image: nextcloud/aio-apache:latest
    ports:
      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
+      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/udp
    environment:
      - NC_DOMAIN=${NC_DOMAIN}
      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
@@ -18,12 +30,20 @@ services:
      - TZ=${TIMEZONE}
      - APACHE_MAX_SIZE=${APACHE_MAX_SIZE}
      - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
+      - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:ro
      - nextcloud_aio_apache:/mnt/data:rw
    restart: unless-stopped
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /usr/local/apache2/logs
+      - /tmp
+      - /home/www-data

  nextcloud-aio-database:
    image: nextcloud/aio-postgresql:latest
@@ -43,19 +63,33 @@ services:
    shm_size: 268435456
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/run/postgresql

  nextcloud-aio-nextcloud:
    depends_on:
-      - nextcloud-aio-database
-      - nextcloud-aio-redis
-      - nextcloud-aio-clamav
-      - nextcloud-aio-fulltextsearch
-      - nextcloud-aio-talk-recording
-      - nextcloud-aio-imaginary
+      nextcloud-aio-database:
+        condition: service_started
+        required: false
+      nextcloud-aio-redis:
+        condition: service_started
+        required: false
+      nextcloud-aio-clamav:
+        condition: service_started
+        required: false
+      nextcloud-aio-fulltextsearch:
+        condition: service_started
+        required: false
+      nextcloud-aio-talk-recording:
+        condition: service_started
+        required: false
+      nextcloud-aio-imaginary:
+        condition: service_started
+        required: false
    image: nextcloud/aio-nextcloud:latest
    expose:
      - "9000"
-      - "7867"
    volumes:
      - nextcloud_aio_nextcloud:/var/www/html:rw
      - ${NEXTCLOUD_DATADIR}:/mnt/ncdata:rw
@@ -106,6 +140,28 @@ services:
    restart: unless-stopped
    networks:
      - nextcloud-aio
+    tmpfs:
+      - /tmp:exec
+
+  nextcloud-aio-notify-push:
+    image: nextcloud/aio-notify-push:latest
+    expose:
+      - "7867"
+    volumes:
+      - nextcloud_aio_nextcloud:/nextcloud:ro
+    environment:
+      - NC_DOMAIN=${NC_DOMAIN}
+      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
+      - REDIS_HOST=nextcloud-aio-redis
+      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
+      - POSTGRES_HOST=nextcloud-aio-database
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
+      - POSTGRES_DB=nextcloud_database
+      - POSTGRES_USER=nextcloud
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+    read_only: true

  nextcloud-aio-redis:
    image: nextcloud/aio-redis:latest
@@ -158,6 +214,13 @@ services:
      - talk-recording
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /conf
+      - /var/lib/turn
+      - /tmp

  nextcloud-aio-talk-recording:
    image: nextcloud/aio-talk-recording:latest
@@ -174,6 +237,10 @@ services:
      - talk-recording
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /conf

  nextcloud-aio-clamav:
    image: nextcloud/aio-clamav:latest
@@ -189,6 +256,11 @@ services:
      - clamav
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/lock
+      - /var/log/clamav
+      - /tmp

  nextcloud-aio-onlyoffice:
    image: nextcloud/aio-onlyoffice:latest
@@ -220,6 +292,9 @@ services:
      - imaginary
    networks:
      - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp

  nextcloud-aio-fulltextsearch:
    image: nextcloud/aio-fulltextsearch:latest
@@ -227,9 +302,14 @@ services:
      - "9200"
    environment:
      - TZ=${TIMEZONE}
+      - ES_JAVA_OPTS=-Xms512M -Xmx512M
+      - bootstrap.memory_lock=true
+      - cluster.name=nextcloud-aio
      - discovery.type=single-node
-      - ES_JAVA_OPTS=-Xms1024M -Xmx1024M
-      - POSTGRES_HOST=nextcloud-aio-database
+      - logger.org.elasticsearch.discovery=WARN
+      - http.port=9200
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=false
    volumes:
      - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
    restart: unless-stopped
--- a/manual-install/readme.md
+++ b/manual-install/readme.md
@@ -28,9 +28,9 @@ Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml
 Now you should be ready to go with `sudo docker-compose up`.

 ## Docker profiles
-The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, onlyoffice, talk, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).
+The default profile of `latest.yml` only provide the minimum necessary services: nextcloud, database, redis and apache. To get optional services collabora, talk, talk-recording, clamav, imaginary or fulltextsearch use additional arguments for each of them, for example `--profile collabora`. (Note: there is no clamav image for arm64).

-For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).
+For a complete all-in-one with collabora use `sudo docker-compose --profile collabora --profile talk --profile talk-recording --profile clamav --profile imaginary --profile fulltextsearch up`. (Note: there is no clamav image for arm64).

 ## How to update?
 Since the AIO containers may change in the future, it is highly recommended to strictly follow the following procedure whenever you want to upgrade your containers.
--- a/manual-install/sample.conf
+++ b/manual-install/sample.conf
@@ -17,9 +17,9 @@ ONLYOFFICE_ENABLED="no"          # Setting this to "yes" (with quotes) enables t
 TALK_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.
 TALK_RECORDING_ENABLED="no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

-APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect
+APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect
 APACHE_MAX_SIZE=10737418240          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
+APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
 COLLABORA_DICTIONARIES="de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"        # You can change this in order to enable other dictionaries for collabora
 COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@@ -20,6 +20,7 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
+OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= map({ (.): { "condition": "service_started", "required": false } }) else . end' | jq '.services[] |= if has("depends_on") then .depends_on |= reduce .[] as $item ({}; . + $item) else . end')"

 snap install yq
 mkdir -p ./manual-install
@@ -78,8 +79,8 @@ sed -i 's|APACHE_MAX_SIZE=|APACHE_MAX_SIZE=10737418240          # This needs to
 sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600          # This allows to change the upload time limit of the Nextcloud container|' sample.conf
 sed -i 's|NEXTCLOUD_TRUSTED_CACERTS_DIR=|NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf
 sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf
-sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).|' sample.conf
-sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx and else) and if that is running on the same host and using localhost to connect|' sample.conf
+sed -i 's|APACHE_PORT=|APACHE_PORT=443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).|' sample.conf
+sed -i 's|APACHE_IP_BINDING=|APACHE_IP_BINDING=0.0.0.0          # This can be changed to e.g. 127.0.0.1 if you want to run AIO behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) and if that is running on the same host and using localhost to connect|' sample.conf
 sed -i 's|TALK_PORT=|TALK_PORT=3478          # This allows to adjust the port that the talk container is using.|' sample.conf
 sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.|' sample.conf
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
@@ -111,7 +112,7 @@ for name in "${NAMES[@]}"
 do
    OUTPUT="$(echo "$OUTPUT" | sed "/container_name.*$name$/i\ \ $name:")"
    if [ "$name" != "nextcloud-aio-apache" ]; then
-        OUTPUT="$(echo "$OUTPUT" | sed "/  $name:/i\ ")"
+        OUTPUT="$(echo "$OUTPUT" | sed "/^  $name:/i\ ")"
    fi
 done

