increase to 6.4.0

Signed-off-by: Simon L <szaimen@e.mail.de>

.github/workflows/talk.yml

@@ -34,6 +34,16 @@ jobs:
         )"
         curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
         
+        # Janus
+        janus_version="$(
+          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
+        
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5
       with:

Containers/apache/Dockerfile

@@ -22,6 +22,7 @@ RUN set -ex; \
     \
     mkdir -p /mnt/data; \
     chown -R www-data:www-data /mnt/data; \
+    chown -R 777 /tmp; \
     \
     apk add --no-cache \
         bash \
@@ -47,6 +48,7 @@ RUN set -ex; \
             -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
             -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
             -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
         /usr/local/apache2/conf/httpd.conf; \
     echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
     echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
@@ -59,9 +61,15 @@ RUN set -ex; \
     mkdir /var/run/supervisord; \
     chown www-data:www-data /var/run/supervisord; \
     chown www-data:www-data /var/log/supervisord; \
+    chmod 777 /var/run/supervisord; \
+    chmod 777 /var/log/supervisord; \
     \
     chown -R www-data:www-data /usr/local/apache2; \
     chmod +r -R /usr/local/apache2; \
+    mkdir -p /usr/local/apache2/logs; \
+    chmod 777 -R /home/www-data; \
+    chmod 777 -R /usr/local/apache2/logs; \
+    rm -rf /usr/local/apache2/cgi-bin/; \
     \
     echo "root:$(openssl rand -base64 12)" | chpasswd
 
@@ -71,4 +79,4 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/apache/start.sh

@@ -35,18 +35,18 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /tmp/Caddyfile
 
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /tmp/Caddyfile)"
 fi
-echo "$CADDYFILE" > /Caddyfile
+echo "$CADDYFILE" > /tmp/Caddyfile
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /Caddyfile
+caddy fmt --overwrite /tmp/Caddyfile
 
 # Add caddy path
 mkdir -p /mnt/data/caddy/

Containers/apache/supervisord.conf

@@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /Caddyfile
+command=/usr/bin/caddy run --config /tmp/Caddyfile

Containers/borgbackup/Dockerfile

@@ -18,5 +18,5 @@ COPY --chmod=770 *.sh /
 ENTRYPOINT ["/start.sh"]
 USER root
 
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"
 ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"

Containers/clamav/Dockerfile

@@ -15,4 +15,4 @@ VOLUME /var/lib/clamav
 
 USER clamav
 
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.0.5.1
+FROM collabora/code:23.05.1.3.1
 
 USER root
 
@@ -11,9 +11,9 @@ RUN set -ex; \
         tzdata \
         netcat-openbsd \
     ; \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/*;
 
 USER 100
 
 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/domaincheck/Dockerfile

@@ -3,10 +3,11 @@ RUN set -ex; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
     adduser -S www-data -G www-data; \
     rm -rf /etc/lighttpd/lighttpd.conf; \
-    chmod +r -R /etc/lighttpd; \
+    chmod 777 -R /etc/lighttpd; \
     mkdir -p /var/www/domaincheck; \
-    chown www-data:www-data -R /var/www
-COPY --chown=www-data:www-data lighttpd.conf /etc/lighttpd/lighttpd.conf
+    chown www-data:www-data -R /var/www; \
+    chmod 777 -R /var/www/domaincheck
+COPY --chown=www-data:www-data lighttpd.conf /lighttpd.conf
 
 COPY --chmod=775 start.sh /start.sh
 
@@ -14,4 +15,4 @@ USER www-data
 ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/domaincheck/start.sh

@@ -11,7 +11,7 @@ if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
 
-CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /etc/lighttpd/lighttpd.conf)"
+CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 
 # Check config file

Containers/fulltextsearch/Dockerfile

@@ -1,5 +1,5 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:7.17.10
+FROM elasticsearch:8.8.0
 
 USER root
 
@@ -16,4 +16,4 @@ RUN set -ex; \
 USER 1000:0
 
 HEALTHCHECK CMD nc -z localhost 9200 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/imaginary/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.5-alpine3.18 as go
+FROM golang:1.20.6-alpine3.18 as go
 
 ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84
 
@@ -35,4 +35,4 @@ ENV MALLOC_ARENA_MAX=2
 ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
 
 HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/mastercontainer/Caddyfile

@@ -10,6 +10,10 @@
     log {
         level ERROR
     }
+
+    servers {
+        protocols h1 h2 h2c
+    }
 }
 
 http://:80 {

Containers/mastercontainer/Dockerfile

@@ -1,11 +1,11 @@
 # Docker CLI is a requirement
-FROM docker:24.0.2-cli as docker
+FROM docker:24.0.4-cli as docker
 
 # Caddy is a requirement
 FROM caddy:2.6.4-alpine as caddy
 
 # From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
-FROM php:8.2.7-fpm-alpine3.18
+FROM php:8.2.8-fpm-alpine3.18
 
 EXPOSE 80
 EXPOSE 8080
@@ -93,6 +93,7 @@ RUN set -ex; \
             -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
             -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
             -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
         /etc/apache2/httpd.conf; \
         mkdir -p /etc/apache2/logs; \
         rm /etc/apache2/conf.d/ssl.conf; \
@@ -108,6 +109,7 @@ RUN set -ex; \
           /etc/apache2/conf.d/userdir.conf \
           /etc/apache2/conf.d/info.conf; \
     \
+    rm -rf /var/www/localhost/cgi-bin/; \
     mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 

Containers/mastercontainer/cron.sh

@@ -57,6 +57,9 @@ while true; do
     # Remove dangling images
     sudo -u www-data docker image prune --force
 
+    # Check for available free space
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
+
     # Remove mastercontainer from default bridge network
     if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
         sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer

Containers/mastercontainer/start.sh

@@ -64,7 +64,6 @@ fi
 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
     print_red "Cannot connect to the docker socket. Cannot proceed."
-    echo "If you are on Docker Desktop v4.19 or higher, see https://github.com/nextcloud/all-in-one/issues/2450"
     echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
     echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1

Containers/nextcloud/Dockerfile

@@ -1,9 +1,9 @@
-FROM php:8.1.20-fpm-alpine3.18
+FROM php:8.1.21-fpm-alpine3.18
 
 ENV PHP_MEMORY_LIMIT 512M
 ENV PHP_UPLOAD_LIMIT 10G
 ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 26.0.2
+ENV NEXTCLOUD_VERSION 26.0.4
 ENV AIO_TOKEN 123456
 ENV AIO_URL localhost
 
@@ -209,6 +209,7 @@ RUN set -ex; \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
+    chmod -R 777 /tmp; \
     rm -r /usr/src/nextcloud/apps/updatenotification; \
     \
     mkdir -p /nc-updater; \
@@ -223,4 +224,4 @@ ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/nextcloud/config/aio.config.php

@@ -0,0 +1,5 @@
+<?php
+$CONFIG = array (
+  'one-click-instance' => true,
+  'one-click-instance.user-limit' => 100,
+);

Containers/nextcloud/entrypoint.sh

@@ -444,12 +444,14 @@ if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
         exit 1
     fi
 
-    # Configure tempdirectory
-    mkdir -p "$NEXTCLOUD_DATA_DIR/tmp/"
-    if ! grep -q upload_tmp_dir /usr/local/etc/php/conf.d/nextcloud.ini; then
-        echo "upload_tmp_dir = $NEXTCLOUD_DATA_DIR/tmp/" >> /usr/local/etc/php/conf.d/nextcloud.ini
+    # Delete formerly configured tempdirectory as the default is usually faster (if the datadir is on a HDD or network FS)
+    if [ "$(php /var/www/html/occ config:system:get tempdirectory)" = "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
+        php /var/www/html/occ config:system:delete tempdirectory
+        if [ -d "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
+            rm -r "$NEXTCLOUD_DATA_DIR/tmp/"
+        fi
     fi
-    php /var/www/html/occ config:system:set tempdirectory --value="$NEXTCLOUD_DATA_DIR/tmp/"
+
 fi
 
 # Perform fingerprint update if instance was restored
@@ -648,7 +650,7 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
         php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
         php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
         php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="104857600"
-        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="-1"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="104857600"
         php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
     fi
 else

Containers/notify-push/Dockerfile

@@ -18,4 +18,4 @@ USER 33
 ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD nc -z localhost 7867 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/notify-push/start.sh

@@ -27,12 +27,14 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
     export CPU_ARCH="aarch64"
 fi
 
+# Set sensitive values as env
+export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
+
 # Run it
 /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
     --database-prefix="oc_" \
     --nextcloud-url "https://$NC_DOMAIN" \
-    --port 7867 \
-    --redis-url "redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST" \
-    --database-url "postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+    --port 7867
 
 exec "$@"

Containers/onlyoffice/Dockerfile

@@ -4,4 +4,4 @@ FROM onlyoffice/documentserver:7.4.0.1
 # USER root is probably used
 
 HEALTHCHECK CMD nc -z localhost 80 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/postgresql/Dockerfile

