fix the hc

Signed-off-by: Simon L <szaimen@e.mail.de>

.github/dependabot.yml

@@ -165,3 +165,12 @@ updates:
   labels:
   - 3. to review
   - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/docker-socket-proxy"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies

.github/workflows/dependency-updates.yml

@@ -46,10 +46,10 @@ jobs:
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5
       with:
-        commit-message: dependency updates
+        commit-message: php dependency updates
         signoff: true
-        title: Dependency updates
-        body: Automated dependency updates since dependabot does not support grouped updates
+        title: PHP dependency updates
+        body: Automated php dependency updates since dependabot does not support grouped updates
         labels: dependencies, 3. to review
         milestone: next
         branch: aio-dependency-update

.github/workflows/docker-lint.yml

@@ -32,10 +32,10 @@ jobs:
           sudo apt-get update
           sudo apt-get install nodejs npm -y --no-install-recommends
           npm install -g dockerfilelint
-          wget https://github.com/replicatedhq/dockerfilelint/pull/184.patch -O /usr/local/lib/node_modules/dockerfilelint/184.patch
+          wget https://github.com/replicatedhq/dockerfilelint/pull/201.patch -O /usr/local/lib/node_modules/dockerfilelint/201.patch
           CURRENT_DIR=$PWD
           cd /usr/local/lib/node_modules/dockerfilelint/
-          git apply 184.patch
+          git apply 201.patch
           cd $CURRENT_DIR
           cat << RULES > ./.dockerfilelintrc
           rules:

.github/workflows/helm-release.yml

@@ -32,7 +32,7 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@v3.1
+        uses: azure/setup-helm@v3.5
         with:
           version: v3.6.3
 
@@ -46,4 +46,3 @@ jobs:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
           CR_SKIP_EXISTING: true
-          CR_GENERATE_RELEASE_NOTES: true

.github/workflows/lint-helm.yml

@@ -0,0 +1,35 @@
+name: Lint and Test Charts
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'nextcloud-aio-helm-chart/**'
+
+jobs:
+  lint-helm:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+        with:
+          version: v3.11.1
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.4.0
+
+      - name: Run chart-testing (lint)
+        id: lint
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.8.0
+
+      - name: Run chart-testing (install)
+        id: install
+        run: ct install --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart

.github/workflows/nextcloud-update.yml

@@ -63,7 +63,9 @@ jobs:
         # Nextcloud
         NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
         NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
-        sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
+        if [ -n "$NCVERSION" ]; then
+          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
+        fi
 
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5

.github/workflows/psalm-update-baseline.yml

@@ -39,8 +39,6 @@ jobs:
           author: nextcloud-command <nextcloud-command@users.noreply.github.com>
           signoff: true
           branch: automated/noid/psalm-baseline-update
-          # Make sure we can open multiple PRs
-          branch-suffix: timestamp
           title: '[Automated] Update psalm-baseline.xml'
           milestone: next
           body: |

.github/workflows/talk.yml

@@ -34,6 +34,16 @@ jobs:
         )"
         curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
         
+        # Janus
+        janus_version="$(
+          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
+            | cut -d/ -f3 \
+            | sort -V \
+            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | tail -1
+        )"
+        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
+        
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5
       with:

Containers/apache/Dockerfile

@@ -1,4 +1,4 @@
-FROM caddy:2.6.4-alpine as caddy
+FROM caddy:2.7.4-alpine as caddy
 
 FROM httpd:2.4.57-alpine3.18
 
@@ -30,6 +30,7 @@ RUN set -ex; \
         tzdata \
         ca-certificates \
         openssl \
+        bind-tools \
         netcat-openbsd; \
     \
     sed -i \
@@ -48,6 +49,7 @@ RUN set -ex; \
             -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
             -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
             -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
         /usr/local/apache2/conf/httpd.conf; \
     echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
     echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
@@ -68,6 +70,7 @@ RUN set -ex; \
     mkdir -p /usr/local/apache2/logs; \
     chmod 777 -R /home/www-data; \
     chmod 777 -R /usr/local/apache2/logs; \
+    rm -rf /usr/local/apache2/cgi-bin/; \
     \
     echo "root:$(openssl rand -base64 12)" | chpasswd
 

Containers/apache/healthcheck.sh

@@ -3,4 +3,7 @@
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z localhost 8000 || exit 1
 nc -z localhost "$APACHE_PORT" || exit 1
-nc -z "$NC_DOMAIN" 443 || exit 1
+if ! nc -z "$NC_DOMAIN" 443; then
+    echo "Could not reach $NC_DOMAIN on port 443."
+    exit 1
+fi

Containers/apache/start.sh

@@ -17,6 +17,12 @@ while ! nc -z "$NEXTCLOUD_HOST" 9000; do
     sleep 5
 done
 
+# Get ipv4-address of Apache
+IPv4_ADDRESS="$(dig nextcloud-aio-apache A +short | head -1)"
+# Bring it in CIDR notation
+# shellcheck disable=SC2001
+IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|1/32|')"
+
 if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
@@ -41,7 +47,7 @@ echo "$CADDYFILE" > /tmp/Caddyfile
 if [ "$APACHE_PORT" != '443' ]; then
     CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /tmp/Caddyfile)"
+    CADDYFILE="$(sed "s|# trusted_proxies placeholder|trusted_proxies static $IPv4_ADDRESS|" /tmp/Caddyfile)"
 fi
 echo "$CADDYFILE" > /tmp/Caddyfile
 
@@ -57,7 +63,7 @@ mkdir -p /mnt/data/caddy-imports
 # Remove falsely added Nextcloud conf
 rm -f /mnt/data/caddy-imports/nextcloud
 
-# Makre sure that the caddy-imports dir is not empty
+# Make sure that the caddy-imports dir is not empty
 echo "# empty file so that caddy does not print a warning" > /mnt/data/caddy-imports/empty
 
 # Fix apache startup

Containers/borgbackup/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.2
+FROM alpine:3.18.3
 
 RUN set -ex; \
     \

Containers/borgbackup/backupscript.sh

@@ -35,19 +35,19 @@ done
 
 # Check if target is mountpoint
 if ! mountpoint -q /mnt/borgbackup; then
-    echo "/mnt/borgbackup is not a mountpoint which is not allowed"
+    echo "/mnt/borgbackup is not a mountpoint which is not allowed."
     exit 1
 fi
 
 # Check if target is empty
 if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-    echo "The repository is empty. cannot perform check or restore."
+    echo "The repository is empty. Cannot perform check or restore."
     exit 1
 fi
 
 # Do not continue if this file exists (needed for simple external blocking)
 if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
-    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
+    echo "Not continuing because aio-lockfile exists – it seems like a script is externally running which is locking the backup archive."
     echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
     exit 1
 fi
@@ -65,10 +65,10 @@ if [ "$BORG_MODE" = backup ]; then
         echo "configuration.json not present. Cannot perform the backup!"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
-        echo "config.php is missing cannot perform backup"
+        echo "config.php is missing. Cannot perform backup!"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
-        echo "database-dump is missing. cannot perform backup"
+        echo "database-dump is missing. Cannot perform backup!"
         exit 1
     fi
 
@@ -81,9 +81,17 @@ if [ "$BORG_MODE" = backup ]; then
     done
 
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/export.failed" ]; then
-        echo "Database export failed the last time. Most likely was the export time not high enough."
         echo "Cannot create a backup now."
-        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
+        echo "Reason is that the database export failed the last time."
+        echo "Most likely was the database container not correctly shut down via the AIO interface."
+        echo ""
+        echo "You might want to try the database export again manually by running the three commands:"
+        echo "sudo docker start nextcloud-aio-database"
+        echo "sleep 10"
+        echo "sudo docker stop nextcloud-aio-database -t 1800"
+        echo ""
+        echo "Afterwards try to create a backup again and it should hopefully work."
+        echo "If it should still fail, feel free to report this to https://github.com/nextcloud/all-in-one/issues and post the database container logs and the borgbackup container logs into the thread. Thanks!"
         exit 1
     fi
 
@@ -101,7 +109,7 @@ if [ "$BORG_MODE" = backup ]; then
             exit 1
         fi
 
-        echo "initializing repository..."
+        echo "Initializing repository..."
         NEW_REPOSITORY=1
         if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
             echo "Could not initialize borg repository."
@@ -212,7 +220,7 @@ if [ "$BORG_MODE" = backup ]; then
             fi
             echo "Compacting additional volumes..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact archives!"
+                echo "Failed to compact additional docker-volume archives!"
                 exit 1
             fi
         fi
@@ -242,7 +250,7 @@ if [ "$BORG_MODE" = backup ]; then
             fi
             echo "Compacting additional host mounts..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact archives!"
+                echo "Failed to compact additional host-mount archives!"
                 exit 1
             fi
         fi
@@ -250,7 +258,7 @@ if [ "$BORG_MODE" = backup ]; then
 
     # Inform user
     get_expiration_time
-    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/update.failed" ]; then
         echo "However a Nextcloud update failed. So reporting that the backup failed which will skip any update attempt the next time."
         echo "Please restore a backup from before the failed Nextcloud update attempt."
@@ -361,7 +369,7 @@ if [ "$BORG_MODE" = restore ]; then
 
     # Inform user
     get_expiration_time
-    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
 
     # Add file to Nextcloud container so that it skips any update the next time
     touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
@@ -389,7 +397,7 @@ if [ "$BORG_MODE" = check ]; then
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
     exit 0
 fi
 
@@ -406,7 +414,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
     exit 0
 fi
 

Containers/clamav/Dockerfile

@@ -1,5 +1,5 @@
 # Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.1.0-1
+FROM clamav/clamav:1.2.0-1
 
 COPY clamav.conf /tmp/clamav.conf
 

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.1.3.1
+FROM collabora/code:23.05.3.1.1
 
 USER root
 

Containers/docker-socket-proxy/Dockerfile

@@ -0,0 +1,18 @@
+FROM haproxy:2.8.2-alpine3.18
+
+USER root
+ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        tzdata \
+        bash \
+        bind-tools; \
+    chmod -R 777 /tmp
+
+COPY --chmod=775 *.sh /
+COPY --chmod=664 haproxy.cfg /haproxy.cfg
+
+ENTRYPOINT ["/start.sh"]
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/docker-socket-proxy/haproxy.cfg

@@ -0,0 +1,54 @@
+# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
+
+defaults
+    timeout connect 10s
+    timeout client 10s
+    timeout server 10s
+
+frontend http
+    mode http
+    bind :::2375 v4v6
+    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
+    # container inspect: GET containers/%s/json
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
+    # container start/stop: POST containers/%s/start containers/%s/stop
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
+    # container rm: DELETE containers/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+
+
+    # container create: POST containers/create?name=%s
+    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
+    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
+
+    # ACL to restrict the number of Mounts to 1
+    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
+    # ACL to deny if there are any binds
+    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
+    # ACL to restrict the type of Mounts to volume
+    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
+
+    # ACL to restrict container creation, that it has HostConfig.Privileged not set
+    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"\s*:"
+    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
+    # end of container create
+
+    # volume create: POST volumes/create
+    # restrict name
+    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
+    acl volume_no_device req.body -m reg -i "\"device\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
+    # volume rm: DELETE volumes/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
+    # image pull: POST images/create?fromImage=%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
+    http-request deny
+    default_backend dockerbackend
+
+backend dockerbackend
+    mode http
+    server dockersocket /var/run/docker.sock

