Merge pull request #3894 from nextcloud/enh/noid/helm-beta

Signed-off-by: Simon L <szaimen@e.mail.de>

.github/dependabot.yml

@@ -165,3 +165,21 @@ updates:
   labels:
   - 3. to review
   - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/notify-push"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies
+- package-ecosystem: "docker"
+  directory: "/Containers/docker-socket-proxy"
+  schedule:
+    interval: "daily"
+    time: "12:00"
+  open-pull-requests-limit: 10
+  labels:
+  - 3. to review
+  - dependencies

.github/release.yml

@@ -0,0 +1,14 @@
+changelog:
+  categories:
+    - title: 🏕 New features and other improvements
+      labels:
+        - enhancement
+    - title: 🐞 Fixed bugs
+      labels:
+        - bug
+    - title: 👒 Updated dependencies
+      labels:
+        - dependencies
+    - title: 📄 Improved documentation
+      labels:
+        - documentation

.github/workflows/codespell.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check spelling
         uses: codespell-project/actions-codespell@v2
         with:

.github/workflows/command-rebase.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -31,7 +31,7 @@ jobs:
           reaction-type: "+1"
 
       - name: Checkout the latest code
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@v4 # v3.5.2
         with:
           fetch-depth: 0
           token: ${{ secrets.COMMAND_BOT_PAT }}
@@ -42,7 +42,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}

.github/workflows/community-containers.yml

@@ -0,0 +1,37 @@
+name: Validate community containers
+
+on:
+  pull_request:
+    paths:
+      - 'community-containers/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'community-containers/**'
+
+jobs:
+  validator-community-containers:
+    name: Validate community containers
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Validate structure
+        run: |
+          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
+          mapfile -t CONTAINERS <<< "$CONTAINERS"
+          for container in "${CONTAINERS[@]}"; do
+            container="$(echo "$container" | sed 's|./community-containers/||')"
+            if ! [ -f ./community-containers/"$container"/"$container.json" ]; then
+                echo ".json file must be named like its parent folder $container"
+                FAIL=1
+            fi
+            if ! [ -f ./community-containers/"$container"/readme.md ]; then
+                echo "There must be a readme.md file in the folder!"
+                FAIL=1
+            fi
+            if [ -n "$FAIL" ]; then
+                exit 1
+            fi
+          done

.github/workflows/dependency-updates.yml

@@ -10,7 +10,7 @@ jobs:
     name: Run dependency update script
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: shivammathur/setup-php@v2
       with:
         php-version: 8.2

.github/workflows/docker-lint.yml

@@ -25,30 +25,22 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Install npm and dockerfilelint
+      - name: Install hadolint
         run: |
-          sudo apt-get update
-          sudo apt-get install nodejs npm -y --no-install-recommends
-          npm install -g dockerfilelint
-          wget https://github.com/replicatedhq/dockerfilelint/pull/184.patch -O /usr/local/lib/node_modules/dockerfilelint/184.patch
-          CURRENT_DIR=$PWD
-          cd /usr/local/lib/node_modules/dockerfilelint/
-          git apply 184.patch
-          cd $CURRENT_DIR
-          cat << RULES > ./.dockerfilelintrc
-          rules:
-            sudo_usage: off
-          RULES
+          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
+          sudo chmod +x /usr/bin/hadolint
 
       - name: run lint
         run: |
           DOCKERFILES="$(find ./Containers -name Dockerfile)"
           mapfile -t DOCKERFILES <<< "$DOCKERFILES"
           for file in "${DOCKERFILES[@]}"; do
-            dockerfilelint "$file" --config ./ | tee -a ./dockerfilelint.log
+            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
+            # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
+            hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
           done
-          if grep "^Issues: [0-9]" ./dockerfilelint.log; then
+          if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
             exit 1
           fi

.github/workflows/helm-release.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Turnstyle
         uses: softprops/turnstyle@v1

.github/workflows/imaginary-update.yml

@@ -10,7 +10,7 @@ jobs:
     name: update to latest imaginary commit on master branch
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Run imaginary-update
       run: |
         # Imaginary

.github/workflows/json-validator.yml

@@ -16,10 +16,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Validate Json
         run: |
           sudo apt-get update
           sudo apt-get install python3-pip -y --no-install-recommends
           sudo pip3 install json-spec
-          json validate --schema-file=php/containers-schema.json --document-file=php/containers.json
+          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
+            exit 1
+          fi
+          JSON_FILES="$(find ./community-containers -name '*.json')"
+          mapfile -t JSON_FILES <<< "$JSON_FILES"
+          for file in "${JSON_FILES[@]}"; do
+            json validate --schema-file=php/containers-schema.json --document-file="$file" 2>&1 | tee -a ./json-validator.log
+          done
+          if grep -q "document does not validate with schema." ./json-validator.log; then
+            exit 1
+          fi

.github/workflows/lint-helm.yml

@@ -0,0 +1,35 @@
+name: Lint and Test Charts
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'nextcloud-aio-helm-chart/**'
+
+jobs:
+  lint-helm:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+        with:
+          version: v3.11.1
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.1
+
+      - name: Run chart-testing (lint)
+        id: lint
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.8.0
+
+      - name: Run chart-testing (install)
+        id: install
+        run: ct install --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart

.github/workflows/lint-php.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@v4 # v3.5.2
 
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2

.github/workflows/lock-threads.yml

@@ -14,7 +14,7 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v4
+      - uses: dessant/lock-threads@v5
         with: 
           issue-inactive-days: '14'
           process-only: 'issues'

.github/workflows/nextcloud-update.yml

@@ -11,7 +11,7 @@ jobs:
     name: Run nextcloud-update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Run nextcloud-update script
       run: |
         # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -63,14 +63,16 @@ jobs:
         # Nextcloud
         NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
         NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
-        sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
+        if [ -n "$NCVERSION" ]; then
+          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
+        fi
 
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v5
       with:
         commit-message: nextcloud-update automated change
         signoff: true
-        title: Nextcloud update
+        title: Nextcloud dependency update
         body: Automated Nextcloud container update
         labels: dependencies, 3. to review
         milestone: next

.github/workflows/php-deprecation-detector.yml

@@ -16,7 +16,7 @@ jobs:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up php8.2
         uses: shivammathur/setup-php@v2
         with:

.github/workflows/psalm-update-baseline.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up php8.2
         uses: shivammathur/setup-php@v2

.github/workflows/psalm.yml

@@ -26,7 +26,7 @@ jobs:
     name: Nextcloud
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@v4 # v3.5.2
 
       - name: Set up php
         uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2

.github/workflows/shellcheck.yml

@@ -15,7 +15,7 @@ jobs:
     name: Check Shell
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Run Shellcheck
       uses: ludeeus/action-shellcheck@2.0.0
       with:

.github/workflows/talk.yml

@@ -10,19 +10,19 @@ jobs:
     name: update talk
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - name: Run talk-update
+    - uses: actions/checkout@v4
+    - name: Run talk-container-update
       run: |
-        # Spreed
-        spreed_version="$(
-          git ls-remote https://github.com/nextcloud/spreed v*.*.* \
+        # Recording
+        recording_version="$(
+          git ls-remote https://github.com/nextcloud/nextcloud-talk-recording v* \
             | cut -d/ -f3 \
             | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+            | grep -E "^v[0-9\.]+$" \
             | tail -1
         )"
-        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $spreed_version|" ./Containers/talk-recording/Dockerfile
-        curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/talk-recording/recording.conf
+        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $recording_version|" ./Containers/talk-recording/Dockerfile
+        curl -L "https://raw.githubusercontent.com/nextcloud/nextcloud-talk-recording/$recording_version/server.conf.in" -o Containers/talk-recording/recording.conf
         
         # Signaling
         signaling_version="$(
@@ -49,7 +49,7 @@ jobs:
       with:
         commit-message: talk-update automated change
         signoff: true
-        title: talk update
+        title: talk container update
         body: Automated talk container update
         labels: dependencies, 3. to review
         milestone: next

.github/workflows/twig-lint.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@v2

.github/workflows/update-helm.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: update helm chart
         run: |
           DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20' | sort -r | head -1)"

.github/workflows/update-yaml.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: update yaml files
         run: |
           sudo bash manual-install/update-yaml.sh

Containers/apache/Dockerfile

@@ -1,6 +1,6 @@
-FROM caddy:2.7.2-alpine as caddy
+FROM caddy:2.7.5-alpine as caddy
 
-FROM httpd:2.4.57-alpine3.18
+FROM httpd:2.4.58-alpine3.18
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 
@@ -30,6 +30,7 @@ RUN set -ex; \
         tzdata \
         ca-certificates \
         openssl \
+        bind-tools \
         netcat-openbsd; \
     \
     sed -i \

Containers/apache/healthcheck.sh

@@ -3,4 +3,7 @@
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z localhost 8000 || exit 1
 nc -z localhost "$APACHE_PORT" || exit 1
-nc -z "$NC_DOMAIN" 443 || exit 1
+if ! nc -z "$NC_DOMAIN" 443; then
+    echo "Could not reach $NC_DOMAIN on port 443."
+    exit 1
+fi

Containers/apache/nextcloud.conf

@@ -49,4 +49,7 @@ Listen 8000
 
     # See https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxytimeout
     ProxyTimeout ${APACHE_MAX_TIME}
+
+    # See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
+    TraceEnable Off
 </VirtualHost>

Containers/apache/start.sh

@@ -17,6 +17,12 @@ while ! nc -z "$NEXTCLOUD_HOST" 9000; do
     sleep 5
 done
 
+# Get ipv4-address of Apache
+IPv4_ADDRESS="$(dig nextcloud-aio-apache A +short +search | head -1)"
+# Bring it in CIDR notation
+# shellcheck disable=SC2001
+IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|1/32|')"
+
 if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
@@ -41,7 +47,7 @@ echo "$CADDYFILE" > /tmp/Caddyfile
 if [ "$APACHE_PORT" != '443' ]; then
     CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
 else
-    CADDYFILE="$(sed 's|trusted_proxies.*private_ranges|# trusted_proxies placeholder|' /tmp/Caddyfile)"
+    CADDYFILE="$(sed "s|# trusted_proxies placeholder|trusted_proxies static $IPv4_ADDRESS|" /tmp/Caddyfile)"
 fi
 echo "$CADDYFILE" > /tmp/Caddyfile
 
@@ -57,7 +63,7 @@ mkdir -p /mnt/data/caddy-imports
 # Remove falsely added Nextcloud conf
 rm -f /mnt/data/caddy-imports/nextcloud
 
-# Makre sure that the caddy-imports dir is not empty
+# Make sure that the caddy-imports dir is not empty
 echo "# empty file so that caddy does not print a warning" > /mnt/data/caddy-imports/empty
 
 # Fix apache startup

Containers/borgbackup/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.18.5
 
 RUN set -ex; \
     \
@@ -16,6 +16,7 @@ VOLUME /root
 COPY --chmod=770 *.sh /
 
 ENTRYPOINT ["/start.sh"]
+# hadolint ignore=DL3002
 USER root
 
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/borgbackup/backupscript.sh

@@ -35,19 +35,19 @@ done
 
 # Check if target is mountpoint
 if ! mountpoint -q /mnt/borgbackup; then
-    echo "/mnt/borgbackup is not a mountpoint which is not allowed"
+    echo "/mnt/borgbackup is not a mountpoint which is not allowed."
     exit 1
 fi
 