--- a/manual-upgrade.md
+++ b/manual-upgrade.md
@@ -12,7 +12,7 @@ The only way to fix this on your side is upgrading regularly (e.g. by enabling d
 1. Run the following commands in order to reverse engineer the Nextcloud container:
    ```bash
        sudo docker pull assaflavie/runlike
-        echo '#/bin/bash' > /tmp/nextcloud-aio-nextcloud
+        echo '#!/bin/bash' > /tmp/nextcloud-aio-nextcloud
        sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
        sudo chown root:root /tmp/nextcloud-aio-nextcloud
    ```
--- a/migration.md
+++ b/migration.md
@@ -14,7 +14,7 @@ The procedure for migrating only the files works like this:
 1. Install Nextcloud AIO on a new server/linux installation, enter your domain and wait until all containers are running
 1. Recreate all users that were present on your former installation
 1. Take a backup using Nextcloud AIO's built-in backup solution (so that you can easily restore to this state again) (Note: this will stop all containers and is expected: don't start the container again at this point!)
-1. Restore the datadirectory of your former instance: for `/path/to/nextcloud/data/` run `sudo docker cp --follow-link /path/to/nextcloud/data/ nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/` at the end are necessary.
+1. Restore the datadirectory of your former instance: for `/path/to/nextcloud/data/` run `sudo docker cp --follow-link /path/to/nextcloud/data/. nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/.` and `/` at the end are necessary.
 1. Next, run `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chown -R 33:0 /mnt/ncdata/` and `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chmod -R 750 /mnt/ncdata/` to apply the correct permissions. (Or if `NEXTCLOUD_DATADIR` was provided, apply `chown -R 33:0` and `chmod -R 750` to the chosen path.)
 1. Start the containers again and wait until all containers are running
 1. Run `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan-app-data && sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all` in order to scan all files in the datadirectory.
@@ -24,7 +24,7 @@ The procedure for migrating only the files works like this:

 The procedure for migrating the files and the database works like this:
 1. Make sure that your old instance is on exactly the same version like the version used in Nextcloud AIO. (e.g. 23.0.0) You can find the used version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If not, simply upgrade your former installation to that version or wait until the version used in Nextcloud AIO got updated to the same version of your former installation or the other way around.
-1. Take a backup of your former instance (especially from your datadirectory and database)
+1. First, on the old instance, update all Nextcloud apps to its latest version via the app management site (important for the restore later on). Then take a backup of your former instance (especially from your datadirectory and database).
 1. If your former installation didn't use Postgresql already, you will now need to convert your old installation to use Postgresql as database temporarily (in order to be able to perform a pg_dump afterwards):
    1. Install Postgresql on your former installation: on a Debian based OS should the following command work:
        ```
@@ -56,7 +56,7 @@ The procedure for migrating the files and the database works like this:
    ```
    **Please note:** The exact name of the database export file is important! (`database-dump.sql`)<br>
    And of course you need to to use the correct name that the Postgresql database has for the export (if `$PG_DATABASE` doesn't work directly).
-1. At this point, you can finally install Nextcloud AIO on a new server/linux installation, enter your domain in the AIO interface (use the same domain that you used on your former installation) and wait until all containers are running. Then you should check the included Nextcloud version by running `sudo docker inspect nextcloud-aio-nextcloud | grep NEXTCLOUD_VERSION`.
+1. At this point, you can finally install Nextcloud AIO on a new server/linux installation, enter your domain in the AIO interface (use the same domain that you used on your former installation) and wait until all containers are running. Then you should check the included Nextcloud version by running `sudo docker inspect nextcloud-aio-nextcloud | grep NEXTCLOUD_VERSION`. Also install all apps via the apps management site that were installed on the old Nextcloud installation. Otherwise they will show as installed, but will not work.
 1. Next, take a backup using Nextcloud AIO's built-in backup solution (so that you can easily restore to this state again) (Note: this will stop all containers and is expected: don't start the container again at this point!)
 1. Now, we are slowly starting to import your files and database. First, you need to modify the datadirectory that is stored inside the database export:
    1. Find out what the directory of your old Nextcloud installation is by e.g. opening the config.php file and looking at the value `datadirectory`.
@@ -75,7 +75,7 @@ The procedure for migrating the files and the database works like this:
    sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine chmod 777 /mnt/data/database-dump.sql
    sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine rm /mnt/data/initial-cleanup-done
    ```
-1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine sh -c "rm -rf /mnt/ncdata/*"` and `sudo docker cp --follow-link /path/to/nextcloud/data/ nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/` at the end are necessary. (Or if `NEXTCLOUD_DATADIR` was provided, first delete the files in there and then copy the files to the chosen path.)
+1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine sh -c "rm -rf /mnt/ncdata/*"` and `sudo docker cp --follow-link /path/to/nextcloud/data/. nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/.` and `/` at the end are necessary. (Or if `NEXTCLOUD_DATADIR` was provided, first delete the files in there and then copy the files to the chosen path.)
 1. Next, run `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chown -R 33:0 /mnt/ncdata/` and `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chmod -R 750 /mnt/ncdata/` to apply the correct permissions on the datadirectory. (Or if `NEXTCLOUD_DATADIR` was provided, apply `chown -R 33:0` and `chmod -R 750` to the chosen path.)
 1. Edit the Nextcloud AIO config.php file using `sudo docker run -it --rm --volume nextcloud_aio_nextcloud:/var/www/html:rw alpine sh -c "apk add --no-cache nano && nano /var/www/html/config/config.php"` and modify only `passwordsalt`, `secret`, `instanceid` and set it to the old values that you used on your old installation. If you are brave, feel free to modify further values e.g. add your old LDAP config or S3 storage config. (Some things like Mail server config can be added back using Nextcloud's webinterface later on).
 1. When you are done and saved your changes to the file, finally start the containers again and wait until all containers are running.
--- a/nextcloud-aio-helm-chart/Chart.yaml
+++ b/nextcloud-aio-helm-chart/Chart.yaml
@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 6.1.0
+version: 6.4.0
 apiVersion: v2
 keywords:
  - latest
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml
@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -15,8 +16,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-apache
@@ -29,7 +30,22 @@ spec:
            - "777"
            - /nextcloud-aio-nextcloud
            - /nextcloud-aio-apache
+            - /nextcloud-aio-apache-tmpfs0
+            - /nextcloud-aio-apache-tmpfs1
+            - /nextcloud-aio-apache-tmpfs2
+            - /nextcloud-aio-apache-tmpfs3
+            - /nextcloud-aio-apache-tmpfs4
          volumeMounts:
+            - name: nextcloud-aio-apache-tmpfs4
+              mountPath: /nextcloud-aio-apache-tmpfs4
+            - name: nextcloud-aio-apache-tmpfs3
+              mountPath: /nextcloud-aio-apache-tmpfs3
+            - name: nextcloud-aio-apache-tmpfs2
+              mountPath: /nextcloud-aio-apache-tmpfs2
+            - name: nextcloud-aio-apache-tmpfs1
+              mountPath: /nextcloud-aio-apache-tmpfs1
+            - name: nextcloud-aio-apache-tmpfs0
+              mountPath: /nextcloud-aio-apache-tmpfs0
            - name: nextcloud-aio-apache
              mountPath: /nextcloud-aio-apache
            - name: nextcloud-aio-nextcloud
@@ -48,22 +64,41 @@ spec:
              value: "{{ .Values.NC_DOMAIN }}"
            - name: NEXTCLOUD_HOST
              value: nextcloud-aio-nextcloud
+            - name: NOTIFY_PUSH_HOST
+              value: nextcloud-aio-notify-push
            - name: ONLYOFFICE_HOST
              value: nextcloud-aio-onlyoffice
            - name: TALK_HOST
              value: nextcloud-aio-talk
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20230613_065816-latest
+          image: nextcloud/aio-apache:20230728_085937-latest
          name: nextcloud-aio-apache
          ports:
            - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: TCP
+            - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: UDP
+          securityContext:
+            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /var/www/html
              name: nextcloud-aio-nextcloud
              readOnly: true
            - mountPath: /mnt/data
              name: nextcloud-aio-apache
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-apache-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-apache-tmpfs1
+            - mountPath: /usr/local/apache2/logs
+              name: nextcloud-aio-apache-tmpfs2
+            - mountPath: /tmp
+              name: nextcloud-aio-apache-tmpfs3
+            - mountPath: /home/www-data
+              name: nextcloud-aio-apache-tmpfs4
      volumes:
        - name: nextcloud-aio-nextcloud
          persistentVolumeClaim:
@@ -71,3 +106,13 @@ spec:
        - name: nextcloud-aio-apache
          persistentVolumeClaim:
            claimName: nextcloud-aio-apache
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs4
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml
@@ -2,16 +2,21 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-apache
  name: nextcloud-aio-apache
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  type: LoadBalancer
  ports:
    - name: "{{ .Values.APACHE_PORT }}"
      port: {{ .Values.APACHE_PORT }}
      targetPort: {{ .Values.APACHE_PORT }}
+    - name: {{ .Values.APACHE_PORT }}-udp
+      port: {{ .Values.APACHE_PORT }}
+      protocol: UDP
+      targetPort: {{ .Values.APACHE_PORT }}
  selector:
    io.kompose.service: nextcloud-aio-apache
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,8 +17,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-clamav
@@ -29,7 +30,16 @@ spec:
            - chmod
            - "777"
            - /nextcloud-aio-clamav
+            - /nextcloud-aio-clamav-tmpfs0
+            - /nextcloud-aio-clamav-tmpfs1
+            - /nextcloud-aio-clamav-tmpfs2
          volumeMounts:
+            - name: nextcloud-aio-clamav-tmpfs2
+              mountPath: /nextcloud-aio-clamav-tmpfs2
+            - name: nextcloud-aio-clamav-tmpfs1
+              mountPath: /nextcloud-aio-clamav-tmpfs1
+            - name: nextcloud-aio-clamav-tmpfs0
+              mountPath: /nextcloud-aio-clamav-tmpfs0
            - name: nextcloud-aio-clamav
              mountPath: /nextcloud-aio-clamav
      containers:
@@ -38,15 +48,31 @@ spec:
              value: "90"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20230613_065816-latest
+          image: nextcloud/aio-clamav:20230728_085937-latest
          name: nextcloud-aio-clamav
          ports:
            - containerPort: 3310
+              hostPort: 3310
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /var/lib/clamav