Containers/docker-socket-proxy/healthcheck.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
+nc -z localhost 2375 || exit 1

Containers/docker-socket-proxy/start.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+set -x
+IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+
+IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+if [ -n "$IPv6_ADDRESS_NC" ]; then
+    HAPROXYFILE="$(sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|" /tmp/haproxy.cfg)"
+else
+    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
+fi
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+set +x
+
+haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.2
+FROM alpine:3.18.3
 RUN set -ex; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
     adduser -S www-data -G www-data; \

Containers/fulltextsearch/Dockerfile

@@ -1,5 +1,5 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:7.17.10
+FROM elasticsearch:8.9.1
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.6-alpine3.18 as go
+FROM golang:1.21.0-alpine3.18 as go
 
 ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84
 
@@ -12,7 +12,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.18.2
+FROM alpine:3.18.3
 RUN set -ex; \
     apk add --no-cache \
         tzdata \

Containers/mastercontainer/Caddyfile

@@ -14,18 +14,17 @@
     servers {
         protocols h1 h2 h2c
     }
+
+    on_demand_tls {
+        ask http://localhost:9876/
+    }
 }
 
 http://:80 {
   redir https://{host}{uri}
 }
 
-# Match only host names and not ip-addresses:
-https://*.*:8443,
-https://*.*.*:8443,
-https://*.*.*.*:8443,
-https://*.*.*.*.*:8443,
-https://*.*.*.*.*.*:8443 {
+https://:8443 {
 
     reverse_proxy localhost:8000
 

Containers/mastercontainer/Dockerfile

@@ -1,11 +1,11 @@
 # Docker CLI is a requirement
-FROM docker:24.0.4-cli as docker
+FROM docker:24.0.5-cli as docker
 
 # Caddy is a requirement
-FROM caddy:2.6.4-alpine as caddy
+FROM caddy:2.7.4-alpine as caddy
 
 # From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
-FROM php:8.2.8-fpm-alpine3.18
+FROM php:8.2.9-fpm-alpine3.18
 
 EXPOSE 80
 EXPOSE 8080
@@ -93,6 +93,7 @@ RUN set -ex; \
             -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
             -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
             -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+            -e 's/\(ScriptAlias \)/#\1/' \
         /etc/apache2/httpd.conf; \
         mkdir -p /etc/apache2/logs; \
         rm /etc/apache2/conf.d/ssl.conf; \
@@ -108,6 +109,7 @@ RUN set -ex; \
           /etc/apache2/conf.d/userdir.conf \
           /etc/apache2/conf.d/info.conf; \
     \
+    rm -rf /var/www/localhost/cgi-bin/; \
     mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 
@@ -119,6 +121,5 @@ COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
 USER root
 
 ENTRYPOINT ["/start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD /healthcheck.sh

Containers/mastercontainer/daily-backup.sh

@@ -16,7 +16,7 @@ fi
 sudo -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -oP '[0-9]+' | head -1)"
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -o '[0-9]\+' | head -1)"
 while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
     echo "Waiting for apache to become available"
     sleep 30

Containers/mastercontainer/healthcheck.sh

@@ -1,5 +1,10 @@
 #!/bin/bash
 
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
+    nc -z localhost 80 || exit 1
+    nc -z localhost 8000 || exit 1
     nc -z localhost 8080 || exit 1
+    nc -z localhost 8443 || exit 1
+    nc -z localhost 9000 || exit 1
+    nc -z localhost 9876 || exit 1
 fi

Containers/mastercontainer/start.sh

@@ -26,6 +26,12 @@ if [ "$EUID" != "0" ]; then
     exit 1
 fi
 
+# Check that the CMD is not overwritten nor set
+if [ "$*" != "" ]; then
+    print_red "Docker run command for AIO is incorrect as a CMD option was given which is not expected."
+    exit 1
+fi
+
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
     print_red "Docker socket is not available. Cannot continue."
@@ -247,6 +253,32 @@ if [ "$?" = 6 ]; then
     exit 1
 fi
 
+# Check that no changes have been made to timezone settings since AIO only supports running in UTC timezone
+if [ -n "$TZ" ]; then
+    print_red "The environmental variable TZ has been set which is not supported by AIO since it only supports running in the default UTC timezone!"
+    echo "The correct timezone can be set in the AIO interface later on!"
+    exit 1
+elif mountpoint -q /etc/localtime; then
+    print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default UTC timezone!"
+    echo "The correct timezone can be set in the AIO interface later on!"
+    exit 1
+elif mountpoint -q /etc/timezone; then
+    print_red "/etc/timezone has been mounted into the container which is not allowed because AIO only supports running in the default UTC timezone!"
+    echo "The correct timezone can be set in the AIO interface later on!"
+    exit 1
+fi
+
+# Check if unsupported env are set (but don't exit as it would break many instances)
+if [ -n "$APACHE_DISABLE_REWRITE_IP" ]; then
+    print_red "The environmental variable APACHE_DISABLE_REWRITE_IP has been set which is not supported by AIO. Please remove it!"
+fi
+if [ -n "$NEXTCLOUD_TRUSTED_DOMAINS" ]; then
+    print_red "The environmental variable NEXTCLOUD_TRUSTED_DOMAINS has been set which is not supported by AIO. Please remove it!"
+fi
+if [ -n "$TRUSTED_PROXIES" ]; then
+    print_red "The environmental variable TRUSTED_PROXIES has been set which is not supported by AIO. Please remove it!"
+fi
+
 # Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
@@ -298,8 +330,8 @@ E.g. https://internal.ip.of.this.server:8080
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443"
 
-# Set the timezone to UTC
-export TZ=UTC
+# Set the timezone to Etc/UTC
+export TZ=Etc/UTC
 
 # Fix apache startup
 rm -f /var/run/apache2/httpd.pid
@@ -310,4 +342,5 @@ caddy fmt --overwrite /Caddyfile
 # Fix caddy log 
 chmod 777 /root
 
-exec "$@"
+# Start supervisord
+/usr/bin/supervisord -c /supervisord.conf

Containers/mastercontainer/supervisord.conf

@@ -55,3 +55,12 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
 user=root
+
+[program:domain-validator]
+# Logging is disabled as otherwise all attempts will be logged which spams the logs
+# stdout_logfile=/dev/stdout
+# stdout_logfile_maxbytes=0
+# stderr_logfile=/dev/stderr
+# stderr_logfile_maxbytes=0
+command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
+user=www-data

Containers/nextcloud/Dockerfile

@@ -1,9 +1,9 @@
-FROM php:8.1.21-fpm-alpine3.18
+FROM php:8.1.22-fpm-alpine3.18
 
 ENV PHP_MEMORY_LIMIT 512M
 ENV PHP_UPLOAD_LIMIT 10G
 ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 26.0.3
+ENV NEXTCLOUD_VERSION 27.0.2
 ENV AIO_TOKEN 123456
 ENV AIO_URL localhost
 
@@ -209,6 +209,7 @@ RUN set -ex; \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
+    chmod -R 777 /tmp; \
     rm -r /usr/src/nextcloud/apps/updatenotification; \
     \
     mkdir -p /nc-updater; \
@@ -222,5 +223,5 @@ USER root
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
+HEALTHCHECK --start-period=60s CMD sudo -E -u www-data bash /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/nextcloud/entrypoint.sh

@@ -282,6 +282,8 @@ DATADIR_PERMISSION_CONF
                         touch "$NEXTCLOUD_DATA_DIR/install.failed"
                         exit 1
                     fi
+                    # shellcheck disable=SC2016
+                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                 fi
                 php /var/www/html/occ app:disable updatenotification
                 rm -rf /var/www/html/apps/updatenotification
@@ -476,11 +478,15 @@ php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 
 # Apply network settings
 echo "Applying network settings..."
+php /var/www/html/occ config:system:set davstorage.request_timeout --value="$PHP_MAX_TIME" --type=int
 php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
 php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
 
+# Apply dbpersistent setting in order to fix too many db connections
+php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
+
 # Disallow creating local external storages when nothing was mounted
 if [ -z "$NEXTCLOUD_MOUNT" ]; then
     php /var/www/html/occ config:system:set files_external_allow_create_new_local --type=bool --value=false
@@ -701,7 +707,7 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update files_fulltextsearch
     fi
     php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
+    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://elastic:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
     php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
 
     # Do the index
@@ -728,5 +734,22 @@ else
     fi
 fi
 
+# Docker socket proxy
+if version_greater "$installed_version" "27.1.0.0"; then
+    if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
+        if ! [ -d "/var/www/html/custom_apps/app_ecosystem_v2" ]; then
+            php /var/www/html/occ app:install app_ecosystem_v2
+        elif [ "$(php /var/www/html/occ config:app:get app_ecosystem_v2 enabled)" != "yes" ]; then
+            php /var/www/html/occ app:enable app_ecosystem_v2
+        elif [ "$SKIP_UPDATE" != 1 ]; then
+            php /var/www/html/occ app:update app_ecosystem_v2
+        fi
+    else
+        if [ -d "/var/www/html/custom_apps/app_ecosystem_v2" ]; then
+            php /var/www/html/occ app:remove app_ecosystem_v2
+        fi
+    fi
+fi
+
 # Remove the update skip file always
 rm -f "$NEXTCLOUD_DATA_DIR"/skip.update

Containers/nextcloud/run-exec-commands.sh

@@ -15,9 +15,14 @@ if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
 else
     # Collabora must work also if using manual-install 
     if [ "$COLLABORA_ENABLED" = yes ]; then
-        echo "Activating collabora config..."
+        echo "Activating Collabora config..."
         php /var/www/html/occ richdocuments:activate-config
     fi
+    # OnlyOffice must work also if using manual-install
+    if [ "$ONLYOFFICE_ENABLED" = yes ]; then
+        echo "Activating OnlyOffice config..."
+        php /var/www/html/occ onlyoffice:documentserver --check
+    fi
 fi
 
 sleep inf

Containers/nextcloud/start.sh

@@ -34,7 +34,7 @@ fi
 # Check if /dev/dri device is present and apply correct permissions
 set -x
 if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindepth 1 -name dri)" ] && [ -n "$(find /dev/dri -maxdepth 1 -mindepth 1 -name renderD128)" ]; then
-    # From https://github.com/pulsejet/memories/wiki/QSV-Transcoding#docker-installations
+    # From https://memories.gallery/hw-transcoding/#docker-installations
     GID="$(stat -c "%g" /dev/dri/renderD128)"
     groupadd -g "$GID" render2 || true # sometimes this is needed
     GROUP="$(getent group "$GID" | cut -d: -f1)"

Containers/notify-push/Dockerfile

@@ -1,6 +1,7 @@
 FROM alpine:3.18.2
 
 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
 RUN set -ex; \
     apk add --no-cache \
@@ -17,5 +18,5 @@ RUN set -ex; \
 USER 33
 ENTRYPOINT ["/start.sh"]
 
-HEALTHCHECK CMD nc -z localhost 7867 || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/notify-push/healthcheck.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if ! nc -z "$NEXTCLOUD_HOST" 9000; then
+    exit 0
+fi
+
+nc -z localhost 7867 || exit 1

Containers/onlyoffice/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.4.0.1
+FROM onlyoffice/documentserver:7.4.1.1
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/docker-library/postgres/blob/master/15/alpine/Dockerfile
-FROM postgres:15.3-alpine
+FROM postgres:15.4-alpine
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/postgresql/start.sh

@@ -92,14 +92,14 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
 
     # Check if the line we grep for later on is there
     GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
-    if ! grep -q "$GREP_STRING" "$DUMP_FILE"; then
+    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
         echo "The needed oc_appconfig line is not there which is unexpected."
         echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
     # Get the Owner
-    DB_OWNER="$(grep "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
+    DB_OWNER="$(grep -a "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
     if [ "$DB_OWNER" = "$POSTGRES_USER" ]; then
         echo "Unfortunately was the found database owner of the dump file the same as the POSTGRES_USER $POSTGRES_USER"
         echo "It is not possible to import a database dump from this database owner."