 # Check if target is empty
 if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-    echo "The repository is empty. cannot perform check or restore."
+    echo "The repository is empty. Cannot perform check or restore."
     exit 1
 fi
 
 # Do not continue if this file exists (needed for simple external blocking)
 if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
-    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
+    echo "Not continuing because aio-lockfile exists – it seems like a script is externally running which is locking the backup archive."
     echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
     exit 1
 fi
@@ -65,25 +65,33 @@ if [ "$BORG_MODE" = backup ]; then
         echo "configuration.json not present. Cannot perform the backup!"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
-        echo "config.php is missing cannot perform backup"
+        echo "config.php is missing. Cannot perform backup!"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
-        echo "database-dump is missing. cannot perform backup"
+        echo "database-dump is missing. Cannot perform backup!"
         exit 1
     fi
 
-    # Test that nothing is empty
-    for directory in "${VOLUME_DIRS[@]}"; do
-        if [ -z "$(ls -A "$directory")" ] && [ "$directory" != "/nextcloud_aio_volumes/nextcloud_aio_elasticsearch" ]; then
-            echo "$directory is empty which is not allowed."
+    # Test that default volumes are not empty
+    for volume in "${DEFAULT_VOLUMES[@]}"; do
+        if [ -z "$(ls -A "/nextcloud_aio_volumes/$volume")" ] && [ "$volume" != "nextcloud_aio_elasticsearch" ]; then
+            echo "/nextcloud_aio_volumes/$volume is empty which should not happen!"
             exit 1
         fi
     done
 
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/export.failed" ]; then
-        echo "Database export failed the last time. Most likely was the export time not high enough."
         echo "Cannot create a backup now."
-        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
+        echo "Reason is that the database export failed the last time."
+        echo "Most likely was the database container not correctly shut down via the AIO interface."
+        echo ""
+        echo "You might want to try the database export again manually by running the three commands:"
+        echo "sudo docker start nextcloud-aio-database"
+        echo "sleep 10"
+        echo "sudo docker stop nextcloud-aio-database -t 1800"
+        echo ""
+        echo "Afterwards try to create a backup again and it should hopefully work."
+        echo "If it should still fail, feel free to report this to https://github.com/nextcloud/all-in-one/issues and post the database container logs and the borgbackup container logs into the thread. Thanks!"
         exit 1
     fi
 
@@ -101,7 +109,7 @@ if [ "$BORG_MODE" = backup ]; then
             exit 1
         fi
 
-        echo "initializing repository..."
+        echo "Initializing repository..."
         NEW_REPOSITORY=1
         if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
             echo "Could not initialize borg repository."
@@ -212,7 +220,7 @@ if [ "$BORG_MODE" = backup ]; then
             fi
             echo "Compacting additional volumes..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact archives!"
+                echo "Failed to compact additional docker-volume archives!"
                 exit 1
             fi
         fi
@@ -242,7 +250,7 @@ if [ "$BORG_MODE" = backup ]; then
             fi
             echo "Compacting additional host mounts..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact archives!"
+                echo "Failed to compact additional host-mount archives!"
                 exit 1
             fi
         fi
@@ -250,7 +258,7 @@ if [ "$BORG_MODE" = backup ]; then
 
     # Inform user
     get_expiration_time
-    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/update.failed" ]; then
         echo "However a Nextcloud update failed. So reporting that the backup failed which will skip any update attempt the next time."
         echo "Please restore a backup from before the failed Nextcloud update attempt."
@@ -361,7 +369,7 @@ if [ "$BORG_MODE" = restore ]; then
 
     # Inform user
     get_expiration_time
-    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
 
     # Add file to Nextcloud container so that it skips any update the next time
     touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
@@ -389,7 +397,7 @@ if [ "$BORG_MODE" = check ]; then
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
     exit 0
 fi
 
@@ -406,7 +414,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
     exit 0
 fi
 

Containers/clamav/Dockerfile

@@ -1,11 +1,11 @@
 # Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.1.0-1
+FROM clamav/clamav:1.2.1-20
 
 COPY clamav.conf /tmp/clamav.conf
 
 RUN set -ex; \
     apk add --no-cache tzdata; \
-    cat /tmp/clamav.conf | tee -a /etc/clamav/clamd.conf; \
+    cat /tmp/clamav.conf >> /etc/clamav/clamd.conf; \
     rm /tmp/clamav.conf; \
     mkdir -p /var/run/clamav /run/lock; \
     chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \

Containers/collabora/Dockerfile

@@ -1,8 +1,9 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.2.2.1
+FROM collabora/code:23.05.5.4.1
 
 USER root
 
+# hadolint ignore=DL3008
 RUN set -ex; \
     \
     apt-get update; \

Containers/docker-socket-proxy/Dockerfile

@@ -0,0 +1,19 @@
+FROM haproxy:2.9.0-alpine3.18
+
+# hadolint ignore=DL3002
+USER root
+ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud
+RUN set -ex; \
+    apk add --no-cache \
+        ca-certificates \
+        tzdata \
+        bash \
+        bind-tools; \
+    chmod -R 777 /tmp
+
+COPY --chmod=775 *.sh /
+COPY --chmod=664 haproxy.cfg /haproxy.cfg
+
+ENTRYPOINT ["/start.sh"]
+HEALTHCHECK CMD /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.enable="false"

Containers/docker-socket-proxy/haproxy.cfg

@@ -0,0 +1,59 @@
+# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
+
+global
+    maxconn 10
+
+defaults
+    timeout connect 10s
+    timeout client 10s
+    timeout server 10s
+
+frontend http
+    mode http
+    bind :::2375 v4v6
+    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
+    # docker system _ping
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
+    # container inspect: GET containers/%s/json
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
+    # container start/stop: POST containers/%s/start containers/%s/stop
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
+    # container rm: DELETE containers/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+
+
+    # container create: POST containers/create?name=%s
+    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
+    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
+
+    # ACL to restrict the number of Mounts to 1
+    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
+    # ACL to deny if there are any binds
+    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
+    # ACL to restrict the type of Mounts to volume
+    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
+
+    # ACL to restrict container creation, that it has HostConfig.Privileged not set
+    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
+    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
+    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
+    # end of container create
+
+    # volume create: POST volumes/create
+    # restrict name
+    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
+    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
+    acl volume_no_device req.body -m reg -i "\"device\""
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
+    # volume rm: DELETE volumes/%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
+    # image pull: POST images/create?fromImage=%s
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
+    http-request deny
+    default_backend dockerbackend
+
+backend dockerbackend
+    mode http
+    server dockersocket /var/run/docker.sock

Containers/docker-socket-proxy/healthcheck.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
+nc -z localhost 2375 || exit 1

Containers/docker-socket-proxy/start.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Only start container if nextcloud is accessible
+while ! nc -z "$NEXTCLOUD_HOST" 9001; do
+    echo "Waiting for Nextcloud to start..."
+    sleep 5
+done
+
+set -x
+IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+
+IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+if [ -n "$IPv6_ADDRESS_NC" ]; then
+    HAPROXYFILE="$(sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|" /tmp/haproxy.cfg)"
+else
+    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
+fi
+echo "$HAPROXYFILE" > /tmp/haproxy.cfg
+set +x
+
+haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.3
+FROM alpine:3.18.5
 RUN set -ex; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
     adduser -S www-data -G www-data; \

Containers/fulltextsearch/Dockerfile

@@ -1,8 +1,9 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.8.1
+FROM elasticsearch:8.11.0
 
 USER root
 
+# hadolint ignore=DL3008
 RUN set -ex; \
     \
     export DEBIAN_FRONTEND=noninteractive; \

Containers/imaginary/Dockerfile

@@ -1,6 +1,6 @@
-FROM golang:1.21.0-alpine3.18 as go
+FROM golang:1.21.5-alpine3.18 as go
 
-ENV IMAGINARY_HASH b632dae8cc321452c3f85bcae79c580b1ae1ed84
+ENV IMAGINARY_HASH 6cd9edd1d3fb151eb773c14552886e4fc8e50138
 
 RUN set -ex; \
     apk add --no-cache \
@@ -12,7 +12,7 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.18.3
+FROM alpine:3.18.5
 RUN set -ex; \
     apk add --no-cache \
         tzdata \

Containers/mastercontainer/Caddyfile

@@ -21,7 +21,7 @@
 }
 
 http://:80 {
-  redir https://{host}{uri}
+    redir https://{host}{uri} permanent
 }
 
 https://:8443 {

Containers/mastercontainer/Dockerfile

@@ -1,11 +1,11 @@
 # Docker CLI is a requirement
-FROM docker:24.0.5-cli as docker
+FROM docker:24.0.7-cli as docker
 
 # Caddy is a requirement
-FROM caddy:2.7.2-alpine as caddy
+FROM caddy:2.7.5-alpine as caddy
 
 # From https://github.com/docker-library/php/blob/master/8.2/alpine3.18/fpm/Dockerfile
-FROM php:8.2.8-fpm-alpine3.18
+FROM php:8.2.13-fpm-alpine3.18
 
 EXPOSE 80
 EXPOSE 8080
@@ -16,6 +16,7 @@ COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
 
 WORKDIR /var/www/docker-aio
 
+# hadolint ignore=SC2086,DL3047,DL3003,DL3004
 RUN set -ex; \
     apk add --no-cache shadow; \
     groupmod -g 333 xfs; \
@@ -41,7 +42,7 @@ RUN set -ex; \
     apk add --no-cache --virtual .build-deps \
         autoconf \
         build-base; \
-    pecl install APCu-5.1.22; \
+    pecl install APCu-5.1.23; \
     docker-php-ext-enable apcu; \
     rm -r /tmp/pear; \
     runDeps="$( \
@@ -50,19 +51,21 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --virtual .nextcloud-aio-rundeps $runDeps; \
+    apk add --no-cache --virtual .nextcloud-aio-rundeps $runDeps; \
     apk del .build-deps; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
+    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
     \
     apk add --no-cache git; \
     wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
-    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -exec rm -r {} \; ; \
+    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
     chown www-data:www-data -R /var/www/docker-aio; \
     cd php; \
     sudo -u www-data composer install --no-dev; \
@@ -118,6 +121,7 @@ COPY --chmod=664 Caddyfile /Caddyfile
 COPY --chmod=664 supervisord.conf /supervisord.conf
 COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
 
+# hadolint ignore=DL3002
 USER root
 
 ENTRYPOINT ["/start.sh"]

Containers/mastercontainer/cron.sh

@@ -12,6 +12,11 @@ while true; do
             export AUTOMATIC_UPDATES=0
             export START_CONTAINERS=1
         fi
+        if [ "$(sed -n '3p' "/mnt/docker-aio-config/data/daily_backup_time")" != 'successNotificationsAreNotEnabled' ]; then
+            export SEND_SUCCESS_NOTIFICATIONS=1
+        else
+            export SEND_SUCCESS_NOTIFICATIONS=0
+        fi
         set +x
         if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
             export LOCK_FILE_PRESENT=1

