Update index.yaml

Signed-off-by: szaimen <szaimen@users.noreply.github.com>

.github/dependabot.yml

@@ -108,15 +108,6 @@ updates:
   labels:
   - 3. to review
   - dependencies
-- package-ecosystem: "docker"
-  directory: "/Containers/talk-recording"
-  schedule:
-    interval: "daily"
-    time: "12:00"
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies
 - package-ecosystem: "docker"
   directory: "/Containers/watchtower"
   schedule:
@@ -165,21 +156,3 @@ updates:
   labels:
   - 3. to review
   - dependencies
-- package-ecosystem: "docker"
-  directory: "/Containers/notify-push"
-  schedule:
-    interval: "daily"
-    time: "12:00"
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies
-- package-ecosystem: "docker"
-  directory: "/Containers/docker-socket-proxy"
-  schedule:
-    interval: "daily"
-    time: "12:00"
-  open-pull-requests-limit: 10
-  labels:
-  - 3. to review
-  - dependencies

.github/release.yml

@@ -1,14 +0,0 @@
-changelog:
-  categories:
-    - title: 🏕 New features and other improvements
-      labels:
-        - enhancement
-    - title: 🐞 Fixed bugs
-      labels:
-        - bug
-    - title: 👒 Updated dependencies
-      labels:
-        - dependencies
-    - title: 📄 Improved documentation
-      labels:
-        - documentation

.github/workflows/codespell.yml

@@ -1,20 +0,0 @@
-name: 'Codespell'
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-
-jobs:
-  codespell:
-    name: Check spelling
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Check spelling
-        uses: codespell-project/actions-codespell@v2
-        with:
-          check_filenames: true
-          check_hidden: true

.github/workflows/command-rebase.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Add reaction on start
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@v2
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           repository: ${{ github.event.repository.full_name }}
@@ -31,18 +31,18 @@ jobs:
           reaction-type: "+1"
 
       - name: Checkout the latest code
-        uses: actions/checkout@v4 # v3.5.2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           token: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Automatic Rebase
-        uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8
+        uses: cirrus-actions/rebase@1.8
         env:
           GITHUB_TOKEN: ${{ secrets.COMMAND_BOT_PAT }}
 
       - name: Add reaction on failure
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        uses: peter-evans/create-or-update-comment@v2
         if: failure()
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}

.github/workflows/community-containers.yml

@@ -1,37 +0,0 @@
-name: Validate community containers
-
-on:
-  pull_request:
-    paths:
-      - 'community-containers/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'community-containers/**'
-
-jobs:
-  validator-community-containers:
-    name: Validate community containers
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Validate structure
-        run: |
-          CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
-          mapfile -t CONTAINERS <<< "$CONTAINERS"
-          for container in "${CONTAINERS[@]}"; do
-            container="$(echo "$container" | sed 's|./community-containers/||')"
-            if ! [ -f ./community-containers/"$container"/"$container.json" ]; then
-                echo ".json file must be named like its parent folder $container"
-                FAIL=1
-            fi
-            if ! [ -f ./community-containers/"$container"/readme.md ]; then
-                echo "There must be a readme.md file in the folder!"
-                FAIL=1
-            fi
-            if [ -n "$FAIL" ]; then
-                exit 1
-            fi
-          done

.github/workflows/create-psalm-container.yml

@@ -0,0 +1,54 @@
+name: Create Psalm Container
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '5 4 * * *'
+
+jobs:
+  push_to_registry:
+    runs-on: ubuntu-latest
+
+    name: Create Psalm Container
+
+    permissions:
+      packages: write
+      contents: read
+
+    steps:
+      - name: Check out the repo
+        run: |
+          git clone https://github.com/psalm/psalm-github-actions.git
+      
+      - name: Modify the Dockerfile
+        run: |
+          set -x
+          sed -i 's|FROM php:7.4-alpine|FROM php:8.1-alpine|' "psalm-github-actions/Dockerfile"
+          cat << APCU >> "psalm-github-actions/Dockerfile"
+          RUN mkdir -p /usr/src/php/ext/apcu && \
+            curl -fsSL https://pecl.php.net/get/apcu | tar xvz -C "/usr/src/php/ext/apcu" --strip 1 && \
+            docker-php-ext-install apcu
+          APCU
+
+      - name: Log in to GitHub Docker Registry
+        uses: docker/login-action@v2
+        with:
+          registry: docker.pkg.github.com
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container image
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: 'psalm-github-actions'
+          file: 'psalm-github-actions/Dockerfile'
+          tags: |
+            ghcr.io/nextcloud/all-in-one-psalm:latest

.github/workflows/dependency-updates.yml

@@ -10,27 +10,26 @@ jobs:
     name: Run dependency update script
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.2
+        php-version: 8.1
         extensions: apcu
     - name: Run dependency update script
       run: |
         set -x
         cd ./php
-        composer update --with-all-dependencies
-        # Disable dependency updates for now
-        # set +e
-        # ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
-        # set -e
-        # while [ -n "$ALL_LINES" ]; do
-        #   CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
-        #   composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
-        #   ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
-        # done
-        # echo "outdated dependencies:
-        # $(composer outdated)"
+        composer update
+        set +e
+        ALL_LINES="$(composer outdated | grep -v "^$\|Direct dependencies\|Everything up to date\|Transitive dependencies")"
+        set -e
+        while [ -n "$ALL_LINES" ]; do
+          CURRENT_LINE="$(echo "$ALL_LINES" | head -1)"
+          composer require "$(echo "$CURRENT_LINE" | awk '{print $1}')" "^$(echo "$CURRENT_LINE" | awk '{print $4}')" --with-all-dependencies
+          ALL_LINES="$(echo "$ALL_LINES" | sed '1d')"
+        done
+        echo "outdated dependencies:
+        $(composer outdated)"
     - name: Update apcu
       run: |
         # APCU
@@ -44,12 +43,12 @@ jobs:
         )"
         sed -i "s|pecl install APCu.*\;|pecl install APCu-$apcu_version\;|" ./Containers/mastercontainer/Dockerfile
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v6
+      uses: peter-evans/create-pull-request@v4
       with:
-        commit-message: php dependency updates
+        commit-message: dependency updates
         signoff: true
-        title: PHP dependency updates
-        body: Automated php dependency updates since dependabot does not support grouped updates
-        labels: dependencies, 3. to review
+        title: Dependency updates
+        body: Automated dependency updates since dependabot does not support grouped updates
+        labels: dependencies, enhancement
         milestone: next
         branch: aio-dependency-update

.github/workflows/docker-lint.yml

@@ -1,46 +0,0 @@
-name: Docker Lint
-
-on:
-  pull_request:
-    paths:
-      - 'Containers/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'Containers/**'
-
-permissions:
-  contents: read
-
-concurrency: 
-  group: docker-lint-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  docker-lint:
-    runs-on: ubuntu-latest
-
-    name: docker-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install hadolint
-        run: |
-          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
-          sudo chmod +x /usr/bin/hadolint
-
-      - name: run lint
-        run: |
-          DOCKERFILES="$(find ./Containers -name Dockerfile)"
-          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
-          for file in "${DOCKERFILES[@]}"; do
-            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
-            # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
-            hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
-          done
-          if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
-            exit 1
-          fi

.github/workflows/helm-release.yml

@@ -6,14 +6,14 @@ on:
     branches:
       - main
     paths:
-      - 'nextcloud-aio-helm-chart/**'
+      - 'helm-chart/**'
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
 
       - name: Turnstyle
         uses: softprops/turnstyle@v1
@@ -32,15 +32,17 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@v3.5
+        uses: azure/setup-helm@v3.1
         with:
           version: v3.6.3
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        # TODO: switch back @main to a specific version like @v1.5.1 or higher
+        uses: helm/chart-releaser-action@main
         with:
+          charts_repo_url: https://nextcloud.github.io/all-in-one
+          charts_dir: helm-chart
           mark_as_latest: false
-          charts_dir: .
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"

.github/workflows/imaginary-update.yml

@@ -1,33 +0,0 @@
-name: imaginary-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  run_update:
-    name: update to latest imaginary commit on master branch
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Run imaginary-update
-      run: |
-        # Imaginary
-        imaginary_version="$(
-          git ls-remote https://github.com/h2non/imaginary master \
-            | cut -f1 \
-            | tail -1
-        )"
-        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v6
-      with:
-        commit-message: imaginary-update automated change
-        signoff: true
-        title: Imaginary update
-        body: Automated Imaginary container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: imaginary-container-update

.github/workflows/json-validator.yml

@@ -2,34 +2,19 @@ name: Json Validator
 
 on:
   pull_request:
-    paths:
-      - '**.json'
   push:
     branches:
       - main
-    paths:
-      - '**.json'
 
 jobs:
-  json-validator:
+  psalm:
     name: Json Validator
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: Validate Json
         run: |
-          sudo apt-get update
-          sudo apt-get install python3-pip -y --no-install-recommends
+          sudo apt install python3-pip --no-install-recommends
           sudo pip3 install json-spec
-          if ! json validate --schema-file=php/containers-schema.json --document-file=php/containers.json; then
-            exit 1
-          fi
-          JSON_FILES="$(find ./community-containers -name '*.json')"
-          mapfile -t JSON_FILES <<< "$JSON_FILES"
-          for file in "${JSON_FILES[@]}"; do
-            json validate --schema-file=php/containers-schema.json --document-file="$file" 2>&1 | tee -a ./json-validator.log
-          done
-          if grep -q "document does not validate with schema." ./json-validator.log; then
-            exit 1
-          fi
+          json validate --schema-file=php/containers-schema.json --document-file=php/containers.json

.github/workflows/lint-helm.yml

@@ -1,35 +0,0 @@
-name: Lint and Test Charts
-
-on:
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - 'nextcloud-aio-helm-chart/**'
-
-jobs:
-  lint-helm:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3.5
-        with:
-          version: v3.11.1
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
-
-      - name: Run chart-testing (lint)
-        id: lint
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.8.0
-
-      - name: Run chart-testing (install)
-        id: install
-        run: ct install --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart

.github/workflows/lint-php.yml

@@ -3,22 +3,18 @@
 # https://github.com/nextcloud/.github
 # https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
 
-name: Lint php
+name: Lint
 
 on:
   pull_request:
-    paths:
-      - 'php/**'
   push:
     branches:
       - main
-    paths:
-      - 'php/**'
 
 permissions:
   contents: read
 
-concurrency:
+concurrency: 
   group: lint-php-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
@@ -27,27 +23,24 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: [ "8.2" ]
+        php-versions: ["8.1"]
 
     name: php-lint
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4 # v3.5.2
+        uses: actions/checkout@v3
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
+        uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none
-          ini-file: development
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint
         run: cd php && composer run lint
 
-  php-lint-summary:
+  summary:
     permissions:
       contents: none
     runs-on: ubuntu-latest

.github/workflows/lock-threads.yml

@@ -14,7 +14,7 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@v4
         with: 
           issue-inactive-days: '14'
           process-only: 'issues'

.github/workflows/nextcloud-update.yml

@@ -11,7 +11,7 @@ jobs:
     name: Run nextcloud-update script
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Run nextcloud-update script
       run: |
         # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
@@ -63,17 +63,15 @@ jobs:
         # Nextcloud
         NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
         NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
-        if [ -n "$NCVERSION" ]; then
-          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
-        fi
+        sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v6
+      uses: peter-evans/create-pull-request@v4
       with:
         commit-message: nextcloud-update automated change
         signoff: true
-        title: Nextcloud dependency update
+        title: Nextcloud update
         body: Automated Nextcloud container update
-        labels: dependencies, 3. to review
+        labels: dependencies, enhancement
         milestone: next
         branch: nextcloud-container-update