Containers/talk-recording/Dockerfile

@@ -1,8 +1,12 @@
-FROM python:3.11.4-alpine3.18
+FROM python:3.11.5-alpine3.18
 
 COPY --chmod=775 start.sh /start.sh
 
-ENV RECORDING_VERSION v17.0.1
+ENV RECORDING_VERSION v17.0.3
+ENV ALLOW_ALL false
+ENV HPB_PROTOCOL https
+ENV SKIP_VERIFY false
+ENV HPB_PATH /standalone-signaling/
 
 RUN set -ex; \
     apk add --no-cache \

Containers/talk-recording/start.sh

@@ -12,6 +12,10 @@ elif [ -z "$INTERNAL_SECRET" ]; then
     exit 1
 fi
 
+if [ -z "$HPB_DOMAIN" ]; then
+    export HPB_DOMAIN="$NC_DOMAIN"
+fi
+
 cat << RECORDING_CONF > "/conf/recording.conf"
 [logs]
 # 30 means Warning
@@ -21,26 +25,26 @@ level = 30
 listen = 0.0.0.0:1234
 
 [backend]
-allowall = false
+allowall = ${ALLOW_ALL}
 # TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
 secret = ${RECORDING_SECRET}
 backends = backend-1
-skipverify = false
+skipverify = ${SKIP_VERIFY}
 maxmessagesize = 1024
 videowidth = 1920
 videoheight = 1080
 directory = /tmp
 
 [backend-1]
-url = https://${NC_DOMAIN}
+url = ${HPB_PROTOCOL}://${NC_DOMAIN}
 secret = ${RECORDING_SECRET}
-skipverify = false
+skipverify = ${SKIP_VERIFY}
 
 [signaling]
 signalings = signaling-1
 
 [signaling-1]
-url = https://${NC_DOMAIN}/standalone-signaling/
+url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
 
 [ffmpeg]

Containers/talk/Dockerfile

@@ -1,12 +1,47 @@
-FROM nats:2.9.19-scratch as nats
+FROM nats:2.9.21-scratch as nats
+FROM eturnal/eturnal:1.11.1 AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling
-FROM coturn/coturn:4.6.2-alpine3.18
-USER root
+FROM alpine:3.18.3 as janus
 
-COPY --from=nats /nats-server /usr/local/bin/nats-server
+ARG JANUS_VERSION=v0.14.0
+WORKDIR /src
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        git \
+        autoconf \
+        automake \
+        build-base \
+        pkgconfig \
+        libtool \
+        util-linux \
+        glib-dev \
+        zlib-dev \
+        openssl-dev \
+        jansson-dev \
+        libnice-dev \
+        libconfig-dev \
+        libsrtp-dev \
+        libusrsctp-dev \
+        gengetopt-dev \
+        libwebsockets-dev; \
+    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
+    /src/autogen.sh; \
+    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
+    make; \
+    make install; \
+    make configs; \
+    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
+
+FROM alpine:3.18.2
+ENV ETURNAL_ETC_DIR="/conf"
+COPY --from=janus     /usr/local                          /usr/local
+COPY --from=eturnal   /opt/eturnal                        /opt/eturnal
+COPY --from=nats      /nats-server                        /usr/local/bin/nats-server
 COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
 
 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
@@ -14,62 +49,59 @@ RUN set -ex; \
         ca-certificates \
         tzdata \
         bash \
-        janus-gateway \
         openssl \
         supervisor \
         bind-tools \
         netcat-openbsd \
-        shadow \
-        util-linux \
-        build-base \
-        wget \
-        lua5.3-dev \
-        luarocks5.3; \
-    useradd --system talk; \
-    luarocks-5.3 install luajson; \
-    luarocks-5.3 install ansicolors; \
-    rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
+        \
+        glib \
+        zlib \
+        libssl3 \
+        libcrypto3 \
+        jansson \
+        libnice \
+        libconfig \
+        libsrtp \
+        libusrsctp \
+        libwebsockets \
+        \
+        shadow; \
+    useradd --system eturnal; \
     apk del --no-cache \
-        shadow \
-        util-linux \
-        build-base \
-        wget \
-        lua5.3-dev \
-        luarocks5.3; \
+        shadow; \
     \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
     \
     touch \
-        /etc/nats.conf; \
+        /etc/nats.conf \
+        /etc/eturnal.yml; \
     echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
     mkdir -p \
         /var/tmp \
         /conf \
         /var/lib/turn \
         /var/log/supervisord \
-        /var/lib/turn \
-        /var/run/supervisord; \
-    chown talk:talk -R \
+        /var/run/supervisord \
+        /usr/local/lib/janus/loggers; \
+    chown eturnal:eturnal -R \
         /usr \
-        /etc/janus \
+        /opt/eturnal \
         /etc/nats.conf \
-        /var/lib/turn \
         /var/log/supervisord \
         /var/run/supervisord; \
     chmod 777 -R \
         /tmp \
         /conf \
+        /opt/eturnal \
         /var/run/supervisord \
-        /var/lib/turn \
-        /var/log/supervisord;
+        /var/log/supervisord; \
+    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
+    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl
 
-# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
-ENV TALK_PORT=3478
-
-USER talk
+USER eturnal
 ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk/healthcheck.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+nc -z localhost 8081 || exit 1
+nc -z localhost 8188 || exit 1
+nc -z localhost 4222 || exit 1
+nc -z localhost "$TALK_PORT" || exit 1
+eturnalctl status || exit 1
+if ! nc -z "$NC_DOMAIN" "$TALK_PORT"; then
+    echo "Could not reach $NC_DOMAIN on port $TALK_PORT."
+    exit 1
+fi

Containers/talk/start.sh

@@ -4,6 +4,9 @@
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
     exit 1
+elif [ -z "$TALK_PORT" ]; then
+    echo "You need to provide the TALK_PORT."
+    exit 1
 elif [ -z "$TURN_SECRET" ]; then
     echo "You need to provide the TURN_SECRET."
     exit 1
@@ -16,43 +19,37 @@ elif [ -z "$INTERNAL_SECRET" ]; then
 fi
 
 set -x
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
+IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk IN A +short | grep '^[0-9.]\+$' | sort | head -n1)"
+IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short | grep '^[0-9a-f:]\+$' | sort | head -n1)"
 set +x
 
 # Turn
-cat << TURN_CONF > "/conf/turnserver.conf"
-listening-port=$TALK_PORT
-fingerprint
-use-auth-secret
-static-auth-secret=$TURN_SECRET
-realm=$NC_DOMAIN
-total-quota=0
-bps-capacity=0
-stale-nonce
-no-multicast-peers
-simple-log
-pidfile=/var/tmp/turnserver.pid
-no-tls
-no-dtls
-userdb=/var/lib/turn/turndb
-# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks
-allowed-peer-ip=$IPv4_ADDRESS_TALK
-denied-peer-ip=0.0.0.0-0.255.255.255
-denied-peer-ip=10.0.0.0-10.255.255.255
-denied-peer-ip=100.64.0.0-100.127.255.255
-denied-peer-ip=127.0.0.0-127.255.255.255
-denied-peer-ip=169.254.0.0-169.254.255.255
-denied-peer-ip=172.16.0.0-172.31.255.255
-denied-peer-ip=192.0.0.0-192.0.0.255
-denied-peer-ip=192.0.2.0-192.0.2.255
-denied-peer-ip=192.88.99.0-192.88.99.255
-denied-peer-ip=192.168.0.0-192.168.255.255
-denied-peer-ip=198.18.0.0-198.19.255.255
-denied-peer-ip=198.51.100.0-198.51.100.255
-denied-peer-ip=203.0.113.0-203.0.113.255
-denied-peer-ip=240.0.0.0-255.255.255.255
+cat << TURN_CONF > "/conf/eturnal.yml"
+eturnal:
+  listen:
+    - ip: "::"
+      port: $TALK_PORT
+      transport: udp
+    - ip: "::"
+      port: $TALK_PORT
+      transport: tcp
+  log_dir: stdout
+  log_level: warning
+  secret: "$TURN_SECRET"
+  relay_ipv4_addr: "$IPv4_ADDRESS_TALK"
+  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
+  blacklist:
+  - recommended
+  whitelist:
+  - 127.0.0.1
+  - ::1
+  - "$IPv4_ADDRESS_TALK"
+  - "$IPv6_ADDRESS_TALK"
 TURN_CONF
 
+# Remove empty lines so that the config is not invalid
+sed -i '/""/d' /conf/eturnal.yml
+
 # Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]

Containers/talk/supervisord.conf

@@ -1,6 +1,5 @@
 [supervisord]
 nodaemon=true
-nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -8,12 +7,12 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 
-[program:turnserver]
+[program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /conf/turnserver.conf
+command=eturnalctl foreground
 
 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -28,7 +27,7 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 # debug-level 3 means warning
-command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
 
 [program:signaling]
 stdout_logfile=/dev/stdout

Containers/watchtower/Dockerfile

@@ -1,7 +1,7 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
 FROM containrrr/watchtower:1.5.3 as watchtower
 
-FROM alpine:3.18.2
+FROM alpine:3.18.3
 
 RUN apk add --no-cache bash
 COPY --from=watchtower /watchtower /watchtower

app/appinfo/info.xml

@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="25" max-version="26"/>
+		<nextcloud min-version="26" max-version="27"/>
 	</dependencies>
 