Containers/mastercontainer/daily-backup.sh

@@ -16,7 +16,7 @@ fi
 sudo -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -oP '[0-9]+' | head -1)"
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -o '[0-9]\+' | head -1)"
 while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
     echo "Waiting for apache to become available"
     sleep 30
@@ -105,7 +105,7 @@ if [ "$DAILY_BACKUP" = 1 ] && ([ "$AUTOMATIC_UPDATES" = 1 ] || [ "$START_CONTAIN
         done
     fi
     echo "Sending backup notification..."
-    sudo -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
+    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
 fi
 
 echo "Daily backup script has finished"

Containers/mastercontainer/healthcheck.sh

@@ -1,5 +1,10 @@
 #!/bin/bash
 
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
+    nc -z localhost 80 || exit 1
+    nc -z localhost 8000 || exit 1
     nc -z localhost 8080 || exit 1
+    nc -z localhost 8443 || exit 1
+    nc -z localhost 9000 || exit 1
+    nc -z localhost 9876 || exit 1
 fi

Containers/mastercontainer/mastercontainer.conf

@@ -49,8 +49,14 @@ Listen 8080
     SSLCertificateFile /etc/apache2/certs/ssl.crt
     SSLEngine               on
     SSLProtocol             -all +TLSv1.2 +TLSv1.3
+    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder     off
+    SSLSessionTickets       off
 </VirtualHost>
 
 # Increase timeout in case e.g. the initial download takes a long time
 Timeout 7200
 ProxyTimeout 7200
+
+# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
+TraceEnable Off

Containers/mastercontainer/start.sh

@@ -179,7 +179,7 @@ It is set to '$APACHE_PORT'."
     fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
-    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9.]\+$'; then
+    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$'; then
         print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
         exit 1
@@ -241,6 +241,20 @@ It is set to '$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS'."
         exit 1
     fi
 fi
+if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
+    read -ra AIO_CCONTAINERS <<< "$AIO_COMMUNITY_CONTAINERS"
+    for container in "${AIO_CCONTAINERS[@]}"; do
+        if ! [ -d "/var/www/docker-aio/community-containers/$container" ]; then
+            print_red "The community container $container was not found!"
+            FAIL_CCONTAINERS=1
+        fi
+    done
+    if [ -n "$FAIL_CCONTAINERS" ]; then
+        print_red "You've set AIO_COMMUNITY_CONTAINERS but at least one container was not found.
+It is set to '$AIO_COMMUNITY_CONTAINERS'."
+        exit 1
+    fi
+fi
 
 # Check DNS resolution
 # Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
@@ -253,6 +267,35 @@ if [ "$?" = 6 ]; then
     exit 1
 fi
 
+# Check that no changes have been made to timezone settings since AIO only supports running in Etc/UTC timezone
+if [ -n "$TZ" ]; then
+    print_red "The environmental variable TZ has been set which is not supported by AIO since it only supports running in the default Etc/UTC timezone!"
+    echo "The correct timezone can be set in the AIO interface later on!"
+    # Disable exit since it seems to be by default set on unraid and we dont want to break these instances
+    # exit 1
+fi
+if mountpoint -q /etc/localtime; then
+    print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
+    echo "The correct timezone can be set in the AIO interface later on!"
+    exit 1
+fi
+if mountpoint -q /etc/timezone; then
+    print_red "/etc/timezone has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
+    echo "The correct timezone can be set in the AIO interface later on!"
+    exit 1
+fi
+
+# Check if unsupported env are set (but don't exit as it would break many instances)
+if [ -n "$APACHE_DISABLE_REWRITE_IP" ]; then
+    print_red "The environmental variable APACHE_DISABLE_REWRITE_IP has been set which is not supported by AIO. Please remove it!"
+fi
+if [ -n "$NEXTCLOUD_TRUSTED_DOMAINS" ]; then
+    print_red "The environmental variable NEXTCLOUD_TRUSTED_DOMAINS has been set which is not supported by AIO. Please remove it!"
+fi
+if [ -n "$TRUSTED_PROXIES" ]; then
+    print_red "The environmental variable TRUSTED_PROXIES has been set which is not supported by AIO. Please remove it!"
+fi
+
 # Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/

Containers/mastercontainer/supervisord.conf

@@ -57,9 +57,10 @@ command=/session-deduplicator.sh
 user=root
 
 [program:domain-validator]
+# Logging is disabled as otherwise all attempts will be logged which spams the logs
 # stdout_logfile=/dev/stdout
 # stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
+# stderr_logfile=/dev/stderr
+# stderr_logfile_maxbytes=0
 command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
 user=www-data

Containers/nextcloud/Dockerfile

@@ -1,9 +1,9 @@
-FROM php:8.1.22-fpm-alpine3.18
+FROM php:8.1.26-fpm-alpine3.18
 
 ENV PHP_MEMORY_LIMIT 512M
 ENV PHP_UPLOAD_LIMIT 10G
 ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 27.0.2
+ENV NEXTCLOUD_VERSION 27.1.4
 ENV AIO_TOKEN 123456
 ENV AIO_URL localhost
 
@@ -16,6 +16,7 @@ VOLUME /mnt/ncdata
 VOLUME /var/www/html
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
+# hadolint ignore=SC2086,DL3003
 RUN set -ex; \
     apk add --no-cache shadow; \
     deluser www-data; \
@@ -67,9 +68,9 @@ RUN set -ex; \
     ; \
     \
 # pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install APCu-5.1.22; \
+    pecl install APCu-5.1.23; \
     pecl install memcached-3.2.0; \
-    pecl install redis-5.3.7; \
+    pecl install redis-6.0.2; \
     pecl install imagick-3.7.0; \
     \
     docker-php-ext-enable \
@@ -85,7 +86,7 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
     apk del .build-deps; \
     \
 # set recommended PHP.ini settings
@@ -170,7 +171,7 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
     apk del .build-deps; \
     \
     mkdir -p \
@@ -189,14 +190,15 @@ RUN set -ex; \
         sudo \
         grep \
         nodejs \
+        bind-tools \
         coreutils; \
     \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
+# Sync this with max db connections
+# We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
+# Also children will usually be terminated again after the process is done due to the ondemand setting
+    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
     \
     rm -rf /tmp/nextcloud-aio && \
@@ -219,9 +221,10 @@ RUN set -ex; \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd
 
+# hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
+HEALTHCHECK --start-period=60s CMD sudo -E -u www-data bash /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/nextcloud/config/apps.config.php

@@ -12,4 +12,5 @@ $CONFIG = array (
               'writable' => true,
       ),
   ),
+  'appsallowlist' => getenv('APPS_ALLOWLIST') ? explode(" ", getenv('APPS_ALLOWLIST')) : [],
 );

Containers/nextcloud/config/smtp.config.php

@@ -0,0 +1,20 @@
+<?php
+if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
+  $CONFIG = array (
+    'mail_smtpmode' => 'smtp',
+    'mail_smtphost' => getenv('SMTP_HOST'),
+    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+    'mail_domain' => getenv('MAIL_DOMAIN'),
+  );
+
+  if (getenv('SMTP_PASSWORD')) {
+      $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD');
+  } else {
+      $CONFIG['mail_smtppassword'] = '';
+  }
+}

Containers/nextcloud/cron.sh

@@ -1,7 +1,20 @@
 #!/bin/bash
 set -eu
 
+wait_for_cron() {
+    set -x
+    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
+        echo "Waiting for cron to stop..."
+        sleep 5
+    done
+    echo "Cronjob successfully exited."
+    set +x
+}
+
+trap wait_for_cron SIGINT SIGTERM
+
 while true; do
     php -f /var/www/html/cron.php &
-    sleep 5m
+    sleep 5m &
+    wait $!
 done

Containers/nextcloud/entrypoint.sh

@@ -30,13 +30,6 @@ redis.session.lock_retries = -1
 redis.session.lock_wait_time = 10000
 REDIS_CONF
 
-echo "Setting php max children..."
-MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
-PHP_MAX_CHILDREN=$((MEMORY/50))
-if [ -n "$PHP_MAX_CHILDREN" ]; then
-    sed -i "s/^pm.max_children =.*/pm.max_children = $PHP_MAX_CHILDREN/" /usr/local/etc/php-fpm.d/www.conf
-fi
-
 # Check permissions in ncdata
 touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
 if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
@@ -282,6 +275,8 @@ DATADIR_PERMISSION_CONF
                         touch "$NEXTCLOUD_DATA_DIR/install.failed"
                         exit 1
                     fi
+                    # shellcheck disable=SC2016
+                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
                 fi
                 php /var/www/html/occ app:disable updatenotification
                 rm -rf /var/www/html/apps/updatenotification
@@ -363,6 +358,9 @@ DATADIR_PERMISSION_CONF
                 exit 1
             fi
 
+            # shellcheck disable=SC2016
+            installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+
             rm "$NEXTCLOUD_DATA_DIR/update.failed"
             bash /notify.sh "Nextcloud update to $image_version successful!" "Feel free to inspect the Nextcloud container logs for more info."
 
@@ -466,6 +464,10 @@ php /var/www/html/occ config:system:set one-click-instance --value=true --type=b
 php /var/www/html/occ config:system:set one-click-instance.user-limit --value=100 --type=int
 php /var/www/html/occ config:system:set one-click-instance.link --value="https://nextcloud.com/all-in-one/"
 php /var/www/html/occ app:enable support
+if [ -n "$SUBSCRIPTION_KEY" ] && [ -z "$(php /var/www/html/occ config:app:get support potential_subscription_key)" ]; then
+    php /var/www/html/occ config:app:set support potential_subscription_key --value="$SUBSCRIPTION_KEY"
+    php /var/www/html/occ config:app:delete support last_check
+fi
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
@@ -473,17 +475,21 @@ php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https:
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
+if [ -n "$SERVERINFO_TOKEN" ] && [ -z "$(php /var/www/html/occ config:app:get serverinfo token)" ]; then
+    php /var/www/html/occ config:app:set serverinfo token --value="$SERVERINFO_TOKEN"
+fi
 
 # Apply network settings
 echo "Applying network settings..."
+php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
 php /var/www/html/occ config:system:set davstorage.request_timeout --value="$PHP_MAX_TIME" --type=int
 php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
 php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
 
-# Apply dbpersistent setting in order to fix too many db connections
-php /var/www/html/occ config:system:set dbpersistent --value=true --type=bool
+# Revert dbpersistent setting to check if it fixes too many db connections
+php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
 
 # Disallow creating local external storages when nothing was mounted
 if [ -z "$NEXTCLOUD_MOUNT" ]; then
@@ -493,8 +499,14 @@ else
 fi
 
 # AIO app
-if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "yes" ]; then
-    php /var/www/html/occ app:enable nextcloud-aio
+if [ "$THIS_IS_AIO" = "true" ]; then
+    if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "yes" ]; then
+        php /var/www/html/occ app:enable nextcloud-aio
+    fi
+else
+    if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "no" ]; then
+        php /var/www/html/occ app:disable nextcloud-aio
+    fi
 fi
 
 # Notify push
@@ -505,8 +517,12 @@ elif [ "$(php /var/www/html/occ config:app:get notify_push enabled)" != "yes" ];
 elif [ "$SKIP_UPDATE" != 1 ]; then
     php /var/www/html/occ app:update notify_push
 fi
+chmod 775 -R /var/www/html/custom_apps/notify_push/bin/
 php /var/www/html/occ config:system:set trusted_proxies 0 --value="127.0.0.1"
 php /var/www/html/occ config:system:set trusted_proxies 1 --value="::1"
+if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
+    php /var/www/html/occ config:system:set trusted_proxies 2 --value="$ADDITIONAL_TRUSTED_PROXY"
+fi
 php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://$NC_DOMAIN/push"
 