@@ -22,6 +22,7 @@ RUN set -ex; \
 # Fix default permissions
     chown -R postgres:postgres /var/lib/postgresql; \
     chown -R postgres:postgres /var/run/postgresql; \
+    chmod -R 777 /var/run/postgresql; \
     chown -R postgres:postgres "$PGDATA"; \
     \
     mkdir /mnt/data; \
@@ -37,4 +38,4 @@ USER postgres
 ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/redis/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.0.11-alpine
+FROM redis:7.0.12-alpine
 
 COPY --chmod=775 start.sh /start.sh
 
@@ -13,4 +13,4 @@ USER redis
 ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk-recording/Dockerfile

@@ -2,7 +2,11 @@ FROM python:3.11.4-alpine3.18
 
 COPY --chmod=775 start.sh /start.sh
 
-ENV RECORDING_VERSION v17.0.0
+ENV RECORDING_VERSION v17.0.2
+ENV ALLOW_ALL false
+ENV HPB_PROTOCOL https
+ENV SKIP_VERIFY false
+ENV HPB_PATH /standalone-signaling/
 
 RUN set -ex; \
     apk add --no-cache \
@@ -31,6 +35,9 @@ RUN set -ex; \
     touch /etc/recording.conf; \
     chown recording:recording -R \
         /tmp /etc/recording.conf; \
+    mkdir -p /conf; \
+    chmod 777 /conf; \
+    chmod 777 /tmp; \
     apk del --no-cache \
         git \
         wget \
@@ -40,7 +47,7 @@ RUN set -ex; \
 WORKDIR /tmp
 USER recording
 ENTRYPOINT ["/start.sh"]
-CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/etc/recording.conf"]
+CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]
 
 HEALTHCHECK CMD nc -z localhost 1234 || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk-recording/start.sh

@@ -12,34 +12,35 @@ elif [ -z "$INTERNAL_SECRET" ]; then
     exit 1
 fi
 
-cat << RECORDING_CONF > "/etc/recording.conf"
+cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
+# 30 means Warning
 level = 30
 
 [http]
 listen = 0.0.0.0:1234
 
 [backend]
-allowall = false
+allowall = ${ALLOW_ALL}
 # TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
 secret = ${RECORDING_SECRET}
 backends = backend-1
-skipverify = false
+skipverify = ${SKIP_VERIFY}
 maxmessagesize = 1024
 videowidth = 1920
 videoheight = 1080
 directory = /tmp
 
 [backend-1]
-url = https://${NC_DOMAIN}
+url = ${HPB_PROTOCOL}://${NC_DOMAIN}
 secret = ${RECORDING_SECRET}
-skipverify = false
+skipverify = ${SKIP_VERIFY}
 
 [signaling]
 signalings = signaling-1
 
 [signaling-1]
-url = https://${NC_DOMAIN}/standalone-signaling/
+url = ${HPB_PROTOCOL}://${NC_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
 
 [ffmpeg]

Containers/talk/Dockerfile

@@ -1,67 +1,98 @@
-FROM nats:2.9.18-scratch as nats
-FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
-FROM coturn/coturn:4.6.2-r3-alpine
+FROM nats:2.9.20-scratch as nats
+FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling
+FROM alpine:3.18.2 as janus
+
+ARG JANUS_VERSION=v0.13.4
+WORKDIR /src
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        git \
+        autoconf \
+        automake \
+        build-base \
+        pkgconfig \
+        libtool \
+        util-linux \
+        glib-dev \
+        zlib-dev \
+        openssl-dev \
+        jansson-dev \
+        libnice-dev \
+        libconfig-dev \
+        libsrtp-dev \
+        libusrsctp-dev \
+        gengetopt-dev \
+        libwebsockets-dev; \
+    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
+    /src/autogen.sh; \
+    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
+    make; \
+    make install; \
+    make configs; \
+    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
+
+FROM coturn/coturn:4.6.2-alpine3.18
 USER root
-# Pin alpine version manually as long as https://github.com/coturn/coturn/issues/1226 is not done
-ENV ALPINE_VERSION=3.18
-
-COPY --from=nats /nats-server /usr/local/bin/nats-server
-COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
-    grep VERSION_ID /etc/os-release | grep -q "$ALPINE_VERSION.[0-9]\+$"; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
         bash \
-        janus-gateway \
         openssl \
         supervisor \
         bind-tools \
         netcat-openbsd \
-        shadow \
-        util-linux \
-        build-base \
-        wget \
-        lua5.3-dev \
-        luarocks5.3; \
+        \
+        glib \
+        zlib \
+        libssl3 \
+        libcrypto3 \
+        jansson \
+        libnice \
+        libconfig \
+        libsrtp \
+        libusrsctp \
+        libwebsockets \
+        \
+        shadow; \
     useradd --system talk; \
-    luarocks-5.3 install luajson; \
-    luarocks-5.3 install ansicolors; \
-    rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
     apk del --no-cache \
-        shadow \
-        util-linux \
-        build-base \
-        wget \
-        lua5.3-dev \
-        luarocks5.3; \
+        shadow; \
     \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
     \
     touch \
-        /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf; \
+        /etc/nats.conf; \
     echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
     mkdir -p \
         /var/tmp \
+        /conf \
+        /var/lib/turn \
+        /var/log/supervisord \
+        /var/run/supervisord \
+        /usr/local/lib/janus/loggers; \
+    chown talk:talk -R \
+        /usr \
+        /etc/nats.conf \
         /var/lib/turn \
         /var/log/supervisord \
         /var/run/supervisord; \
-    chown talk:talk -R \
-        /usr \
-        /etc/janus \
-        /etc/nats.conf \
-        /etc/signaling.conf \
-        /etc/turnserver.conf \
+    chmod 777 -R \
+        /tmp \
+        /conf \
+        /var/run/supervisord \
         /var/lib/turn \
-        /var/log/supervisord \
-        /var/run/supervisord;
+        /var/log/supervisord;
+
+COPY --from=janus /usr/local /usr/local
+COPY --from=nats /nats-server /usr/local/bin/nats-server
+COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
 
 # Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
 ENV TALK_PORT=3478
@@ -71,4 +102,4 @@ ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk/server.conf.in

@@ -89,7 +89,7 @@ allowall = false
 # Common shared secret for requests from and to the backend servers if
 # "allowall" is enabled. This must be the same value as configured in the
 # Nextcloud admin ui.
-#secret = the-shared-secret
+#secret = the-shared-secret-for-allowall
 
 # Timeout in seconds for requests to the backend.
 timeout = 10

Containers/talk/start.sh

@@ -20,7 +20,7 @@ IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
 set +x
 
 # Turn
-cat << TURN_CONF > "/etc/turnserver.conf"
+cat << TURN_CONF > "/conf/turnserver.conf"
 listening-port=$TALK_PORT
 fingerprint
 use-auth-secret
@@ -54,7 +54,7 @@ denied-peer-ip=240.0.0.0-255.255.255.255
 TURN_CONF
 
 # Signling
-cat << SIGNALING_CONF > "/etc/signaling.conf"
+cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
 

Containers/talk/supervisord.conf

@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -13,7 +12,7 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /etc/turnserver.conf
+command=turnserver -c /conf/turnserver.conf
 
 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -27,11 +26,12 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+# debug-level 3 means warning
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 
 [program:signaling]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nextcloud-spreed-signaling -config /etc/signaling.conf
+command=nextcloud-spreed-signaling -config /conf/signaling.conf

Containers/watchtower/Dockerfile

@@ -11,4 +11,4 @@ COPY --chmod=775 start.sh /start.sh
 USER root
 
 ENTRYPOINT ["/start.sh"]
-LABEL com.centurylinklabs.watchtower.monitor-only="true"
+LABEL com.centurylinklabs.watchtower.enable="false"

manual-install/latest.yml

@@ -5,9 +5,11 @@ services:
       - nextcloud-aio-collabora
       - nextcloud-aio-talk
       - nextcloud-aio-nextcloud
+      - nextcloud-aio-notify-push
     image: nextcloud/aio-apache:latest
     ports:
       - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
+      - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/udp
     environment:
       - NC_DOMAIN=${NC_DOMAIN}
       - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
@@ -18,12 +20,20 @@ services:
       - TZ=${TIMEZONE}
       - APACHE_MAX_SIZE=${APACHE_MAX_SIZE}
       - APACHE_MAX_TIME=${NEXTCLOUD_MAX_TIME}
+      - NOTIFY_PUSH_HOST=nextcloud-aio-notify-push
     volumes:
       - nextcloud_aio_nextcloud:/var/www/html:ro
       - nextcloud_aio_apache:/mnt/data:rw
     restart: unless-stopped
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /usr/local/apache2/logs
+      - /tmp
+      - /home/www-data
 
   nextcloud-aio-database:
     image: nextcloud/aio-postgresql:latest
@@ -43,6 +53,9 @@ services:
     shm_size: 268435456
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/run/postgresql
 
   nextcloud-aio-nextcloud:
     depends_on:
@@ -55,7 +68,6 @@ services:
     image: nextcloud/aio-nextcloud:latest
     expose:
       - "9000"
-      - "7867"
     volumes:
       - nextcloud_aio_nextcloud:/var/www/html:rw
       - ${NEXTCLOUD_DATADIR}:/mnt/ncdata:rw
@@ -107,6 +119,26 @@ services:
     networks:
       - nextcloud-aio
 