 	<settings>

compose.yaml

@@ -1,6 +1,7 @@
 services:
-  nextcloud:
+  nextcloud-aio-mastercontainer:
     image: nextcloud/all-in-one:latest
+    init: true
     restart: always
     container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
     volumes:

develop.md

@@ -2,6 +2,7 @@
 If you want to switch to the develop channel, you simply stop and delete the mastercontainer and create a new one with a changed tag to develop:
 ```shell
 sudo docker run \
+--init \
 --sig-proxy=false \
 --name nextcloud-aio-mastercontainer \
 --restart always \

manual-install/latest.yml

@@ -1,11 +1,21 @@
 services:
   nextcloud-aio-apache:
     depends_on:
-      - nextcloud-aio-onlyoffice
-      - nextcloud-aio-collabora
-      - nextcloud-aio-talk
-      - nextcloud-aio-nextcloud
-      - nextcloud-aio-notify-push
+      nextcloud-aio-onlyoffice:
+        condition: service_started
+        required: false
+      nextcloud-aio-collabora:
+        condition: service_started
+        required: false
+      nextcloud-aio-talk:
+        condition: service_started
+        required: false
+      nextcloud-aio-nextcloud:
+        condition: service_started
+        required: false
+      nextcloud-aio-notify-push:
+        condition: service_started
+        required: false
     image: nextcloud/aio-apache:latest
     ports:
       - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
@@ -27,6 +37,13 @@ services:
     restart: unless-stopped
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /usr/local/apache2/logs
+      - /tmp
+      - /home/www-data
 
   nextcloud-aio-database:
     image: nextcloud/aio-postgresql:latest
@@ -46,15 +63,30 @@ services:
     shm_size: 268435456
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/run/postgresql
 
   nextcloud-aio-nextcloud:
     depends_on:
-      - nextcloud-aio-database
-      - nextcloud-aio-redis
-      - nextcloud-aio-clamav
-      - nextcloud-aio-fulltextsearch
-      - nextcloud-aio-talk-recording
-      - nextcloud-aio-imaginary
+      nextcloud-aio-database:
+        condition: service_started
+        required: false
+      nextcloud-aio-redis:
+        condition: service_started
+        required: false
+      nextcloud-aio-clamav:
+        condition: service_started
+        required: false
+      nextcloud-aio-fulltextsearch:
+        condition: service_started
+        required: false
+      nextcloud-aio-talk-recording:
+        condition: service_started
+        required: false
+      nextcloud-aio-imaginary:
+        condition: service_started
+        required: false
     image: nextcloud/aio-nextcloud:latest
     expose:
       - "9000"
@@ -108,6 +140,8 @@ services:
     restart: unless-stopped
     networks:
       - nextcloud-aio
+    tmpfs:
+      - /tmp:exec
 
   nextcloud-aio-notify-push:
     image: nextcloud/aio-notify-push:latest
@@ -180,6 +214,13 @@ services:
       - talk-recording
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /var/log/supervisord
+      - /var/run/supervisord
+      - /conf
+      - /var/lib/turn
+      - /tmp
 
   nextcloud-aio-talk-recording:
     image: nextcloud/aio-talk-recording:latest
@@ -196,6 +237,10 @@ services:
       - talk-recording
     networks:
       - nextcloud-aio
+    read_only: true
+    tmpfs:
+      - /tmp
+      - /conf
 
   nextcloud-aio-clamav:
     image: nextcloud/aio-clamav:latest
@@ -248,6 +293,8 @@ services:
     networks:
       - nextcloud-aio
     read_only: true
+    tmpfs:
+      - /tmp
 
   nextcloud-aio-fulltextsearch:
     image: nextcloud/aio-fulltextsearch:latest
@@ -255,9 +302,14 @@ services:
       - "9200"
     environment:
       - TZ=${TIMEZONE}
+      - ES_JAVA_OPTS=-Xms512M -Xmx512M
+      - bootstrap.memory_lock=true
+      - cluster.name=nextcloud-aio
       - discovery.type=single-node
-      - ES_JAVA_OPTS=-Xms1024M -Xmx1024M
-      - POSTGRES_HOST=nextcloud-aio-database
+      - logger.org.elasticsearch.discovery=WARN
+      - http.port=9200
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=false
     volumes:
       - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
     restart: unless-stopped

manual-install/update-yaml.sh

@@ -20,6 +20,9 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-docker-socket-proxy"))')"
+OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= if contains(["nextcloud-aio-docker-socket-proxy"]) then del(.[index("nextcloud-aio-docker-socket-proxy")]) else . end else . end')"
+OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= map({ (.): { "condition": "service_started", "required": false } }) else . end' | jq '.services[] |= if has("depends_on") then .depends_on |= reduce .[] as $item ({}; . + $item) else . end')"
 
 snap install yq
 mkdir -p ./manual-install
@@ -34,9 +37,7 @@ sed -i 's|- source: |- |' containers.yml
 sed -i 's|- ip_binding: |- |' containers.yml
 sed -i '/AIO_TOKEN/d' containers.yml
 sed -i '/AIO_URL/d' containers.yml
-
-sed -i '/AIO_TOKEN/d' sample.conf
-sed -i '/AIO_URL/d' sample.conf
+sed -i '/DOCKER_SOCKET_PROXY_ENABLED/d' containers.yml
 
 TCP="$(grep -oP '[%A-Z0-9_]+/tcp' containers.yml | sort -u)"
 mapfile -t TCP <<< "$TCP"
@@ -111,7 +112,7 @@ for name in "${NAMES[@]}"
 do
     OUTPUT="$(echo "$OUTPUT" | sed "/container_name.*$name$/i\ \ $name:")"
     if [ "$name" != "nextcloud-aio-apache" ]; then
-        OUTPUT="$(echo "$OUTPUT" | sed "/  $name:/i\ ")"
+        OUTPUT="$(echo "$OUTPUT" | sed "/^  $name:/i\ ")"
     fi
 done
 

manual-upgrade.md

@@ -12,7 +12,7 @@ The only way to fix this on your side is upgrading regularly (e.g. by enabling d
 1. Run the following commands in order to reverse engineer the Nextcloud container:
     ```bash
         sudo docker pull assaflavie/runlike
-        echo '#/bin/bash' > /tmp/nextcloud-aio-nextcloud
+        echo '#!/bin/bash' > /tmp/nextcloud-aio-nextcloud
         sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
         sudo chown root:root /tmp/nextcloud-aio-nextcloud
     ```

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 6.2.1
+version: 7.0.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-apache
@@ -29,7 +30,22 @@ spec:
             - "777"
             - /nextcloud-aio-nextcloud
             - /nextcloud-aio-apache
+            - /nextcloud-aio-apache-tmpfs0
+            - /nextcloud-aio-apache-tmpfs1
+            - /nextcloud-aio-apache-tmpfs2
+            - /nextcloud-aio-apache-tmpfs3
+            - /nextcloud-aio-apache-tmpfs4
           volumeMounts:
+            - name: nextcloud-aio-apache-tmpfs4
+              mountPath: /nextcloud-aio-apache-tmpfs4
+            - name: nextcloud-aio-apache-tmpfs3
+              mountPath: /nextcloud-aio-apache-tmpfs3
+            - name: nextcloud-aio-apache-tmpfs2
+              mountPath: /nextcloud-aio-apache-tmpfs2
+            - name: nextcloud-aio-apache-tmpfs1
+              mountPath: /nextcloud-aio-apache-tmpfs1
+            - name: nextcloud-aio-apache-tmpfs0
+              mountPath: /nextcloud-aio-apache-tmpfs0
             - name: nextcloud-aio-apache
               mountPath: /nextcloud-aio-apache
             - name: nextcloud-aio-nextcloud
@@ -56,16 +72,33 @@ spec:
               value: nextcloud-aio-talk
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20230626_101439-latest
+          image: nextcloud/aio-apache:20230817_065941-latest
           name: nextcloud-aio-apache
           ports:
             - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: TCP
+            - containerPort: {{ .Values.APACHE_PORT }}
+              hostPort: {{ .Values.APACHE_PORT }}
+              protocol: UDP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /var/www/html
               name: nextcloud-aio-nextcloud
               readOnly: true
             - mountPath: /mnt/data
               name: nextcloud-aio-apache
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-apache-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-apache-tmpfs1
+            - mountPath: /usr/local/apache2/logs
+              name: nextcloud-aio-apache-tmpfs2
+            - mountPath: /tmp
+              name: nextcloud-aio-apache-tmpfs3
+            - mountPath: /home/www-data
+              name: nextcloud-aio-apache-tmpfs4
       volumes:
         - name: nextcloud-aio-nextcloud
           persistentVolumeClaim:
@@ -73,3 +106,13 @@ spec:
         - name: nextcloud-aio-apache
           persistentVolumeClaim:
             claimName: nextcloud-aio-apache
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-apache-tmpfs4

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml

@@ -2,16 +2,21 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   type: LoadBalancer
   ports:
     - name: "{{ .Values.APACHE_PORT }}"
       port: {{ .Values.APACHE_PORT }}
       targetPort: {{ .Values.APACHE_PORT }}
+    - name: {{ .Values.APACHE_PORT }}-udp
+      port: {{ .Values.APACHE_PORT }}
+      protocol: UDP
+      targetPort: {{ .Values.APACHE_PORT }}
   selector:
     io.kompose.service: nextcloud-aio-apache

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-clamav
@@ -47,10 +48,14 @@ spec:
               value: "90"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20230626_101439-latest
+          image: nextcloud/aio-clamav:20230817_065941-latest
           name: nextcloud-aio-clamav
           ports:
             - containerPort: 3310
+              hostPort: 3310
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /var/lib/clamav
               name: nextcloud-aio-clamav

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "3310"

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-collabora
   name: nextcloud-aio-collabora
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-collabora
@@ -36,8 +37,10 @@ spec:
               value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20230626_101439-latest
+          image: nextcloud/aio-collabora:20230817_065941-latest
           name: nextcloud-aio-collabora
           ports:
             - containerPort: 9980
+              hostPort: 9980
+              protocol: TCP
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-collabora
   name: nextcloud-aio-collabora
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "9980"

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-database
@@ -30,7 +31,10 @@ spec:
             - /nextcloud-aio-database/data
             - /nextcloud-aio-database
             - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
           volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
             - name: nextcloud-aio-database-dump
               mountPath: /nextcloud-aio-database-dump
             - name: nextcloud-aio-database
@@ -43,7 +47,10 @@ spec:
             - "-R"
             - /nextcloud-aio-database
             - /nextcloud-aio-database-dump
+            - /nextcloud-aio-database-tmpfs0
           volumeMounts:
+            - name: nextcloud-aio-database-tmpfs0
+              mountPath: /nextcloud-aio-database-tmpfs0
             - name: nextcloud-aio-database-dump
               mountPath: /nextcloud-aio-database-dump
             - name: nextcloud-aio-database
@@ -60,16 +67,22 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20230626_101439-latest
+          image: nextcloud/aio-postgresql:20230817_065941-latest
           name: nextcloud-aio-database
           ports:
             - containerPort: 5432
+              hostPort: 5432
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /var/lib/postgresql/data
               subPath: data
               name: nextcloud-aio-database
             - mountPath: /mnt/data