              name: nextcloud-aio-clamav
+            - mountPath: /var/lock
+              name: nextcloud-aio-clamav-tmpfs0
+            - mountPath: /var/log/clamav
+              name: nextcloud-aio-clamav-tmpfs1
+            - mountPath: /tmp
+              name: nextcloud-aio-clamav-tmpfs2
      volumes:
        - name: nextcloud-aio-clamav
          persistentVolumeClaim:
            claimName: nextcloud-aio-clamav
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs2
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "3310"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,8 +17,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-collabora
@@ -36,8 +37,10 @@ spec:
              value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
            - name: server_name
              value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20230613_065816-latest
+          image: nextcloud/aio-collabora:20230728_085937-latest
          name: nextcloud-aio-collabora
          ports:
            - containerPort: 9980
+              hostPort: 9980
+              protocol: TCP
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-collabora
  name: nextcloud-aio-collabora
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "9980"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml
@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -15,8 +16,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-database
@@ -30,7 +31,10 @@ spec:
            - /nextcloud-aio-database/data
            - /nextcloud-aio-database
            - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
          volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
            - name: nextcloud-aio-database-dump
              mountPath: /nextcloud-aio-database-dump
            - name: nextcloud-aio-database
@@ -43,7 +47,10 @@ spec:
            - "-R"
            - /nextcloud-aio-database
            - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
          volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
            - name: nextcloud-aio-database-dump
              mountPath: /nextcloud-aio-database-dump
            - name: nextcloud-aio-database
@@ -60,16 +67,22 @@ spec:
              value: nextcloud
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20230613_065816-latest
+          image: nextcloud/aio-postgresql:20230728_085937-latest
          name: nextcloud-aio-database
          ports:
            - containerPort: 5432
+              hostPort: 5432
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              subPath: data
              name: nextcloud-aio-database
            - mountPath: /mnt/data
              name: nextcloud-aio-database-dump
+            - mountPath: /var/run/postgresql
+              name: nextcloud-aio-database-tmpfs0
      terminationGracePeriodSeconds: 1800
      volumes:
        - name: nextcloud-aio-database
@@ -78,3 +91,5 @@ spec:
        - name: nextcloud-aio-database-dump
          persistentVolumeClaim:
            claimName: nextcloud-aio-database-dump
+        - emptyDir: {}
+          name: nextcloud-aio-database-tmpfs0
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-dump-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-dump-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-database-dump
  name: nextcloud-aio-database-dump
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml
@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-database
  name: nextcloud-aio-database
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "5432"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-elasticsearch
  name: nextcloud-aio-elasticsearch
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-fulltextsearch
  name: nextcloud-aio-fulltextsearch
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,8 +17,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-fulltextsearch
@@ -35,17 +36,29 @@ spec:
      containers:
        - env:
            - name: ES_JAVA_OPTS
-              value: -Xms1024M -Xmx1024M
-            - name: POSTGRES_HOST
-              value: nextcloud-aio-database
+              value: -Xms512M -Xmx512M
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
+            - name: bootstrap.memory_lock
+              value: "true"
+            - name: cluster.name
+              value: nextcloud-aio
            - name: discovery.type
              value: single-node
-          image: nextcloud/aio-fulltextsearch:20230613_065816-latest
+            - name: http.port
+              value: "9200"
+            - name: logger.org.elasticsearch.discovery
+              value: WARN
+            - name: xpack.license.self_generated.type
+              value: basic
+            - name: xpack.security.enabled
+              value: "false"
+          image: nextcloud/aio-fulltextsearch:20230728_085937-latest
          name: nextcloud-aio-fulltextsearch
          ports:
            - containerPort: 9200
+              hostPort: 9200
+              protocol: TCP
          volumeMounts:
            - mountPath: /usr/share/elasticsearch/data
              name: nextcloud-aio-elasticsearch
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-fulltextsearch
  name: nextcloud-aio-fulltextsearch
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "9200"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-imaginary
  name: nextcloud-aio-imaginary
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,22 +17,41 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-imaginary
    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-imaginary-tmpfs0
+          volumeMounts:
+            - name: nextcloud-aio-imaginary-tmpfs0
+              mountPath: /nextcloud-aio-imaginary-tmpfs0
      containers:
        - env:
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20230613_065816-latest
+          image: nextcloud/aio-imaginary:20230728_085937-latest
          name: nextcloud-aio-imaginary
          ports:
            - containerPort: 9000
+              hostPort: 9000
+              protocol: TCP
          securityContext:
            capabilities:
              add:
                - SYS_NICE
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-imaginary-tmpfs0
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-imaginary-tmpfs0
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-imaginary
  name: nextcloud-aio-imaginary
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "9000"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-namespace-namespace.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-namespace-namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.NAMESPACE }}
+  namespace: {{ .Values.NAMESPACE }}
+spec: {}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml
@@ -1,13 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: nextcloud-aio
-spec:
-  ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              io.kompose.network/nextcloud-aio: "true"
-  podSelector:
-    matchLabels:
-      io.kompose.network/nextcloud-aio: "true"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-data-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-data-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-nextcloud-data
  name: nextcloud-aio-nextcloud-data
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml
@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-nextcloud
  name: nextcloud-aio-nextcloud
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -15,8 +16,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-nextcloud
@@ -29,7 +30,10 @@ spec:
            - "777"
            - /nextcloud-aio-nextcloud
            - /nextcloud-aio-nextcloud-trusted-cacerts
+            - /nextcloud-aio-nextcloud-tmpfs0
          volumeMounts:
+            - name: nextcloud-aio-nextcloud-tmpfs0
+              mountPath: /nextcloud-aio-nextcloud-tmpfs0
            - name: nextcloud-aio-nextcloud-trusted-cacerts
              mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
            - name: nextcloud-aio-nextcloud
@@ -116,11 +120,12 @@ spec:
              value: "{{ .Values.TIMEZONE }}"
            - name: UPDATE_NEXTCLOUD_APPS
              value: "{{ .Values.UPDATE_NEXTCLOUD_APPS }}"
-          image: nextcloud/aio-nextcloud:20230613_065816-latest
+          image: nextcloud/aio-nextcloud:20230728_085937-latest
          name: nextcloud-aio-nextcloud
          ports:
            - containerPort: 9000
-            - containerPort: 7867
+              hostPort: 9000
+              protocol: TCP
          volumeMounts:
            - mountPath: /var/www/html
              name: nextcloud-aio-nextcloud
@@ -129,6 +134,8 @@ spec:
            - mountPath: /usr/local/share/ca-certificates
              name: nextcloud-aio-nextcloud-trusted-cacerts
              readOnly: true
+            - mountPath: /tmp
+              name: nextcloud-aio-nextcloud-tmpfs0
      volumes:
        - name: nextcloud-aio-nextcloud
          persistentVolumeClaim:
@@ -139,3 +146,5 @@ spec:
        - name: nextcloud-aio-nextcloud-trusted-cacerts
          persistentVolumeClaim:
            claimName: nextcloud-aio-nextcloud-trusted-cacerts
+        - emptyDir: {}
+          name: nextcloud-aio-nextcloud-tmpfs0
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-nextcloud
  name: nextcloud-aio-nextcloud
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-service.yaml
@@ -2,18 +2,16 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-nextcloud
  name: nextcloud-aio-nextcloud
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "9000"
      port: 9000
      targetPort: 9000
-    - name: "7867"
-      port: 7867
-      targetPort: 7867
  selector:
    io.kompose.service: nextcloud-aio-nextcloud