.github/workflows/php-deprecation-detector.yml

@@ -3,24 +3,20 @@ name: PHP Deprecation Detector
 
 on:
   pull_request:
-    paths:
-      - 'php/**'
   push:
     branches:
       - main
-    paths:
-      - 'php/**'
 
 jobs:
-  phpdd:
+  psalm:
     name: PHP Deprecation Detector
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up php8.2
+      - uses: actions/checkout@v3
+      - name: Set up php8.1
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.1
           extensions: apcu
           coverage: none
 

.github/workflows/psalm-analysis.yml

@@ -0,0 +1,28 @@
+name: Psalm Analysis
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up php8.1
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.1
+          extensions: apcu
+          coverage: none
+
+      - name: Run script
+        run: |
+          set -x
+          cd php
+          composer global require vimeo/psalm --prefer-dist --no-progress --dev
+          composer install
+          composer run psalm

.github/workflows/psalm-security.yml

@@ -0,0 +1,25 @@
+name: Psalm Security Analysis
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  psalm:
+    name: Psalm
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Psalm
+        uses: docker://ghcr.io/nextcloud/all-in-one-psalm
+        with:
+          relative_dir: php
+          security_analysis: true
+          composer_ignore_platform_reqs: false
+          report_file: results.sarif
+      - name: Upload Security Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: php/results.sarif

.github/workflows/psalm-update-baseline.yml

@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
 
-      - name: Set up php8.2
+      - name: Set up php8.1
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.1
           extensions: apcu
           coverage: none
 
@@ -31,7 +31,7 @@ jobs:
         continue-on-error: true
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v4
         with:
           token: ${{ secrets.COMMAND_BOT_PAT }}
           commit-message: Update psalm baseline
@@ -39,9 +39,10 @@ jobs:
           author: nextcloud-command <nextcloud-command@users.noreply.github.com>
           signoff: true
           branch: automated/noid/psalm-baseline-update
+          # Make sure we can open multiple PRs
+          branch-suffix: timestamp
           title: '[Automated] Update psalm-baseline.xml'
-          milestone: next
           body: |
             Auto-generated update psalm-baseline.xml with fixed psalm warnings
           labels: |
-            3. to review, dependencies
+            3. to review

.github/workflows/psalm.yml

@@ -1,47 +0,0 @@
-# This workflow is provided via the organization template repository
-#
-# https://github.com/nextcloud/.github
-# https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
-
-name: Static analysis
-
-on:
-  pull_request:
-    paths:
-      - 'php/**'
-  push:
-    branches:
-      - main
-    paths:
-      - 'php/**'
-
-concurrency:
-  group: psalm-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  static-analysis:
-    runs-on: ubuntu-latest
-
-    name: Nextcloud
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4 # v3.5.2
-
-      - name: Set up php
-        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
-        with:
-          php-version: 8.2
-          extensions: apcu
-          coverage: none
-          ini-file: development
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install dependencies and run psalm
-        run: |
-          set -x
-          cd php
-          composer global require vimeo/psalm --prefer-dist --no-progress --dev
-          composer install
-          composer run psalm

.github/workflows/shellcheck.yml

@@ -2,20 +2,16 @@ name: Shellcheck
 
 on:
   pull_request:
-    paths:
-      - '**.sh'
   push:
     branches:
       - main
-    paths:
-      - '**.sh'
 
 jobs:
   shellcheck:
     name: Check Shell
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
     - name: Run Shellcheck
       uses: ludeeus/action-shellcheck@2.0.0
       with:

.github/workflows/spellcheck.yml

@@ -0,0 +1,23 @@
+name: 'Spellcheck'
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  spellcheck:
+    name: Check spelling
+    runs-on: ubuntu-latest
+    steps:
+      - name: spelling or typos
+        uses: actions/checkout@v3
+      - name: fix permission for reviewdog
+        run: sudo chown -R root:root $GITHUB_WORKSPACE
+      - name: misspell
+        uses: reviewdog/action-misspell@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          locale: "US"
+          fail_on_error: true

.github/workflows/talk.yml

@@ -1,56 +0,0 @@
-name: talk-update
-
-on:
-  workflow_dispatch:
-  schedule:
-  - cron:  '00 12 * * *'
-
-jobs:
-  talk-update:
-    name: update talk
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Run talk-container-update
-      run: |
-        # Recording
-        recording_version="$(
-          git ls-remote https://github.com/nextcloud/nextcloud-talk-recording v* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9\.]+$" \
-            | tail -1
-        )"
-        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $recording_version|" ./Containers/talk-recording/Dockerfile
-        curl -L "https://raw.githubusercontent.com/nextcloud/nextcloud-talk-recording/$recording_version/server.conf.in" -o Containers/talk-recording/recording.conf
-        
-        # Signaling
-        signaling_version="$(
-          git ls-remote https://github.com/strukturag/nextcloud-spreed-signaling v*.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        curl -L "https://raw.githubusercontent.com/strukturag/nextcloud-spreed-signaling/$signaling_version/server.conf.in" -o Containers/talk/server.conf.in
-        
-        # Janus
-        janus_version="$(
-          git ls-remote https://github.com/meetecho/janus-gateway v0.*.* \
-            | cut -d/ -f3 \
-            | sort -V \
-            | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
-            | tail -1
-        )"
-        sed -i "s|^ARG JANUS_VERSION=.*$|ARG JANUS_VERSION=$janus_version|" ./Containers/talk/Dockerfile
-        
-    - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v6
-      with:
-        commit-message: talk-update automated change
-        signoff: true
-        title: talk container update
-        body: Automated talk container update
-        labels: dependencies, 3. to review
-        milestone: next
-        branch: talk-container-update

.github/workflows/twig-lint.yml

@@ -1,42 +0,0 @@
-name: Twig Lint
-
-on:
-  pull_request:
-    paths:
-      - '**.twig'
-  push:
-    branches:
-      - main
-    paths:
-      - '**.twig'
-
-permissions:
-  contents: read
-
-concurrency: 
-  group: lint-twig-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  twig-lint:
-    runs-on: ubuntu-latest
-    name: twig-lint
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: 8.2
-          extensions: apcu
-          coverage: none
-
-      - name: twig lint
-        run: |
-          cd php
-          composer require sserbin/twig-linter:@dev --no-progress --dev
-          composer install
-          chmod +x ./vendor/bin/twig-linter
-          ./vendor/bin/twig-linter lint ./templates

.github/workflows/update-helm.yml

@@ -6,28 +6,28 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  update-helm:
+  psalm:
     name: update helm chart
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: update helm chart
         run: |
           DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20' | sort -r | head -1)"
           DOCKER_TAG="${DOCKER_TAG%%-latest*}"
           export DOCKER_TAG
-          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
-            sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"
+          if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
+            sudo bash helm-chart/update-helm.sh "$DOCKER_TAG"
           fi
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v4
         with:
           commit-message: Helm Chart updates
           signoff: true
           title: Helm Chart updates
           body: Automated Helm Chart updates for the yaml files. It can be merged if it looks good at any time which will automatically trigger a new release of the helm chart.
-          labels: dependencies, 3. to review
+          labels: dependencies
           milestone: next
           branch: aio-helm-update
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-yaml.yml

@@ -6,23 +6,23 @@ on:
   - cron:  '00 12 * * *'
 
 jobs:
-  update-yaml:
+  psalm:
     name: update yaml files
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
       - name: update yaml files
         run: |
           sudo bash manual-install/update-yaml.sh
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v4
         with:
           commit-message: Yaml updates
           signoff: true
           title: Yaml updates
           body: Automated yaml updates for the docker-compose files. Should only be merged shortly before the next latest release.
-          labels: dependencies, 3. to review
+          labels: dependencies
           milestone: next
           branch: aio-yaml-update
           token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -6,5 +6,4 @@
 /manual-install/*.conf
 !/manual-install/sample.conf
 /manual-install/docker-compose.yml
-/manual-install/compose.yaml
 /manual-install/.env

Containers/apache/Caddyfile

@@ -5,33 +5,44 @@
         root /mnt/data/caddy
     }
 
-    servers {
-        # trusted_proxies placeholder
-    }
-
     log {
         level ERROR
     }
 }
 
-https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
 {$PROTOCOL}://{$NC_DOMAIN}:{$APACHE_PORT} {
 
-    # Collabora
-    route /browser/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-    route /hosting/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-    route /cool/* {
-        reverse_proxy {$COLLABORA_HOST}:9980
-    }
-
     # Notify Push
     route /push/* {
         uri strip_prefix /push
-        reverse_proxy {$NOTIFY_PUSH_HOST}:7867
+        reverse_proxy {$NEXTCLOUD_HOST}:7867 {
+            # trusted_proxies placeholder
+        }
+    }
+
+    # Talk
+    route /standalone-signaling/* {
+        uri strip_prefix /standalone-signaling
+        reverse_proxy {$TALK_HOST}:8081 {
+            # trusted_proxies placeholder
+        }
+    }
+
+    # Collabora
+    route /browser/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
+    }
+    route /hosting/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
+    }
+    route /cool/* {
+        reverse_proxy {$COLLABORA_HOST}:9980 {
+            # trusted_proxies placeholder
+        }
     }
 
     # Onlyoffice
@@ -40,24 +51,19 @@ https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
         reverse_proxy {$ONLYOFFICE_HOST}:80 {
             header_up X-Forwarded-Host {http.request.host}/onlyoffice
             header_up X-Forwarded-Proto https
+            # trusted_proxies placeholder
         }
     }
 
-    # Talk
-    route /standalone-signaling/* {
-        uri strip_prefix /standalone-signaling
-        reverse_proxy {$TALK_HOST}:8081
-    }
-
-    # Others
-    import /mnt/data/caddy-imports/*
-
     # Nextcloud
     route {
         rewrite /.well-known/carddav /remote.php/dav
         rewrite /.well-known/caldav /remote.php/dav
         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000
+        reverse_proxy localhost:8000 {
+            # See https://github.com/nextcloud/all-in-one/issues/828
+            # trusted_proxies placeholder
+        }
     }
 
     # TLS options

Containers/apache/Dockerfile

@@ -1,16 +1,7 @@
-FROM caddy:2.7.6-alpine as caddy
+# Caddy is a requirement
+FROM caddy:2.6.4-alpine as caddy
 
-FROM httpd:2.4.58-alpine3.19
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
-
-COPY --chown=33:33 Caddyfile /Caddyfile
-COPY --chmod=664 nextcloud.conf /usr/local/apache2/conf/nextcloud.conf
-COPY --chmod=664 supervisord.conf /supervisord.conf
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-VOLUME /mnt/data
+FROM httpd:2.4.56-alpine3.17
 