+  nextcloud-aio-notify-push:
+    image: nextcloud/aio-notify-push:latest
+    expose:
+      - "7867"
+    volumes:
+      - nextcloud_aio_nextcloud:/nextcloud:ro
+    environment:
+      - NC_DOMAIN=${NC_DOMAIN}
+      - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
+      - REDIS_HOST=nextcloud-aio-redis
+      - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
+      - POSTGRES_HOST=nextcloud-aio-database
+      - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
+      - POSTGRES_DB=nextcloud_database
+      - POSTGRES_USER=nextcloud
+    restart: unless-stopped
+    networks:
+      - nextcloud-aio
+    read_only: true
+
   nextcloud-aio-redis:
     image: nextcloud/aio-redis:latest
     expose:
@@ -158,6 +190,13 @@ services:
       - talk-recording
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /conf
+      - /var/lib/turn
+      - /tmp
 
   nextcloud-aio-talk-recording:
     image: nextcloud/aio-talk-recording:latest
@@ -174,6 +213,10 @@ services:
       - talk-recording
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /conf
 
   nextcloud-aio-clamav:
     image: nextcloud/aio-clamav:latest
@@ -189,6 +232,11 @@ services:
       - clamav
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/lock
+      - /var/log/clamav
+      - /tmp
 
   nextcloud-aio-onlyoffice:
     image: nextcloud/aio-onlyoffice:latest
@@ -220,6 +268,9 @@ services:
       - imaginary
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp
 
   nextcloud-aio-fulltextsearch:
     image: nextcloud/aio-fulltextsearch:latest

migration.md

@@ -14,7 +14,7 @@ The procedure for migrating only the files works like this:
 1. Install Nextcloud AIO on a new server/linux installation, enter your domain and wait until all containers are running
 1. Recreate all users that were present on your former installation
 1. Take a backup using Nextcloud AIO's built-in backup solution (so that you can easily restore to this state again) (Note: this will stop all containers and is expected: don't start the container again at this point!)
-1. Restore the datadirectory of your former instance: for `/path/to/nextcloud/data/` run `sudo docker cp --follow-link /path/to/nextcloud/data/ nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/` at the end are necessary.
+1. Restore the datadirectory of your former instance: for `/path/to/nextcloud/data/` run `sudo docker cp --follow-link /path/to/nextcloud/data/. nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/.` and `/` at the end are necessary.
 1. Next, run `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chown -R 33:0 /mnt/ncdata/` and `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chmod -R 750 /mnt/ncdata/` to apply the correct permissions. (Or if `NEXTCLOUD_DATADIR` was provided, apply `chown -R 33:0` and `chmod -R 750` to the chosen path.)
 1. Start the containers again and wait until all containers are running
 1. Run `sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan-app-data && sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ files:scan --all` in order to scan all files in the datadirectory.
@@ -24,7 +24,7 @@ The procedure for migrating only the files works like this:
 
 The procedure for migrating the files and the database works like this:
 1. Make sure that your old instance is on exactly the same version like the version used in Nextcloud AIO. (e.g. 23.0.0) You can find the used version here: [click here](https://github.com/nextcloud/all-in-one/search?l=Dockerfile&q=NEXTCLOUD_VERSION&type=). If not, simply upgrade your former installation to that version or wait until the version used in Nextcloud AIO got updated to the same version of your former installation or the other way around.
-1. Take a backup of your former instance (especially from your datadirectory and database)
+1. First, on the old instance, update all Nextcloud apps to its latest version via the app management site (important for the restore later on). Then take a backup of your former instance (especially from your datadirectory and database).
 1. If your former installation didn't use Postgresql already, you will now need to convert your old installation to use Postgresql as database temporarily (in order to be able to perform a pg_dump afterwards):
     1. Install Postgresql on your former installation: on a Debian based OS should the following command work:
         ```
@@ -56,7 +56,7 @@ The procedure for migrating the files and the database works like this:
     ```
     **Please note:** The exact name of the database export file is important! (`database-dump.sql`)<br>
     And of course you need to to use the correct name that the Postgresql database has for the export (if `$PG_DATABASE` doesn't work directly).
-1. At this point, you can finally install Nextcloud AIO on a new server/linux installation, enter your domain in the AIO interface (use the same domain that you used on your former installation) and wait until all containers are running. Then you should check the included Nextcloud version by running `sudo docker inspect nextcloud-aio-nextcloud | grep NEXTCLOUD_VERSION`.
+1. At this point, you can finally install Nextcloud AIO on a new server/linux installation, enter your domain in the AIO interface (use the same domain that you used on your former installation) and wait until all containers are running. Then you should check the included Nextcloud version by running `sudo docker inspect nextcloud-aio-nextcloud | grep NEXTCLOUD_VERSION`. Also install all apps via the apps management site that were installed on the old Nextcloud installation. Otherwise they will show as installed, but will not work.
 1. Next, take a backup using Nextcloud AIO's built-in backup solution (so that you can easily restore to this state again) (Note: this will stop all containers and is expected: don't start the container again at this point!)
 1. Now, we are slowly starting to import your files and database. First, you need to modify the datadirectory that is stored inside the database export:
     1. Find out what the directory of your old Nextcloud installation is by e.g. opening the config.php file and looking at the value `datadirectory`.
@@ -75,7 +75,7 @@ The procedure for migrating the files and the database works like this:
     sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine chmod 777 /mnt/data/database-dump.sql
     sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine rm /mnt/data/initial-cleanup-done
     ```
-1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine sh -c "rm -rf /mnt/ncdata/*"` and `sudo docker cp --follow-link /path/to/nextcloud/data/ nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/` at the end are necessary. (Or if `NEXTCLOUD_DATADIR` was provided, first delete the files in there and then copy the files to the chosen path.)
+1. If the commands above were executed successfully, restore the datadirectory of your former instance into your datadirectory: `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine sh -c "rm -rf /mnt/ncdata/*"` and `sudo docker cp --follow-link /path/to/nextcloud/data/. nextcloud-aio-nextcloud:/mnt/ncdata/` Note: the `/.` and `/` at the end are necessary. (Or if `NEXTCLOUD_DATADIR` was provided, first delete the files in there and then copy the files to the chosen path.)
 1. Next, run `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chown -R 33:0 /mnt/ncdata/` and `sudo docker run --rm --volume nextcloud_aio_nextcloud_data:/mnt/ncdata:rw alpine chmod -R 750 /mnt/ncdata/` to apply the correct permissions on the datadirectory. (Or if `NEXTCLOUD_DATADIR` was provided, apply `chown -R 33:0` and `chmod -R 750` to the chosen path.)
 1. Edit the Nextcloud AIO config.php file using `sudo docker run -it --rm --volume nextcloud_aio_nextcloud:/var/www/html:rw alpine sh -c "apk add --no-cache nano && nano /var/www/html/config/config.php"` and modify only `passwordsalt`, `secret`, `instanceid` and set it to the old values that you used on your old installation. If you are brave, feel free to modify further values e.g. add your old LDAP config or S3 storage config. (Some things like Mail server config can be added back using Nextcloud's webinterface later on).
 1. When you are done and saved your changes to the file, finally start the containers again and wait until all containers are running.

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 6.1.1
+version: 6.3.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-apache
@@ -29,7 +30,22 @@ spec:
             - "777"
             - /nextcloud-aio-nextcloud
             - /nextcloud-aio-apache
+            - /nextcloud-aio-apache-tmpfs0
+            - /nextcloud-aio-apache-tmpfs1
+            - /nextcloud-aio-apache-tmpfs2
+            - /nextcloud-aio-apache-tmpfs3
+            - /nextcloud-aio-apache-tmpfs4
           volumeMounts:
+            - name: nextcloud-aio-apache-tmpfs4
+              mountPath: /nextcloud-aio-apache-tmpfs4
+            - name: nextcloud-aio-apache-tmpfs3
+              mountPath: /nextcloud-aio-apache-tmpfs3
+            - name: nextcloud-aio-apache-tmpfs2
+              mountPath: /nextcloud-aio-apache-tmpfs2
+            - name: nextcloud-aio-apache-tmpfs1
+              mountPath: /nextcloud-aio-apache-tmpfs1
+            - name: nextcloud-aio-apache-tmpfs0
+              mountPath: /nextcloud-aio-apache-tmpfs0
             - name: nextcloud-aio-apache
               mountPath: /nextcloud-aio-apache
             - name: nextcloud-aio-nextcloud
@@ -48,22 +64,41 @@ spec:
               value: "{{ .Values.NC_DOMAIN }}"
             - name: NEXTCLOUD_HOST
               value: nextcloud-aio-nextcloud
+            - name: NOTIFY_PUSH_HOST
+              value: nextcloud-aio-notify-push
             - name: ONLYOFFICE_HOST
               value: nextcloud-aio-onlyoffice
             - name: TALK_HOST
               value: nextcloud-aio-talk
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20230613_120442-latest
+          image: nextcloud/aio-apache:20230720_134150-latest
           name: nextcloud-aio-apache
           ports:
             - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: TCP
+            - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: UDP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /var/www/html
               name: nextcloud-aio-nextcloud
               readOnly: true
             - mountPath: /mnt/data
               name: nextcloud-aio-apache
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-apache-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-apache-tmpfs1
+            - mountPath: /usr/local/apache2/logs
+              name: nextcloud-aio-apache-tmpfs2
+            - mountPath: /tmp
+              name: nextcloud-aio-apache-tmpfs3
+            - mountPath: /home/www-data
+              name: nextcloud-aio-apache-tmpfs4
       volumes:
         - name: nextcloud-aio-nextcloud
           persistentVolumeClaim:
@@ -71,3 +106,13 @@ spec:
         - name: nextcloud-aio-apache
           persistentVolumeClaim:
             claimName: nextcloud-aio-apache
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs4