               name: nextcloud-aio-database-dump
+            - mountPath: /var/run/postgresql
+              name: nextcloud-aio-database-tmpfs0
       terminationGracePeriodSeconds: 1800
       volumes:
         - name: nextcloud-aio-database
@@ -78,3 +91,5 @@ spec:
         - name: nextcloud-aio-database-dump
           persistentVolumeClaim:
             claimName: nextcloud-aio-database-dump
+        - emptyDir: {}
+          name: nextcloud-aio-database-tmpfs0

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-dump-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-database-dump
   name: nextcloud-aio-database-dump
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-service.yaml

@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "5432"

nextcloud-aio-helm-chart/templates/nextcloud-aio-elasticsearch-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-elasticsearch
   name: nextcloud-aio-elasticsearch
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-fulltextsearch
   name: nextcloud-aio-fulltextsearch
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-fulltextsearch
@@ -35,17 +36,29 @@ spec:
       containers:
         - env:
             - name: ES_JAVA_OPTS
-              value: -Xms1024M -Xmx1024M
-            - name: POSTGRES_HOST
-              value: nextcloud-aio-database
+              value: -Xms512M -Xmx512M
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
+            - name: bootstrap.memory_lock
+              value: "true"
+            - name: cluster.name
+              value: nextcloud-aio
             - name: discovery.type
               value: single-node
-          image: nextcloud/aio-fulltextsearch:20230626_101439-latest
+            - name: http.port
+              value: "9200"
+            - name: logger.org.elasticsearch.discovery
+              value: WARN
+            - name: xpack.license.self_generated.type
+              value: basic
+            - name: xpack.security.enabled
+              value: "false"
+          image: nextcloud/aio-fulltextsearch:20230817_065941-latest
           name: nextcloud-aio-fulltextsearch
           ports:
             - containerPort: 9200
+              hostPort: 9200
+              protocol: TCP
           volumeMounts:
             - mountPath: /usr/share/elasticsearch/data
               name: nextcloud-aio-elasticsearch

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-fulltextsearch
   name: nextcloud-aio-fulltextsearch
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "9200"

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-imaginary
   name: nextcloud-aio-imaginary
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,22 +17,41 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-imaginary
     spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-imaginary-tmpfs0
+          volumeMounts:
+            - name: nextcloud-aio-imaginary-tmpfs0
+              mountPath: /nextcloud-aio-imaginary-tmpfs0
       containers:
         - env:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20230626_101439-latest
+          image: nextcloud/aio-imaginary:20230817_065941-latest
           name: nextcloud-aio-imaginary
           ports:
             - containerPort: 9000
+              hostPort: 9000
+              protocol: TCP
           securityContext:
             capabilities:
               add:
                 - SYS_NICE
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-imaginary-tmpfs0
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-imaginary-tmpfs0
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-imaginary
   name: nextcloud-aio-imaginary
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "9000"

nextcloud-aio-helm-chart/templates/nextcloud-aio-namespace-namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.NAMESPACE }}
+  namespace: {{ .Values.NAMESPACE }}
+spec: {}

nextcloud-aio-helm-chart/templates/nextcloud-aio-networkpolicy.yaml

@@ -1,13 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: nextcloud-aio
-spec:
-  ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              io.kompose.network/nextcloud-aio: "true"
-  podSelector:
-    matchLabels:
-      io.kompose.network/nextcloud-aio: "true"

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-data-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-nextcloud-data
   name: nextcloud-aio-nextcloud-data
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-nextcloud
   name: nextcloud-aio-nextcloud
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-nextcloud
@@ -29,7 +30,10 @@ spec:
             - "777"
             - /nextcloud-aio-nextcloud
             - /nextcloud-aio-nextcloud-trusted-cacerts
+            - /nextcloud-aio-nextcloud-tmpfs0
           volumeMounts:
+            - name: nextcloud-aio-nextcloud-tmpfs0
+              mountPath: /nextcloud-aio-nextcloud-tmpfs0
             - name: nextcloud-aio-nextcloud-trusted-cacerts
               mountPath: /nextcloud-aio-nextcloud-trusted-cacerts
             - name: nextcloud-aio-nextcloud
@@ -116,10 +120,12 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: UPDATE_NEXTCLOUD_APPS
               value: "{{ .Values.UPDATE_NEXTCLOUD_APPS }}"
-          image: nextcloud/aio-nextcloud:20230626_101439-latest
+          image: nextcloud/aio-nextcloud:20230817_065941-latest
           name: nextcloud-aio-nextcloud
           ports:
             - containerPort: 9000
+              hostPort: 9000
+              protocol: TCP
           volumeMounts:
             - mountPath: /var/www/html
               name: nextcloud-aio-nextcloud
@@ -128,6 +134,8 @@ spec:
             - mountPath: /usr/local/share/ca-certificates
               name: nextcloud-aio-nextcloud-trusted-cacerts
               readOnly: true
+            - mountPath: /tmp
+              name: nextcloud-aio-nextcloud-tmpfs0
       volumes:
         - name: nextcloud-aio-nextcloud
           persistentVolumeClaim:
@@ -138,3 +146,5 @@ spec:
         - name: nextcloud-aio-nextcloud-trusted-cacerts
           persistentVolumeClaim:
             claimName: nextcloud-aio-nextcloud-trusted-cacerts
+        - emptyDir: {}
+          name: nextcloud-aio-nextcloud-tmpfs0

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-nextcloud
   name: nextcloud-aio-nextcloud
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-service.yaml

@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-nextcloud
   name: nextcloud-aio-nextcloud
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "9000"

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-trusted-cacerts-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-nextcloud-trusted-cacerts
   name: nextcloud-aio-nextcloud-trusted-cacerts
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-notify-push
   name: nextcloud-aio-notify-push
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-notify-push
@@ -49,10 +50,14 @@ spec:
               value: nextcloud-aio-redis
             - name: REDIS_HOST_PASSWORD
               value: "{{ .Values.REDIS_PASSWORD }}"
-          image: nextcloud/aio-notify-push:20230626_101439-latest
+          image: nextcloud/aio-notify-push:20230817_065941-latest
           name: nextcloud-aio-notify-push
           ports:
             - containerPort: 7867
+              hostPort: 7867
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /nextcloud
               name: nextcloud-aio-nextcloud

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-service.yaml

@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-notify-push
   name: nextcloud-aio-notify-push
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "7867"

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-onlyoffice
   name: nextcloud-aio-onlyoffice
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,8 +17,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-onlyoffice
@@ -42,10 +43,12 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20230626_101439-latest
+          image: nextcloud/aio-onlyoffice:20230817_065941-latest
           name: nextcloud-aio-onlyoffice
           ports:
             - containerPort: 80
+              hostPort: 80
+              protocol: TCP
           volumeMounts:
             - mountPath: /var/lib/onlyoffice
               name: nextcloud-aio-onlyoffice

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-onlyoffice
   name: nextcloud-aio-onlyoffice
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-onlyoffice
   name: nextcloud-aio-onlyoffice
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "80"

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -2,11 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-redis
   name: nextcloud-aio-redis
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -15,8 +16,8 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-redis
@@ -37,10 +38,14 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20230626_101439-latest
+          image: nextcloud/aio-redis:20230817_065941-latest
           name: nextcloud-aio-redis
           ports:
             - containerPort: 6379
+              hostPort: 6379
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
           volumeMounts:
             - mountPath: /data
               name: nextcloud-aio-redis

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-persistentvolumeclaim.yaml

@@ -4,6 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-redis
   name: nextcloud-aio-redis
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-service.yaml

@@ -2,11 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-redis
   name: nextcloud-aio-redis
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "6379"

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk
   name: nextcloud-aio-talk
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,12 +17,34 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-talk
     spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-talk-tmpfs0
+            - /nextcloud-aio-talk-tmpfs1
+            - /nextcloud-aio-talk-tmpfs2
+            - /nextcloud-aio-talk-tmpfs3
+            - /nextcloud-aio-talk-tmpfs4
+          volumeMounts:
+            - name: nextcloud-aio-talk-tmpfs4
+              mountPath: /nextcloud-aio-talk-tmpfs4
+            - name: nextcloud-aio-talk-tmpfs3
+              mountPath: /nextcloud-aio-talk-tmpfs3
+            - name: nextcloud-aio-talk-tmpfs2
+              mountPath: /nextcloud-aio-talk-tmpfs2
+            - name: nextcloud-aio-talk-tmpfs1
+              mountPath: /nextcloud-aio-talk-tmpfs1
+            - name: nextcloud-aio-talk-tmpfs0
+              mountPath: /nextcloud-aio-talk-tmpfs0
       containers:
         - env:
             - name: INTERNAL_SECRET
@@ -36,11 +59,40 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20230626_101439-latest
+          image: nextcloud/aio-talk:20230817_065941-latest
           name: nextcloud-aio-talk
           ports:
             - containerPort: {{ .Values.TALK_PORT }}
+              hostPort: {{ .Values.TALK_PORT }}
+              protocol: TCP
             - containerPort: {{ .Values.TALK_PORT }}
+              hostPort: {{ .Values.TALK_PORT }}
               protocol: UDP
             - containerPort: 8081
+              hostPort: 8081
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /var/log/supervisord
+              name: nextcloud-aio-talk-tmpfs0
+            - mountPath: /var/run/supervisord
+              name: nextcloud-aio-talk-tmpfs1
+            - mountPath: /conf
+              name: nextcloud-aio-talk-tmpfs2
+            - mountPath: /var/lib/turn