 RUN set -ex; \
     apk add --no-cache shadow; \
@@ -18,72 +9,77 @@ RUN set -ex; \
     usermod -u 333 -g 333 xfs; \
     groupmod -g 33 www-data; \
     usermod -u 33 -g 33 www-data; \
-    apk del --no-cache shadow; \
-    \
-    mkdir -p /mnt/data; \
-    chown -R www-data:www-data /mnt/data; \
-    chown -R 777 /tmp; \
-    \
+    apk del --no-cache shadow
+
+RUN mkdir -p /mnt/data; \
+    chown www-data:www-data /mnt/data;
+
+VOLUME /mnt/data
+
+RUN set -ex; \
     apk add --no-cache \
         bash \
         supervisor \
+        wget \
         tzdata \
         ca-certificates \
         openssl \
-        bind-tools \
-        netcat-openbsd; \
-    \
-    sed -i \
-            -e '/^Listen /d' \
-            -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
-            -e 's/^#\(LoadModule .*mod_brotli.so\)/\1/' \
-            -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
-            -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
-        /usr/local/apache2/conf/httpd.conf; \
-    echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
-    echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
-# Sync this with max db connections and pm.max_children
-# We don't actually expect so many workers but don't want to limit it artificially because people will report issues otherwise.
-    sed -i 's|MaxRequestWorkers.*|MaxRequestWorkers 5000|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-# ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
-    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
-    \
-    rm -rf /usr/local/apache2/conf/original /var/www; \
-    mkdir -p /var/www; \
-    chown -R www-data:www-data /var/www; \
-    \
-    mkdir /var/log/supervisord; \
+        netcat-openbsd
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/
+RUN chmod +x /usr/bin/caddy
+
+RUN sed -i \
+                -e '/^Listen /d' \
+                -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_headers.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_proxy.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_proxy_fcgi.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_setenvif.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_env.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_mime.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_dir.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_authz_core.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_alias.so\)/\1/' \
+                -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
+                -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
+                -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
+                conf/httpd.conf; \
+		echo "Include conf/nextcloud.conf" | tee -a conf/httpd.conf; \
+                echo "ServerName localhost" | tee -a conf/httpd.conf
+		
+COPY nextcloud.conf conf
+
+RUN set -ex; \
+    rm -rf conf/original conf/original && \
+    rm -rf /var/www/html/* && \
+    mkdir /var/www && \
+    chown -R www-data:www-data /var/www;
+
+RUN mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord; \
     chown www-data:www-data /var/run/supervisord; \
-    chown www-data:www-data /var/log/supervisord; \
-    chmod 777 /var/run/supervisord; \
-    chmod 777 /var/log/supervisord; \
-    \
+    chown www-data:www-data /var/log/supervisord;
+
+COPY Caddyfile /
+
+COPY start.sh /usr/bin/
+COPY healthcheck.sh /usr/bin/
+COPY supervisord.conf /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /usr/bin/healthcheck.sh; \
+    chmod +r /supervisord.conf; \
+    chown www-data:www-data /Caddyfile; \
     chown -R www-data:www-data /usr/local/apache2; \
-    chmod +r -R /usr/local/apache2; \
-    mkdir -p /usr/local/apache2/logs; \
-    chmod 777 -R /home/www-data; \
-    chmod 777 -R /usr/local/apache2/logs; \
-    rm -rf /usr/local/apache2/cgi-bin/; \
-    \
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    chmod +r -R /usr/local/apache2
+
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER www-data
 
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
 CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+HEALTHCHECK CMD healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/apache/healthcheck.sh

@@ -2,8 +2,8 @@
 
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
 nc -z localhost 8000 || exit 1
-nc -z localhost "$APACHE_PORT" || exit 1
-if ! nc -z "$NC_DOMAIN" 443; then
-    echo "Could not reach $NC_DOMAIN on port 443."
-    exit 1
+if [ "$APACHE_PORT" != '443' ]; then
+    nc -z localhost "$APACHE_PORT" || exit 1
+else
+    nc -z "$NC_DOMAIN" "$APACHE_PORT" || exit 1
 fi

Containers/apache/nextcloud.conf

@@ -3,23 +3,13 @@ Listen 8000
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    CustomLog /proc/self/fd/1 combined
     ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
     </FilesMatch>
-
-    # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
-    <IfModule mod_brotli.c>
-        AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
-        BrotliCompressionQuality 0
-    </IfModule>
-
     # Nextcloud dir
     DocumentRoot /var/www/html/
     <Directory /var/www/html/>
@@ -49,7 +39,4 @@ Listen 8000
 
     # See https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxytimeout
     ProxyTimeout ${APACHE_MAX_TIME}
-
-    # See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
-    TraceEnable Off
 </VirtualHost>

Containers/apache/start.sh

@@ -17,12 +17,6 @@ while ! nc -z "$NEXTCLOUD_HOST" 9000; do
     sleep 5
 done
 
-# Get ipv4-address of Apache
-IPv4_ADDRESS="$(dig nextcloud-aio-apache A +short +search | head -1)"
-# Bring it in CIDR notation
-# shellcheck disable=SC2001
-IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|1/32|')"
-
 if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
@@ -41,37 +35,22 @@ if [ "$APACHE_PORT" != '443' ]; then
 else
     CADDYFILE="$(sed 's|auto_https.*|auto_https disable_redirects|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /tmp/Caddyfile
+echo "$CADDYFILE" > /Caddyfile
 
 # Change the trusted_proxies in case of reverse proxies
 if [ "$APACHE_PORT" != '443' ]; then
-    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies static private_ranges|' /tmp/Caddyfile)"
+    CADDYFILE="$(sed 's|# trusted_proxies placeholder|trusted_proxies private_ranges|' /Caddyfile)"
 else
-    CADDYFILE="$(sed "s|# trusted_proxies placeholder|trusted_proxies static $IPv4_ADDRESS|" /tmp/Caddyfile)"
+    CADDYFILE="$(sed 's|trusted_proxies private_ranges|# trusted_proxies placeholder|' /Caddyfile)"
 fi
-echo "$CADDYFILE" > /tmp/Caddyfile
-
-# Remove additional domain if not given
-if [ -z "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
-    CADDYFILE="$(sed '/ADDITIONAL_TRUSTED_DOMAIN/d' /tmp/Caddyfile)"
-fi
-echo "$CADDYFILE" > /tmp/Caddyfile
+echo "$CADDYFILE" > /Caddyfile
 
 # Fix the Caddyfile format
-caddy fmt --overwrite /tmp/Caddyfile
+caddy fmt --overwrite /Caddyfile
 
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 
-# Add caddy import path
-mkdir -p /mnt/data/caddy-imports
-
-# Remove falsely added Nextcloud conf
-rm -f /mnt/data/caddy-imports/nextcloud
-
-# Make sure that the caddy-imports dir is not empty
-echo "# empty file so that caddy does not print a warning" > /mnt/data/caddy-imports/empty
-
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid
 

Containers/apache/supervisord.conf

@@ -20,4 +20,4 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/usr/bin/caddy run --config /tmp/Caddyfile
+command=/usr/bin/caddy run --config /Caddyfile

Containers/borgbackup/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.19.1
+FROM alpine:3.17.2
 
 RUN set -ex; \
     \
@@ -13,11 +13,11 @@ RUN set -ex; \
 
 VOLUME /root
 
-COPY --chmod=770 *.sh /
+COPY start.sh /usr/bin/
+COPY backupscript.sh /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /backupscript.sh
 
-ENTRYPOINT ["/start.sh"]
-# hadolint ignore=DL3002
 USER root
-
-LABEL com.centurylinklabs.watchtower.enable="false"
-ENV BORG_RETENTION_POLICY="--keep-within=7d --keep-weekly=4 --keep-monthly=6"
+ENTRYPOINT ["start.sh"]
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/borgbackup/backupscript.sh

@@ -24,30 +24,22 @@ for directory in "${VOLUME_DIRS[@]}"; do
         exit 1
     fi
 done
-# Test if default volumes are there
-DEFAULT_VOLUMES=(nextcloud_aio_apache nextcloud_aio_nextcloud nextcloud_aio_database nextcloud_aio_database_dump nextcloud_aio_elasticsearch nextcloud_aio_nextcloud_data nextcloud_aio_mastercontainer)
-for volume in "${DEFAULT_VOLUMES[@]}"; do
-    if ! mountpoint -q "/nextcloud_aio_volumes/$volume"; then
-        echo "$volume is missing which is not intended."
-        exit 1
-    fi
-done
 
 # Check if target is mountpoint
 if ! mountpoint -q /mnt/borgbackup; then
-    echo "/mnt/borgbackup is not a mountpoint which is not allowed."
+    echo "/mnt/borgbackup is not a mountpoint which is not allowed"
     exit 1
 fi
 
 # Check if target is empty
 if [ "$BORG_MODE" != backup ] && [ "$BORG_MODE" != test ] && ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
-    echo "The repository is empty. Cannot perform check or restore."
+    echo "The repository is empty. cannot perform check or restore."
     exit 1
 fi
 
 # Do not continue if this file exists (needed for simple external blocking)
 if [ -f "$BORG_BACKUP_DIRECTORY/aio-lockfile" ]; then
-    echo "Not continuing because aio-lockfile exists – it seems like a script is externally running which is locking the backup archive."
+    echo "Not continuing because aio-lockfile exists - it seems like a script is externally running which is locking the backup archive."
     echo "If this should not be the case, you can fix this by deleting the 'aio-lockfile' file from the backup archive directory."
     exit 1
 fi
@@ -65,38 +57,25 @@ if [ "$BORG_MODE" = backup ]; then
         echo "configuration.json not present. Cannot perform the backup!"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/config/config.php" ]; then
-        echo "config.php is missing. Cannot perform backup!"
+        echo "config.php is missing cannot perform backup"
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
-        echo "database-dump is missing. Cannot perform backup!"
-        echo "Please check the database container logs!"
-        exit 1
-    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.ocdata" ]; then
-        echo "The .ocdata file is missing in Nextcloud datadir which means it is invalid!"
-        echo "Is the drive where the datadir is located on still mounted?"
+        echo "database-dump is missing. cannot perform backup"
         exit 1
     fi
 
-    # Test that default volumes are not empty
-    for volume in "${DEFAULT_VOLUMES[@]}"; do
-        if [ -z "$(ls -A "/nextcloud_aio_volumes/$volume")" ] && [ "$volume" != "nextcloud_aio_elasticsearch" ]; then
-            echo "/nextcloud_aio_volumes/$volume is empty which should not happen!"
+    # Test that nothing is empty
+    for directory in "${VOLUME_DIRS[@]}"; do
+        if [ -z "$(ls -A "$directory")" ] && [ "$directory" != "/nextcloud_aio_volumes/nextcloud_aio_elasticsearch" ]; then
+            echo "$directory is empty which is not allowed."
             exit 1
         fi
     done
 
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/export.failed" ]; then
+        echo "Database export failed the last time. Most likely was the export time not high enough."
         echo "Cannot create a backup now."
-        echo "Reason is that the database export failed the last time."
-        echo "Most likely was the database container not correctly shut down via the AIO interface."
-        echo ""
-        echo "You might want to try the database export again manually by running the three commands:"
-        echo "sudo docker start nextcloud-aio-database"
-        echo "sleep 10"
-        echo "sudo docker stop nextcloud-aio-database -t 1800"
-        echo ""
-        echo "Afterwards try to create a backup again and it should hopefully work."
-        echo "If it should still fail, feel free to report this to https://github.com/nextcloud/all-in-one/issues and post the database container logs and the borgbackup container logs into the thread. Thanks!"
+        echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
@@ -107,14 +86,13 @@ if [ "$BORG_MODE" = backup ]; then
     if ! [ -f "$BORG_BACKUP_DIRECTORY/config" ]; then
         # Don't initialize if already initialized
         if [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-            echo "No borg config file was found in the targeted directory."
-            echo "This might happen if the targeted directory is located on an external drive and the drive not connected anymore. You should check this."
-            echo "If you instead want to initialize a new backup repository, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
+            echo "Cannot initialize a new repository as that was already done at least one time."
+            echo "If you still want to do so, you may delete the 'borg.config' file that is stored in the mastercontainer volume manually, which will allow you to initialize a new borg repository in the chosen directory:"
             echo "sudo docker exec nextcloud-aio-mastercontainer rm /mnt/docker-aio-config/data/borg.config"
             exit 1
         fi
 