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml

@@ -2,16 +2,21 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
+  namespace: {{ values.NAMESPACE }}
 spec:
   type: LoadBalancer
   ports:
     - name: "{{ .Values.APACHE_PORT }}"
       port: {{ .Values.APACHE_PORT }}
       targetPort: {{ .Values.APACHE_PORT }}
+    - name: {{ .Values.APACHE_PORT }}-udp
+      port: {{ .Values.APACHE_PORT }}
+      protocol: UDP
+      targetPort: {{ .Values.APACHE_PORT }}
   selector:
     io.kompose.service: nextcloud-aio-apache

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-clamav
@@ -29,7 +30,16 @@ spec:
             - chmod
             - "777"
             - /nextcloud-aio-clamav
+            - /nextcloud-aio-clamav-tmpfs0
+            - /nextcloud-aio-clamav-tmpfs1
+            - /nextcloud-aio-clamav-tmpfs2
           volumeMounts:
+            - name: nextcloud-aio-clamav-tmpfs2
+              mountPath: /nextcloud-aio-clamav-tmpfs2
+            - name: nextcloud-aio-clamav-tmpfs1
+              mountPath: /nextcloud-aio-clamav-tmpfs1
+            - name: nextcloud-aio-clamav-tmpfs0
+              mountPath: /nextcloud-aio-clamav-tmpfs0
             - name: nextcloud-aio-clamav
               mountPath: /nextcloud-aio-clamav
       containers:
@@ -38,15 +48,31 @@ spec:
               value: "90"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20230613_120442-latest
+          image: nextcloud/aio-clamav:20230720_134150-latest
           name: nextcloud-aio-clamav
           ports:
             - containerPort: 3310
+              hostPort: 3310
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /var/lib/clamav
               name: nextcloud-aio-clamav
+            - mountPath: /var/lock
+              name: nextcloud-aio-clamav-tmpfs0
+            - mountPath: /var/log/clamav
+              name: nextcloud-aio-clamav-tmpfs1
+            - mountPath: /tmp
+              name: nextcloud-aio-clamav-tmpfs2
       volumes:
         - name: nextcloud-aio-clamav
           persistentVolumeClaim:
             claimName: nextcloud-aio-clamav
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-clamav-tmpfs2
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "3310"

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-collabora
   name: nextcloud-aio-collabora
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-collabora
@@ -36,8 +37,10 @@ spec:
               value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20230613_120442-latest
+          image: nextcloud/aio-collabora:20230720_134150-latest
           name: nextcloud-aio-collabora
           ports:
             - containerPort: 9980
+              hostPort: 9980
+              protocol: TCP
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-collabora
   name: nextcloud-aio-collabora
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "9980"

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-database
@@ -30,7 +31,10 @@ spec:
             - /nextcloud-aio-database/data
             - /nextcloud-aio-database
             - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
           volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
             - name: nextcloud-aio-database-dump
               mountPath: /nextcloud-aio-database-dump
             - name: nextcloud-aio-database
@@ -43,7 +47,10 @@ spec:
             - "-R"
             - /nextcloud-aio-database
             - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
           volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
             - name: nextcloud-aio-database-dump
               mountPath: /nextcloud-aio-database-dump
             - name: nextcloud-aio-database
@@ -60,16 +67,22 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20230613_120442-latest
+          image: nextcloud/aio-postgresql:20230720_134150-latest
           name: nextcloud-aio-database
           ports:
             - containerPort: 5432
+              hostPort: 5432
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /var/lib/postgresql/data
               subPath: data
               name: nextcloud-aio-database
             - mountPath: /mnt/data
               name: nextcloud-aio-database-dump
+            - mountPath: /var/run/postgresql
+              name: nextcloud-aio-database-tmpfs0
       terminationGracePeriodSeconds: 1800
       volumes:
         - name: nextcloud-aio-database
@@ -78,3 +91,5 @@ spec:
         - name: nextcloud-aio-database-dump
           persistentVolumeClaim:
             claimName: nextcloud-aio-database-dump
+        - emptyDir: {}
+          name: nextcloud-aio-database-tmpfs0

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-dump-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-database-dump
   name: nextcloud-aio-database-dump
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml

@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "5432"

nextcloud-aio-helm-chart/templates/nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-elasticsearch
   name: nextcloud-aio-elasticsearch
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-fulltextsearch
   name: nextcloud-aio-fulltextsearch
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-fulltextsearch
@@ -42,10 +43,12 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: discovery.type
               value: single-node
-          image: nextcloud/aio-fulltextsearch:20230613_120442-latest
+          image: nextcloud/aio-fulltextsearch:20230720_134150-latest
           name: nextcloud-aio-fulltextsearch
           ports:
             - containerPort: 9200
+              hostPort: 9200
+              protocol: TCP
           volumeMounts:
             - mountPath: /usr/share/elasticsearch/data
               name: nextcloud-aio-elasticsearch

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-fulltextsearch
   name: nextcloud-aio-fulltextsearch
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "9200"

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-imaginary
   name: nextcloud-aio-imaginary
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,22 +17,41 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-imaginary
     spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-imaginary-tmpfs0
+          volumeMounts:
+            - name: nextcloud-aio-imaginary-tmpfs0
+              mountPath: /nextcloud-aio-imaginary-tmpfs0
       containers:
         - env:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20230613_120442-latest
+          image: nextcloud/aio-imaginary:20230720_134150-latest
           name: nextcloud-aio-imaginary
           ports:
             - containerPort: 9000
+              hostPort: 9000
+              protocol: TCP
           securityContext:
             capabilities:
               add:
                 - SYS_NICE
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-imaginary-tmpfs0
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-imaginary-tmpfs0
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-imaginary
   name: nextcloud-aio-imaginary
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "9000"

nextcloud-aio-helm-chart/templates/nextcloud-aio-namespace-namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ values.NAMESPACE }}
+  namespace: {{ values.NAMESPACE }}
+spec: {}

nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml

@@ -1,13 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: nextcloud-aio
-spec:
-  ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              io.kompose.network/nextcloud-aio: "true"
-  podSelector:
-    matchLabels:
-      io.kompose.network/nextcloud-aio: "true"

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-data-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-nextcloud-data
   name: nextcloud-aio-nextcloud-data
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-nextcloud
   name: nextcloud-aio-nextcloud
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-nextcloud
@@ -116,11 +117,12 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: UPDATE_NEXTCLOUD_APPS
               value: "{{ .Values.UPDATE_NEXTCLOUD_APPS }}"
-          image: nextcloud/aio-nextcloud:20230613_120442-latest
+          image: nextcloud/aio-nextcloud:20230720_134150-latest
           name: nextcloud-aio-nextcloud
           ports:
             - containerPort: 9000
-            - containerPort: 7867
+              hostPort: 9000
+              protocol: TCP
           volumeMounts:
             - mountPath: /var/www/html
               name: nextcloud-aio-nextcloud

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-nextcloud
   name: nextcloud-aio-nextcloud
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-service.yaml

@@ -2,18 +2,16 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-nextcloud
   name: nextcloud-aio-nextcloud
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "9000"
       port: 9000
       targetPort: 9000
-    - name: "7867"
-      port: 7867
-      targetPort: 7867
   selector:
     io.kompose.service: nextcloud-aio-nextcloud