 # Collabora
@@ -519,14 +535,9 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update richdocuments
     fi
     php /var/www/html/occ config:app:set richdocuments wopi_url --value="https://$NC_DOMAIN/"
-    # Fix https://github.com/nextcloud/all-in-one/issues/188:
-    php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
     # Make collabora more save
-    COLLABORA_IPv4_ADDRESS="$(echo "<?php echo gethostbyname('$NC_DOMAIN');" | php | head -1)"
-    COLLABORA_IPv6_ADDRESS="<?php \$record = dns_get_record('$NC_DOMAIN', DNS_AAAA);"
-    # shellcheck disable=SC2016
-    COLLABORA_IPv6_ADDRESS+='if (!empty($record)) {echo $record[0]["ipv6"];}'
-    COLLABORA_IPv6_ADDRESS="$(echo "$COLLABORA_IPv6_ADDRESS" | php | head -1)"
+    COLLABORA_IPv4_ADDRESS="$(dig "$NC_DOMAIN" A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+    COLLABORA_IPv6_ADDRESS="$(dig "$NC_DOMAIN" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
     COLLABORA_ALLOW_LIST="$(php /var/www/html/occ config:app:get richdocuments wopi_allowlist)"
     if [ -n "$COLLABORA_IPv4_ADDRESS" ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv4_ADDRESS"; then
@@ -555,12 +566,17 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$PRIVATE_IP_RANGES"; then
             COLLABORA_ALLOW_LIST+=",$PRIVATE_IP_RANGES"
         fi
+        if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
+            if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$ADDITIONAL_TRUSTED_PROXY"; then
+                COLLABORA_ALLOW_LIST+=",$ADDITIONAL_TRUSTED_PROXY"
+            fi
+        fi
         php /var/www/html/occ config:app:set richdocuments wopi_allowlist --value="$COLLABORA_ALLOW_LIST"
     else
         echo "Warning: wopi_allowlist is empty which should not be the case!"
     fi
 else
-    if [ -d "/var/www/html/custom_apps/richdocuments" ]; then
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/richdocuments" ]; then
         php /var/www/html/occ app:remove richdocuments
     fi
 fi
@@ -582,9 +598,8 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
     php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
     php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
     php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$NC_DOMAIN/onlyoffice"
-    php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
 else
-    if [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
         php /var/www/html/occ app:remove onlyoffice
     fi
 fi
@@ -611,7 +626,7 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
         php /var/www/html/occ talk:signaling:add "https://$NC_DOMAIN/standalone-signaling/" "$SIGNALING_SECRET" --verify
     fi
 else
-    if [ -d "/var/www/html/custom_apps/spreed" ]; then
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/spreed" ]; then
         php /var/www/html/occ app:remove spreed
     fi
 fi
@@ -658,7 +673,7 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
         php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
     fi
 else
-    if [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
+    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
         php /var/www/html/occ app:remove files_antivirus
     fi
 fi
@@ -705,7 +720,7 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update files_fulltextsearch
     fi
     php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
+    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://elastic:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
     php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
 
     # Do the index
@@ -721,14 +736,33 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         fi
     fi
 else
-    if [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
-        php /var/www/html/occ app:remove fulltextsearch
+    if [ "$REMOVE_DISABLED_APPS" = yes ]; then
+        if [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
+            php /var/www/html/occ app:remove fulltextsearch
+        fi
+        if [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
+            php /var/www/html/occ app:remove fulltextsearch_elasticsearch
+        fi
+        if [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
+            php /var/www/html/occ app:remove files_fulltextsearch
+        fi
     fi
-    if [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
-        php /var/www/html/occ app:remove fulltextsearch_elasticsearch
-    fi
-    if [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
-        php /var/www/html/occ app:remove files_fulltextsearch
+fi
+
+# Docker socket proxy
+if version_greater "$installed_version" "27.1.2.0"; then
+    if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
+        if ! [ -d "/var/www/html/custom_apps/app_api" ]; then
+            php /var/www/html/occ app:install app_api
+        elif [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
+            php /var/www/html/occ app:enable app_api
+        elif [ "$SKIP_UPDATE" != 1 ]; then
+            php /var/www/html/occ app:update app_api
+        fi
+    else
+        if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/app_api" ]; then
+            php /var/www/html/occ app:remove app_api
+        fi
     fi
 fi
 

Containers/nextcloud/run-exec-commands.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 
-while ! nc -z "$NC_DOMAIN" 443; do
-    sleep 5
-done
-sleep 10
+# Wait 15s for domain to be reachable
+sleep 15
 
 if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
     echo "#!/bin/bash" > /tmp/nextcloud-exec-commands
@@ -15,9 +13,14 @@ if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
 else
     # Collabora must work also if using manual-install 
     if [ "$COLLABORA_ENABLED" = yes ]; then
-        echo "Activating collabora config..."
+        echo "Activating Collabora config..."
         php /var/www/html/occ richdocuments:activate-config
     fi
+    # OnlyOffice must work also if using manual-install
+    if [ "$ONLYOFFICE_ENABLED" = yes ]; then
+        echo "Activating OnlyOffice config..."
+        php /var/www/html/occ onlyoffice:documentserver --check
+    fi
 fi
 
 sleep inf

Containers/nextcloud/start.sh

@@ -34,7 +34,7 @@ fi
 # Check if /dev/dri device is present and apply correct permissions
 set -x
 if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindepth 1 -name dri)" ] && [ -n "$(find /dev/dri -maxdepth 1 -mindepth 1 -name renderD128)" ]; then
-    # From https://github.com/pulsejet/memories/wiki/QSV-Transcoding#docker-installations
+    # From https://memories.gallery/hw-transcoding/#docker-installations
     GID="$(stat -c "%g" /dev/dri/renderD128)"
     groupadd -g "$GID" render2 || true # sometimes this is needed
     GROUP="$(getent group "$GID" | cut -d: -f1)"
@@ -119,7 +119,7 @@ if [ -n "$ADDITIONAL_PHP_EXTENSIONS" ]; then
                     | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
             )";
             # shellcheck disable=SC2086
-            apk add --virtual .nextcloud-phpext-rundeps $runDeps >/dev/null
+            apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps >/dev/null
             apk del .build-deps >/dev/null
         fi
     fi
@@ -131,4 +131,25 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
     exit 1
 fi
 
-exec "$@"
+while [ "$THIS_IS_AIO" = "true" ] && [ -z "$(dig nextcloud-aio-apache A +short +search)" ]; do
+    echo "Waiting for nextcloud-aio-apache to start..."
+    sleep 5
+done
+
+set -x
+# shellcheck disable=SC2235
+if [ "$THIS_IS_AIO" = "true" ] && ([ "$APACHE_PORT" = 443 ] || [ "$APACHE_IP_BINDING" = "127.0.0.1" ] || [ "$APACHE_IP_BINDING" = "::1" ]); then
+    IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+    IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+    IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+    IPv6_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+
+    sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
+    sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER|" /usr/local/etc/php-fpm.d/www.conf
+    sed -i "/^listen.allowed_clients/s/,,/,/g" /usr/local/etc/php-fpm.d/www.conf
+    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
+    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
+fi
+set +x
+
+exec "$@"

Containers/nextcloud/supervisord.conf

@@ -32,3 +32,12 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/run-exec-commands.sh
 user=www-data
+
+# This is a hack but no better solution is there
+[program:is-nextcloud-online]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=nc -lk 9001
+user=www-data

Containers/notify-push/Dockerfile

@@ -1,6 +1,7 @@
-FROM alpine:3.18.2
+FROM alpine:3.18.5
 
 COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
 RUN set -ex; \
     apk add --no-cache \
@@ -17,5 +18,5 @@ RUN set -ex; \
 USER 33
 ENTRYPOINT ["/start.sh"]
 
-HEALTHCHECK CMD nc -z localhost 7867 || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/notify-push/healthcheck.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if ! nc -z "$NEXTCLOUD_HOST" 9001; then
+    exit 0
+fi
+
+nc -z localhost 7867 || exit 1

Containers/notify-push/start.sh

@@ -12,7 +12,7 @@ elif [ -z "$REDIS_HOST" ]; then
 fi
 
 # Only start container if nextcloud is accessible
-while ! nc -z "$NEXTCLOUD_HOST" 9000; do
+while ! nc -z "$NEXTCLOUD_HOST" 9001; do
     echo "Waiting for Nextcloud to start..."
     sleep 5
 done
@@ -27,6 +27,26 @@ elif [ "$CPU_ARCH" != "x86_64" ]; then
     export CPU_ARCH="aarch64"
 fi
 
+# Add warning
+if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
+    echo "The notify_push binary was not found."
+    echo "Most likely is DNS resolution not working correctly."
+    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
+    echo "See https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
+    echo "Afterwards a restart of docker should automatically resolve this."
+    echo "Additionally, make sure to disable VPN software that might be running on your server"
+    echo "Also check your firewall if it blocks connections to github"
+    echo "If it should still not work afterwards, feel free to create a new thread at https://github.com/nextcloud/all-in-one/discussions/new?category=questions and post the Nextcloud container logs there."
+    echo ""
+    echo ""
+    exit 1
+fi
+
+# Add a timeout of 15s to hopefully get rid of the first error that is logged if apache is not there yet
+sleep 15
+
+echo "notify-push was started"
+
 # Set sensitive values as env
 export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
 export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"

Containers/onlyoffice/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.4.1.1
+FROM onlyoffice/documentserver:7.5.1.1
 
 # USER root is probably used
 

Containers/postgresql/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/docker-library/postgres/blob/master/15/alpine/Dockerfile
-FROM postgres:15.3-alpine
+FROM postgres:15.5-alpine
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh

Containers/postgresql/start.sh

@@ -31,7 +31,7 @@ fi
 if [ -f "$DUMP_DIR/initialization.failed" ]; then
     echo "The database initialization failed. Most likely was a wrong timezone selected."
     echo "The selected timezone is '$TZ'." 
-    echo "Please check if it is in 'TZ database name' column of the timezone list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"
+    echo "Please check if it is in the 'TZ identifier' column of the timezone list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"
     echo "For further clues on what went wrong, look at the logs above."
     echo "You might start again from scratch by following https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance and selecting a proper timezone."
     exit 1
@@ -92,14 +92,14 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
 
     # Check if the line we grep for later on is there
     GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
-    if ! grep -q "$GREP_STRING" "$DUMP_FILE"; then
+    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
         echo "The needed oc_appconfig line is not there which is unexpected."
         echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
     # Get the Owner
-    DB_OWNER="$(grep "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
+    DB_OWNER="$(grep -a "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
     if [ "$DB_OWNER" = "$POSTGRES_USER" ]; then
         echo "Unfortunately was the found database owner of the dump file the same as the POSTGRES_USER $POSTGRES_USER"
         echo "It is not possible to import a database dump from this database owner."
@@ -148,17 +148,23 @@ fi
 
 # Modify postgresql.conf
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
-    echo "Setting max connections..."
-    MEMORY=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
-    MAX_CONNECTIONS=$((MEMORY/50+3))
-    if [ -n "$MAX_CONNECTIONS" ]; then
-        sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
-    fi
+    echo "Setting postgres values..."
 