-        echo "Initializing repository..."
+        echo "initializing repository..."
         NEW_REPOSITORY=1
         if ! borg init --debug --encryption=repokey-blake2 "$BORG_BACKUP_DIRECTORY"; then
             echo "Could not initialize borg repository."
@@ -149,21 +127,11 @@ if [ "$BORG_MODE" = backup ]; then
     # Borg options
     # auto,zstd compression seems to has the best ratio based on:
     # https://forum.level1techs.com/t/optimal-compression-for-borg-backups/145870/6
-    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches)
-    if [ "$NEW_REPOSITORY" = 1 ]; then
-        BORG_OPTS+=(--progress)
-    fi
+    BORG_OPTS=(-v --stats --compression "auto,zstd" --exclude-caches --checkpoint-interval 86400)
 
     # Exclude the nextcloud log and audit log for GDPR reasons
     BORG_EXCLUDE=(--exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/nextcloud.log*" --exclude "/nextcloud_aio_volumes/nextcloud_aio_nextcloud/data/audit.log")
 
-    # Make sure that there is always a borg.config file before creating a new backup
-    if ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config" ]; then
-        echo "Did not find borg.config file in the mastercontainer volume."
-        echo "Cannot create a backup as this is wrong."
-        exit 1
-    fi
-
     # Create the backup
     echo "Starting the backup..."
     get_start_time
@@ -171,7 +139,6 @@ if [ "$BORG_MODE" = backup ]; then
         echo "Deleting the failed backup archive..."
         borg delete --stats "$BORG_BACKUP_DIRECTORY::$CURRENT_DATE-nextcloud-aio"
         echo "Backup failed!"
-        echo "You might want to check the backup integrity via the AIO interface."
         if [ "$NEW_REPOSITORY" = 1 ]; then
             echo "Deleting borg.config file so that you can choose a different location for the backup."
             rm "/nextcloud_aio_volumes/nextcloud_aio_mastercontainer/data/borg.config"
@@ -183,12 +150,11 @@ if [ "$BORG_MODE" = backup ]; then
     rm -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
 
     # Prune options
-    read -ra BORG_PRUNE_OPTS <<< "$BORG_RETENTION_POLICY"
-    echo "BORG_PRUNE_OPTS are ${BORG_PRUNE_OPTS[*]}"
+    BORG_PRUNE_OPTS=(--stats --keep-within=7d --keep-weekly=4 --keep-monthly=6 "$BORG_BACKUP_DIRECTORY")
 
     # Prune archives
     echo "Pruning the archives..."
-    if ! borg prune --stats --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
+    if ! borg prune --glob-archives '*_*-nextcloud-aio' "${BORG_PRUNE_OPTS[@]}"; then
         echo "Failed to prune archives!"
         exit 1
     fi
@@ -219,13 +185,13 @@ if [ "$BORG_MODE" = backup ]; then
                 exit 1
             fi
             echo "Pruning additional volumes..."
-            if ! borg prune --stats --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
+            if ! borg prune --glob-archives '*_*-additional-docker-volumes' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional docker-volumes archives!"
                 exit 1
             fi
             echo "Compacting additional volumes..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact additional docker-volume archives!"
+                echo "Failed to compact archives!"
                 exit 1
             fi
         fi
@@ -249,13 +215,13 @@ if [ "$BORG_MODE" = backup ]; then
                 exit 1
             fi
             echo "Pruning additional host mounts..."
-            if ! borg prune --stats --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}" "$BORG_BACKUP_DIRECTORY"; then
+            if ! borg prune --glob-archives '*_*-additional-host-mounts' "${BORG_PRUNE_OPTS[@]}"; then
                 echo "Failed to prune additional host-mount archives!"
                 exit 1
             fi
             echo "Compacting additional host mounts..."
             if ! borg compact "$BORG_BACKUP_DIRECTORY"; then
-                echo "Failed to compact additional host-mount archives!"
+                echo "Failed to compact archives!"
                 exit 1
             fi
         fi
@@ -263,7 +229,7 @@ if [ "$BORG_MODE" = backup ]; then
 
     # Inform user
     get_expiration_time
-    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Backup finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     if [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/update.failed" ]; then
         echo "However a Nextcloud update failed. So reporting that the backup failed which will skip any update attempt the next time."
         echo "Please restore a backup from before the failed Nextcloud update attempt."
@@ -310,7 +276,7 @@ if [ "$BORG_MODE" = restore ]; then
     --exclude "nextcloud_aio_mastercontainer/data/daily_backup_running" \
     --exclude "nextcloud_aio_mastercontainer/data/session_date_file" \
     --exclude "nextcloud_aio_mastercontainer/session/**" \
-    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes/; then
+    /tmp/borg/nextcloud_aio_volumes/ /nextcloud_aio_volumes; then
         RESTORE_FAILED=1
         echo "Something failed while restoring from backup."
     fi
@@ -374,7 +340,7 @@ if [ "$BORG_MODE" = restore ]; then
 
     # Inform user
     get_expiration_time
-    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Restore finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
 
     # Add file to Nextcloud container so that it skips any update the next time
     touch "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/skip.update"
@@ -396,13 +362,12 @@ if [ "$BORG_MODE" = check ]; then
     # Perform the check
     if ! borg check -v --verify-data "$BORG_BACKUP_DIRECTORY"; then
         echo "Some errors were found while checking the backup integrity!"
-        echo "Check the AIO interface for advices on how to proceed now!"
         exit 1
     fi
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     exit 0
 fi
 
@@ -419,7 +384,7 @@ if [ "$BORG_MODE" = "check-repair" ]; then
 
     # Inform user
     get_expiration_time
-    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)."
+    echo "Check finished successfully on $END_DATE_READABLE ($DURATION_READABLE)"
     exit 0
 fi
 

Containers/clamav/Dockerfile

@@ -1,18 +1,7 @@
-# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.2.1-30
+# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/0.105/alpine/Dockerfile
+FROM clamav/clamav:1.0.1-1
 
-COPY clamav.conf /tmp/clamav.conf
-
-RUN set -ex; \
-    apk add --no-cache tzdata; \
-    cat /tmp/clamav.conf >> /etc/clamav/clamd.conf; \
-    rm /tmp/clamav.conf; \
-    mkdir -p /var/run/clamav /run/lock; \
-    chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
-    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp
-
-VOLUME /var/lib/clamav
-
-USER clamav
-
-LABEL com.centurylinklabs.watchtower.enable="false"
+RUN apk add --no-cache tzdata
+COPY clamav.conf /tmp/
+RUN cat /tmp/clamav.conf >> /etc/clamav/clamd.conf
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/collabora/Dockerfile

@@ -1,20 +1,19 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.8.4.1
+FROM collabora/code:22.05.12.2.1
 
 USER root
 
-# hadolint ignore=DL3008
 RUN set -ex; \
     \
     apt-get update; \
     export DEBIAN_FRONTEND=noninteractive; \
     apt-get install -y --no-install-recommends \
         tzdata \
-        netcat-openbsd \
+        netcat \
     ; \
-    rm -rf /var/lib/apt/lists/*;
+    rm -rf /var/lib/apt/lists/*
 
-USER 100
+USER 104
 
 HEALTHCHECK CMD nc -z localhost 9980 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/docker-socket-proxy/Dockerfile

@@ -1,19 +0,0 @@
-FROM haproxy:2.9.4-alpine3.19
-
-# hadolint ignore=DL3002
-USER root
-ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        tzdata \
-        bash \
-        bind-tools; \
-    chmod -R 777 /tmp
-
-COPY --chmod=775 *.sh /
-COPY --chmod=664 haproxy.cfg /haproxy.cfg
-
-ENTRYPOINT ["/start.sh"]
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/docker-socket-proxy/haproxy.cfg

@@ -1,59 +0,0 @@
-# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg
-
-global
-    maxconn 10
-
-defaults
-    timeout connect 10s
-    timeout client 10s
-    timeout server 10s
-
-frontend http
-    mode http
-    bind :::2375 v4v6
-    http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
-    # docker system _ping
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
-    # container inspect: GET containers/%s/json
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
-    # container start/stop: POST containers/%s/start containers/%s/stop
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
-    # container rm: DELETE containers/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
-
-
-    # container create: POST containers/create?name=%s
-    # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
-    acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
-
-    # ACL to restrict the number of Mounts to 1
-    acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]"
-    # ACL to deny if there are any binds
-    acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
-    # ACL to restrict the type of Mounts to volume
-    acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
-    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
-
-    # ACL to restrict container creation, that it has HostConfig.Privileged not set
-    acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
-    # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
-    acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
-    # end of container create
-
-    # volume create: POST volumes/create
-    # restrict name
-    acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
-    # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
-    acl volume_no_device req.body -m reg -i "\"device\""
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
-    # volume rm: DELETE volumes/%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
-    # image pull: POST images/create?fromImage=%s
-    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
-    http-request deny
-    default_backend dockerbackend
-
-backend dockerbackend
-    mode http
-    server dockersocket /var/run/docker.sock

Containers/docker-socket-proxy/healthcheck.sh

@@ -1,4 +0,0 @@
-#!/bin/bash
-
-nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
-nc -z localhost 2375 || exit 1

Containers/docker-socket-proxy/start.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-# Only start container if nextcloud is accessible
-while ! nc -z "$NEXTCLOUD_HOST" 9001; do
-    echo "Waiting for Nextcloud to start..."
-    sleep 5
-done
-
-set -x
-IPv4_ADDRESS_NC="$(dig nextcloud-aio-nextcloud IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-HAPROXYFILE="$(sed "s|NC_IPV4_PLACEHOLDER|$IPv4_ADDRESS_NC|" /haproxy.cfg)" 
-echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-
-IPv6_ADDRESS_NC="$(dig nextcloud-aio-nextcloud AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-if [ -n "$IPv6_ADDRESS_NC" ]; then
-    HAPROXYFILE="$(sed "s|NC_IPV6_PLACEHOLDER|$IPv6_ADDRESS_NC|" /tmp/haproxy.cfg)"
-else
-    HAPROXYFILE="$(sed "s# || { src NC_IPV6_PLACEHOLDER }##g" /tmp/haproxy.cfg)"
-fi
-echo "$HAPROXYFILE" > /tmp/haproxy.cfg
-set +x
-
-haproxy -f /tmp/haproxy.cfg -db

Containers/domaincheck/Dockerfile

@@ -1,18 +1,19 @@
-FROM alpine:3.19.1
-RUN set -ex; \
-    apk add --no-cache bash lighttpd netcat-openbsd; \
-    adduser -S www-data -G www-data; \
-    rm -rf /etc/lighttpd/lighttpd.conf; \
-    chmod 777 -R /etc/lighttpd; \
-    mkdir -p /var/www/domaincheck; \
-    chown www-data:www-data -R /var/www; \
-    chmod 777 -R /var/www/domaincheck
-COPY --chown=www-data:www-data lighttpd.conf /lighttpd.conf
+FROM alpine:3.17.2
+RUN apk add --no-cache lighttpd bash netcat-openbsd
 