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-trusted-cacerts-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-nextcloud-trusted-cacerts
   name: nextcloud-aio-nextcloud-trusted-cacerts
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
+  labels:
+    io.kompose.service: nextcloud-aio-notify-push
+  name: nextcloud-aio-notify-push
+  namespace: {{ values.NAMESPACE }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: nextcloud-aio-notify-push
+  template:
+    metadata:
+      annotations:
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
+      labels:
+        io.kompose.network/nextcloud-aio: "true"
+        io.kompose.service: nextcloud-aio-notify-push
+    spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-nextcloud
+          volumeMounts:
+            - name: nextcloud-aio-nextcloud
+              mountPath: /nextcloud-aio-nextcloud
+      containers:
+        - env:
+            - name: NC_DOMAIN
+              value: "{{ .Values.NC_DOMAIN }}"
+            - name: NEXTCLOUD_HOST
+              value: nextcloud-aio-nextcloud
+            - name: POSTGRES_DB
+              value: nextcloud_database
+            - name: POSTGRES_HOST
+              value: nextcloud-aio-database
+            - name: POSTGRES_PASSWORD
+              value: "{{ .Values.DATABASE_PASSWORD }}"
+            - name: POSTGRES_USER
+              value: nextcloud
+            - name: REDIS_HOST
+              value: nextcloud-aio-redis
+            - name: REDIS_HOST_PASSWORD
+              value: "{{ .Values.REDIS_PASSWORD }}"
+          image: nextcloud/aio-notify-push:20230720_134150-latest
+          name: nextcloud-aio-notify-push
+          ports:
+            - containerPort: 7867
+              hostPort: 7867
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /nextcloud
+              name: nextcloud-aio-nextcloud
+              readOnly: true
+      volumes:
+        - name: nextcloud-aio-nextcloud
+          persistentVolumeClaim:
+            claimName: nextcloud-aio-nextcloud

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
+  labels:
+    io.kompose.service: nextcloud-aio-notify-push
+  name: nextcloud-aio-notify-push
+  namespace: {{ values.NAMESPACE }}
+spec:
+  ports:
+    - name: "7867"
+      port: 7867
+      targetPort: 7867
+  selector:
+    io.kompose.service: nextcloud-aio-notify-push

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-onlyoffice
   name: nextcloud-aio-onlyoffice
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-onlyoffice
@@ -42,10 +43,12 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20230613_120442-latest
+          image: nextcloud/aio-onlyoffice:20230720_134150-latest
           name: nextcloud-aio-onlyoffice
           ports:
             - containerPort: 80
+              hostPort: 80
+              protocol: TCP
           volumeMounts:
             - mountPath: /var/lib/onlyoffice
               name: nextcloud-aio-onlyoffice

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-onlyoffice
   name: nextcloud-aio-onlyoffice
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-onlyoffice
   name: nextcloud-aio-onlyoffice
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "80"

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-redis
   name: nextcloud-aio-redis
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-redis
@@ -37,10 +38,14 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20230613_120442-latest
+          image: nextcloud/aio-redis:20230720_134150-latest
           name: nextcloud-aio-redis
           ports:
             - containerPort: 6379
+              hostPort: 6379
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /data
               name: nextcloud-aio-redis

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-redis
   name: nextcloud-aio-redis
+  namespace: {{ values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-service.yaml

@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-redis
   name: nextcloud-aio-redis
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "6379"

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk
   name: nextcloud-aio-talk
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,12 +17,34 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-talk
     spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-talk-tmpfs0
+            - /nextcloud-aio-talk-tmpfs1
+            - /nextcloud-aio-talk-tmpfs2
+            - /nextcloud-aio-talk-tmpfs3
+            - /nextcloud-aio-talk-tmpfs4
+          volumeMounts:
+            - name: nextcloud-aio-talk-tmpfs4
+              mountPath: /nextcloud-aio-talk-tmpfs4
+            - name: nextcloud-aio-talk-tmpfs3
+              mountPath: /nextcloud-aio-talk-tmpfs3
+            - name: nextcloud-aio-talk-tmpfs2
+              mountPath: /nextcloud-aio-talk-tmpfs2
+            - name: nextcloud-aio-talk-tmpfs1
+              mountPath: /nextcloud-aio-talk-tmpfs1
+            - name: nextcloud-aio-talk-tmpfs0
+              mountPath: /nextcloud-aio-talk-tmpfs0
       containers:
         - env:
             - name: INTERNAL_SECRET
@@ -36,11 +59,40 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20230613_120442-latest
+          image: nextcloud/aio-talk:20230720_134150-latest
           name: nextcloud-aio-talk
           ports:
             - containerPort: {{ .Values.TALK_PORT }}
+              hostPort: {{ .Values.TALK_PORT }}
+              protocol: TCP
             - containerPort: {{ .Values.TALK_PORT }}
+              hostPort: {{ .Values.TALK_PORT }}
               protocol: UDP
             - containerPort: 8081
+              hostPort: 8081
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-talk-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-talk-tmpfs1
+            - mountPath: /conf
+              name: nextcloud-aio-talk-tmpfs2
+            - mountPath: /var/lib/turn
+              name: nextcloud-aio-talk-tmpfs3
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-tmpfs4
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs4
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk-recording
   name: nextcloud-aio-talk-recording
+  namespace: {{ values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,12 +17,25 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-talk-recording
     spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-talk-recording-tmpfs0
+            - /nextcloud-aio-talk-recording-tmpfs1
+          volumeMounts:
+            - name: nextcloud-aio-talk-recording-tmpfs1
+              mountPath: /nextcloud-aio-talk-recording-tmpfs1
+            - name: nextcloud-aio-talk-recording-tmpfs0
+              mountPath: /nextcloud-aio-talk-recording-tmpfs0
       containers:
         - env:
             - name: INTERNAL_SECRET
@@ -32,8 +46,22 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk-recording:20230613_120442-latest
+          image: nextcloud/aio-talk-recording:20230720_134150-latest
           name: nextcloud-aio-talk-recording
           ports:
             - containerPort: 1234
+              hostPort: 1234
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-recording-tmpfs0
+            - mountPath: /conf
+              name: nextcloud-aio-talk-recording-tmpfs1
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-talk-recording-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-talk-recording-tmpfs1
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk-recording
   name: nextcloud-aio-talk-recording
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "1234"

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-service.yaml

@@ -4,11 +4,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk
   name: nextcloud-aio-talk-public
+  namespace: {{ values.NAMESPACE }}
 spec:
   type: LoadBalancer
   ports:
@@ -26,11 +27,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk
   name: nextcloud-aio-talk
+  namespace: {{ values.NAMESPACE }}
 spec:
   ports:
     - name: "8081"

nextcloud-aio-helm-chart/update-helm.sh

@@ -15,6 +15,9 @@ curl -L https://github.com/kubernetes/kompose/releases/download/"$LATEST_KOMPOSE
 chmod +x kompose
 sudo mv ./kompose /usr/local/bin/kompose
 
+# Install yq
+snap install yq
+
 set -ex
 
 # Conversion of docker-compose
@@ -39,11 +42,14 @@ sed -i "/^volumes:/a\ \ nextcloud_aio_nextcloud_trusted_cacerts:\n \ \ \ \ name:
 sed -i "s|\${NEXTCLOUD_TRUSTED_CACERTS_DIR}:|nextcloud_aio_nextcloud_trusted_cacerts:|g#" latest.yml
 sed -i 's|\${|{{ .Values.|g' latest.yml
 sed -i 's|}| }}|g' latest.yml
+yq -i 'del(.services.[].profiles)' latest.yml
 cat latest.yml
-kompose convert -c -f latest.yml
+kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace
 cd latest
 
-mv ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ./templates/nextcloud-aio-networkpolicy.yaml
+if [ -f ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ]; then
+    mv ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ./templates/nextcloud-aio-networkpolicy.yaml
+fi
 # shellcheck disable=SC1083
 find ./ -name '*networkpolicy.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 cat << EOL > /tmp/initcontainers
@@ -109,13 +115,15 @@ for variable in "${DEPLOYMENTS[@]}"; do
     fi
 done
 # shellcheck disable=SC1083
+find ./ -name '*.yaml' -exec sed -i "s|nextcloud-aio-namespace|\{\{ values.NAMESPACE \}\}|" \{} \; 
+# shellcheck disable=SC1083
 find ./ -name '*service.yaml' -exec sed -i "/^status:/,$ d" \{} \; 
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "/medium: Memory/d" \{} \;
 # shellcheck disable=SC1083
-find ./ -name '*deployment.yaml' -exec sed -i "s|emptyDir:|emptyDir: {}|" \{} \; 
+find ./ -name '*deployment.yaml' -exec sed -i "s|emptyDir:|emptyDir: \{\}|" \{} \; 
 # shellcheck disable=SC1083
 find ./ -name '*persistentvolumeclaim.yaml' -exec sed -i "s|ReadOnlyMany|ReadWriteOnce|" \{} \;   
 # shellcheck disable=SC1083
@@ -197,6 +205,9 @@ sed -i '/_ENABLED.*/s/ yes / "yes" /' /tmp/sample.conf
 sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
 sed -i 's|10737418240|"10737418240"|' /tmp/sample.conf
+# shellcheck disable=SC2129
+echo "NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster" >> /tmp/sample.conf
+# shellcheck disable=SC2129
 echo "" >> /tmp/sample.conf
 # shellcheck disable=SC2129
 echo 'STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes' >> /tmp/sample.conf