+              name: nextcloud-aio-talk-tmpfs3
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-tmpfs4
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs1
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs2
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs3
+        - emptyDir: {}
+          name: nextcloud-aio-talk-tmpfs4
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -3,11 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk-recording
   name: nextcloud-aio-talk-recording
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   replicas: 1
   selector:
@@ -16,12 +17,25 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml
-        kompose.version: 1.28.0 (c4137012e)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+        kompose.version: 1.30.0 (9d8dcb518)
       labels:
         io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-talk-recording
     spec:
+      initContainers:
+        - name: init-volumes
+          image: alpine
+          command:
+            - chmod
+            - "777"
+            - /nextcloud-aio-talk-recording-tmpfs0
+            - /nextcloud-aio-talk-recording-tmpfs1
+          volumeMounts:
+            - name: nextcloud-aio-talk-recording-tmpfs1
+              mountPath: /nextcloud-aio-talk-recording-tmpfs1
+            - name: nextcloud-aio-talk-recording-tmpfs0
+              mountPath: /nextcloud-aio-talk-recording-tmpfs0
       containers:
         - env:
             - name: INTERNAL_SECRET
@@ -32,8 +46,22 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk-recording:20230626_101439-latest
+          image: nextcloud/aio-talk-recording:20230817_065941-latest
           name: nextcloud-aio-talk-recording
           ports:
             - containerPort: 1234
+              hostPort: 1234
+              protocol: TCP
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - mountPath: /tmp
+              name: nextcloud-aio-talk-recording-tmpfs0
+            - mountPath: /conf
+              name: nextcloud-aio-talk-recording-tmpfs1
+      volumes:
+        - emptyDir: {}
+          name: nextcloud-aio-talk-recording-tmpfs0
+        - emptyDir: {}
+          name: nextcloud-aio-talk-recording-tmpfs1
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-service.yaml

@@ -3,11 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk-recording
   name: nextcloud-aio-talk-recording
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "1234"

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-service.yaml

@@ -4,11 +4,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk
   name: nextcloud-aio-talk-public
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   type: LoadBalancer
   ports:
@@ -26,11 +27,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml
-    kompose.version: 1.28.0 (c4137012e)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
+    kompose.version: 1.30.0 (9d8dcb518)
   labels:
     io.kompose.service: nextcloud-aio-talk
   name: nextcloud-aio-talk
+  namespace: {{ .Values.NAMESPACE }}
 spec:
   ports:
     - name: "8081"

nextcloud-aio-helm-chart/update-helm.sh

@@ -15,6 +15,9 @@ curl -L https://github.com/kubernetes/kompose/releases/download/"$LATEST_KOMPOSE
 chmod +x kompose
 sudo mv ./kompose /usr/local/bin/kompose
 
+# Install yq
+snap install yq
+
 set -ex
 
 # Conversion of docker-compose
@@ -39,11 +42,14 @@ sed -i "/^volumes:/a\ \ nextcloud_aio_nextcloud_trusted_cacerts:\n \ \ \ \ name:
 sed -i "s|\${NEXTCLOUD_TRUSTED_CACERTS_DIR}:|nextcloud_aio_nextcloud_trusted_cacerts:|g#" latest.yml
 sed -i 's|\${|{{ .Values.|g' latest.yml
 sed -i 's|}| }}|g' latest.yml
+yq -i 'del(.services.[].profiles)' latest.yml
 cat latest.yml
-kompose convert -c -f latest.yml
+kompose convert -c -f latest.yml --namespace nextcloud-aio-namespace
 cd latest
 
-mv ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ./templates/nextcloud-aio-networkpolicy.yaml
+if [ -f ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ]; then
+    mv ./templates/manual-install-nextcloud-aio-networkpolicy.yaml ./templates/nextcloud-aio-networkpolicy.yaml
+fi
 # shellcheck disable=SC1083
 find ./ -name '*networkpolicy.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
 cat << EOL > /tmp/initcontainers
@@ -109,6 +115,8 @@ for variable in "${DEPLOYMENTS[@]}"; do
     fi
 done
 # shellcheck disable=SC1083
+find ./ -name '*.yaml' -exec sed -i "s|nextcloud-aio-namespace|\{\{ .Values.NAMESPACE \}\}|" \{} \; 
+# shellcheck disable=SC1083
 find ./ -name '*service.yaml' -exec sed -i "/^status:/,$ d" \{} \; 
 # shellcheck disable=SC1083
 find ./ -name '*deployment.yaml' -exec sed -i "s|manual-install-nextcloud-aio|nextcloud-aio|" \{} \; 
@@ -147,7 +155,7 @@ for port in "${INTERNAL_TALK_PORTS[@]}"; do
 done
 echo '---' >>  /tmp/talk-service.copy
 # shellcheck disable=SC1083
-find ./ -name '*talk-service.yaml' -exec grep -v '{{ .Values.*}}\|protocol: UDP\|type: LoadBalancer' \{} \; >> /tmp/talk-service.copy
+find ./ -name '*talk-service.yaml' -exec grep -v '{{ .Values.TALK.*}}\|protocol: UDP\|type: LoadBalancer' \{} \; >> /tmp/talk-service.copy
 # shellcheck disable=SC1083
 find ./ -name '*talk-service.yaml' -exec mv /tmp/talk-service.copy \{} \;
 # shellcheck disable=SC1083
@@ -197,6 +205,9 @@ sed -i '/_ENABLED.*/s/ yes / "yes" /' /tmp/sample.conf
 sed -i '/_ENABLED.*/s/ no / "no" /' /tmp/sample.conf
 sed -i 's|^NEXTCLOUD_TRUSTED_CACERTS_DIR: .*|NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to automatically import root certificates into the Nextcloud container|' /tmp/sample.conf
 sed -i 's|10737418240|"10737418240"|' /tmp/sample.conf
+# shellcheck disable=SC2129
+echo "NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster" >> /tmp/sample.conf
+# shellcheck disable=SC2129
 echo "" >> /tmp/sample.conf
 # shellcheck disable=SC2129
 echo 'STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes' >> /tmp/sample.conf

nextcloud-aio-helm-chart/values.yaml

@@ -31,6 +31,7 @@ NEXTCLOUD_TRUSTED_CACERTS_DIR:        # Setting this to any value allows to auto
 NEXTCLOUD_UPLOAD_LIMIT: 10G          # This allows to change the upload limit of the Nextcloud container
 TALK_PORT: 3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS: no          # When setting to yes (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
+NAMESPACE: default        # By changing this, you can adjust the namespace of the installation which allows to install multiple instances on one kubernetes cluster
 
 STORAGE_CLASS:        # By setting this, you can adjust the storage class for your volumes
 APACHE_STORAGE_SIZE: 1Gi       # You can change the size of the apache volume that default to 1Gi with this value

php/composer.lock

@@ -8,22 +8,22 @@
     "packages": [
         {
             "name": "guzzlehttp/guzzle",
-            "version": "7.7.0",
+            "version": "7.8.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/guzzle.git",
-                "reference": "fb7566caccf22d74d1ab270de3551f72a58399f5"
+                "reference": "1110f66a6530a40fe7aea0378fe608ee2b2248f9"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/fb7566caccf22d74d1ab270de3551f72a58399f5",
-                "reference": "fb7566caccf22d74d1ab270de3551f72a58399f5",
+                "url": "https://api.github.com/repos/guzzle/guzzle/zipball/1110f66a6530a40fe7aea0378fe608ee2b2248f9",
+                "reference": "1110f66a6530a40fe7aea0378fe608ee2b2248f9",
                 "shasum": ""
             },
             "require": {
                 "ext-json": "*",
-                "guzzlehttp/promises": "^1.5.3 || ^2.0",
-                "guzzlehttp/psr7": "^1.9.1 || ^2.4.5",
+                "guzzlehttp/promises": "^1.5.3 || ^2.0.1",
+                "guzzlehttp/psr7": "^1.9.1 || ^2.5.1",
                 "php": "^7.2.5 || ^8.0",
                 "psr/http-client": "^1.0",
                 "symfony/deprecation-contracts": "^2.2 || ^3.0"
@@ -114,7 +114,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/guzzle/issues",
-                "source": "https://github.com/guzzle/guzzle/tree/7.7.0"
+                "source": "https://github.com/guzzle/guzzle/tree/7.8.0"
             },
             "funding": [
                 {
@@ -130,20 +130,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-05-21T14:04:53+00:00"
+            "time": "2023-08-27T10:20:53+00:00"
         },
         {
             "name": "guzzlehttp/promises",
-            "version": "2.0.0",
+            "version": "2.0.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/promises.git",
-                "reference": "3a494dc7dc1d7d12e511890177ae2d0e6c107da6"
+                "reference": "111166291a0f8130081195ac4556a5587d7f1b5d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/promises/zipball/3a494dc7dc1d7d12e511890177ae2d0e6c107da6",
-                "reference": "3a494dc7dc1d7d12e511890177ae2d0e6c107da6",
+                "url": "https://api.github.com/repos/guzzle/promises/zipball/111166291a0f8130081195ac4556a5587d7f1b5d",
+                "reference": "111166291a0f8130081195ac4556a5587d7f1b5d",
                 "shasum": ""
             },
             "require": {
@@ -197,7 +197,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/promises/issues",
-                "source": "https://github.com/guzzle/promises/tree/2.0.0"
+                "source": "https://github.com/guzzle/promises/tree/2.0.1"
             },
             "funding": [
                 {
@@ -213,20 +213,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-05-21T13:50:22+00:00"
+            "time": "2023-08-03T15:11:55+00:00"
         },
         {
             "name": "guzzlehttp/psr7",
-            "version": "2.5.0",
+            "version": "2.6.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/guzzle/psr7.git",
-                "reference": "b635f279edd83fc275f822a1188157ffea568ff6"
+                "reference": "be45764272e8873c72dbe3d2edcfdfcc3bc9f727"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/guzzle/psr7/zipball/b635f279edd83fc275f822a1188157ffea568ff6",
-                "reference": "b635f279edd83fc275f822a1188157ffea568ff6",
+                "url": "https://api.github.com/repos/guzzle/psr7/zipball/be45764272e8873c72dbe3d2edcfdfcc3bc9f727",
+                "reference": "be45764272e8873c72dbe3d2edcfdfcc3bc9f727",
                 "shasum": ""
             },
             "require": {
@@ -313,7 +313,7 @@
             ],
             "support": {
                 "issues": "https://github.com/guzzle/psr7/issues",
-                "source": "https://github.com/guzzle/psr7/tree/2.5.0"
+                "source": "https://github.com/guzzle/psr7/tree/2.6.1"
             },
             "funding": [
                 {
@@ -329,7 +329,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-04-17T16:11:26+00:00"
+            "time": "2023-08-27T10:13:57+00:00"
         },
         {
             "name": "http-interop/http-factory-guzzle",
@@ -461,16 +461,16 @@
         },
         {
             "name": "laravel/serializable-closure",
-            "version": "v1.3.0",
+            "version": "v1.3.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/laravel/serializable-closure.git",
-                "reference": "f23fe9d4e95255dacee1bf3525e0810d1a1b0f37"
+                "reference": "e5a3057a5591e1cfe8183034b0203921abe2c902"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/f23fe9d4e95255dacee1bf3525e0810d1a1b0f37",
-                "reference": "f23fe9d4e95255dacee1bf3525e0810d1a1b0f37",
+                "url": "https://api.github.com/repos/laravel/serializable-closure/zipball/e5a3057a5591e1cfe8183034b0203921abe2c902",