-COPY --chmod=775 start.sh /start.sh
+RUN adduser -S www-data -G www-data
+RUN rm -rf /etc/lighttpd/lighttpd.conf
+COPY lighttpd.conf /etc/lighttpd/lighttpd.conf
+RUN chmod +r -R /etc/lighttpd && \
+    chown www-data:www-data -R /var/www && \
+    chown www-data:www-data /etc/lighttpd/lighttpd.conf
+
+COPY start.sh /
+RUN chmod +x /start.sh
 
 USER www-data
+RUN mkdir -p /var/www/domaincheck/
 ENTRYPOINT ["/start.sh"]
 
 HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/domaincheck/start.sh

@@ -11,7 +11,7 @@ if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
 fi
 
-CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /lighttpd.conf)"
+CONF_FILE="$(sed "s|ipv6-placeholder|\[::\]:$APACHE_PORT|" /etc/lighttpd/lighttpd.conf)"
 echo "$CONF_FILE" > /etc/lighttpd/lighttpd.conf
 
 # Check config file

Containers/fulltextsearch/Dockerfile

@@ -1,20 +1,15 @@
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.12.1
+FROM elasticsearch:7.17.9
 
-USER root
+RUN elasticsearch-plugin install --batch ingest-attachment
 
-# hadolint ignore=DL3008
 RUN set -ex; \
     \
-    export DEBIAN_FRONTEND=noninteractive; \
     apt-get update; \
     apt-get install -y --no-install-recommends \
         tzdata \
     ; \
-    rm -rf /var/lib/apt/lists/*; \
-    elasticsearch-plugin install --batch ingest-attachment
-
-USER 1000:0
+    rm -rf /var/lib/apt/lists/*
 
 HEALTHCHECK CMD nc -z localhost 9200 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/imaginary/Dockerfile

@@ -1,38 +1,29 @@
-FROM golang:1.22.0-alpine3.19 as go
-
-ENV IMAGINARY_HASH 6cd9edd1d3fb151eb773c14552886e4fc8e50138
+# From https://github.com/h2non/imaginary/blob/master/Dockerfile
+FROM nextcloud/imaginary:20230301
 
+USER root
 RUN set -ex; \
-    apk add --no-cache \
-        vips-dev \
-        vips-magick \
-        vips-heif \
-        vips-jxl \
-        vips-poppler \
-        build-base; \
-    go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
-
-FROM alpine:3.19.1
-RUN set -ex; \
-    apk add --no-cache \
-        tzdata \
-        ca-certificates \
-        netcat-openbsd \
-        vips \
-        vips-magick \
-        vips-heif \
-        vips-jxl \
-        vips-poppler
-
-COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
-
-ENV PORT 9000
-
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        netcat \
+    ; \
+    echo "deb http://deb.debian.org/debian bookworm main" > /etc/apt/sources.list.d/bookworm.list; \
+    apt-get update; \
+    apt-get install -t bookworm -y --no-install-recommends \
+        libheif1 \
+        libde265-0 \
+        libx265-199 \
+        libvips \
+    ; \
+    rm /etc/apt/sources.list.d/bookworm.list; \
+    rm -rf /var/lib/apt/lists/*
 USER nobody
 
+ENTRYPOINT ["/usr/local/bin/imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
+
+HEALTHCHECK CMD nc -z localhost 9000 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"
+
 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
-ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
-
-HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/mastercontainer/Caddyfile

@@ -10,21 +10,18 @@
     log {
         level ERROR
     }
-
-    servers {
-        protocols h1 h2 h2c
-    }
-
-    on_demand_tls {
-        ask http://localhost:9876/
-    }
 }
 
 http://:80 {
-    redir https://{host}{uri} permanent
+  redir https://{host}{uri}
 }
 
-https://:8443 {
+# Match only host names and not ip-addresses:
+https://*.*:8443,
+https://*.*.*:8443,
+https://*.*.*.*:8443,
+https://*.*.*.*.*:8443,
+https://*.*.*.*.*.*:8443 {
 
     reverse_proxy localhost:8000
 

Containers/mastercontainer/Dockerfile

@@ -1,29 +1,28 @@
 # Docker CLI is a requirement
-FROM docker:25.0.2-cli as docker
+FROM docker:23.0.1-dind as dind
 
 # Caddy is a requirement
-FROM caddy:2.7.6-alpine as caddy
+FROM caddy:2.6.4-alpine as caddy
 
-# From https://github.com/docker-library/php/blob/master/8.2/alpine3.19/fpm/Dockerfile
-FROM php:8.2.15-fpm-alpine3.19
+# From https://github.com/docker-library/php/blob/master/8.1/alpine3.17/fpm/Dockerfile
+FROM php:8.1.17-fpm-alpine3.17
 
-EXPOSE 80
-EXPOSE 8080
-EXPOSE 8443
-
-COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
-COPY --from=docker /usr/local/bin/docker /usr/local/bin/docker
-
-WORKDIR /var/www/docker-aio
-
-# hadolint ignore=SC2086,DL3047,DL3003,DL3004
 RUN set -ex; \
     apk add --no-cache shadow; \
     groupmod -g 333 xfs; \
     usermod -u 333 -g 333 xfs; \
     groupmod -g 33 www-data; \
-    usermod -u 33 -g 33 www-data; \
-    \
+    usermod -u 33 -g 33 www-data
+
+EXPOSE 80
+EXPOSE 8080
+EXPOSE 8443
+
+RUN mkdir -p /var/www/docker-aio;
+
+WORKDIR /var/www/docker-aio
+
+RUN set -ex; \
     apk add --no-cache \
         util-linux-misc \
         ca-certificates \
@@ -37,54 +36,60 @@ RUN set -ex; \
         sudo \
         netcat-openbsd \
         curl \
-        grep; \
-    \
+        grep
+
+RUN set -ex; \
     apk add --no-cache --virtual .build-deps \
         autoconf \
         build-base; \
-    pecl install APCu-5.1.23; \
+    pecl install APCu-5.1.22; \
     docker-php-ext-enable apcu; \
     rm -r /tmp/pear; \
+    \
     runDeps="$( \
         scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/lib/php/extensions \
             | tr ',' '\n' \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-aio-rundeps $runDeps; \
+    apk add --virtual .nextcloud-aio-rundeps $runDeps; \
     apk del .build-deps; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
-    \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
+
+COPY --from=caddy /usr/bin/caddy /usr/bin/
+RUN chmod +x /usr/bin/caddy
+
+COPY --from=dind /usr/local/bin/docker /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker
+
+RUN set -e && \
     apk add --no-cache git; \
     wget https://getcomposer.org/installer -O - | php -- --install-dir=/usr/local/bin --filename=composer; \
     chmod +x /usr/local/bin/composer; \
     cd /var/www/docker-aio; \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
-    find ./ -maxdepth 1 -mindepth 1 -not -path ./php -not -path ./community-containers -exec rm -r {} \; ; \
-    chown www-data:www-data -R /var/www/docker-aio; \
     cd php; \
-    sudo -u www-data composer install --no-dev; \
-    sudo -u www-data composer clear-cache; \
+    composer install --no-dev; \
+    composer clearcache; \
     cd ..; \
     rm -f /usr/local/bin/composer; \
-    chmod -R 770 /var/www/docker-aio; \
-    chown -R www-data:www-data /var/www; \
-    rm -r php/data; \
-    rm -r php/session; \
-    \
-    mkdir -p /etc/apache2/certs; \
-    cd /etc/apache2/certs; \
-    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout /etc/apache2/certs/ssl.key -out /etc/apache2/certs/ssl.crt; \
-    \
-    sed -i \
+    chmod 770 -R ./; \
+    chown www-data:www-data -R /var/www; \
+    rm -r ./php/data; \
+    rm -r ./php/session; \
+    apk del --no-cache git
+
+RUN mkdir -p /etc/apache2/certs && \
+    cd /etc/apache2/certs && \
+    openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj "/C=DE/ST=BE/L=Local/O=Dev/CN=nextcloud.local" -keyout ./ssl.key -out ./ssl.crt;
+
+COPY mastercontainer.conf /etc/apache2/sites-available/
+
+RUN sed -i \
             -e '/^Listen /d' \
-            -e 's/^LogLevel .*/LogLevel error/' \
-            -e 's|^ErrorLog .*|ErrorLog /proc/self/fd/2|' \
             -e 's/User apache/User www-data/g' \
             -e 's/Group apache/Group www-data/g' \
             -e 's/^#\(LoadModule .*mod_rewrite.so\)/\1/' \
@@ -96,34 +101,41 @@ RUN set -ex; \
             -e 's/^#\(LoadModule .*mod_mpm_event.so\)/\1/' \
             -e 's/\(LoadModule .*mod_mpm_worker.so\)/#\1/' \
             -e 's/\(LoadModule .*mod_mpm_prefork.so\)/#\1/' \
-            -e 's/\(ScriptAlias \)/#\1/' \
         /etc/apache2/httpd.conf; \
         mkdir -p /etc/apache2/logs; \
         rm /etc/apache2/conf.d/ssl.conf; \
         echo "ServerName localhost" | tee -a /etc/apache2/httpd.conf; \
-        grep -q '^LoadModule lbmethod_heartbeat_module' /etc/apache2/conf.d/proxy.conf; \
-        sed -i 's|^LoadModule lbmethod_heartbeat_module.*|#LoadModule lbmethod_heartbeat_module|' /etc/apache2/conf.d/proxy.conf; \
-        echo "SSLSessionCache nonenotnull" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule ssl_module modules/mod_ssl.so" | tee -a /etc/apache2/httpd.conf; \
         echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" | tee -a /etc/apache2/httpd.conf; \
-        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf; \
-    \
+        echo "Include /etc/apache2/sites-available/mastercontainer.conf" | tee -a /etc/apache2/httpd.conf
+
+RUN set -ex; \
     rm -f /etc/apache2/conf.d/default.conf \
           /etc/apache2/conf.d/userdir.conf \
-          /etc/apache2/conf.d/info.conf; \
-    \
-    rm -rf /var/www/localhost/cgi-bin/; \
-    mkdir /var/log/supervisord; \
+          /etc/apache2/conf.d/info.conf
+
+RUN mkdir /var/log/supervisord; \
     mkdir /var/run/supervisord;
 
-COPY --chmod=775 *.sh /
-COPY --chmod=664 Caddyfile /Caddyfile
-COPY --chmod=664 supervisord.conf /supervisord.conf
-COPY mastercontainer.conf /etc/apache2/sites-available/mastercontainer.conf
+COPY Caddyfile /
+COPY start.sh /usr/bin/
+COPY backup-time-file-watcher.sh /
+COPY session-deduplicator.sh /
+COPY cron.sh /
+COPY daily-backup.sh /
+COPY supervisord.conf /
+COPY healthcheck.sh /
+RUN chmod +x /usr/bin/start.sh; \
+    chmod +x /cron.sh; \
+    chmod +x /session-deduplicator.sh; \
+    chmod +x /backup-time-file-watcher.sh; \
+    chmod +x /daily-backup.sh; \
+    chmod a+r /Caddyfile; \
+    chmod +x /healthcheck.sh
 