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-trusted-cacerts-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-trusted-cacerts-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-nextcloud-trusted-cacerts
  name: nextcloud-aio-nextcloud-trusted-cacerts
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
+  labels:
+    io.kompose.service: nextcloud-aio-notify-push
+  name: nextcloud-aio-notify-push
+  namespace: {{ .Values.NAMESPACE }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-notify-push
+  template:
+    metadata:
+      annotations:
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
+      labels:
+        io.kompose.network/nextcloud-aio: "true"
+        io.kompose.service: nextcloud-aio-notify-push
+    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-nextcloud
+          volumeMounts:
+            - name: nextcloud-aio-nextcloud
+              mountPath: /nextcloud-aio-nextcloud
+      containers:
+        - env:
+            - name: NC_DOMAIN
+              value: "{{ .Values.NC_DOMAIN }}"
+            - name: NEXTCLOUD_HOST
+              value: nextcloud-aio-nextcloud
+            - name: POSTGRES_DB
+              value: nextcloud_database
+            - name: POSTGRES_HOST
+              value: nextcloud-aio-database
+            - name: POSTGRES_PASSWORD
+              value: "{{ .Values.DATABASE_PASSWORD }}"
+            - name: POSTGRES_USER
+              value: nextcloud
+            - name: REDIS_HOST
+              value: nextcloud-aio-redis
+            - name: REDIS_HOST_PASSWORD
+              value: "{{ .Values.REDIS_PASSWORD }}"
+          image: nextcloud/aio-notify-push:20230728_085937-latest
+          name: nextcloud-aio-notify-push
+          ports:
+            - containerPort: 7867
+              hostPort: 7867
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /nextcloud
+              name: nextcloud-aio-nextcloud
+              readOnly: true
+      volumes:
+        - name: nextcloud-aio-nextcloud
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-nextcloud
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
+  labels:
+    io.kompose.service: nextcloud-aio-notify-push
+  name: nextcloud-aio-notify-push
+  namespace: {{ .Values.NAMESPACE }}
+spec:
+  ports:
+    - name: "7867"
+      port: 7867
+      targetPort: 7867
+  selector:
+    io.kompose.service: nextcloud-aio-notify-push
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-onlyoffice
  name: nextcloud-aio-onlyoffice
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,8 +17,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-onlyoffice
@@ -42,10 +43,12 @@ spec:
              value: "{{ .Values.ONLYOFFICE_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20230613_065816-latest
+          image: nextcloud/aio-onlyoffice:20230728_085937-latest
          name: nextcloud-aio-onlyoffice
          ports:
            - containerPort: 80
+              hostPort: 80
+              protocol: TCP
          volumeMounts:
            - mountPath: /var/lib/onlyoffice
              name: nextcloud-aio-onlyoffice
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-onlyoffice
  name: nextcloud-aio-onlyoffice
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-service.yaml
@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-onlyoffice
  name: nextcloud-aio-onlyoffice
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "80"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml
@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-redis
  name: nextcloud-aio-redis
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -15,8 +16,8 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-redis
@@ -37,10 +38,14 @@ spec:
              value: "{{ .Values.REDIS_PASSWORD }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20230613_065816-latest
+          image: nextcloud/aio-redis:20230728_085937-latest
          name: nextcloud-aio-redis
          ports:
            - containerPort: 6379
+              hostPort: 6379
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
          volumeMounts:
            - mountPath: /data
              name: nextcloud-aio-redis
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-persistentvolumeclaim.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-persistentvolumeclaim.yaml
@@ -4,6 +4,7 @@ metadata:
  labels:
    io.kompose.service: nextcloud-aio-redis
  name: nextcloud-aio-redis
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  {{- if .Values.STORAGE_CLASS }}
  storageClassName: {{ .Values.STORAGE_CLASS }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-service.yaml
@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-redis
  name: nextcloud-aio-redis
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "6379"
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml
@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-talk
  name: nextcloud-aio-talk
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -16,12 +17,34 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-talk
    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-talk-tmpfs0
+            - /nextcloud-aio-talk-tmpfs1
+            - /nextcloud-aio-talk-tmpfs2
+            - /nextcloud-aio-talk-tmpfs3
+            - /nextcloud-aio-talk-tmpfs4
+          volumeMounts:
+            - name: nextcloud-aio-talk-tmpfs4
+              mountPath: /nextcloud-aio-talk-tmpfs4
+            - name: nextcloud-aio-talk-tmpfs3
+              mountPath: /nextcloud-aio-talk-tmpfs3
+            - name: nextcloud-aio-talk-tmpfs2
+              mountPath: /nextcloud-aio-talk-tmpfs2
+            - name: nextcloud-aio-talk-tmpfs1
+              mountPath: /nextcloud-aio-talk-tmpfs1
+            - name: nextcloud-aio-talk-tmpfs0
+              mountPath: /nextcloud-aio-talk-tmpfs0
      containers:
        - env:
            - name: INTERNAL_SECRET
@@ -36,11 +59,40 @@ spec:
              value: "{{ .Values.TURN_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20230613_065816-latest
+          image: nextcloud/aio-talk:20230728_085937-latest
          name: nextcloud-aio-talk
          ports:
            - containerPort: {{ .Values.TALK_PORT }}
+              hostPort: {{ .Values.TALK_PORT }}
+              protocol: TCP
            - containerPort: {{ .Values.TALK_PORT }}
+              hostPort: {{ .Values.TALK_PORT }}
              protocol: UDP
            - containerPort: 8081
+              hostPort: 8081
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-talk-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-talk-tmpfs1
+            - mountPath: /conf
+              name: nextcloud-aio-talk-tmpfs2
+            - mountPath: /var/lib/turn
+              name: nextcloud-aio-talk-tmpfs3
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-tmpfs4
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs4
 {{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml
@@ -1,12 +1,14 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-talk-recording
  name: nextcloud-aio-talk-recording
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  replicas: 1
  selector:
@@ -15,12 +17,25 @@ spec:
  template:
    metadata:
      annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
      labels:
        io.kompose.network/nextcloud-aio: "true"
        io.kompose.service: nextcloud-aio-talk-recording
    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-talk-recording-tmpfs0
+            - /nextcloud-aio-talk-recording-tmpfs1
+          volumeMounts:
+            - name: nextcloud-aio-talk-recording-tmpfs1
+              mountPath: /nextcloud-aio-talk-recording-tmpfs1
+            - name: nextcloud-aio-talk-recording-tmpfs0
+              mountPath: /nextcloud-aio-talk-recording-tmpfs0
      containers:
        - env:
            - name: INTERNAL_SECRET
@@ -31,7 +46,22 @@ spec:
              value: "{{ .Values.RECORDING_SECRET }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk-recording:20230613_065816-latest
+          image: nextcloud/aio-talk-recording:20230728_085937-latest
          name: nextcloud-aio-talk-recording
          ports:
            - containerPort: 1234
+              hostPort: 1234
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-recording-tmpfs0
+            - mountPath: /conf
+              name: nextcloud-aio-talk-recording-tmpfs1
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-talk-recording-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-talk-recording-tmpfs1
+{{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml
@@ -1,12 +1,14 @@
+{{- if eq .Values.TALK_RECORDING_ENABLED "yes" }}
 apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-talk-recording
  name: nextcloud-aio-talk-recording
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "1234"
@@ -14,3 +16,4 @@ spec:
      targetPort: 1234
  selector:
    io.kompose.service: nextcloud-aio-talk-recording
+{{- end }}
--- a/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-service.yaml
+++ b/nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-service.yaml
@@ -4,11 +4,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-talk
  name: nextcloud-aio-talk-public
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  type: LoadBalancer
  ports:
@@ -26,11 +27,12 @@ apiVersion: v1
 kind: Service
 metadata:
  annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
  labels:
    io.kompose.service: nextcloud-aio-talk
  name: nextcloud-aio-talk
+  namespace: {{ .Values.NAMESPACE }}
 spec:
  ports:
    - name: "8081"
--- a/nextcloud-aio-helm-chart/update-helm.sh
+++ b/nextcloud-aio-helm-chart/update-helm.sh
@@ -15,6 +15,9 @@ curl -L https://github.com/kubernetes/kompose/releases/download/"$LATEST_KOMPOSE
 chmod +x kompose
 sudo mv ./kompose /usr/local/bin/kompose