nextcloud-aio-helm-chart/values.yaml

@@ -31,6 +31,8 @@ NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to auto
 NEXTCLOUD_UPLOAD_LIMIT: 10G          # This allows to change the upload limit of the Nextcloud container
 TALK_PORT: 3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
+NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster
+
 STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes
 APACHE_STORAGE_SIZE: 1Gi       # You can change the size of the apache volume that default to 1Gi with this value
 CLAMAV_STORAGE_SIZE: 1Gi       # You can change the size of the clamav volume that default to 1Gi with this value

php/composer.lock

@@ -699,16 +699,16 @@
         },
         {
             "name": "php-di/slim-bridge",
-            "version": "3.3.0",
+            "version": "3.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHP-DI/Slim-Bridge.git",
-                "reference": "9374b67ebf2f135b32c34907b7891b02b935d845"
+                "reference": "d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/Slim-Bridge/zipball/9374b67ebf2f135b32c34907b7891b02b935d845",
-                "reference": "9374b67ebf2f135b32c34907b7891b02b935d845",
+                "url": "https://api.github.com/repos/PHP-DI/Slim-Bridge/zipball/d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875",
+                "reference": "d14c95b34b3c5ba2e8c40020dd93fdcc8f3ba875",
                 "shasum": ""
             },
             "require": {
@@ -734,9 +734,9 @@
             "description": "PHP-DI integration in Slim",
             "support": {
                 "issues": "https://github.com/PHP-DI/Slim-Bridge/issues",
-                "source": "https://github.com/PHP-DI/Slim-Bridge/tree/3.3.0"
+                "source": "https://github.com/PHP-DI/Slim-Bridge/tree/3.4.0"
             },
-            "time": "2023-01-13T15:49:44+00:00"
+            "time": "2023-06-29T14:08:47+00:00"
         },
         {
             "name": "psr/container",

php/containers-schema.json

@@ -141,7 +141,7 @@
 						"type": "array",
 						"items": {
 							"type": "string",
-							"pattern": "^/[a-z/_]+$"
+							"pattern": "^/[a-z/_0-9-]+$"
 						}
 					},
 					"volumes": {

php/containers.json

@@ -16,6 +16,11 @@
           "ip_binding": "%APACHE_IP_BINDING%",
           "port_number": "%APACHE_PORT%",
           "protocol": "tcp"
+        },
+        {
+          "ip_binding": "%APACHE_IP_BINDING%",
+          "port_number": "%APACHE_PORT%",
+          "protocol": "udp"
         }
       ],
       "internal_port": "%APACHE_PORT%",
@@ -50,6 +55,14 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/log/supervisord",
+        "/var/run/supervisord",
+        "/usr/local/apache2/logs",
+        "/tmp",
+        "/home/www-data"
       ]
     },
     {
@@ -91,6 +104,10 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/run/postgresql"
       ]
     },
     {
@@ -192,6 +209,9 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "tmpfs": [
+        "/tmp"
       ]
     },
     {
@@ -327,6 +347,14 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/var/log/supervisord",
+        "/var/run/supervisord",
+        "/conf",
+        "/var/lib/turn",
+        "/tmp"
       ]
     },
     {
@@ -354,6 +382,11 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "read_only": true,
+      "tmpfs": [
+        "/tmp",
+        "/conf"
       ]
     },
     {
@@ -442,6 +475,7 @@
           "protocol": "tcp"
         }
       ],
+      "internal_port": "%APACHE_PORT%",
       "environment": [
         "INSTANCE_ID=%INSTANCE_ID%",
         "APACHE_PORT=%APACHE_PORT%"
@@ -449,7 +483,12 @@
       "secrets": [
         "INSTANCE_ID"
       ],
-      "stop_grace_period": 1
+      "stop_grace_period": 1,
+      "read_only": true,
+      "tmpfs": [
+        "/etc/lighttpd",
+        "/var/www/domaincheck"
+      ]
     },
     {
       "container_name": "nextcloud-aio-clamav",
@@ -537,7 +576,10 @@
       "networks": [
         "nextcloud-aio"
       ],
-      "read_only": true
+      "read_only": true,
+      "tmpfs": [
+        "/tmp"
+      ]
     },
     {
       "container_name": "nextcloud-aio-fulltextsearch",
@@ -549,9 +591,14 @@
       "internal_port": "9200",
       "environment": [
         "TZ=%TIMEZONE%",
+        "ES_JAVA_OPTS=-Xms512M -Xmx512M",
+        "bootstrap.memory_lock=true",
+        "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
-        "ES_JAVA_OPTS=-Xms1024M -Xmx1024M",
-        "POSTGRES_HOST=nextcloud-aio-database"
+        "logger.org.elasticsearch.discovery=WARN",
+        "http.port=9200",
+        "xpack.license.self_generated.type=basic",
+        "xpack.security.enabled=false"
       ],
       "volumes": [
         {

php/psalm-baseline.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="5.12.0@f90118cdeacd0088e7215e64c0c99ceca819e176"/>
+<files psalm-version="5.13.1@086b94371304750d1c673315321a55d15fc59015"/>

php/public/forms.js

@@ -1,4 +1,14 @@
 "use strict";
+
+function showPassword(id) {
+  let passwordField = document.getElementById(id);
+  if (passwordField.type === "password" && passwordField.value !== "") {
+    passwordField.type = "text";
+  } else if (passwordField.type === "text" && passwordField.value === "") {
+    passwordField.type = "password";
+  }
+}
+
 (function (){
   let lastError;
 

php/public/index.php

@@ -176,6 +176,6 @@ $app->get('/', function (\Psr\Http\Message\RequestInterface $request, Response $
     }
 });
 
-$errorMiddleware = $app->addErrorMiddleware(true, true, true);
+$errorMiddleware = $app->addErrorMiddleware(false, true, true);
 
 $app->run();

php/src/Auth/AuthManager.php

@@ -28,6 +28,12 @@ class AuthManager {
             $date = new DateTime();
             $dateTime = $date->getTimestamp();
             $_SESSION['date_time'] = $dateTime;
+
+            $df = disk_free_space(DataConst::GetSessionDirectory());
+            if ($df !== false && (int)$df < 10240) {
+                error_log(DataConst::GetSessionDirectory() . " has only less than 10KB free space. The login might not succeed because of that!");
+            }
+
             file_put_contents(DataConst::GetSessionDateFile(), (string)$dateTime);
         }
 

php/src/ContainerDefinitionFetcher.php

@@ -48,7 +48,7 @@ class ContainerDefinitionFetcher
         if (!$validator->isValid()) {
             error_log("JSON does not validate. Violations:");
             foreach ($validator->getErrors() as $error) {
-                error_log(printf("[%s] %s\n", $error['property'], $error['message']));
+                error_log((string)printf("[%s] %s\n", $error['property'], $error['message']));
             }
         }
     }

php/src/Controller/DockerController.php

@@ -173,7 +173,8 @@ class DockerController
         $this->startTopContainer(true);
 
         // Clear apcu cache in order to check if container updates are available
-        apcu_clear_cache();
+        // Temporarily disabled as it leads much faster to docker rate limits
+        // apcu_clear_cache();
 
         return $response->withStatus(201)->withHeader('Location', '/');
     }
@@ -254,7 +255,11 @@ class DockerController
         }
 
         $this->StopDomaincheckContainer();
-        $this->PerformRecursiveContainerStart($id);
+        try {
+            $this->PerformRecursiveContainerStart($id);
+        } catch (\Exception $e) {
+            error_log('Could not start domaincheck container: ' . $e->getMessage());
+        }
 
         // Cache the start for 10 minutes
         apcu_add($cacheKey, '1', 600);

php/src/Cron/CheckFreeDiskSpace.php

@@ -0,0 +1,26 @@
+<?php
+declare(strict_types=1);
+
+// increase memory limit to 2GB
+ini_set('memory_limit', '2048M');
+
+use DI\Container;
+use AIO\Data\DataConst;
+
+require __DIR__ . '/../../vendor/autoload.php';
+
+$container = \AIO\DependencyInjection::GetContainer();
+
+/** @var \AIO\Docker\DockerActionManager $dockerActionManger */
+$dockerActionManger = $container->get(\AIO\Docker\DockerActionManager::class);
+/** @var \AIO\ContainerDefinitionFetcher $containerDefinitionFetcher */
+$containerDefinitionFetcher = $container->get(\AIO\ContainerDefinitionFetcher::class);
+
+$id = 'nextcloud-aio-nextcloud';
+$nextcloudContainer = $containerDefinitionFetcher->GetContainerById($id);
+
+$df = disk_free_space(DataConst::GetDataDirectory());
+if ($df !== false && (int)$df < 1024 * 1024 * 1024 * 5) {
+    error_log("The drive that hosts the mastercontainer volume has less than 5 GB free space. Container updates and backups might not succeed due to that!");
+    $dockerActionManger->sendNotification($nextcloudContainer, 'Low on space!', 'The drive that hosts the mastercontainer volume has less than 5 GB free space. Container updates and backups might not succeed due to that!');
+}

php/src/Docker/DockerActionManager.php

@@ -211,9 +211,16 @@ class DockerActionManager
 
     public function CreateContainer(Container $container) : void {
         $volumes = [];
-        foreach($container->GetVolumes()->GetVolumes() as $volume) {
+        foreach ($container->GetVolumes()->GetVolumes() as $volume) {
+            // NEXTCLOUD_MOUNT gets added via bind-mount later on
+            if ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') {
+                if ($volume->name === $this->configurationManager->GetNextcloudMount()) {
+                    continue;
+                }
+            }
+
             $volumeEntry = $volume->name . ':' . $volume->mountPoint;
-            if($volume->isWritable) {
+            if ($volume->isWritable) {
                 $volumeEntry = $volumeEntry . ':' . 'rw';
             } else {
                 $volumeEntry = $volumeEntry . ':' . 'ro';
@@ -226,7 +233,7 @@ class DockerActionManager
             'Image' => $this->BuildImageName($container),
         ];
 