-    # Modify conf
+    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
+    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
+    # Also connections should usually be closed again after the process is done
+    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
+    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
+
+    # Do not log checkpoints
     if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
         sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
     fi
+
+    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
+    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
+        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
+    fi
 fi
 
 # Catch docker stop attempts

Containers/redis/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.0.12-alpine
+FROM redis:7.2.3-alpine
 
 COPY --chmod=775 start.sh /start.sh
 

Containers/talk-recording/Dockerfile

@@ -1,8 +1,8 @@
-FROM python:3.11.4-alpine3.18
+FROM python:3.12.0-alpine3.18
 
 COPY --chmod=775 start.sh /start.sh
 
-ENV RECORDING_VERSION v17.0.3
+ENV RECORDING_VERSION v0.1
 ENV ALLOW_ALL false
 ENV HPB_PROTOCOL https
 ENV SKIP_VERIFY false
@@ -22,15 +22,16 @@ RUN set -ex; \
         wget \
         shadow \
         pulseaudio \
-        openssl; \
+        openssl \
+        build-base \
+        linux-headers; \
     # chromium chromium-chromedriver?
     apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing; \
     useradd -d /tmp --system recording; \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    git clone --recursive https://github.com/nextcloud/spreed --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
-    mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \
-    python3 -m pip install /src/recording/src; \
+    git clone --recursive https://github.com/nextcloud/nextcloud-talk-recording --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
+    python3 -m pip install --no-cache-dir /src; \
     rm -rf /src; \
     touch /etc/recording.conf; \
     chown recording:recording -R \
@@ -42,7 +43,9 @@ RUN set -ex; \
         git \
         wget \
         shadow \
-        openssl;
+        openssl \
+        build-base \
+        linux-headers;
 
 WORKDIR /tmp
 USER recording

Containers/talk-recording/recording.conf

@@ -96,11 +96,15 @@
 #internalsecret = the-shared-secret-for-internal-clients
 
 [ffmpeg]
-# The options given to FFmpeg to encode the audio output. The options given here
+# The ffmpeg executable (name or full path) and the global options given to
+# ffmpeg. The options given here fully override the default global options.
+#common = ffmpeg -loglevel level+warning -n
+
+# The options given to ffmpeg to encode the audio output. The options given here
 # fully override the default options for the audio output.
 #outputaudio = -c:a libopus
 
-# The options given to FFmpeg to encode the video output. The options given here
+# The options given to ffmpeg to encode the video output. The options given here
 # fully override the default options for the video output.
 #outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
 
@@ -109,3 +113,11 @@
 
 # The extension of the file for audio and video recordings.
 #extensionvideo = .webm
+
+[recording]
+# Browser to use for recordings. Please note that the "chrome" value does not
+# refer to the web browser, but to the Selenium WebDriver. In practice, "chrome"
+# will use Google Chrome, or Chromium if Google Chrome is not installed.
+# Allowed values: firefox, chrome
+# Defaults to firefox
+# browser = firefox

Containers/talk-recording/start.sh

@@ -26,8 +26,6 @@ listen = 0.0.0.0:1234
 
 [backend]
 allowall = ${ALLOW_ALL}
-# TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
-secret = ${RECORDING_SECRET}
 backends = backend-1
 skipverify = ${SKIP_VERIFY}
 maxmessagesize = 1024
@@ -48,10 +46,14 @@ url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
 internalsecret = ${INTERNAL_SECRET}
 
 [ffmpeg]
+# common = ffmpeg -loglevel level+warning -n
 # outputaudio = -c:a libopus
 # outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
 extensionaudio = .ogg
 extensionvideo = .webm
+
+[recording]
+browser = firefox
 RECORDING_CONF
 
 exec "$@"

Containers/talk/Dockerfile

@@ -1,6 +1,7 @@
-FROM nats:2.9.21-scratch as nats
-FROM strukturag/nextcloud-spreed-signaling:1.1.3 as signaling
-FROM alpine:3.18.3 as janus
+FROM nats:2.10.6-scratch as nats
+FROM eturnal/eturnal:1.12.0 AS eturnal
+FROM strukturag/nextcloud-spreed-signaling:1.2.1 as signaling
+FROM alpine:3.18.5 as janus
 
 ARG JANUS_VERSION=v0.14.0
 WORKDIR /src
@@ -32,8 +33,16 @@ RUN set -ex; \
     make configs; \
     rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
 
-FROM coturn/coturn:4.6.2-alpine3.18
-USER root
+FROM alpine:3.18.5
+ENV ETURNAL_ETC_DIR="/conf"
+COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
+COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
+COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
+COPY --from=signaling --chmod=777 --chown=1000:1000 /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
+
+COPY --chmod=775 start.sh /start.sh
+COPY --chmod=775 healthcheck.sh /healthcheck.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
     apk add --no-cache \
@@ -56,8 +65,9 @@ RUN set -ex; \
         libusrsctp \
         libwebsockets \
         \
-        shadow; \
-    useradd --system talk; \
+        shadow \
+        grep; \
+    useradd --system -u 1000 eturnal; \
     apk del --no-cache \
         shadow; \
     \
@@ -65,7 +75,8 @@ RUN set -ex; \
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
     \
     touch \
-        /etc/nats.conf; \
+        /etc/nats.conf \
+        /etc/eturnal.yml; \
     echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
     mkdir -p \
         /var/tmp \
@@ -74,32 +85,21 @@ RUN set -ex; \
         /var/log/supervisord \
         /var/run/supervisord \
         /usr/local/lib/janus/loggers; \
-    chown talk:talk -R \
-        /usr \
+    chown eturnal:eturnal -R \
         /etc/nats.conf \
-        /var/lib/turn \
         /var/log/supervisord \
         /var/run/supervisord; \
     chmod 777 -R \
         /tmp \
         /conf \
         /var/run/supervisord \
-        /var/lib/turn \
-        /var/log/supervisord;
+        /var/log/supervisord; \
+    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
+    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl
 
-COPY --from=janus /usr/local /usr/local
-COPY --from=nats /nats-server /usr/local/bin/nats-server
-COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
-
-# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
-ENV TALK_PORT=3478
-
-USER talk
+USER eturnal
 ENTRYPOINT ["/start.sh"]
 CMD ["supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1
+HEALTHCHECK CMD /healthcheck.sh
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk/healthcheck.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+nc -z localhost 8081 || exit 1
+nc -z localhost 8188 || exit 1
+nc -z localhost 4222 || exit 1
+nc -z localhost "$TALK_PORT" || exit 1
+eturnalctl status || exit 1
+if ! nc -z "$NC_DOMAIN" "$TALK_PORT"; then
+    echo "Could not reach $NC_DOMAIN on port $TALK_PORT."
+    exit 1
+fi

Containers/talk/server.conf.in

@@ -86,9 +86,10 @@ internalsecret = the-shared-secret-for-internal-clients
 # only be used while running the benchmark client against the server.
 allowall = false
 
-# Common shared secret for requests from and to the backend servers if
-# "allowall" is enabled. This must be the same value as configured in the
-# Nextcloud admin ui.
+# Common shared secret for requests from and to the backend servers. Used if
+# "allowall" is enabled or as fallback for individual backends that don't have
+# their own secret set.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret-for-allowall
 
 # Timeout in seconds for requests to the backend.
@@ -109,8 +110,9 @@ connectionsperhost = 8
 # URL of the Nextcloud instance
 #url = https://cloud.domain.invalid
 
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret
 
 # Limit the number of sessions that are allowed to connect to this backend.
@@ -129,8 +131,9 @@ connectionsperhost = 8
 # URL of the Nextcloud instance
 #url = https://cloud.otherdomain.invalid
 
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
+# Shared secret for requests from and to the backend servers. Leave empty to use
+# the common shared secret from above.
+# This must be the same value as configured in the Nextcloud admin ui.
 #secret = the-shared-secret
 
 [nats]

Containers/talk/start.sh

@@ -4,6 +4,9 @@
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
     exit 1
+elif [ -z "$TALK_PORT" ]; then
+    echo "You need to provide the TALK_PORT."
+    exit 1
 elif [ -z "$TURN_SECRET" ]; then
     echo "You need to provide the TURN_SECRET."
     exit 1
@@ -16,43 +19,43 @@ elif [ -z "$INTERNAL_SECRET" ]; then
 fi
 
 set -x
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
+IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
+IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
 set +x
 
+if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
+    IPv4_ADDRESS_TALK=""
+fi
+
 # Turn
-cat << TURN_CONF > "/conf/turnserver.conf"
-listening-port=$TALK_PORT
-fingerprint
-use-auth-secret
-static-auth-secret=$TURN_SECRET
-realm=$NC_DOMAIN
-total-quota=0
-bps-capacity=0
-stale-nonce
-no-multicast-peers
-simple-log
-pidfile=/var/tmp/turnserver.pid
-no-tls
-no-dtls
-userdb=/var/lib/turn/turndb
-# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks
-allowed-peer-ip=$IPv4_ADDRESS_TALK
-denied-peer-ip=0.0.0.0-0.255.255.255
-denied-peer-ip=10.0.0.0-10.255.255.255
-denied-peer-ip=100.64.0.0-100.127.255.255
-denied-peer-ip=127.0.0.0-127.255.255.255
-denied-peer-ip=169.254.0.0-169.254.255.255
-denied-peer-ip=172.16.0.0-172.31.255.255
-denied-peer-ip=192.0.0.0-192.0.0.255
-denied-peer-ip=192.0.2.0-192.0.2.255
-denied-peer-ip=192.88.99.0-192.88.99.255
-denied-peer-ip=192.168.0.0-192.168.255.255
-denied-peer-ip=198.18.0.0-198.19.255.255
-denied-peer-ip=198.51.100.0-198.51.100.255
-denied-peer-ip=203.0.113.0-203.0.113.255
-denied-peer-ip=240.0.0.0-255.255.255.255
+cat << TURN_CONF > "/conf/eturnal.yml"
+eturnal:
+  listen:
+    - ip: "::"
+      port: $TALK_PORT
+      transport: udp
+    - ip: "::"
+      port: $TALK_PORT
+      transport: tcp
+  log_dir: stdout
+  log_level: warning
+  secret: "$TURN_SECRET"
+  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
+  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
+  blacklist_peers:
+  - recommended
+  whitelist_peers:
+  - 127.0.0.1
+  - ::1
+  - "$IPv4_ADDRESS_TALK_RELAY"
+  - "$IPv4_ADDRESS_TALK"
+  - "$IPv6_ADDRESS_TALK"
 TURN_CONF
 
+# Remove empty lines so that the config is not invalid
+sed -i '/""/d' /conf/eturnal.yml
+
 # Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]

Containers/talk/supervisord.conf

@@ -7,12 +7,12 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 
-[program:turnserver]
+[program:eturnal]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=turnserver -c /conf/turnserver.conf
+command=eturnalctl foreground
 
 [program:nats-server]
 stdout_logfile=/dev/stdout

Containers/watchtower/Dockerfile

@@ -1,13 +1,14 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
-FROM containrrr/watchtower:1.5.3 as watchtower
+FROM containrrr/watchtower:1.7.1 as watchtower
 