+# Install yq
+snap install yq
+
 set -ex

 # Conversion of docker-compose
@@ -39,11 +42,14 @@ sed -i "/^volumes:/a\ \ nextcloud_aio_nextcloud_trusted_cacerts:\n \ \ \ \ name:
 sed -i "s|\${NEXTCLOUD_TRUSTED_CACERTS_DIR}:|nextcloud_aio_nextcloud_trusted_cacerts:|g#" latest.yml
 sed -i 's|\${|{{ .Values.|g' latest.yml
 sed -i 's|}| }}|g' latest.yml
+yq -i 'del(.services.[].profiles)' latest.yml
 cat latest.yml
-kompose convert -c -f latest.yml
+kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace
 cd latest

-mv ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ./templates/nextcloud-aio-networkpolicy.yaml
+if [ -f ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ]; then
+    mv ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ./templates/nextcloud-aio-networkpolicy.yaml
+fi
 # shellcheck disable=SC1083
 find ./ -name '*networkpolicy.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 cat << EOL > /tmp/initcontainers
@@ -109,10 +115,16 @@ for variable in "${DEPLOYMENTS[@]}"; do
    fi
 done
 # shellcheck disable=SC1083
+find ./ -name '*.yaml' -exec sed -i "s|nextcloud-aio-namespace|\{\{ .Values.NAMESPACE \}\}|" \{} \; 
+# shellcheck disable=SC1083
 find ./ -name '*service.yaml' -exec sed -i "/^status:/,$ d" \{} \; 
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 # shellcheck disable=SC1083
+find ./ -name '*deployment.yaml' -exec sed -i "/medium: Memory/d" \{} \;
+# shellcheck disable=SC1083
+find ./ -name '*deployment.yaml' -exec sed -i "s|emptyDir:|emptyDir: \{\}|" \{} \; 
+# shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "s|ReadOnlyMany|ReadWriteOnce|" \{} \;   
 # shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "/accessModes:/i\ \ {{- if .Values.STORAGE_CLASS }}" \{} \;  
@@ -194,6 +206,10 @@ sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
 sed -i 's|10737418240|"10737418240"|' /tmp/sample.conf
 # shellcheck disable=SC2129
+echo "NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster" >> /tmp/sample.conf
+# shellcheck disable=SC2129
+echo "" >> /tmp/sample.conf
+# shellcheck disable=SC2129
 echo 'STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes' >> /tmp/sample.conf
 for variable in "${VOLUME_VARIABLE[@]}"; do
    echo "$variable: 1Gi       # You can change the size of the $(echo "$variable" | sed 's|_STORAGE_SIZE||;s|_|-|g' | tr '[:upper:]' '[:lower:]') volume that default to 1Gi with this value" >> /tmp/sample.conf
--- a/nextcloud-aio-helm-chart/values.yaml
+++ b/nextcloud-aio-helm-chart/values.yaml
@@ -18,7 +18,7 @@ TALK_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the op
 TALK_RECORDING_ENABLED: "no"          # Setting this to "yes" (with quotes) enables the option in Nextcloud automatically.