-        if(count($volumes) > 0) {
+        if (count($volumes) > 0) {
             $requestBody['HostConfig']['Binds'] = $volumes;
         }
 
@@ -447,10 +454,11 @@ class DockerActionManager
             $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
         }
 
+        $mounts = [];
+
         // Special things for the backup container which should not be exposed in the containers.json
         if ($container->GetIdentifier() === 'nextcloud-aio-borgbackup') {
             // Additional backup directories
-            $mounts = [];
             foreach ($this->getAllBackupVolumes() as $additionalBackupVolumes) {
                 if ($additionalBackupVolumes !== '') {
                     $mounts[] = ["Type" => "volume", "Source" => $additionalBackupVolumes, "Target" => "/nextcloud_aio_volumes/" . $additionalBackupVolumes, "ReadOnly" => false];
@@ -465,13 +473,22 @@ class DockerActionManager
                     }
                 }
             }
-            if(count($mounts) > 0) {
-                $requestBody['HostConfig']['Mounts'] = $mounts;
-            }
         // Special things for the talk container which should not be exposed in the containers.json
         } elseif ($container->GetIdentifier() === 'nextcloud-aio-talk') {
             // This is needed due to a bug in libwebsockets which cannot handle unlimited ulimits
             $requestBody['HostConfig']['Ulimits'] = [["Name" => "nofile", "Hard" => 200000, "Soft" => 200000]];
+        // Special things for the nextcloud container which should not be exposed in the containers.json
+        } elseif ($container->GetIdentifier() === 'nextcloud-aio-nextcloud') {
+            foreach ($container->GetVolumes()->GetVolumes() as $volume) {
+                if ($volume->name !== $this->configurationManager->GetNextcloudMount()) {
+                    continue;
+                }
+                $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]];
+            }
+        }
+
+        if (count($mounts) > 0) {
+            $requestBody['HostConfig']['Mounts'] = $mounts;
         }
 
         $url = $this->BuildApiUrl('containers/create?name=' . $container->GetIdentifier());

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v6.2.0</h1>
+        <h1>Nextcloud AIO v6.4.0</h1>
 
         {# Add 2nd tab warning #}
         <script type="text/javascript" src="second-tab-warning.js"></script>
@@ -24,6 +24,7 @@
         {% set isAnyRunning = false %}
         {% set isAnyRestarting = false %}
         {% set isWatchtowerRunning = false %}
+        {% set isDomaincheckRunning = false %}
         {% set isBackupOrRestoreRunning = false %}
         {% set isApacheStarting = false %}
         {# Setting newMajorVersion to '' will hide corresponding options/elements, can be set to an integer like 26 in order to show corresponding elements. If set, also increase installLatestMajor in https://github.com/nextcloud/all-in-one/blob/main/php/src/Controller/DockerController.php #}
@@ -45,6 +46,9 @@
             {% if container.GetIdentifier() == 'nextcloud-aio-watchtower' and class(container.GetRunningState()) == 'AIO\\Container\\State\\RunningState' %}
                 {% set isWatchtowerRunning = true %}
             {% endif %}
+            {% if container.GetIdentifier() == 'nextcloud-aio-domaincheck' and class(container.GetRunningState()) == 'AIO\\Container\\State\\RunningState' %}
+                {% set isDomaincheckRunning = true %}
+            {% endif %}
             {% if container.GetIdentifier() == 'nextcloud-aio-apache' and class(container.GetStartingState()) == 'AIO\\Container\\State\\StartingState' %}
                 {% set isApacheStarting = true %}
             {% endif %}
@@ -69,7 +73,10 @@
             <a href="" class="button reload">Reload ↻</a><br/>
         {% else %}
             {% if is_backup_container_running == false and domain == "" %}
-                {% if is_mastercontainer_update_available == true %}
+                {% if isDomaincheckRunning == false %}
+                    <h2>Domaincheck container is not running</h2>
+                    This is not expected. Most likely this happened because port {{ apache_port }} is already in use on your server. You can check the mastercontainer logs and domaincheck container logs for further clues. You should be able to resolve this by adjusting the APACHE_PORT by following the <b><a href="https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md">reverse proxy documentation</a></b>. Advice: have a detailed look at the changed docker run command for AIO.
+                {% elseif is_mastercontainer_update_available == true %}
                     <h2>Mastercontainer update</h2>
                     ⚠️ A mastercontainer update is available. Please click on the button below to update it. Afterwards, you will be able to proceed with the setup.<br><br>
                     <form method="POST" action="/api/docker/watchtower" class="xhr">
@@ -99,7 +106,7 @@
                             <input class="button" type="submit" value="Submit domain" />
                         </form>
                         {% if skip_domain_validation == false %}
-                            Make sure that this server is reachable on port 443 (port 443/tcp is open/forwarded in your firewall/router) and that you've correctly set up the DNS config for the domain that you enter (set the A record to your public ipv4-address and if you need ipv6, set the AAAA record to your public ipv6-address. A CNAME record if of course also possible). You should see hints on what went wrong if your domain does not get accepted in the top right corner.<br><br>
+                            Make sure that this server is reachable on port 443 (port 443/tcp is open/forwarded in your firewall/router and 443/udp as well if you want to enable http3) and that you've correctly set up the DNS config for the domain that you enter (set the A record to your public ipv4-address and if you need ipv6, set the AAAA record to your public ipv6-address. A CNAME record if of course also possible). You should see hints on what went wrong if your domain does not get accepted in the top right corner.<br><br>
                             <details>
                                 <summary>Click here for further hints</summary><br />
                                 If you should not have a domain yet, you can get one for free e.g. from duckdns.org and others.<br><br>
@@ -468,7 +475,7 @@
                                             {% if automatic_updates == true %}
                                                 Also your containers, the mastercontainer and on saturdays your Nextcloud apps will be automatically updated. 
                                             {% endif %}
-                                            You can disable this option again by clicking on the button below.<br><br/>
+                                            To change your backup time, first disable Daily Backups and then re-enable them with your new backup time.<br><br/>
                                             <form method="POST" action="/api/configuration" class="xhr">
                                                 <input type="hidden" name="delete_daily_backup_time" value="yes"/>
                                                 <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
@@ -509,8 +516,8 @@
                                 <summary>Click here to change your AIO password</summary><br />
                                 You can change your AIO password below:<br><br />
                                 <form method="POST" action="/api/configuration" class="xhr">
-                                    <input type="text" autocomplete="current-password" name="current-master-password" placeholder="Your current AIO password"/>
-                                    <input type="text" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO password"/>
+                                    <input type="password" autocomplete="current-password" name="current-master-password" placeholder="Your current AIO password" id="current-master-password" oninput="showPassword('current-master-password')">
+                                    <input type="password" autocomplete="new-password" name="new-master-password" placeholder="Your new AIO password" id="new-master-password" oninput="showPassword('new-master-password')">
                                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                                     <input class="button" type="submit" value="Submit password change" />
@@ -548,9 +555,9 @@
                             <input type="checkbox" id="fulltextsearch" name="fulltextsearch"><label for="fulltextsearch">Fulltextsearch (needs ~1GB additional RAM)</label><br>
                         {% endif %}
                         {% if is_imaginary_enabled == true %}
-                            <input type="checkbox" id="imaginary" name="imaginary" checked="checked"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br><br>
+                            <input type="checkbox" id="imaginary" name="imaginary" checked="checked"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp. Imaginary is currently <a href="https://github.com/nextcloud/server/issues/34262">incompatible with server-side-encryption</a>)</label><br><br>
                         {% else %}
-                            <input type="checkbox" id="imaginary" name="imaginary"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp)</label><br><br>
+                            <input type="checkbox" id="imaginary" name="imaginary"><label for="imaginary">Imaginary (for previews of heic, heif, illustrator, pdf, svg, tiff and webp. Imaginary is currently <a href="https://github.com/nextcloud/server/issues/34262">incompatible with server-side-encryption</a>)</label><br><br>
                         {% endif %}
                         {% if is_talk_enabled == true %}
                             <input type="checkbox" id="talk" name="talk" checked="checked"><label for="talk">Nextcloud Talk (needs ports {{ talk_port }}/TCP and {{ talk_port }}/UDP open/forwarded in your firewall/router)</label><br><br>

php/templates/login.twig

@@ -8,7 +8,8 @@
             {% if is_login_allowed == true %}
                 <p>Log in using your Nextcloud AIO password:</p>
                 <form method="POST" action="/api/auth/login" class="xhr">
-                    <input type="text" autocomplete="off" name="password" placeholder="Password" />
+                    <input type="password" autocomplete="current-password" name="password" placeholder="Password" id="master-password" oninput="showPassword('master-password')">
+
                     <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                     <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
                     <input type="submit" class="button" value="Log in" />

readme.md

@@ -136,6 +136,7 @@ You can check this on Linux by running: `uname -m`
 ### Which ports are mandatory to be open in your firewall/router?
 Only those (if you access the Mastercontainer Interface internally via port 8080):
 - `443/TCP` for the Apache container
+- `443/UDP` if you want to enable http3 for the Apache container
 - `3478/TCP` and `3478/UDP` for the Talk container
 