+                "reference": "e5a3057a5591e1cfe8183034b0203921abe2c902",
                 "shasum": ""
             },
             "require": {
@@ -517,7 +517,7 @@
                 "issues": "https://github.com/laravel/serializable-closure/issues",
                 "source": "https://github.com/laravel/serializable-closure"
             },
-            "time": "2023-01-30T18:31:20+00:00"
+            "time": "2023-07-14T13:56:28+00:00"
         },
         {
             "name": "nikic/fast-route",
@@ -626,16 +626,16 @@
         },
         {
             "name": "php-di/php-di",
-            "version": "7.0.3",
+            "version": "7.0.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHP-DI/PHP-DI.git",
-                "reference": "d5dad2500f409d8b78371823c8b382fe9b5d0917"
+                "reference": "9ea40a5a6970bf1ca5cbe148bc16cbad6ca3db6c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/d5dad2500f409d8b78371823c8b382fe9b5d0917",
-                "reference": "d5dad2500f409d8b78371823c8b382fe9b5d0917",
+                "url": "https://api.github.com/repos/PHP-DI/PHP-DI/zipball/9ea40a5a6970bf1ca5cbe148bc16cbad6ca3db6c",
+                "reference": "9ea40a5a6970bf1ca5cbe148bc16cbad6ca3db6c",
                 "shasum": ""
             },
             "require": {
@@ -683,7 +683,7 @@
             ],
             "support": {
                 "issues": "https://github.com/PHP-DI/PHP-DI/issues",
-                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.3"
+                "source": "https://github.com/PHP-DI/PHP-DI/tree/7.0.5"
             },
             "funding": [
                 {
@@ -695,7 +695,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-06-17T10:21:14+00:00"
+            "time": "2023-08-10T14:57:56+00:00"
         },
         {
             "name": "php-di/slim-bridge",
@@ -1218,16 +1218,16 @@
         },
         {
             "name": "slim/slim",
-            "version": "4.11.0",
+            "version": "4.12.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/slimphp/Slim.git",
-                "reference": "b0f4ca393ea037be9ac7292ba7d0a34d18bac0c7"
+                "reference": "e9e99c2b24398b967841c6c4c3048622cc7e2b18"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/slimphp/Slim/zipball/b0f4ca393ea037be9ac7292ba7d0a34d18bac0c7",
-                "reference": "b0f4ca393ea037be9ac7292ba7d0a34d18bac0c7",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/e9e99c2b24398b967841c6c4c3048622cc7e2b18",
+                "reference": "e9e99c2b24398b967841c6c4c3048622cc7e2b18",
                 "shasum": ""
             },
             "require": {
@@ -1236,26 +1236,26 @@
                 "php": "^7.4 || ^8.0",
                 "psr/container": "^1.0 || ^2.0",
                 "psr/http-factory": "^1.0",
-                "psr/http-message": "^1.0",
+                "psr/http-message": "^1.1",
                 "psr/http-server-handler": "^1.0",
                 "psr/http-server-middleware": "^1.0",
                 "psr/log": "^1.1 || ^2.0 || ^3.0"
             },
             "require-dev": {
-                "adriansuter/php-autoload-override": "^1.3",
+                "adriansuter/php-autoload-override": "^1.4",
                 "ext-simplexml": "*",
-                "guzzlehttp/psr7": "^2.4",
-                "httpsoft/http-message": "^1.0",
-                "httpsoft/http-server-request": "^1.0",
+                "guzzlehttp/psr7": "^2.5",
+                "httpsoft/http-message": "^1.1",
+                "httpsoft/http-server-request": "^1.1",
                 "laminas/laminas-diactoros": "^2.17",
-                "nyholm/psr7": "^1.5",
+                "nyholm/psr7": "^1.8",
                 "nyholm/psr7-server": "^1.0",
-                "phpspec/prophecy": "^1.15",
+                "phpspec/prophecy": "^1.17",
                 "phpspec/prophecy-phpunit": "^2.0",
-                "phpstan/phpstan": "^1.8",
-                "phpunit/phpunit": "^9.5",
-                "slim/http": "^1.2",
-                "slim/psr7": "^1.5",
+                "phpstan/phpstan": "^1.10",
+                "phpunit/phpunit": "^9.6",
+                "slim/http": "^1.3",
+                "slim/psr7": "^1.6",
                 "squizlabs/php_codesniffer": "^3.7"
             },
             "suggest": {
@@ -1329,7 +1329,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-11-06T16:33:39+00:00"
+            "time": "2023-07-23T04:54:29+00:00"
         },
         {
             "name": "slim/twig-view",
@@ -1465,16 +1465,16 @@
         },
         {
             "name": "symfony/polyfill-ctype",
-            "version": "v1.27.0",
+            "version": "v1.28.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-ctype.git",
-                "reference": "5bbc823adecdae860bb64756d639ecfec17b050a"
+                "reference": "ea208ce43cbb04af6867b4fdddb1bdbf84cc28cb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/5bbc823adecdae860bb64756d639ecfec17b050a",
-                "reference": "5bbc823adecdae860bb64756d639ecfec17b050a",
+                "url": "https://api.github.com/repos/symfony/polyfill-ctype/zipball/ea208ce43cbb04af6867b4fdddb1bdbf84cc28cb",
+                "reference": "ea208ce43cbb04af6867b4fdddb1bdbf84cc28cb",
                 "shasum": ""
             },
             "require": {
@@ -1489,7 +1489,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.27-dev"
+                    "dev-main": "1.28-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -1527,7 +1527,7 @@
                 "portable"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.27.0"
+                "source": "https://github.com/symfony/polyfill-ctype/tree/v1.28.0"
             },
             "funding": [
                 {
@@ -1543,20 +1543,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-11-03T14:55:06+00:00"
+            "time": "2023-01-26T09:26:14+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.27.0",
+            "version": "v1.28.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "8ad114f6b39e2c98a8b0e3bd907732c207c2b534"
+                "reference": "42292d99c55abe617799667f454222c54c60e229"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/8ad114f6b39e2c98a8b0e3bd907732c207c2b534",
-                "reference": "8ad114f6b39e2c98a8b0e3bd907732c207c2b534",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/42292d99c55abe617799667f454222c54c60e229",
+                "reference": "42292d99c55abe617799667f454222c54c60e229",
                 "shasum": ""
             },
             "require": {
@@ -1571,7 +1571,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.27-dev"
+                    "dev-main": "1.28-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -1610,7 +1610,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.27.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.28.0"
             },
             "funding": [
                 {
@@ -1626,20 +1626,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-11-03T14:55:06+00:00"
+            "time": "2023-07-28T09:04:16+00:00"
         },
         {
             "name": "symfony/polyfill-php81",
-            "version": "v1.27.0",
+            "version": "v1.28.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-php81.git",
-                "reference": "707403074c8ea6e2edaf8794b0157a0bfa52157a"
+                "reference": "7581cd600fa9fd681b797d00b02f068e2f13263b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-php81/zipball/707403074c8ea6e2edaf8794b0157a0bfa52157a",
-                "reference": "707403074c8ea6e2edaf8794b0157a0bfa52157a",
+                "url": "https://api.github.com/repos/symfony/polyfill-php81/zipball/7581cd600fa9fd681b797d00b02f068e2f13263b",
+                "reference": "7581cd600fa9fd681b797d00b02f068e2f13263b",
                 "shasum": ""
             },
             "require": {
@@ -1648,7 +1648,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-main": "1.27-dev"
+                    "dev-main": "1.28-dev"
                 },
                 "thanks": {
                     "name": "symfony/polyfill",
@@ -1689,7 +1689,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-php81/tree/v1.27.0"
+                "source": "https://github.com/symfony/polyfill-php81/tree/v1.28.0"
             },
             "funding": [
                 {
@@ -1705,20 +1705,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2022-11-03T14:55:06+00:00"
+            "time": "2023-01-26T09:26:14+00:00"
         },
         {
             "name": "twig/twig",
-            "version": "v3.6.1",
+            "version": "v3.7.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/twigphp/Twig.git",
-                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd"
+                "reference": "a0ce373a0ca3bf6c64b9e3e2124aca502ba39554"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/twigphp/Twig/zipball/7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
-                "reference": "7e7d5839d4bec168dfeef0ac66d5c5a2edbabffd",
+                "url": "https://api.github.com/repos/twigphp/Twig/zipball/a0ce373a0ca3bf6c64b9e3e2124aca502ba39554",
+                "reference": "a0ce373a0ca3bf6c64b9e3e2124aca502ba39554",
                 "shasum": ""
             },
             "require": {
@@ -1728,7 +1728,7 @@
             },
             "require-dev": {
                 "psr/container": "^1.0|^2.0",
-                "symfony/phpunit-bridge": "^4.4.9|^5.0.9|^6.0"
+                "symfony/phpunit-bridge": "^5.4.9|^6.3"
             },
             "type": "library",
             "autoload": {
@@ -1764,7 +1764,7 @@
             ],
             "support": {
                 "issues": "https://github.com/twigphp/Twig/issues",
-                "source": "https://github.com/twigphp/Twig/tree/v3.6.1"
+                "source": "https://github.com/twigphp/Twig/tree/v3.7.1"
             },
             "funding": [
                 {
@@ -1776,7 +1776,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2023-06-08T12:52:13+00:00"
+            "time": "2023-08-28T11:09:02+00:00"
         }
     ],
     "packages-dev": [],

php/containers-schema.json

@@ -96,6 +96,10 @@
 							"pattern": "^[A-Z_]+$"
 						}
 					},
+					"image_tag": {
+						"type": "string",
+						"pattern": "^[a-z0-9.-]+$"
+					},
 					"devices": {
 						"type": "array",
 						"items": {
@@ -137,11 +141,14 @@
 					"read_only": {
 						"type": "boolean"
 					},
+					"init": {
+						"type": "boolean"
+					},
 					"tmpfs": {
 						"type": "array",
 						"items": {
 							"type": "string",
-							"pattern": "^/[a-z/_0-9-]+$"
+							"pattern": "^/[a-z/_0-9-:]+$"
 						}
 					},
 					"volumes": {

php/containers.json

@@ -11,6 +11,7 @@
       ],
       "display_name": "Apache",
       "image": "nextcloud/aio-apache",
+      "init": true,
       "ports": [
         {
           "ip_binding": "%APACHE_IP_BINDING%",
@@ -69,6 +70,7 @@
       "container_name": "nextcloud-aio-database",
       "display_name": "Database",
       "image": "nextcloud/aio-postgresql",
+      "init": true,
       "expose": [
         "5432"
       ],
@@ -118,10 +120,12 @@
         "nextcloud-aio-clamav",
         "nextcloud-aio-fulltextsearch",
         "nextcloud-aio-talk-recording",
-        "nextcloud-aio-imaginary"
+        "nextcloud-aio-imaginary",
+        "nextcloud-aio-docker-socket-proxy"
       ],
       "display_name": "Nextcloud",
       "image": "nextcloud/aio-nextcloud",
+      "init": true,
       "expose": [
         "9000"