-FROM alpine:3.18.3
+FROM alpine:3.18.5
 
 RUN apk add --no-cache bash
 COPY --from=watchtower /watchtower /watchtower
 
 COPY --chmod=775 start.sh /start.sh
 
+# hadolint ignore=DL3002
 USER root
 
 ENTRYPOINT ["/start.sh"]

app/lib/Settings/Admin.php

@@ -78,6 +78,6 @@ class Admin implements ISettings {
 	 * E.g.: 70
 	 */
 	public function getPriority(): int {
-		return 5;
+		return 0;
 	}
 }

community-containers/caddy/caddy.json

@@ -0,0 +1,52 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-caddy",
+            "display_name": "Caddy with geoblocking",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy",
+            "image": "szaimen/aio-caddy",
+            "image_tag": "v1",
+            "internal_port": "443",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "443",
+                  "protocol": "tcp"
+                },
+                {
+                    "ip_binding": "",
+                    "port_number": "443",
+                    "protocol": "udp"
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "NC_DOMAIN=%NC_DOMAIN%",
+                "APACHE_PORT=%APACHE_PORT%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_caddy",
+                    "destination": "/data",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/nextcloud",
+                    "writeable": false
+                }
+            ],
+            "aio_variables": [
+                "apache_ip_binding=127.0.0.1",
+                "apache_port=11000"
+            ],
+            "nextcloud_exec_commands": [
+                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-caddy'",
+                "touch '/mnt/ncdata/admin/files/nextcloud-aio-caddy/allowed-countries.txt'",
+                "echo 'Scanning nextcloud-aio-caddy folder for admin user...'",
+                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-caddy'"
+            ]
+        }
+    ]
+}

community-containers/caddy/readme.md

@@ -0,0 +1,16 @@
+## Caddy with geoblocking
+This container bundles caddy and auto-configures it for you. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden by listening on `bw.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart by listening on `mail.$NC_DOMAIN`, if installed.
+
+### Notes
+- This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
+- Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
+- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
+- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart, make sure that you point `mail.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for stalwart.
+- After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-caddy
+
+### Maintainer
+https://github.com/szaimen

community-containers/dlna/dlna.json

@@ -0,0 +1,39 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-dlna",
+            "display_name": "DLNA",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/dlna",
+            "image": "thanek/nextcloud-dlna",
+            "image_tag": "latest",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "depends_on": [
+                "nextcloud-aio-database"
+            ],
+            "environment": [
+                "NC_DOMAIN=%NC_DOMAIN%",
+                "NC_PORT=443",
+                "NEXTCLOUD_DLNA_SERVER_PORT=9999",
+                "NEXTCLOUD_DLNA_FRIENDLY_NAME=nextcloud-aio",
+                "NEXTCLOUD_DATA_DIR=/data",
+                "NEXTCLOUD_DB_TYPE=postgres",
+                "NEXTCLOUD_DB_HOST=%AIO_DATABASE_HOST%",
+                "NEXTCLOUD_DB_PORT=5432",
+                "NEXTCLOUD_DB_NAME=nextcloud_database",
+                "NEXTCLOUD_DB_USER=oc_nextcloud",
+                "NEXTCLOUD_DB_PASS=%DATABASE_PASSWORD%"
+            ],
+            "secrets": [
+                "DATABASE_PASSWORD"
+            ],
+            "volumes": [
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/data",
+                    "writeable": false
+                }
+            ]
+        }
+    ]
+}

community-containers/dlna/readme.md

@@ -0,0 +1,15 @@
+## DLNA server
+This container bundles DLNA server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
+
+### Notes
+- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on remote servers.
+- This is not working with Docker Desktop since it requires the `host` networking mode in docker, and it doesn't really share the host's network interfaces in this system
+- If you have a firewall like ufw configured, you might need to open at least port 9999 TCP and 1900 UDP first in order to make it work.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/thanek/nextcloud-dlna
+
+### Maintainer
+https://github.com/thanek
+

community-containers/fail2ban/fail2ban.json

@@ -0,0 +1,32 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-fail2ban",
+            "display_name": "Fail2ban",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban",
+            "image": "szaimen/aio-fail2ban",
+            "image_tag": "v1",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "cap_add": [
+                "NET_ADMIN",
+                "NET_RAW"
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_nextcloud",
+                    "destination": "/nextcloud",
+                    "writeable": false
+                },
+                {
+                    "source": "nextcloud_aio_vaultwarden_logs",
+                    "destination": "/vaultwarden",
+                    "writeable": false
+                }
+            ]
+        }
+    ]
+}

community-containers/fail2ban/readme.md

@@ -0,0 +1,13 @@
+## Fail2ban
+This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, if installed.
+
+### Notes
+- This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
+- If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-fail2ban
+
+### Maintainer
+https://github.com/szaimen

community-containers/libretranslate/libretranslate.json

@@ -0,0 +1,34 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-libretranslate",
+            "display_name": "LibreTranslate",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/libretranslate",
+            "image": "szaimen/aio-libretranslate",
+            "image_tag": "v1",
+            "internal_port": "5000",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_libretranslate_db",
+                    "destination": "/app/db",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_libretranslate_models",
+                    "destination": "/home/libretranslate/.local",
+                    "writeable": true
+                }
+            ],
+            "nextcloud_exec_commands": [
+                "php /var/www/html/occ app:install integration_libretranslate",
+                "php /var/www/html/occ app:enable integration_libretranslate",
+                "php /var/www/html/occ config:app:set integration_libretranslate host --value='http://nextcloud-aio-libretranslate'",
+                "php /var/www/html/occ config:app:set integration_libretranslate port --value='5000'"
+            ]
+        }
+    ]
+}

community-containers/libretranslate/readme.md

@@ -0,0 +1,17 @@
+## LibreTranslate
+This container bundles LibreTranslate and auto-configures it for you.
+
+### Notes
+- After the initial startup is done, you might want to change the default language to translate from and to via:
+```bash
+# Adjust the values `en` and `de` in commands below accordingly
+sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:app:set integration_libretranslate from_lang --value="en"
+sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:app:set integration_libretranslate to_lang --value="de"
+```
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-libretranslate
+
+### Maintainer
+https://github.com/szaimen

community-containers/local-ai/local-ai.json

@@ -0,0 +1,45 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-local-ai",
+            "display_name": "Local AI",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai",
+            "image": "szaimen/aio-local-ai",
+            "image_tag": "v1",
+            "internal_port": "8080",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "MODELS_PATH=/models"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_localai_models",
+                    "destination": "/models",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_localai_images",
+                    "destination": "/tmp/generated/images/",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/nextcloud",
+                    "writeable": false
+                }
+            ],
+            "nextcloud_exec_commands": [
+                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-local-ai'",
+                "touch '/mnt/ncdata/admin/files/nextcloud-aio-local-ai/models.yaml'",
+                "echo 'Scanning nextcloud-aio-local-ai folder for admin user...'",
+                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-local-ai'",
+                "php /var/www/html/occ app:install integration_openai",
+                "php /var/www/html/occ app:enable integration_openai",
+                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:8080",
+                "php /var/www/html/occ app:install assistant",
+                "php /var/www/html/occ app:enable assistant"
+            ]
+        }
+    ]
+}

community-containers/local-ai/readme.md

@@ -0,0 +1,27 @@
+## Local AI
+This container bundles Local AI and auto-configures it for you.
+
+### Notes
+- Make sure to have enough storage space available. This container alone needs ~14GB storage on x64, on arm64 only ~4GB. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
+- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/go-skynet/model-gallery/blob/main/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
+- Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
+```yaml
+# Stable Diffusion in NCNN with c++, supported txt2img and img2img 
+- url: github:go-skynet/model-gallery/stablediffusion.yaml
+
+# Port of OpenAI's Whisper model in C/C++ 
+- url: github:go-skynet/model-gallery/whisper-base.yaml
+  name: whisper-1
+
+# A commercially licensable model based on GPT-J and trained by Nomic AI on the v0 GPT4All dataset.
+- url: github:go-skynet/model-gallery/gpt4all-j.yaml
+  name: gpt4all-j
+```
+-  Additionally after doing so, you might want to enable or disable specific features for your models in the integration_openai settings: `https://your-nc-domain.com/settings/admin/connected-accounts`
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/szaimen/aio-local-ai
+
+### Maintainer
+https://github.com/szaimen

community-containers/memories/memories.json

@@ -0,0 +1,33 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-memories",
+            "display_name": "Memories Transcoder",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/memories",
+            "image": "radialapps/go-vod",
+            "image_tag": "latest",
+            "internal_port": "47788",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "NEXTCLOUD_HOST=https://%NC_DOMAIN%"
+            ],
+            "volumes": [
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/mnt/ncdata",
+                    "writeable": false
+                }
+            ],
+            "devices": [
+                "/dev/dri"
+            ],
+            "nextcloud_exec_commands": [
+                "php /var/www/html/occ app:install memories",
+                "php /var/www/html/occ app:enable memories",
+                "php /var/www/html/occ config:system:set memories.vod.external --value true --type bool",
+                "php /var/www/html/occ config:system:set memories.vod.connect --value nextcloud-aio-memories:47788"
+            ]
+        }
+    ]
+}

community-containers/memories/readme.md

@@ -0,0 +1,12 @@
+## Memories
+This container bundles the hardware-transcoding container of memories and auto-configures it for you.
+
+### Notes
+- In order to actually enable the hardware transcoding, you need to add the following flag to AIO apart from adding this container: https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/pulsejet/memories
+
+### Maintainer
+https://github.com/pulsejet

community-containers/npmplus/npmplus.json

@@ -0,0 +1,32 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-npmplus",
+            "display_name": "NPMplus",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus",
+            "image": "zoeyvid/npmplus",
+            "image_tag": "latest",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "NC_AIO=true",
+                "NC_DOMAIN=%NC_DOMAIN%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_npmplus",
+                    "destination": "/data",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_npmplus"
+            ],
+            "aio_variables": [
+                "apache_ip_binding=127.0.0.1",
+                "apache_port=11000"
+            ]
+        }
+    ]
+}

community-containers/npmplus/readme.md

@@ -0,0 +1,22 @@
+## NPMplus
+This container contains a fork of the Nginx Proxy Manager, which is a WebUI for nginx. It will also automatically create a config and cert for AIO.
+
+### Notes
+- This container is incompatible with the [caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container. So make sure that you do not enable both at the same time!
+- Only works on linux since it uses network mode host
+- You can ignore the NPM configuration of the reverse-proxy.md. The NPMplus fork already contains the changes of the advanced tab.
+- Make sure that no other service is using port `443 (tcp/upd)` or `81 (tcp)` on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep "443\|81"` before installing AIO.
+- Please change the default login data first, after you can read inside the logs that the default config for AIO is created and there are no errors.
+- After the container was started the first time, please check the logs for errors. Then you can open NPMplus on `https://<ip>:81` and change the password. 
+- The default password is `iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi` and the default email is `admin@example.com`
+- If you want to use NPMplus behind a domain and outside localhost just create a new proxy host inside the NPMplus which proxies to `https`, `127.0.0.1` and port `81` - all other settings should be the same as for the AIO host.
+- If you want to set env options from this [compose.yaml](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml), please set them inside the `.env` file which you can find in the `nextcloud_aio_npmplus` volume
+- The data (certs, configs, etc.) of NPMplus will be automatically included in AIOs backup solution!
+- **Important:** you always need to enable https for your hosts, since `DISABLE_HTTP` is set to true
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository and Documentation
+https://github.com/ZoeyVid/NPMplus
+
+### Maintainer
+https://github.com/Zoey2936