 ### Explanation of used ports:
@@ -143,6 +144,7 @@ Only those (if you access the Mastercontainer Interface internally via port 8080
 - `80/TCP`: redirects to Nextcloud (is used for getting the certificate via ACME http-challenge for the Mastercontainer)
 - `8443/TCP`: Mastercontainer Interface with valid certificate (only works if port 80 and 8443 are open/forwarded in your firewall/router and you point a domain to your server. It generates a valid certificate then automatically and access via e.g. `https://public.domain.com:8443/` is possible.)
 - `443/TCP`: will be used by the Apache container later on and needs to be open/forwarded in your firewall/router
+- `443/UDP`: will be used by the Apache container later on and needs to be open/forwarded in your firewall/router if you want to enable http3
 - `3478/TCP` and `3478/UDP`: will be used by the Turnserver inside the Talk container and needs to be open/forwarded in your firewall/router
 
 ### How to run AIO on macOS?
@@ -589,7 +591,7 @@ After using this option, please make sure to apply the correct permissions to th
 
 You can then navigate to the apps management page, activate the external storage app, navigate to `https://your-nc-domain.com/settings/admin/externalstorages` and add a local external storage directory that will be accessible inside the container at the same place that you've entered. E.g. `/mnt/your-drive-mountpoint` will be mounted to `/mnt/your-drive-mountpoint` inside the container, etc. 
 
-Be aware though that these locations will not be covered by the built-in backup solution!
+Be aware though that these locations will not be covered by the built-in backup solution - but you can add further Docker volumes and host paths that you want to back up after the initial backup is done.
 
 **Please note:** If you can't see the type "local storage" in the external storage admin options, a restart of the containers from the AIO interface may be required.
 
@@ -642,7 +644,7 @@ The [facerecognition app](https://apps.nextcloud.com/apps/facerecognition) requi
 The [memories app](https://apps.nextcloud.com/apps/memories) allows to enable hardware transcoding for videos. In order to use that, you need to add `--env NEXTCLOUD_ENABLE_DRI_DEVICE=true` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) which will mount the `/dev/dri` device into the container. Additionally, you need to add required packets to the Nextcloud container by using [this feature](https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container) and adding the required Alpine packages that are documented [here](https://github.com/pulsejet/memories/wiki/QSV-Transcoding).
 
 ### Huge docker logs
-When your containers run for a few days without a restart, the container logs that you can view from the AIO interface can get really huge. You can limit the loge sizes by enabling logrotate for docker container logs. Feel free to enable this by following those instructions: https://sandro-keil.de/blog/logrotate-for-docker-container/
+If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. However for the included AIO containers, this should usually not be needed because almost all of them have the log level set to warn so they should not produce many logs.
 
 ### Access/Edit Nextcloud files/folders manually
 The files and folders that you add to Nextcloud are by default stored in the following docker directory: `nextcloud_aio_nextcloud:/mnt/ncdata/` (usually `/var/lib/docker/volumes/nextcloud_aio_nextcloud_data/_data/` on linux host systems). If needed, you can modify/add/delete files/folders there but **ATTENTION**: be very careful when doing so because you might corrupt your AIO installation! Best is to create a backup using the built-in backup solution before editing/changing files/folders in there because you will then be able to restore your instance to the backed up state.

reverse-proxy.md

@@ -340,21 +340,6 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
 
 </details>
 
-### Nginx-Proxy
-
-<details>
-
-<summary>click here to expand</summary>
-
-Unfortunately it is not possible to configure nginx-proxy in a way that works because it completely relies on environmental variables of the docker containers itself. Providing these variables does not work as stated above.
-
-If you really want to use AIO, we recommend you to switch to caddy. It is simply amazing!<br>
-Of course understandable if that is not possible for you.
-
-Apart from that, there is this: [manual-install](https://github.com/nextcloud/all-in-one/tree/main/manual-install)
-
-</details>
-
 ### Nginx-Proxy-Manager
 
 <details>
@@ -384,6 +369,21 @@ Of course you need to modify `<your-nc-domain>` to the domain on which you want
 
 </details>
 
+### Nginx-Proxy
+
+<details>
+
+<summary>click here to expand</summary>
+
+Unfortunately it is not possible to configure nginx-proxy in a way that works because it completely relies on environmental variables of the docker containers itself. Providing these variables does not work as stated above.
+
+If you really want to use AIO, we recommend you to switch to caddy. It is simply amazing!<br>
+Of course understandable if that is not possible for you.
+
+Apart from that, there is this: [manual-install](https://github.com/nextcloud/all-in-one/tree/main/manual-install)
+
+</details>
+
 ### Node.js with Express
 
 <details>
@@ -642,7 +642,7 @@ Simply translate the docker run command into a docker-compose file. You can have
 
 ## 3. Limit the access to the apache container
 
-Use this envorinmental variable during the initial startup of the mastercontainer to make the apache container only listen on localhost: `--env APACHE_IP_BINDING=127.0.0.1`. **Attention:** This is only recommended to be set if you use `localhost` in your reverse proxy config to connect to your AIO instance. If you use an ip-address instead of localhost, you should set it to `0.0.0.0`.
+Use this environment variable during the initial startup of the mastercontainer to make the apache container only listen on localhost: `--env APACHE_IP_BINDING=127.0.0.1`. **Attention:** This is only recommended to be set if you use `localhost` in your reverse proxy config to connect to your AIO instance. If you use an ip-address instead of localhost, you should set it to `0.0.0.0`.
 
 ## 4. Open the AIO interface.
 After starting AIO, you should be able to access the AIO Interface via `https://ip.address.of.the.host:8080`. Enter your domain that you've entered in the reverse proxy config and you should be done. Please do not forget to open/forward port `3478/TCP` and `3478/UDP` in your firewall/router for the Talk container!
@@ -668,9 +668,9 @@ Afterwards should the AIO interface be accessible via `https://ip.address.of.the
 ## 6. How to debug things?
 If something does not work, follow the steps below:
 1. Make sure to exactly follow the whole reverse proxy documentation step-for-step from top to bottom!
-1. Make sure that you used the docker run command that is described in this reverse proxy documentation. Hint: make sure that you have set the APACHE_PORT during the docker run command!
+1. Make sure that you used the docker run command that is described in this reverse proxy documentation. **Hint:** make sure that you have set the `APACHE_PORT` via e.g. `--env APACHE_PORT=11000` during the docker run command!
 1. Make sure to set the `APACHE_IP_BINDING` variable correctly. If in doubt, set it to `--env APACHE_IP_BINDING=0.0.0.0`
-1. Make sure that all ports match the chosen `APACHE_PORT`.
+1. Make sure that all ports to which your reverse proxy is pointing match the chosen `APACHE_PORT`.
 1. Make sure that the reverse proxy is running on the host OS or if running in a container, connected to the host network. If that is not possible (e.g. on Windows or if the reverse proxy is running on a different host), substitute `localhost` or `127.0.0.1` in the default configurations by the private ip-address of the host that is running the docker daemon. If you are not sure how to retrieve that, you can run: `ip a | grep "scope global" | head -1 | awk '{print $2}' | sed 's|/.*||'`. If the command returns a public ip-address, use `ip a | grep "scope global" | grep docker0 | awk '{print $2}' | sed 's|/.*||'` instead (the commands only work on Linux)
 1. Make sure that the mastercontainer is able to spawn other containers. You can do so by checking that the mastercontainer indeed has access to the Docker socket which might not be positioned in one of the suggested directories like `/var/run/docker.sock` but in a different directory, based on your OS and the way how you installed Docker. The mastercontainer logs should help figuring this out. You can have a look at them by running `sudo docker logs nextcloud-aio-mastercontainer` after the container is started the first time.
 1. Check if after the mastercontainer was started, the reverse proxy if running inside a container, can reach the provided apache port. You can test this by running `nc -z localhost 11000; echo $?` from inside the reverse proxy container. If the output is `0`, everything works. Alternatively you can of course use instead of `localhost` the ip-address of the host here for the test.