       ],
@@ -131,7 +135,8 @@
         "REDIS_PASSWORD",
         "NEXTCLOUD_PASSWORD",
         "TURN_SECRET",
-        "SIGNALING_SECRET"
+        "SIGNALING_SECRET",
+        "FULLTEXTSEARCH_PASSWORD"
       ],
       "volumes": [
         {
@@ -198,7 +203,9 @@
         "INSTALL_LATEST_MAJOR=%INSTALL_LATEST_MAJOR%",
         "TALK_RECORDING_ENABLED=%TALK_RECORDING_ENABLED%",
         "RECORDING_SECRET=%RECORDING_SECRET%",
-        "TALK_RECORDING_HOST=nextcloud-aio-talk-recording"
+        "TALK_RECORDING_HOST=nextcloud-aio-talk-recording",
+        "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%",
+        "DOCKER_SOCKET_PROXY_ENABLED=%DOCKER_SOCKET_PROXY_ENABLED%"
       ],
       "restart": "unless-stopped",
       "devices": [
@@ -209,12 +216,16 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "tmpfs": [
+        "/tmp:exec"
       ]
     },
     {
       "container_name": "nextcloud-aio-notify-push",
       "display_name": "Notify Push",
       "image": "nextcloud/aio-notify-push",
+      "init": true,
       "expose": [
         "7867"
       ],
@@ -250,6 +261,7 @@
       "container_name": "nextcloud-aio-redis",
       "display_name": "Redis",
       "image": "nextcloud/aio-redis",
+      "init": true,
       "expose": [
         "6379"
       ],
@@ -280,6 +292,7 @@
       "container_name": "nextcloud-aio-collabora",
       "display_name": "Collabora",
       "image": "nextcloud/aio-collabora",
+      "init": true,
       "expose": [
         "9980"
       ],
@@ -294,7 +307,7 @@
       ],
       "restart": "unless-stopped",
       "nextcloud_exec_commands": [
-        "echo 'Activating collabora config...'",
+        "echo 'Activating Collabora config...'",
         "php /var/www/html/occ richdocuments:activate-config"
       ],
       "profiles": [
@@ -308,6 +321,7 @@
       "container_name": "nextcloud-aio-talk",
       "display_name": "Talk",
       "image": "nextcloud/aio-talk",
+      "init": true,
       "ports": [
         {
           "ip_binding": "",
@@ -349,8 +363,8 @@
       "tmpfs": [
         "/var/log/supervisord",
         "/var/run/supervisord",
+        "/opt/eturnal/run",
         "/conf",
-        "/var/lib/turn",
         "/tmp"
       ]
     },
@@ -358,6 +372,7 @@
       "container_name": "nextcloud-aio-talk-recording",
       "display_name": "Talk Recording",
       "image": "nextcloud/aio-talk-recording",
+      "init": true,
       "expose": [
         "1234"
       ],
@@ -389,6 +404,7 @@
     {
       "container_name": "nextcloud-aio-borgbackup",
       "image": "nextcloud/aio-borgbackup",
+      "init": true,
       "environment": [
         "BORG_PASSWORD=%BORGBACKUP_PASSWORD%",
         "BORG_MODE=%BORGBACKUP_MODE%",
@@ -450,6 +466,7 @@
     {
       "container_name": "nextcloud-aio-watchtower",
       "image": "nextcloud/aio-watchtower",
+      "init": true,
       "environment": [
         "CONTAINER_TO_UPDATE=nextcloud-aio-mastercontainer"
       ],
@@ -465,6 +482,7 @@
     {
       "container_name": "nextcloud-aio-domaincheck",
       "image": "nextcloud/aio-domaincheck",
+      "init": true,
       "ports": [
         {
           "ip_binding": "%APACHE_IP_BINDING%",
@@ -472,6 +490,7 @@
           "protocol": "tcp"
         }
       ],
+      "internal_port": "%APACHE_PORT%",
       "environment": [
         "INSTANCE_ID=%INSTANCE_ID%",
         "APACHE_PORT=%APACHE_PORT%"
@@ -490,6 +509,7 @@
       "container_name": "nextcloud-aio-clamav",
       "display_name": "ClamAV",
       "image": "nextcloud/aio-clamav",
+      "init": true,
       "expose": [
         "3310"
       ],
@@ -523,6 +543,7 @@
       "container_name": "nextcloud-aio-onlyoffice",
       "display_name": "OnlyOffice",
       "image": "nextcloud/aio-onlyoffice",
+      "init": true,
       "expose": [
         "80"
       ],
@@ -544,6 +565,10 @@
         "ONLYOFFICE_SECRET"
       ],
       "restart": "unless-stopped",
+      "nextcloud_exec_commands": [
+        "echo 'Activating OnlyOffice config...'",
+        "php /var/www/html/occ onlyoffice:documentserver --check"
+      ],
       "profiles": [
         "onlyoffice"
       ],
@@ -555,6 +580,7 @@
       "container_name": "nextcloud-aio-imaginary",
       "display_name": "Imaginary",
       "image": "nextcloud/aio-imaginary",
+      "init": true,
       "expose": [
         "9000"
       ],
@@ -581,15 +607,22 @@
       "container_name": "nextcloud-aio-fulltextsearch",
       "display_name": "Fulltextsearch",
       "image": "nextcloud/aio-fulltextsearch",
+      "init": false,
       "expose": [
         "9200"
       ],
       "internal_port": "9200",
       "environment": [
         "TZ=%TIMEZONE%",
+        "ES_JAVA_OPTS=-Xms512M -Xmx512M",
+        "bootstrap.memory_lock=true",
+        "cluster.name=nextcloud-aio",
         "discovery.type=single-node",
-        "ES_JAVA_OPTS=-Xms1024M -Xmx1024M",
-        "POSTGRES_HOST=nextcloud-aio-database"
+        "logger.org.elasticsearch.discovery=WARN",
+        "http.port=9200",
+        "xpack.license.self_generated.type=basic",
+        "xpack.security.enabled=false",
+        "FULLTEXTSEARCH_PASSWORD=%FULLTEXTSEARCH_PASSWORD%"
       ],
       "volumes": [
         {
@@ -604,6 +637,31 @@
       ],
       "networks": [
         "nextcloud-aio"
+      ],
+      "secrets": [
+        "FULLTEXTSEARCH_PASSWORD"
+      ]
+    },
+    {
+      "container_name": "nextcloud-aio-docker-socket-proxy",
+      "display_name": "Docker Socket Proxy",
+      "image": "nextcloud/aio-docker-socket-proxy",
+      "init": true,
+      "internal_port": "2375",
+      "environment": [
+        "TZ=%TIMEZONE%"
+      ],
+      "volumes": [
+        {
+          "source": "%WATCHTOWER_DOCKER_SOCKET_PATH%",
+          "destination": "/var/run/docker.sock",
+          "writeable": false
+        }
+      ],
+      "restart": "unless-stopped",
+      "read_only": true,
+      "tmpfs": [
+        "/tmp"
       ]
     }
   ]

php/domain-validator.php

@@ -0,0 +1,19 @@
+<?php
+
+$domain = $_GET['domain'] ?? '';
+
+if (strpos($domain, '.') === false) { 
+    http_response_code(400); 
+} elseif (strpos($domain, '/') !== false) { 
+    http_response_code(400);  
+} elseif (strpos($domain, ':') !== false) { 
+    http_response_code(400);  
+} elseif (!filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) { 
+    http_response_code(400); 
+} elseif (filter_var($domain, FILTER_VALIDATE_IP)) { 
+    http_response_code(400); 
+} else {
+    // Commented because logging is disabled as otherwise all attempts will be logged which spams the logs
+    // error_log($domain . ' was accepted as valid domain.');
+    http_response_code(200);
+}

php/psalm-baseline.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="5.13.1@086b94371304750d1c673315321a55d15fc59015"/>
+<files psalm-version="5.15.0@5c774aca4746caf3d239d9c8cadb9f882ca29352"/>

php/public/disable-docker-socket-proxy.js

@@ -0,0 +1,7 @@
+document.addEventListener("DOMContentLoaded", function(event) {
+    // Docker socket proxy
+    let dockerSocketProxy = document.getElementById("docker-socket-proxy");
+    if (dockerSocketProxy) {
+        dockerSocketProxy.disabled = true;
+    }
+});

php/public/forms.js

@@ -33,8 +33,11 @@ function showPassword(id) {
       disableSpinner()
       showError(xhr.response);
     } else if (xhr.status === 500) {
-      disableSpinner()
-      showError("Server error. Please check the mastercontainer logs for details.");
+      showError("Server error. Please check the mastercontainer logs for details. This page will reload after 10s automatically. Then you can check the mastercontainer logs.");
+      // Reload after 10s since it is expected that the updated view is shown (e.g. after starting containers)
+      setTimeout(function(){
+        window.location.reload(1);
+      }, 10000);
     } else {
       // If the responose is not one of the above, we should reload to show the latest content
       window.location.reload(1);

php/public/index.php

@@ -121,6 +121,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'nextcloud_memory_limit' => $configurationManager->GetNextcloudMemoryLimit(),
         'is_dri_device_enabled' => $configurationManager->isDriDeviceEnabled(),
         'is_talk_recording_enabled' => $configurationManager->isTalkRecordingEnabled(),
+        'is_docker_socket_proxy_enabled' => $configurationManager->isDockerSocketProxyEnabled(),
     ]);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
@@ -176,6 +177,6 @@ $app->get('/', function (\Psr\Http\Message\RequestInterface $request, Response $
     }
 });
 
-$errorMiddleware = $app->addErrorMiddleware(true, true, true);
+$errorMiddleware = $app->addErrorMiddleware(false, true, true);
 
 $app->run();

php/public/options-form-submit.js

@@ -14,6 +14,13 @@ function handleTalkVisibility() {
     }
 }
 
+function handleDockerSocketProxyWarning() {
+    let dockerSocketProxy = document.getElementById("docker-socket-proxy");
+    if (dockerSocketProxy.checked) {
+        alert('⚠️ Warning! Enabling this container comes with possible Security problems since you are exposing the docker socket and all its privileges to the Nextcloud container. Enable this only if you are sure what you are doing!')
+    }
+}
+
 document.addEventListener("DOMContentLoaded", function(event) {
     // handle submit button for options form
     let optionsFormSubmit = document.getElementById("options-form-submit");
@@ -52,4 +59,11 @@ document.addEventListener("DOMContentLoaded", function(event) {
     // Fulltextsearch
     let fulltextsearch = document.getElementById("fulltextsearch");
     fulltextsearch.addEventListener('change', makeOptionsFormSubmitVisible);
+
+    // Docker socket proxy
+    let dockerSocketProxy = document.getElementById("docker-socket-proxy");
+    if (dockerSocketProxy) {
+        dockerSocketProxy.addEventListener('change', makeOptionsFormSubmitVisible);
+        // dockerSocketProxy.addEventListener('change', handleDockerSocketProxyWarning);
+    }
 });

php/public/style.css

@@ -85,7 +85,7 @@ div.toast {
     padding: 12px;
     margin-top: 45px;
     position: fixed;
-    z-index: 1;
+    z-index: 1000;
     border-radius: 3px;
     background: none;
     background-color: white;

php/src/Container/Container.php

@@ -32,6 +32,8 @@ class Container {
     private array $nextcloudExecCommands;
     private bool $readOnlyRootFs;
     private array $tmpfs;
+    private bool $init;
+    private string $imageTag;
     private DockerActionManager $dockerActionManager;
 
     public function __construct(
@@ -54,6 +56,8 @@ class Container {
         array $nextcloudExecCommands,
         bool $readOnlyRootFs,
         array $tmpfs,
+        bool $init,
+        string $imageTag,
         DockerActionManager $dockerActionManager
     ) {
         $this->identifier = $identifier;
@@ -75,6 +79,8 @@ class Container {
         $this->nextcloudExecCommands = $nextcloudExecCommands;
         $this->readOnlyRootFs = $readOnlyRootFs;
         $this->tmpfs = $tmpfs;
+        $this->init = $init;
+        $this->imageTag = $imageTag;
         $this->dockerActionManager = $dockerActionManager;
     }
 
@@ -94,10 +100,18 @@ class Container {
         return $this->restartPolicy;
     }
 
+    public function GetImageTag() : string {
+        return $this->imageTag;
+    }
+
     public function GetReadOnlySetting() : bool {
         return $this->readOnlyRootFs;
     }
 
+    public function GetInit() : bool {
+        return $this->init;
+    }
+
     public function GetShmSize() : int {
         return $this->shmSize;
     }