-# hadolint ignore=DL3002
 USER root
 
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
 HEALTHCHECK CMD /healthcheck.sh

Containers/mastercontainer/cron.sh

@@ -12,11 +12,6 @@ while true; do
             export AUTOMATIC_UPDATES=0
             export START_CONTAINERS=1
         fi
-        if [ "$(sed -n '3p' "/mnt/docker-aio-config/data/daily_backup_time")" != 'successNotificationsAreNotEnabled' ]; then
-            export SEND_SUCCESS_NOTIFICATIONS=1
-        else
-            export SEND_SUCCESS_NOTIFICATIONS=0
-        fi
         set +x
         if [ -f "/mnt/docker-aio-config/data/daily_backup_running" ]; then
             export LOCK_FILE_PRESENT=1
@@ -62,14 +57,6 @@ while true; do
     # Remove dangling images
     sudo -u www-data docker image prune --force
 
-    # Check for available free space
-    sudo -u www-data php /var/www/docker-aio/php/src/Cron/CheckFreeDiskSpace.php
-
-    # Remove mastercontainer from default bridge network
-    if sudo -u www-data docker inspect nextcloud-aio-mastercontainer  --format "{{.NetworkSettings.Networks}}" | grep -q "bridge"; then
-        sudo -u www-data docker network disconnect bridge nextcloud-aio-mastercontainer
-    fi
-
     # Wait 60s so that the whole loop will not be executed again
     sleep 60
 done

Containers/mastercontainer/daily-backup.sh

@@ -16,7 +16,7 @@ fi
 sudo -u www-data touch "/mnt/docker-aio-config/data/daily_backup_running"
 
 # Check if apache is running/stopped, watchtower is stopped and backupcontainer is stopped
-APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -o '[0-9]\+' | head -1)"
+APACHE_PORT="$(docker inspect nextcloud-aio-apache --format "{{.HostConfig.PortBindings}}" | grep -oP '[0-9]+' | head -1)"
 while docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-apache$" && ! nc -z nextcloud-aio-apache "$APACHE_PORT"; do
     echo "Waiting for apache to become available"
     sleep 30
@@ -105,7 +105,7 @@ if [ "$DAILY_BACKUP" = 1 ] && ([ "$AUTOMATIC_UPDATES" = 1 ] || [ "$START_CONTAIN
         done
     fi
     echo "Sending backup notification..."
-    sudo -E -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
+    sudo -u www-data php /var/www/docker-aio/php/src/Cron/BackupNotification.php
 fi
 
 echo "Daily backup script has finished"

Containers/mastercontainer/healthcheck.sh

@@ -1,10 +1,5 @@
 #!/bin/bash
 
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
-    nc -z localhost 80 || exit 1
-    nc -z localhost 8000 || exit 1
     nc -z localhost 8080 || exit 1
-    nc -z localhost 8443 || exit 1
-    nc -z localhost 9000 || exit 1
-    nc -z localhost 9876 || exit 1
 fi

Containers/mastercontainer/mastercontainer.conf

@@ -11,11 +11,8 @@ Listen 8080
     ServerName localhost
 
     # Add error log
-    CustomLog /proc/self/fd/1 proxy
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    CustomLog /proc/self/fd/1 combined
     ErrorLog /proc/self/fd/2
-    ErrorLogFormat "[%t] [%l] [%E] [client: %{X-Forwarded-For}i] [%M] [%{User-Agent}i]"
-    LogLevel warn
 
     # PHP match
     <FilesMatch "\.php$">
@@ -49,14 +46,8 @@ Listen 8080
     SSLCertificateFile /etc/apache2/certs/ssl.crt
     SSLEngine               on
     SSLProtocol             -all +TLSv1.2 +TLSv1.3
-    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
-    SSLHonorCipherOrder     off
-    SSLSessionTickets       off
 </VirtualHost>
 
 # Increase timeout in case e.g. the initial download takes a long time
 Timeout 7200
 ProxyTimeout 7200
-
-# See https://httpd.apache.org/docs/trunk/mod/core.html#traceenable
-TraceEnable Off

Containers/mastercontainer/start.sh

@@ -6,12 +6,6 @@ print_green() {
     printf "%b%s%b\n" "\e[0;92m" "$TEXT" "\e[0m"
 }
 
-# Function to show text in red
-print_red() {
-    local TEXT="$1"
-    printf "%b%s%b\n" "\e[0;31m" "$TEXT" "\e[0m"
-}
-
 # Function to check if number was provided
 check_if_number() {
 case "${1}" in
@@ -20,28 +14,12 @@ case "${1}" in
 esac
 }
 
-# Check if running as root user
-if [ "$EUID" != "0" ]; then
-    print_red "Container does not run as root user. This is not supported."
-    exit 1
-fi
-
-# Check that the CMD is not overwritten nor set
-if [ "$*" != "" ]; then
-    print_red "Docker run command for AIO is incorrect as a CMD option was given which is not expected."
-    exit 1
-fi
-
 # Check if socket is available and readable
 if ! [ -a "/var/run/docker.sock" ]; then
-    print_red "Docker socket is not available. Cannot continue."
-    echo "Please make sure to mount the docker socket into /var/run/docker.sock inside the container!"
-    echo "If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install."
+    echo "Docker socket is not available. Cannot continue."
     exit 1
 elif ! mountpoint -q "/mnt/docker-aio-config"; then
-    print_red "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
-    echo "Please make sure to mount the nextcloud_aio_mastercontainer docker volume into /mnt/docker-aio-config inside the container!"
-    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+    echo "/mnt/docker-aio-config is not a mountpoint. Cannot proceed!"
     exit 1
 elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
@@ -62,17 +40,14 @@ elif ! sudo -u www-data test -r /var/run/docker.sock; then
         usermod -aG docker www-data
     fi
     if ! sudo -u www-data test -r /var/run/docker.sock; then
-        print_red "Docker socket is not readable by the www-data user. Cannot continue."
+        echo "Docker socket is not readable by the www-data user. Cannot continue."
         exit 1
     fi
 fi
 
 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
-    print_red "Cannot connect to the docker socket. Cannot proceed."
-    echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
-    echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
-    echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
+    echo "Cannot connect to the docker socket. Cannot proceed."
     exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
@@ -82,7 +57,7 @@ API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
 LOCAL_API_VERSION_NUMB="$(sudo -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
 if [ -n "$LOCAL_API_VERSION_NUMB" ] && [ -n "$API_VERSION_NUMB" ]; then
     if ! [ "$LOCAL_API_VERSION_NUMB" -ge "$API_VERSION_NUMB" ]; then
-        print_red "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
+        echo "Docker API v$API_VERSION is not supported by your docker engine. Cannot proceed. Please upgrade your docker engine if you want to run Nextcloud AIO!"
         exit 1
     fi
 else
@@ -103,16 +78,16 @@ fi
 