community-containers/pi-hole/pi-hole.json

@@ -0,0 +1,56 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-pihole",
+            "display_name": "Pi-hole",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/pi-hole",
+            "image": "pihole/pihole",
+            "image_tag": "latest",
+            "internal_port": "8573",
+            "restart": "unless-stopped",
+            "init": false,
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "53",
+                  "protocol": "tcp"
+                },
+                {
+                    "ip_binding": "",
+                    "port_number": "53",
+                    "protocol": "udp"
+                },
+                {
+                    "ip_binding": "",
+                    "port_number": "8573",
+                    "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "WEBPASSWORD=%PIHOLE_WEBPASSWORD%",
+                "DNSMASQ_LISTENING=all",
+                "WEB_PORT=8573"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_pihole",
+                    "destination": "/etc/pihole",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_pihole_dnsmasq",
+                    "destination": "/etc/dnsmasq.d",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_pihole",
+                "nextcloud_aio_pihole_dnsmasq"
+            ],
+            "secrets": [
+                "PIHOLE_WEBPASSWORD"
+            ]
+        }
+    ]
+}

community-containers/pi-hole/readme.md

@@ -0,0 +1,18 @@
+## Pi-hole
+This container bundles pi-hole and auto-configures it for you.
+
+### Notes
+- You should not run this container on a public VPS! It is only intended to run in home networks!
+- Make sure that no dns server is already running by checking with `sudo netstat -tulpn | grep 53`. Otherwise the container will not be able to start!
+- The DHCP functionality of Pi-hole has been disabled!
+- The data of pi-hole will be automatically included in AIOs backup solution!
+- After adding and starting the container, you can visit `http://ip.address.of.this.server:8573` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-pihole | grep WEBPASSWORD`. There you can configure the pi-hole setup. Also you can add local dns records.
+- You can configure your home network now to use pi-hole as its dns server by configuring your router.
+- Additionally, you can configure the docker daemon to use that by editing `/etc/docker/daemon.json` and adding ` { "dns" : [ "ip.address.of.this.server" , "8.8.8.8" ] } `.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/pi-hole/docker-pi-hole
+
+### Maintainer
+https://github.com/szaimen

community-containers/plex/plex.json

@@ -0,0 +1,41 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-plex",
+            "display_name": "Plex",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/plex",
+            "image": "plexinc/pms-docker",
+            "image_tag": "latest",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "PLEX_UID=33",
+                "PLEX_GID=33"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_plex",
+                    "destination": "/config",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/data",
+                    "writeable": false
+                },
+                {
+                    "source": "%NEXTCLOUD_MOUNT%",
+                    "destination": "%NEXTCLOUD_MOUNT%",
+                    "writeable": false
+                }
+            ],
+            "devices": [
+                "/dev/dri"
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_plex"
+            ]
+        }
+    ]
+}

community-containers/plex/readme.md

@@ -0,0 +1,16 @@
+## Plex
+This container bundles Plex and auto-configures it for you.
+
+### Notes
+- This is not working on arm64 since Plex does only provide x64 docker images.
+- This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
+- If you have a firewall like ufw configured, you might need to open all Plex ports in there first in order to make it work. Especially port 32400 is important!
+- After adding and starting the container, you need to visit http://ip.address.of.server:32400/manage in order to claim your server with a plex account
+- The data of Plex will be automatically included in AIOs backup solution!
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/plexinc/pms-docker
+
+### Maintainer
+https://github.com/szaimen

community-containers/readme.md

@@ -0,0 +1,25 @@
+# Community containers
+This directory features containers that are built for AIO which allows to add additional functionality very easily.
+
+## Disclaimers
+⚠️ This is currently beta and not stable yet!
+
+All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.
+
+## How to use this?
+Before adding any additional container, make sure to create a backup via the AIO interface!
+
+Afterwards, you might want to add additional community containers to the default AIO stack. You can do so by adding `--env AIO_COMMUNITY_CONTAINERS="container1 container2"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must match the folder names in this directory! ⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop!
+
+## How to add containers?
+Simply submit a PR by creating a new folder in this directory: https://github.com/nextcloud/all-in-one/tree/main/community-containers with the name of your container. It must include a json file with the same name and with correct syntax and a readme.md with additional information. You might get inspired by caddy, fail2ban, local-ai, libretranslate, plex, pi-hole or vaultwarden (subfolders in this directory). For a full-blown example of the json file, see https://github.com/nextcloud/all-in-one/blob/main/php/containers.json. The json-schema that it validates against can be found here: https://github.com/nextcloud/all-in-one/blob/main/php/containers-schema.json.
+
+### Is there a list of ideas for new community containers?
+Yes, see [this list](https://github.com/nextcloud/all-in-one/discussions/categories/ideas?discussions_q=is%3Aopen+category%3AIdeas+label%3A%22help+wanted%22) for already existing ideas for new community containers. Feel free to pick one up and add it to this folder by following the instructions above.
+
+## How to remove containers from AIOs stack?
+In some cases, you might want to remove some community containers from the AIO stack again. Here is how to do this.
+
+First, do a backup from the AIO interface in order to save the current state. Do not start the containers again afterwards! Now simply recreate the mastercontainer and remove any container from the `--env AIO_COMMUNITY_CONTAINERS="container1 container2"` that you do not actually need. If you want to remove all, simply use `--env AIO_COMMUNITY_CONTAINERS=" "`. 
+
+After removing the containers, there might be some data left on your server that you might want to remove. You can get rid of the data by first running `sudo docker rm nextcloud-aio-container1`, (adjust `container1` accordingly) per community-container that you removed. Then run `sudo docker image prune -a` in order to remove all images that are not used anymore. As last step you can get rid of persistent data of these containers that is stored in volumes. You can check if there is some by running `sudo docker volume ls` and look for any volume that matches the ones that you removed. If so, you can remove them with `sudo docker volume rm nextcloud_aio_volume-id` (of course you need to adjust the `volume-id`).

community-containers/stalwart/readme.md

@@ -0,0 +1,21 @@
+## Stalwart mail server
+This container bundles stalwart mail server and auto-configures it for you.
+
+### Notes
+- This is only intended to run on a VPS with static ip-address.
+- Check with `sudo netstat -tulpn` that no other service is using port 25, 143, 465, 578, 993 nor 4190 yet as otherwise the container will fail to start.
+- You need to configure a reverse proxy in order to run this container since stalwart needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy.
+- Currently, only `mail.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, Stalwart will use `mail.your-domain.com`.
+- The data of Stalwart will be automatically included in AIOs backup solution!
+- After adding and starting the container, you need to run `sudo docker exec -it nextcloud-aio-stalwart configure.sh` and follow https://stalw.art/docs/install/docker/#choose-where-to-store-your-data (1. choose `Local disk using Maildir`, 2. choose `No, create a new directory for me` (or select LDAP if you have an LDAP server), 3. type in your `$NC_DOMAIN` as `domain name` and `mail.$NC_DOMAIN` as `server hostname`. 4. add `DKIM, SPF and DMARC` as advised to your DNS config, 5. Take note of the administrator credentials, 6. Now the config script should exit and automatically restart the container and enable your config.
+- See https://stalw.art/docs/directory/types/memory/ how you can easily create new user accounts. (Alternatively see https://stalw.art/docs/directory/types/ldap if you have an LDAP server). You can edit the config file with `sudo docker exec -it nextcloud-aio-stalwart vi /opt/stalwart-mail/etc/config.toml` (you need to restart the container afterwards with `sudo docker restart nextcloud-aio-stalwart` in order to apply the settings).
+- Afterwards, you can visit the basic admin settings in `https://your-nc-domain.com/settings/admin` and add the your mail server for outgoing mails there.
+- Additionally, you might want to install and configure [snappymail](https://apps.nextcloud.com/apps/snappymail) or [mail](https://apps.nextcloud.com/apps/mail) inside Nextcloud in order to use your mail accounts for sending and retrieving mails.
+- See https://stalw.art/docs/faq for further faq and docs on the project
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/marcoambrosini/aio-stalwart
+
+### Maintainer
+https://github.com/marcoambrosini

community-containers/stalwart/stalwart.json

@@ -0,0 +1,64 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-stalwart",
+            "display_name": "Stalwart",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart",
+            "image": "marcoambrosini/aio-stalwart",
+            "image_tag": "v1",
+            "internal_port": "587",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "",
+                  "port_number": "25",
+                  "protocol": "tcp"
+                },
+                {
+                  "ip_binding": "",
+                  "port_number": "143",
+                  "protocol": "tcp"
+                },
+                {
+                  "ip_binding": "",
+                  "port_number": "465",
+                  "protocol": "tcp"
+                },
+                {
+                  "ip_binding": "",
+                  "port_number": "587",
+                  "protocol": "tcp"
+                },
+                {
+                  "ip_binding": "",
+                  "port_number": "993",
+                  "protocol": "tcp"
+                },
+                {
+                  "ip_binding": "",
+                  "port_number": "4190",
+                  "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "NC_DOMAIN=%NC_DOMAIN%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_stalwart",
+                    "destination": "/opt/stalwart-mail",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_caddy",
+                    "destination": "/caddy",
+                    "writeable": false
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_stalwart"
+            ]
+        }
+    ]
+}

community-containers/vaultwarden/readme.md

@@ -0,0 +1,16 @@
+## Vaultwarden
+This container bundles vaultwarden and auto-configures it for you.
+
+### Notes
+- You need to configure a reverse proxy in order to run this container since vaultwarden needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy or follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md and https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples. You need to point the reverse proxy at port 8812 of this server.
+- Currently, only `bw.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, vaultwarden will use `bw.your-domain.com`. The reverse proxy and domain must be configured accordingly!
+- If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban
+- The data of Vaultwarden will be automatically included in AIOs backup solution!
+- After adding and starting the container, you need to visit `https://bw.your-domain.com/admin` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-vaultwarden | grep ADMIN_TOKEN`. There you can configure smtp first and then invite users via mail. After this is done, you might disable the admin panel via the reverse proxy by blocking connections to the subdirectory.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/dani-garcia/vaultwarden
+
+### Maintainer
+https://github.com/szaimen

community-containers/vaultwarden/vaultwarden.json

@@ -0,0 +1,48 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-vaultwarden",
+            "display_name": "Vaultwarden",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden",
+            "image": "vaultwarden/server",
+            "image_tag": "alpine",
+            "internal_port": "8812",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "%APACHE_IP_BINDING%",
+                  "port_number": "8812",
+                  "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "ROCKET_PORT=8812",
+                "ADMIN_TOKEN=%VAULTWARDEN_ADMIN_TOKEN%",
+                "DOMAIN=https://bw.%NC_DOMAIN%",
+                "LOG_FILE=/logs/vaultwarden.log",
+                "LOG_LEVEL=warn",
+                "SIGNUPS_VERIFY=true",
+                "SIGNUPS_ALLOWED=false"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_vaultwarden",
+                    "destination": "/data",
+                    "writeable": true
+                },
+                {
+                    "source": "nextcloud_aio_vaultwarden_logs",
+                    "destination": "/logs",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_vaultwarden"
+            ],
+            "secrets": [
+                "VAULTWARDEN_ADMIN_TOKEN"
+            ]
+        }
+    ]
+}

compose.yaml

@@ -1,6 +1,7 @@
 services:
-  nextcloud:
+  nextcloud-aio-mastercontainer:
     image: nextcloud/all-in-one:latest
+    init: true
     restart: always
     container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
     volumes:
@@ -26,10 +27,13 @@ services:
       # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
       # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
       # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # - NEXTCLOUD_KEEP_DISABLED_APPS=false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
       # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
       # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
     # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
       # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
+    # # Uncomment the following line when using SELinux
+    # security_opt: ["label:disable"]
 
   # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
   # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
@@ -45,7 +49,7 @@ services:
   #     - ./sites:/srv
   #   network_mode: "host"
 
-volumes:
+volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
   nextcloud_aio_mastercontainer:
     name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
 

develop.md

@@ -2,6 +2,7 @@
 If you want to switch to the develop channel, you simply stop and delete the mastercontainer and create a new one with a changed tag to develop:
 ```shell
 sudo docker run \
+--init \
 --sig-proxy=false \
 --name nextcloud-aio-mastercontainer \
 --restart always \
@@ -37,3 +38,6 @@ This is documented here: https://github.com/nextcloud-releases/all-in-one/tree/m
 
 1. Verify that no job is running here: https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-beta.yml
 2. Go to https://github.com/nextcloud-releases/all-in-one/actions/workflows/promote-to-latest.yml, click on `Run workflow`.
+
+## How to connect to the database?
+Simply run `sudo docker exec -it nextcloud-aio-database psql -U oc_nextcloud nextcloud_database` and you should be in.

docker-rootless.md

@@ -1,14 +1,17 @@
 # Docker rootless
 
+**Please note:** Due to a bug in Collabora is the Collabora container currently in rootless mode not working. See https://github.com/CollaboraOnline/online/issues/2800. In that case, you need to run a separate Collabora instance on your own if you want to use this feature. The following flag will be useful https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps.
+
 You can run AIO with docker rootless by following the steps below.
 
 0. If docker is already installed, you should consider disabling it first: (`sudo systemctl disable --now docker.service docker.socket`)
 1. Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it **Without packages** (`curl -fsSL https://get.docker.com/rootless | sh`). Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (`systemctl --user enable docker`)
 1. If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
-1. Do not forget to set the mentioned environmental variables and in best case add them to your `~/.bashrc` file as shown!
+1. Do not forget to set the mentioned environmental variables `PATH` and `DOCKER_HOST` and in best case add them to your `~/.bashrc` file as shown!
 1. Also do not forget to run `loginctl enable-linger USERNAME` (and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot.
 1. Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (`sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker`)
-1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly).
+1. Use the official AIO startup command but use `--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro` instead of `--volume /var/run/docker.sock:/var/run/docker.sock:ro` and also add `--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock` to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable `$XDG_RUNTIME_DIR` is not available. In this case, it is necessary to manually add the path (e.g. `/run/user/1000/docker.sock`) to the Docker compose file to replace the `$XDG_RUNTIME_DIR` variable. If you are not sure how to get the path, you can run on the host: `echo $XDG_RUNTIME_DIR`.
+
 1. Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
 
 **Please note:** All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with `sudo chown -R USERNAME:GROUPNAME /mnt/backup`. The same applies when changing Nextcloud's datadir. E.g. `sudo chown -R USERNAME:GROUPNAME /mnt/ncdata`. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid `100032:100032` (if running `grep ^$(whoami): /etc/subuid` as the user that is running the docker daemon returns 100000 as first value). 

manual-install/latest.yml

@@ -17,6 +17,7 @@ services:
         condition: service_started
         required: false
     image: nextcloud/aio-apache:latest
+    init: true
     ports:
       - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/tcp
       - ${APACHE_IP_BINDING}:${APACHE_PORT}:${APACHE_PORT}/udp
@@ -47,6 +48,7 @@ services:
 
   nextcloud-aio-database:
     image: nextcloud/aio-postgresql:latest
+    init: true
     expose:
       - "5432"
     volumes:
@@ -88,8 +90,10 @@ services:
         condition: service_started
         required: false
     image: nextcloud/aio-nextcloud:latest
+    init: true
     expose:
       - "9000"
+      - "9001"
     volumes:
       - nextcloud_aio_nextcloud:/var/www/html:rw
       - ${NEXTCLOUD_DATADIR}:/mnt/ncdata:rw
@@ -137,14 +141,17 @@ services:
       - TALK_RECORDING_ENABLED=${TALK_RECORDING_ENABLED}
       - RECORDING_SECRET=${RECORDING_SECRET}
       - TALK_RECORDING_HOST=nextcloud-aio-talk-recording
+      - FULLTEXTSEARCH_PASSWORD=${FULLTEXTSEARCH_PASSWORD}
+      - REMOVE_DISABLED_APPS=${REMOVE_DISABLED_APPS}
+      - APACHE_PORT=${APACHE_PORT}
+      - APACHE_IP_BINDING=${APACHE_IP_BINDING}
     restart: unless-stopped
     networks:
       - nextcloud-aio
-    tmpfs:
-      - /tmp:exec
 
   nextcloud-aio-notify-push:
     image: nextcloud/aio-notify-push:latest
+    init: true
     expose:
       - "7867"
     volumes:
@@ -165,6 +172,7 @@ services:
 
   nextcloud-aio-redis:
     image: nextcloud/aio-redis:latest
+    init: true
     expose:
       - "6379"
     environment:
@@ -179,6 +187,7 @@ services:
 
   nextcloud-aio-collabora:
     image: nextcloud/aio-collabora:latest
+    init: true
     expose:
       - "9980"
     environment:
@@ -193,9 +202,12 @@ services:
       - collabora
     networks:
       - nextcloud-aio
+    cap_add:
+      - MKNOD
 
   nextcloud-aio-talk:
     image: nextcloud/aio-talk:latest
+    init: true
     ports:
       - ${TALK_PORT}:${TALK_PORT}/tcp
       - ${TALK_PORT}:${TALK_PORT}/udp
@@ -218,12 +230,13 @@ services:
     tmpfs:
       - /var/log/supervisord
       - /var/run/supervisord
+      - /opt/eturnal/run
       - /conf
-      - /var/lib/turn
       - /tmp
 
   nextcloud-aio-talk-recording:
     image: nextcloud/aio-talk-recording:latest
+    init: true
     expose:
       - "1234"
     environment:
@@ -244,6 +257,7 @@ services:
 
   nextcloud-aio-clamav:
     image: nextcloud/aio-clamav:latest
+    init: false
     expose:
       - "3310"
     environment:
@@ -264,6 +278,7 @@ services:
 
   nextcloud-aio-onlyoffice:
     image: nextcloud/aio-onlyoffice:latest
+    init: true
     expose:
       - "80"
     environment:
@@ -281,6 +296,7 @@ services:
 
   nextcloud-aio-imaginary:
     image: nextcloud/aio-imaginary:latest
+    init: true
     expose:
       - "9000"
     environment:
@@ -298,6 +314,7 @@ services:
 
   nextcloud-aio-fulltextsearch:
     image: nextcloud/aio-fulltextsearch:latest
+    init: false
     expose:
       - "9200"
     environment:
@@ -310,6 +327,7 @@ services:
       - http.port=9200
       - xpack.license.self_generated.type=basic
       - xpack.security.enabled=false
+      - FULLTEXTSEARCH_PASSWORD=${FULLTEXTSEARCH_PASSWORD}
     volumes:
       - nextcloud_aio_elasticsearch:/usr/share/elasticsearch/data:rw
     restart: unless-stopped

manual-install/readme.md

@@ -11,6 +11,7 @@ You can run the containers that are build for AIO with docker-compose. This come
 - You lose the AIO interface
 - You lose update notifications and automatic updates
 - You lose all AIO backup and restore features
+- You lose all community containers: https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers
 - **You need to know what you are doing, especially when modifying the compose.yaml file**
 - For updating, you need to strictly follow the at the bottom described update routine
 - Probably more

manual-install/sample.conf

@@ -1,4 +1,5 @@
 DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
+FULLTEXTSEARCH_PASSWORD=          # TODO! This needs to be a unique and good password!
 NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
 NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
 ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
@@ -32,6 +33,7 @@ NEXTCLOUD_MOUNT=/mnt/          # This allows the Nextcloud container to access d
 NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time
 NEXTCLOUD_TRUSTED_CACERTS_DIR=/usr/local/share/ca-certificates/my-custom-ca          # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.
 NEXTCLOUD_UPLOAD_LIMIT=10G          # This allows to change the upload limit of the Nextcloud container
+REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
 TALK_PORT=3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
 IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use

manual-install/update-yaml.sh

@@ -17,9 +17,12 @@ OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].secrets)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].devices)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].backup_volumes)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].nextcloud_exec_commands)')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[].image_tag)')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-watchtower"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-domaincheck"))')"
 OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-borgbackup"))')"
+OUTPUT="$(echo "$OUTPUT" | jq 'del(.services[] | select(.container_name == "nextcloud-aio-docker-socket-proxy"))')"
+OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= if contains(["nextcloud-aio-docker-socket-proxy"]) then del(.[index("nextcloud-aio-docker-socket-proxy")]) else . end else . end')"
 OUTPUT="$(echo "$OUTPUT" | jq '.services[] |= if has("depends_on") then .depends_on |= map({ (.): { "condition": "service_started", "required": false } }) else . end' | jq '.services[] |= if has("depends_on") then .depends_on |= reduce .[] as $item ({}; . + $item) else . end')"
 
 snap install yq
@@ -29,15 +32,14 @@ echo "$OUTPUT" | yq -P > ./manual-install/containers.yml
 cd manual-install || exit
 sed -i "s|'||g" containers.yml
 sed -i '/display_name:/d' containers.yml
+sed -i '/THIS_IS_AIO/d' containers.yml
 sed -i '/stop_grace_period:/s/$/s/' containers.yml
 sed -i '/: \[\]/d' containers.yml
 sed -i 's|- source: |- |' containers.yml
 sed -i 's|- ip_binding: |- |' containers.yml
 sed -i '/AIO_TOKEN/d' containers.yml
 sed -i '/AIO_URL/d' containers.yml
-
-sed -i '/AIO_TOKEN/d' sample.conf
-sed -i '/AIO_URL/d' sample.conf
+sed -i '/DOCKER_SOCKET_PROXY_ENABLED/d' containers.yml
 
 TCP="$(grep -oP '[%A-Z0-9_]+/tcp' containers.yml | sort -u)"
 mapfile -t TCP <<< "$TCP"
@@ -90,6 +92,7 @@ sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp ta
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick        # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value.|' sample.conf
 sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf
+sed -i 's|REMOVE_DISABLED_APPS=|REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.|' sample.conf
 sed -i 's|=$|=          # TODO! This needs to be a unique and good password!|' sample.conf
 echo 'IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use' >> sample.conf