 APACHE_MAX_SIZE: "10737418240"          # This needs to be an integer and in sync with NEXTCLOUD_UPLOAD_LIMIT
-APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx and else).
+APACHE_PORT: 443          # Changing this to a different value than 443 will allow you to run it behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else).
 COLLABORA_DICTIONARIES: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru        # You can change this in order to enable other dictionaries for collabora
 COLLABORA_SECCOMP_POLICY: --o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.
 INSTALL_LATEST_MAJOR: no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation
@@ -31,6 +31,8 @@ NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to auto
 NEXTCLOUD_UPLOAD_LIMIT: 10G          # This allows to change the upload limit of the Nextcloud container
 TALK_PORT: 3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
+NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster
+
 STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes
 APACHE_STORAGE_SIZE: 1Gi       # You can change the size of the apache volume that default to 1Gi with this value
 CLAMAV_STORAGE_SIZE: 1Gi       # You can change the size of the clamav volume that default to 1Gi with this value
--- a/php/composer.lock
+++ b/php/composer.lock
@@ -134,16 +134,16 @@
        },
        {
            "name": "guzzlehttp/promises",
-            "version": "2.0.0",
+            "version": "2.0.1",
            "source": {
                "type": "git",
                "url": "https://github.com/guzzle/promises.git",
-                "reference": "3a494dc7dc1d7d12e511890177ae2d0e6c107da6"
+                "reference": "111166291a0f8130081195ac4556a5587d7f1b5d"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/promises/zipball/3a494dc7dc1d7d12e511890177ae2d0e6c107da6",
-                "reference": "3a494dc7dc1d7d12e511890177ae2d0e6c107da6",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/111166291a0f8130081195ac4556a5587d7f1b5d",
+                "reference": "111166291a0f8130081195ac4556a5587d7f1b5d",
                "shasum": ""
            },
            "require": {
@@ -197,7 +197,7 @@
            ],
            "support": {
                "issues": "https://github.com/guzzle/promises/issues",
-                "source": "https://github.com/guzzle/promises/tree/2.0.0"
+                "source": "https://github.com/guzzle/promises/tree/2.0.1"
            },
            "funding": [
                {
@@ -213,20 +213,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2023-05-21T13:50:22+00:00"
+            "time": "2023-08-03T15:11:55+00:00"
        },
        {
            "name": "guzzlehttp/psr7",
-            "version": "2.5.0",
+            "version": "2.6.0",
            "source": {
                "type": "git",
                "url": "https://github.com/guzzle/psr7.git",
-                "reference": "b635f279edd83fc275f822a1188157ffea568ff6"
+                "reference": "8bd7c33a0734ae1c5d074360512beb716bef3f77"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6",
-                "reference": "b635f279edd83fc275f822a1188157ffea568ff6",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/8bd7c33a0734ae1c5d074360512beb716bef3f77",
+                "reference": "8bd7c33a0734ae1c5d074360512beb716bef3f77",
                "shasum": ""
            },
            "require": {
@@ -313,7 +313,7 @@
            ],
            "support": {
                "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.5.0"
+                "source": "https://github.com/guzzle/psr7/tree/2.6.0"
            },
            "funding": [
                {
@@ -329,7 +329,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2023-04-17T16:11:26+00:00"
+            "time": "2023-08-03T15:06:02+00:00"
        },
        {
            "name": "http-interop/http-factory-guzzle",
@@ -461,16 +461,16 @@
        },
        {
            "name": "laravel/serializable-closure",
-            "version": "v1.3.0",
+            "version": "v1.3.1",
            "source": {
                "type": "git",
                "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "f23fe9d4e95255dacee1bf3525e0810d1a1b0f37"
+                "reference": "e5a3057a5591e1cfe8183034b0203921abe2c902"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/f23fe9d4e95255dacee1bf3525e0810d1a1b0f37",
-                "reference": "f23fe9d4e95255dacee1bf3525e0810d1a1b0f37",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/e5a3057a5591e1cfe8183034b0203921abe2c902",
+                "reference": "e5a3057a5591e1cfe8183034b0203921abe2c902",
                "shasum": ""
            },
            "require": {
@@ -517,7 +517,7 @@
                "issues": "https://github.com/laravel/serializable-closure/issues",
                "source": "https://github.com/laravel/serializable-closure"
            },
-            "time": "2023-01-30T18:31:20+00:00"
+            "time": "2023-07-14T13:56:28+00:00"
        },
        {
            "name": "nikic/fast-route",
@@ -626,16 +626,16 @@
        },
        {
            "name": "php-di/php-di",
-            "version": "7.0.2",
+            "version": "7.0.4",
            "source": {
                "type": "git",
                "url": "https://github.com/PHP-DI/PHP-DI.git",
-                "reference": "5d1a8664e24f23b25e0426bbcb1288287fb49181"
+                "reference": "8ed79468dfb163824bbf48de5e35d1729f9313b6"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/5d1a8664e24f23b25e0426bbcb1288287fb49181",
-                "reference": "5d1a8664e24f23b25e0426bbcb1288287fb49181",
+                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/8ed79468dfb163824bbf48de5e35d1729f9313b6",
+                "reference": "8ed79468dfb163824bbf48de5e35d1729f9313b6",
                "shasum": ""
            },
            "require": {
@@ -649,13 +649,13 @@
            },
            "require-dev": {
                "friendsofphp/php-cs-fixer": "^3",
+                "friendsofphp/proxy-manager-lts": "^1",
                "mnapoli/phpunit-easymock": "^1.3",
-                "ocramius/proxy-manager": "^2.11.2",
                "phpunit/phpunit": "^9.5",
                "vimeo/psalm": "^4.6"
            },
            "suggest": {
-                "ocramius/proxy-manager": "Install it if you want to use lazy injection (version ^2.3)"
+                "friendsofphp/proxy-manager-lts": "Install it if you want to use lazy injection (version ^1)"
            },
            "type": "library",
            "autoload": {
@@ -683,7 +683,7 @@
            ],
            "support": {
                "issues": "https://github.com/PHP-DI/PHP-DI/issues",
-                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.2"
+                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.4"
            },
            "funding": [
                {
@@ -695,20 +695,20 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2023-02-07T17:34:03+00:00"
+            "time": "2023-08-08T15:59:16+00:00"
        },
        {
            "name": "php-di/slim-bridge",
-            "version": "3.3.0",
+            "version": "3.4.0",
            "source": {
                "type": "git",
                "url": "https://github.com/PHP-DI/Slim-Bridge.git",
-                "reference": "9374b67ebf2f135b32c34907b7891b02b935d845"
+                "reference": "d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/Slim-Bridge/zipball/9374b67ebf2f135b32c34907b7891b02b935d845",
-                "reference": "9374b67ebf2f135b32c34907b7891b02b935d845",
+                "url": "https://api.github.com/repos/PHP-DI/Slim-Bridge/zipball/d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875",
+                "reference": "d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875",
                "shasum": ""
            },
            "require": {
@@ -734,9 +734,9 @@
            "description": "PHP-DI integration in Slim",
            "support": {
                "issues": "https://github.com/PHP-DI/Slim-Bridge/issues",
-                "source": "https://github.com/PHP-DI/Slim-Bridge/tree/3.3.0"
+                "source": "https://github.com/PHP-DI/Slim-Bridge/tree/3.4.0"
            },
-            "time": "2023-01-13T15:49:44+00:00"
+            "time": "2023-06-29T14:08:47+00:00"
        },
        {
            "name": "psr/container",
@@ -1218,16 +1218,16 @@
        },
        {
            "name": "slim/slim",
-            "version": "4.11.0",
+            "version": "4.12.0",
            "source": {
                "type": "git",
                "url": "https://github.com/slimphp/Slim.git",
-                "reference": "b0f4ca393ea037be9ac7292ba7d0a34d18bac0c7"
+                "reference": "e9e99c2b24398b967841c6c4c3048622cc7e2b18"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/slimphp/Slim/zipball/b0f4ca393ea037be9ac7292ba7d0a34d18bac0c7",
-                "reference": "b0f4ca393ea037be9ac7292ba7d0a34d18bac0c7",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/e9e99c2b24398b967841c6c4c3048622cc7e2b18",
+                "reference": "e9e99c2b24398b967841c6c4c3048622cc7e2b18",
                "shasum": ""
            },
            "require": {
@@ -1236,26 +1236,26 @@
                "php": "^7.4 || ^8.0",
                "psr/container": "^1.0 || ^2.0",
                "psr/http-factory": "^1.0",
-                "psr/http-message": "^1.0",
+                "psr/http-message": "^1.1",
                "psr/http-server-handler": "^1.0",
                "psr/http-server-middleware": "^1.0",
                "psr/log": "^1.1 || ^2.0 || ^3.0"
            },
            "require-dev": {
-                "adriansuter/php-autoload-override": "^1.3",
+                "adriansuter/php-autoload-override": "^1.4",
                "ext-simplexml": "*",