 # Check if startup command was executed correctly
 if ! sudo -u www-data docker ps --format "{{.Names}}" | grep -q "^nextcloud-aio-mastercontainer$"; then
-    print_red "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
+    echo "It seems like you did not give the mastercontainer the correct name? (The 'nextcloud-aio-mastercontainer' container was not found.)
 Using a different name is not supported since mastercontainer updates will not work in that case!
 If you are on docker swarm and try to run AIO, see https://github.com/nextcloud/all-in-one#can-i-run-this-with-docker-swarm"
     exit 1
 elif ! sudo -u www-data docker volume ls --format "{{.Name}}" | grep -q "^nextcloud_aio_mastercontainer$"; then
-    print_red "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
+    echo "It seems like you did not give the mastercontainer volume the correct name? (The 'nextcloud_aio_mastercontainer' volume was not found.)
 Using a different name is not supported since the built-in backup solution will not work in that case!"
     exit 1
 elif ! sudo -u www-data docker inspect nextcloud-aio-mastercontainer | grep -q "nextcloud_aio_mastercontainer"; then
-    print_red "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
+    echo "It seems like you did not attach the 'nextcloud_aio_mastercontainer' volume to the mastercontainer?
 This is not supported since the built-in backup solution will not work in that case!"
     exit 1
 fi
@@ -120,34 +95,34 @@ fi
 # Check for other options
 if [ -n "$NEXTCLOUD_DATADIR" ]; then
     if [ "$NEXTCLOUD_DATADIR" = "nextcloud_aio_nextcloud_datadir" ]; then
-        sleep 1
+        echo "NEXTCLOUD_DATADIR is set to $NEXTCLOUD_DATADIR"
     elif ! echo "$NEXTCLOUD_DATADIR" | grep -q "^/" || [ "$NEXTCLOUD_DATADIR" = "/" ]; then
-        print_red "You've set NEXTCLOUD_DATADIR but not to an allowed value.
-The string must start with '/' and must not be equal to '/'. Also allowed is 'nextcloud_aio_nextcloud_datadir'.
+        echo "You've set NEXTCLOUD_DATADIR but not to an allowed value.
+The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_DATADIR'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_MOUNT" ]; then
     if ! echo "$NEXTCLOUD_MOUNT" | grep -q "^/" || [ "$NEXTCLOUD_MOUNT" = "/" ]; then
-        print_red "You've set NEXCLOUD_MOUNT but not to an allowed value.
+        echo "You've set NEXCLOUD_MOUNT but not to an allowed value.
 The string must start with '/' and must not be equal to '/'.
 It is set to '$NEXTCLOUD_MOUNT'."
         exit 1
     elif [ "$NEXTCLOUD_MOUNT" = "/mnt/ncdata" ] || echo "$NEXTCLOUD_MOUNT" | grep -q "^/mnt/ncdata/"; then
-        print_red "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
+        echo "'/mnt/ncdata' and '/mnt/ncdata/' are not allowed as values for NEXTCLOUD_MOUNT."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_DATADIR" ] && [ -n "$NEXTCLOUD_MOUNT" ]; then
     if [ "$NEXTCLOUD_DATADIR" = "$NEXTCLOUD_MOUNT" ]; then
-        print_red "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
+        echo "NEXTCLOUD_DATADIR and NEXTCLOUD_MOUNT are not allowed to be equal."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_UPLOAD_LIMIT" ]; then
     if ! echo "$NEXTCLOUD_UPLOAD_LIMIT" | grep -q '^[0-9]\+G$'; then
-        print_red "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
+        echo "You've set NEXTCLOUD_UPLOAD_LIMIT but not to an allowed value.
 The string must start with a number and end with 'G'.
 It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
         exit 1
@@ -155,7 +130,7 @@ It is set to '$NEXTCLOUD_UPLOAD_LIMIT'."
 fi
 if [ -n "$NEXTCLOUD_MAX_TIME" ]; then
     if ! echo "$NEXTCLOUD_MAX_TIME" | grep -q '^[0-9]\+$'; then
-        print_red "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
+        echo "You've set NEXTCLOUD_MAX_TIME but not to an allowed value.
 The string must be a number. E.g. '3600'.
 It is set to '$NEXTCLOUD_MAX_TIME'."
         exit 1
@@ -163,7 +138,7 @@ It is set to '$NEXTCLOUD_MAX_TIME'."
 fi
 if [ -n "$NEXTCLOUD_MEMORY_LIMIT" ]; then
     if ! echo "$NEXTCLOUD_MEMORY_LIMIT" | grep -q '^[0-9]\+M$'; then
-        print_red "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
+        echo "You've set NEXTCLOUD_MEMORY_LIMIT but not to an allowed value.
 The string must start with a number and end with 'M'.
 It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
         exit 1
@@ -171,64 +146,64 @@ It is set to '$NEXTCLOUD_MEMORY_LIMIT'."
 fi
 if [ -n "$APACHE_PORT" ]; then
     if ! check_if_number "$APACHE_PORT"; then
-        print_red "You provided an Apache port but did not only use numbers.
+        echo "You provided an Apache port but did not only use numbers.
 It is set to '$APACHE_PORT'."
         exit 1
     elif ! [ "$APACHE_PORT" -le 65535 ] || ! [ "$APACHE_PORT" -ge 1 ]; then
-        print_red "The provided Apache port is invalid. It must be between 1 and 65535"
+        echo "The provided Apache port is invalid. It must be between 1 and 65535"
         exit 1
     fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
-    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$'; then
-        print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
+    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9.]\+$'; then
+        echo "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
         exit 1
     fi
 fi
 if [ -n "$TALK_PORT" ]; then
     if ! check_if_number "$TALK_PORT"; then
-        print_red "You provided an Talk port but did not only use numbers.
+        echo "You provided an Talk port but did not only use numbers.
 It is set to '$TALK_PORT'."
         exit 1
     elif ! [ "$TALK_PORT" -le 65535 ] || ! [ "$TALK_PORT" -ge 1 ]; then
-        print_red "The provided Talk port is invalid. It must be between 1 and 65535"
+        echo "The provided Talk port is invalid. It must be between 1 and 65535"
         exit 1
     fi
 fi
 if [ -n "$APACHE_PORT" ] && [ -n "$TALK_PORT" ]; then
     if [ "$APACHE_PORT" = "$TALK_PORT" ]; then
-        print_red "APACHE_PORT and TALK_PORT are not allowed to be equal."
+        echo "APACHE_PORT and TALK_PORT are not allowed to be equal."
         exit 1
     fi
 fi
-if [ -n "$WATCHTOWER_DOCKER_SOCKET_PATH" ]; then
-    if ! echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$WATCHTOWER_DOCKER_SOCKET_PATH" | grep -q "/$"; then
-        print_red "You've set WATCHTOWER_DOCKER_SOCKET_PATH but not to an allowed value.
+if [ -n "$DOCKER_SOCKET_PATH" ]; then
+    if ! echo "$DOCKER_SOCKET_PATH" | grep -q "^/" || echo "$DOCKER_SOCKET_PATH" | grep -q "/$"; then
+        echo "You've set DOCKER_SOCKET_PATH but not to an allowed value.
 The string must start with '/' and must not end with '/'.
-It is set to '$WATCHTOWER_DOCKER_SOCKET_PATH'."
+It is set to '$DOCKER_SOCKET_PATH'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_TRUSTED_CACERTS_DIR" ]; then
     if ! echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "^/" || echo "$NEXTCLOUD_TRUSTED_CACERTS_DIR" | grep -q "/$"; then
-        print_red "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
+        echo "You've set NEXTCLOUD_TRUSTED_CACERTS_DIR but not to an allowed value.
 It should be an absolute path to a directory that starts with '/' but not end with '/'.
 It is set to '$NEXTCLOUD_TRUSTED_CACERTS_DIR '."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_STARTUP_APPS" ]; then
-    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z0-9 _-]\+$"; then
-        print_red "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
-It needs to be a string. Allowed are small letters a-z, 0-9, spaces, hyphens and '_'.
+    if ! echo "$NEXTCLOUD_STARTUP_APPS" | grep -q "^[a-z _-]\+$"; then
+        echo "You've set NEXTCLOUD_STARTUP_APPS but not to an allowed value.
+It needs to be a string. Allowed are small letters a-z, spaces, hyphens and '_'.
 It is set to '$NEXTCLOUD_STARTUP_APPS'."
         exit 1
     fi
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_APKS" ]; then
     if ! echo "$NEXTCLOUD_ADDITIONAL_APKS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        print_red "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
+        echo "You've set NEXTCLOUD_ADDITIONAL_APKS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
         exit 1
@@ -236,67 +211,24 @@ It is set to '$NEXTCLOUD_ADDITIONAL_APKS'."
 fi
 if [ -n "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" ]; then
     if ! echo "$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS" | grep -q "^[a-z0-9 ._-]\+$"; then
-        print_red "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
+        echo "You've set NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS but not to an allowed value.
 It needs to be a string. Allowed are small letters a-z, digits 0-9, spaces, hyphens, dots and '_'.
 It is set to '$NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS'."
         exit 1
     fi
 fi
-if [ -n "$AIO_COMMUNITY_CONTAINERS" ]; then
-    read -ra AIO_CCONTAINERS <<< "$AIO_COMMUNITY_CONTAINERS"
-    for container in "${AIO_CCONTAINERS[@]}"; do
-        if ! [ -d "/var/www/docker-aio/community-containers/$container" ]; then
-            print_red "The community container $container was not found!"
-            FAIL_CCONTAINERS=1
-        fi
-    done
-    if [ -n "$FAIL_CCONTAINERS" ]; then
-        print_red "You've set AIO_COMMUNITY_CONTAINERS but at least one container was not found.
-It is set to '$AIO_COMMUNITY_CONTAINERS'."
-        exit 1
-    fi
-fi
 
 # Check DNS resolution
 # Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
 curl https://nextcloud.com &>/dev/null
 if [ "$?" = 6 ]; then
-    print_red "Could not resolve the host nextcloud.com."
+    echo "Could not resolve the host nextcloud.com."
     echo "Most likely the DNS resolving does not work."
     echo "You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
     echo "Apart from that, there has been this: https://github.com/nextcloud/all-in-one/discussions/2065"
     exit 1
 fi
 
-# Check that no changes have been made to timezone settings since AIO only supports running in Etc/UTC timezone
-if [ -n "$TZ" ]; then
-    print_red "The environmental variable TZ has been set which is not supported by AIO since it only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    # Disable exit since it seems to be by default set on unraid and we dont want to break these instances
-    # exit 1
-fi
-if mountpoint -q /etc/localtime; then
-    print_red "/etc/localtime has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    exit 1
-fi
-if mountpoint -q /etc/timezone; then
-    print_red "/etc/timezone has been mounted into the container which is not allowed because AIO only supports running in the default Etc/UTC timezone!"
-    echo "The correct timezone can be set in the AIO interface later on!"
-    exit 1
-fi
-
-# Check if unsupported env are set (but don't exit as it would break many instances)
-if [ -n "$APACHE_DISABLE_REWRITE_IP" ]; then
-    print_red "The environmental variable APACHE_DISABLE_REWRITE_IP has been set which is not supported by AIO. Please remove it!"
-fi
-if [ -n "$NEXTCLOUD_TRUSTED_DOMAINS" ]; then
-    print_red "The environmental variable NEXTCLOUD_TRUSTED_DOMAINS has been set which is not supported by AIO. Please remove it!"
-fi
-if [ -n "$TRUSTED_PROXIES" ]; then
-    print_red "The environmental variable TRUSTED_PROXIES has been set which is not supported by AIO. Please remove it!"
-fi
-
 # Add important folders
 mkdir -p /mnt/docker-aio-config/data/
 mkdir -p /mnt/docker-aio-config/session/
@@ -341,15 +273,15 @@ if [ -f ./ssl.crt ] && [ -f ./ssl.key ]; then
     cp "$GENERATED_CERTS/ssl.key" ./
 fi
 
-print_green "Initial startup of Nextcloud All-in-One complete!
+print_green "Initial startup of Nextcloud All In One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
 
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443"
 
-# Set the timezone to Etc/UTC
-export TZ=Etc/UTC
+# Set the timezone to UTC
+export TZ=UTC
 
 # Fix apache startup
 rm -f /var/run/apache2/httpd.pid
@@ -360,5 +292,4 @@ caddy fmt --overwrite /Caddyfile
 # Fix caddy log 
 chmod 777 /root
 
-# Start supervisord
-/usr/bin/supervisord -c /supervisord.conf
+exec "$@"

Containers/mastercontainer/supervisord.conf

@@ -38,7 +38,6 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/cron.sh
-user=root
 
 [program:backup-time-file-watcher]
 stdout_logfile=/dev/stdout
@@ -55,12 +54,3 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 command=/session-deduplicator.sh
 user=root
-
-[program:domain-validator]
-# Logging is disabled as otherwise all attempts will be logged which spams the logs
-# stdout_logfile=/dev/stdout
-# stdout_logfile_maxbytes=0
-# stderr_logfile=/dev/stderr
-# stderr_logfile_maxbytes=0
-command=php -S 127.0.0.1:9876 /var/www/docker-aio/php/domain-validator.php
-user=www-data

Containers/nextcloud/Dockerfile

@@ -1,55 +1,58 @@
-FROM php:8.1.27-fpm-alpine3.19
-
-ENV PHP_MEMORY_LIMIT 512M
-ENV PHP_UPLOAD_LIMIT 10G
-ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 27.1.5
-ENV AIO_TOKEN 123456
-ENV AIO_URL localhost
-
-COPY --chmod=775 *.sh /
-COPY --chmod=774 upgrade.exclude /upgrade.exclude
-COPY config/*.php /
-COPY supervisord.conf /supervisord.conf
-
-VOLUME /mnt/ncdata
-VOLUME /var/www/html
+# From https://github.com/nextcloud/docker/blob/master/23/fpm-alpine/Dockerfile
+FROM php:8.0.28-fpm-alpine3.16
 