-                "guzzlehttp/psr7": "^2.4",
-                "httpsoft/http-message": "^1.0",
-                "httpsoft/http-server-request": "^1.0",
+                "guzzlehttp/psr7": "^2.5",
+                "httpsoft/http-message": "^1.1",
+                "httpsoft/http-server-request": "^1.1",
                "laminas/laminas-diactoros": "^2.17",
-                "nyholm/psr7": "^1.5",
+                "nyholm/psr7": "^1.8",
                "nyholm/psr7-server": "^1.0",
-                "phpspec/prophecy": "^1.15",
+                "phpspec/prophecy": "^1.17",
                "phpspec/prophecy-phpunit": "^2.0",
-                "phpstan/phpstan": "^1.8",
-                "phpunit/phpunit": "^9.5",
-                "slim/http": "^1.2",
-                "slim/psr7": "^1.5",
+                "phpstan/phpstan": "^1.10",
+                "phpunit/phpunit": "^9.6",
+                "slim/http": "^1.3",
+                "slim/psr7": "^1.6",
                "squizlabs/php_codesniffer": "^3.7"
            },
            "suggest": {
@@ -1329,7 +1329,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2022-11-06T16:33:39+00:00"
+            "time": "2023-07-23T04:54:29+00:00"
        },
        {
            "name": "slim/twig-view",
@@ -1709,16 +1709,16 @@
        },
        {
            "name": "twig/twig",
-            "version": "v3.6.1",
+            "version": "v3.7.0",
            "source": {
                "type": "git",
                "url": "https://github.com/twigphp/Twig.git",
-                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd"
+                "reference": "5cf942bbab3df42afa918caeba947f1b690af64b"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
-                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/5cf942bbab3df42afa918caeba947f1b690af64b",
+                "reference": "5cf942bbab3df42afa918caeba947f1b690af64b",
                "shasum": ""
            },
            "require": {
@@ -1764,7 +1764,7 @@
            ],
            "support": {
                "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.6.1"
+                "source": "https://github.com/twigphp/Twig/tree/v3.7.0"
            },
            "funding": [
                {
@@ -1776,7 +1776,7 @@
                    "type": "tidelift"
                }
            ],
-            "time": "2023-06-08T12:52:13+00:00"
+            "time": "2023-07-26T07:16:09+00:00"
        }
    ],
    "packages-dev": [],
--- a/php/containers-schema.json
+++ b/php/containers-schema.json
@@ -137,6 +137,13 @@
 					"read_only": {
 						"type": "boolean"
 					},
+					"tmpfs": {
+						"type": "array",
+						"items": {
+							"type": "string",
+							"pattern": "^/[a-z/_0-9-:]+$"
+						}
+					},
 					"volumes": {
 						"type": "array",
 						"items": {
--- a/php/containers.json
+++ b/php/containers.json
@@ -6,7 +6,8 @@
        "nextcloud-aio-onlyoffice",
        "nextcloud-aio-collabora",
        "nextcloud-aio-talk",
-        "nextcloud-aio-nextcloud"
+        "nextcloud-aio-nextcloud",
+        "nextcloud-aio-notify-push"
      ],
      "display_name": "Apache",
      "image": "nextcloud/aio-apache",
@@ -15,6 +16,11 @@
          "ip_binding": "%APACHE_IP_BINDING%",
          "port_number": "%APACHE_PORT%",
          "protocol": "tcp"
+        },
+        {
+          "ip_binding": "%APACHE_IP_BINDING%",
+          "port_number": "%APACHE_PORT%",
+          "protocol": "udp"
        }
      ],
      "internal_port": "%APACHE_PORT%",
@@ -27,7 +33,8 @@
        "ONLYOFFICE_HOST=nextcloud-aio-onlyoffice",
        "TZ=%TIMEZONE%",
        "APACHE_MAX_SIZE=%APACHE_MAX_SIZE%",
-        "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%"
+        "APACHE_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
+        "NOTIFY_PUSH_HOST=nextcloud-aio-notify-push"
      ],
      "volumes": [
        {
@@ -48,6 +55,14 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/log/supervisord",
+        "/var/run/supervisord",
+        "/usr/local/apache2/logs",
+        "/tmp",
+        "/home/www-data"
      ]
    },
    {
@@ -89,6 +104,10 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/run/postgresql"
      ]
    },
    {
@@ -104,8 +123,7 @@
      "display_name": "Nextcloud",
      "image": "nextcloud/aio-nextcloud",
      "expose": [
-        "9000",
-        "7867"
+        "9000"
      ],
      "internal_port": "9000",
      "secrets": [
@@ -191,8 +209,46 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "tmpfs": [
+        "/tmp:exec"
      ]
    },
+    {
+      "container_name": "nextcloud-aio-notify-push",
+      "display_name": "Notify Push",
+      "image": "nextcloud/aio-notify-push",
+      "expose": [
+        "7867"
+      ],
+      "internal_port": "7867",
+      "secrets": [
+        "REDIS_PASSWORD",
+        "DATABASE_PASSWORD"
+      ],
+      "volumes": [
+        {
+          "source": "nextcloud_aio_nextcloud",
+          "destination": "/nextcloud",
+          "writeable": false
+        }
+      ],
+      "environment": [
+        "NC_DOMAIN=%NC_DOMAIN%",
+        "NEXTCLOUD_HOST=nextcloud-aio-nextcloud",
+        "REDIS_HOST=nextcloud-aio-redis",
+        "REDIS_HOST_PASSWORD=%REDIS_PASSWORD%",
+        "POSTGRES_HOST=nextcloud-aio-database",
+        "POSTGRES_PASSWORD=%DATABASE_PASSWORD%",
+        "POSTGRES_DB=nextcloud_database",
+        "POSTGRES_USER=nextcloud"
+      ],
+      "restart": "unless-stopped",
+      "networks": [
+        "nextcloud-aio"
+      ],
+      "read_only": true
+    },
    {
      "container_name": "nextcloud-aio-redis",
      "display_name": "Redis",
@@ -291,6 +347,14 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/log/supervisord",
+        "/var/run/supervisord",
+        "/conf",
+        "/var/lib/turn",
+        "/tmp"
      ]
    },
    {
@@ -318,6 +382,11 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/conf"
      ]
    },
    {
@@ -374,7 +443,12 @@
      "cap_add": [
        "SYS_ADMIN"
      ],
-      "apparmor_unconfined": true
+      "apparmor_unconfined": true,
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/nextcloud_aio_volumes"
+      ]
    },
    {
      "container_name": "nextcloud-aio-watchtower",
@@ -388,7 +462,8 @@
          "destination": "/var/run/docker.sock",
          "writeable": false
        }
-      ]
+      ],
+      "read_only": true
    },
    {
      "container_name": "nextcloud-aio-domaincheck",
@@ -400,6 +475,7 @@
          "protocol": "tcp"
        }
      ],
+      "internal_port": "%APACHE_PORT%",
      "environment": [
        "INSTANCE_ID=%INSTANCE_ID%",
        "APACHE_PORT=%APACHE_PORT%"
@@ -407,7 +483,12 @@
      "secrets": [
        "INSTANCE_ID"
      ],
-      "stop_grace_period": 1
+      "stop_grace_period": 1,
+      "read_only": true,
+      "tmpfs": [
+        "/etc/lighttpd",
+        "/var/www/domaincheck"
+      ]
    },
    {
      "container_name": "nextcloud-aio-clamav",
@@ -434,6 +515,12 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/lock",
+        "/var/log/clamav",
+        "/tmp"
      ]
    },
    {
@@ -488,6 +575,10 @@
      ],
      "networks": [
        "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/tmp"
      ]
    },
    {
@@ -500,9 +591,14 @@
      "internal_port": "9200",
      "environment": [
        "TZ=%TIMEZONE%",
+        "ES_JAVA_OPTS=-Xms512M -Xmx512M",
+        "bootstrap.memory_lock=true",
+        "cluster.name=nextcloud-aio",
        "discovery.type=single-node",
-        "ES_JAVA_OPTS=-Xms1024M -Xmx1024M",
-        "POSTGRES_HOST=nextcloud-aio-database"
+        "logger.org.elasticsearch.discovery=WARN",
+        "http.port=9200",
+        "xpack.license.self_generated.type=basic",
+        "xpack.security.enabled=false"
      ],
      "volumes": [
        {
--- a/php/domain-validator.php
+++ b/php/domain-validator.php
@@ -0,0 +1,18 @@
+<?php
+
+$domain = $_GET['domain'] ?? '';
+
+if (strpos($domain, '.') === false) { 
+    http_response_code(400); 
+} elseif (strpos($domain, '/') !== false) { 
+    http_response_code(400);  
+} elseif (strpos($domain, ':') !== false) { 
+    http_response_code(400);  
+} elseif (!filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) { 
+    http_response_code(400); 
+} elseif (filter_var($domain, FILTER_VALIDATE_IP)) { 
+    http_response_code(400); 
+} else {
+    error_log($domain . ' was accepted as valid domain.');
+    http_response_code(200);
+}
--- a/php/psalm-baseline.xml
+++ b/php/psalm-baseline.xml
@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="5.12.0@f90118cdeacd0088e7215e64c0c99ceca819e176"/>
+<files psalm-version="5.14.1@b9d355e0829c397b9b3b47d0c0ed042a8a70284d"/>
--- a/php/public/forms.js
+++ b/php/public/forms.js
@@ -1,4 +1,14 @@
 "use strict";
+
+function showPassword(id) {
+  let passwordField = document.getElementById(id);
+  if (passwordField.type === "password" && passwordField.value !== "") {
+    passwordField.type = "text";
+  } else if (passwordField.type === "text" && passwordField.value === "") {
+    passwordField.type = "password";
+  }
+}
+
 (function (){
  let lastError;

@@ -23,8 +33,11 @@
      disableSpinner()
      showError(xhr.response);
    } else if (xhr.status === 500) {
-      disableSpinner()
-      showError("Server error. Please check the mastercontainer logs for details.");
+      showError("Server error. Please check the mastercontainer logs for details. This page will reload after 10s automatically. Then you can check the mastercontainer logs.");
+      // Reload after 10s since it is expected that the updated view is shown (e.g. after starting containers)
+      setTimeout(function(){
+        window.location.reload(1);
+      }, 10000);
    } else {
      // If the responose is not one of the above, we should reload to show the latest content
      window.location.reload(1);
--- a/Show More
+++ b/Show More