 # Custom: change id of www-data user as it needs to be the same like on old installations
-# hadolint ignore=SC2086,DL3003
 RUN set -ex; \
     apk add --no-cache shadow; \
     deluser www-data; \
     groupmod -g 333 xfs; \
     usermod -u 333 -g 333 xfs; \
     addgroup -g 33 -S www-data; \
-    adduser -u 33 -D -S -G www-data www-data; \
-    \
+    adduser -u 33 -D -S -G www-data www-data
+
 # entrypoint.sh and cron.sh dependencies
+RUN set -ex; \
+    \
     apk add --no-cache \
         rsync \
-    ; \
+    ;
+
 # install the PHP extensions we need
 # see https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html
+ENV PHP_MEMORY_LIMIT 512M
+ENV PHP_UPLOAD_LIMIT 10G
+ENV PHP_MAX_TIME 3600
+RUN set -ex; \
+    \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
         autoconf \
+        libtool \
         freetype-dev \
-        gmp-dev \
         icu-dev \
-        imagemagick-dev \
-        imagemagick-svg \
         libevent-dev \
         libjpeg-turbo-dev \
         libmcrypt-dev \
-        libmemcached-dev \
         libpng-dev \
-        libwebp-dev \
+        libmemcached-dev \
         libxml2-dev \
         libzip-dev \
         openldap-dev \
         pcre-dev \
         postgresql-dev \
+        libwebp-dev \
+        gmp-dev \
+        lcms2-dev \
+        fontconfig-dev \
+        freetype-dev \
+        ghostscript-dev \
+        tiff-dev \
+        zlib-dev \
+        imagemagick-dev \
+        libheif-dev \
+        librsvg-dev \
+        libxext-dev \
+        ghostscript-fonts \
     ; \
     \
     docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp; \
@@ -58,20 +61,19 @@ RUN set -ex; \
         bcmath \
         exif \
         gd \
-        gmp \
         intl \
         ldap \
         opcache \
         pcntl \
         pdo_pgsql \
-        sysvsem \
         zip \
+        gmp \
     ; \
     \
 # pecl will claim success even if one install fails, so we need to perform each install separately
-    pecl install APCu-5.1.23; \
+    pecl install APCu-5.1.22; \
     pecl install memcached-3.2.0; \
-    pecl install redis-6.0.2; \
+    pecl install redis-5.3.7; \
     pecl install imagick-3.7.0; \
     \
     docker-php-ext-enable \
@@ -87,18 +89,15 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps; \
-    \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
-    { \
-        echo 'opcache.memory_consumption=256'; \
-        echo 'opcache.interned_strings_buffer=64'; \
+RUN { \
+        echo 'opcache.interned_strings_buffer=32'; \
         echo 'opcache.save_comments=1'; \
         echo 'opcache.revalidate_freq=60'; \
-        echo 'opcache.jit=1255'; \
-        echo 'opcache.jit_buffer_size=8M'; \
     } > /usr/local/etc/php/conf.d/opcache-recommended.ini; \
     \
     echo 'apc.enable_cli=1' >> /usr/local/etc/php/conf.d/docker-php-ext-apcu.ini; \
@@ -111,10 +110,15 @@ RUN set -ex; \
         echo 'max_input_time=${PHP_MAX_TIME}'; \
     } > /usr/local/etc/php/conf.d/nextcloud.ini; \
     \
-    mkdir -p /var/www/data; \
+    mkdir /var/www/data; \
     chown -R www-data:root /var/www; \
-    chmod -R g=u /var/www; \
-    \
+    chmod -R g=u /var/www
+
+VOLUME /var/www/html
+
+ENV NEXTCLOUD_VERSION 25.0.5
+
+RUN set -ex; \
     apk add --no-cache --virtual .fetch-deps \
         bzip2 \
         gnupg \
@@ -134,18 +138,27 @@ RUN set -ex; \
     mkdir -p /usr/src/nextcloud/data; \
     mkdir -p /usr/src/nextcloud/custom_apps; \
     chmod +x /usr/src/nextcloud/occ; \
-    mkdir -p /usr/src/nextcloud/config; \
-    mv /*.php /usr/src/nextcloud/config/; \
-    apk del .fetch-deps; \
-    \
+    apk del .fetch-deps
+
+COPY *.sh upgrade.exclude /
+COPY config/* /usr/src/nextcloud/config/
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["php-fpm"]
+
 # Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
+
+RUN set -ex; \
+    \
     apk add --no-cache \
         ffmpeg \
         procps \
         samba-client \
         supervisor \
 #       libreoffice \
-    ; \
+    ;
+
+RUN set -ex; \
     \
     apk add --no-cache --virtual .build-deps \
         $PHPIZE_DEPS \
@@ -172,13 +185,22 @@ RUN set -ex; \
             | sort -u \
             | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
     )"; \
-    apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
-    apk del .build-deps; \
-    \
-    mkdir -p \
+    apk add --virtual .nextcloud-phpext-rundeps $runDeps; \
+    apk del .build-deps
+
+RUN mkdir -p \
     /var/log/supervisord \
     /var/run/supervisord \
-    ; \
+;
+
+COPY supervisord.conf /
+
+ENV NEXTCLOUD_UPDATE=1
+
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+
+# Custom:
+RUN set -ex; \
     \
     apk add --no-cache \
         bash \
@@ -188,46 +210,63 @@ RUN set -ex; \
         git \
         postgresql-client \
         tzdata \
+        mawk \
         sudo \
         grep \
-        nodejs \
-        bind-tools \
-        imagemagick \
-        imagemagick-svg \
-        coreutils; \
-    \
+        coreutils \
+        libjpeg \
+        librsvg \
+        libheif \
+        libpng \
+        ghostscript-fonts;
+
+RUN set -ex; \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
-# Sync this with max db connections and MaxRequestWorkers
-# We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
-# Also children will usually be terminated again after the process is done due to the ondemand setting
-    sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
-    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
-    \
+    sed -i 's/^pm.max_children =.*/pm.max_children = 80/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.start_servers =.*/pm.start_servers = 2/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.min_spare_servers =.*/pm.min_spare_servers = 1/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's/^pm.max_spare_servers =.*/pm.max_spare_servers = 3/' /usr/local/etc/php-fpm.d/www.conf; \
+    sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf
+
+RUN set -ex; \
     rm -rf /tmp/nextcloud-aio && \
     mkdir -p /tmp/nextcloud-aio && \
     cd /tmp/nextcloud-aio && \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
     mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
-    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/; \
-    \
+    cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/
+
+RUN set -ex; \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
-    chmod -R 777 /tmp; \
-    rm -r /usr/src/nextcloud/apps/updatenotification; \
-    \
-    mkdir -p /nc-updater; \
-    chown -R www-data:www-data /nc-updater; \
-    chmod -R 770 /nc-updater; \
-    \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    rm -r /usr/src/nextcloud/apps/updatenotification
+
+COPY start.sh /
+COPY notify.sh /
+COPY notify-all.sh /
+RUN set -ex; \
+    chmod +x /start.sh && \
+    chmod +x /entrypoint.sh && \
+    chmod +r /upgrade.exclude && \
+    chmod +x /cron.sh && \
+    chmod +x /notify.sh && \
+    chmod +x /notify-all.sh && \
+    chmod +x /activate-collabora.sh && \
+    chmod +x /healthcheck.sh
+
+RUN set -ex; \
+    mkdir /mnt/ncdata; \
+    chown www-data:www-data /mnt/ncdata;
+
+VOLUME /mnt/ncdata
+
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-# hadolint ignore=DL3002
 USER root
 ENTRYPOINT ["/start.sh"]
-CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
 
-HEALTHCHECK --start-period=60s CMD sudo -E -u www-data bash /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+HEALTHCHECK CMD sudo -E -u www-data bash /healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/nextcloud/activate-collabora.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ "$COLLABORA_ENABLED" != yes ]; then
+    # Basically sleep for forever if collabora is not enabled
+    sleep inf
+fi
+while ! nc -z "$NC_DOMAIN" 443; do
+    sleep 5
+done
+sleep 10
+echo "Activating collabora config..."
+php /var/www/html/occ richdocuments:activate-config
+sleep inf

Containers/nextcloud/config/aio.config.php

@@ -1,5 +0,0 @@
-<?php
-$CONFIG = array (
-  'one-click-instance' => true,
-  'one-click-instance.user-limit' => 100,
-);

Containers/nextcloud/config/apps.config.php

@@ -12,5 +12,4 @@ $CONFIG = array (
               'writable' => true,
       ),
   ),
-  'appsallowlist' => getenv('APPS_ALLOWLIST') ? explode(" ", getenv('APPS_ALLOWLIST')) : [],
 );

Containers/nextcloud/config/smtp.config.php

@@ -1,20 +0,0 @@
-<?php
-if (getenv('SMTP_HOST') && getenv('MAIL_FROM_ADDRESS') && getenv('MAIL_DOMAIN')) {
-  $CONFIG = array (
-    'mail_smtpmode' => 'smtp',
-    'mail_smtphost' => getenv('SMTP_HOST'),
-    'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
-    'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
-    'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
-    'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
-    'mail_smtpname' => getenv('SMTP_NAME') ?: '',
-    'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
-    'mail_domain' => getenv('MAIL_DOMAIN'),
-  );
-
-  if (getenv('SMTP_PASSWORD')) {
-      $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD');
-  } else {
-      $CONFIG['mail_smtppassword'] = '';
-  }
-}

Containers/nextcloud/cron.sh

@@ -1,20 +1,7 @@
 #!/bin/bash
 set -eu
 
-wait_for_cron() {
-    set -x
-    while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
-        echo "Waiting for cron to stop..."
-        sleep 5
-    done
-    echo "Cronjob successfully exited."
-    set +x
-}
-
-trap wait_for_cron SIGINT SIGTERM
-
 while true; do
     php -f /var/www/html/cron.php &
-    sleep 5m &
-    wait $!
+    sleep 5m
 done

Containers/nextcloud/entrypoint.sh

@@ -10,15 +10,6 @@ directory_empty() {
     [ -z "$(ls -A "$1/")" ]
 }
 
-run_upgrade_if_needed_due_to_app_update() {
-    if php /var/www/html/occ status | grep needsDbUpgrade | grep -q true; then
-        # Disable integrity check temporarily until next update
-        php /var/www/html/occ config:system:set integrity.check.disabled --type bool --value true
-        php /var/www/html/occ upgrade
-        php /var/www/html/occ app:enable nextcloud-aio --force
-    fi
-}
-
 echo "Configuring Redis as session handler..."
 cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
 session.save_handler = redis
@@ -30,6 +21,13 @@ redis.session.lock_retries = -1
 redis.session.lock_wait_time = 10000
 REDIS_CONF
 
+echo "Setting php max children..."
+MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+PHP_MAX_CHILDREN=$((MEMORY/50))
+if [ -n "$PHP_MAX_CHILDREN" ]; then
+    sed -i "s/^pm.max_children =.*/pm.max_children = $PHP_MAX_CHILDREN/" /usr/local/etc/php-fpm.d/www.conf
+fi
+
 # Check permissions in ncdata
 touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
 if ! [ -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" ]; then
@@ -149,8 +147,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 fi
             done
 
-            run_upgrade_if_needed_due_to_app_update
-
             php /var/www/html/occ maintenance:mode --off
 
             echo "Getting and backing up the status of apps for later, this might take a while..."
@@ -174,8 +170,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
 
             php /var/www/html/occ app:update --all
 
-            run_upgrade_if_needed_due_to_app_update
-
             # Fix removing the updatenotification for old instances
             UPDATENOTIFICATION_STATUS="$(php /var/www/html/occ config:app:get updatenotification enabled)"
             if [ -d "/var/www/html/apps/updatenotification" ]; then
@@ -211,14 +205,6 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 INSTALL_OPTIONS+=(--data-dir "$NEXTCLOUD_DATA_DIR")
             fi
 
-            # We do our own permission check so the permission check is not needed
-            cat << DATADIR_PERMISSION_CONF > /var/www/html/config/datadir.permission.config.php
-<?php
-    \$CONFIG = array (
-    'check_data_directory_permissions' => false
-);
-DATADIR_PERMISSION_CONF
-
             echo "Installing with PostgreSQL database"
             INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST")
 
@@ -229,6 +215,9 @@ DATADIR_PERMISSION_CONF
                 exit 1
             fi
 
+            # We do our own permission check so the permission check is not needed
+            php /var/www/html/occ config:system:set check_data_directory_permissions --value=false --type=bool
+
             # Try to force generation of appdata dir:
             php /var/www/html/occ maintenance:repair
 
@@ -249,50 +238,9 @@ DATADIR_PERMISSION_CONF
                 fi
             fi
 
-            # This autoconfig is not needed anymore and should be able to be overwritten by the user
-            rm /var/www/html/config/datadir.permission.config.php
-
             # unset admin password
             unset ADMIN_PASSWORD
 
-            if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
-                php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-                INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
-                if [ -n "${INSTALLED_AT}" ]; then
-                    # Set the installdat to 00 which will allow to skip staging and install the next major directly
-                    # shellcheck disable=SC2001
-                    INSTALLED_AT="$(echo "${INSTALLED_AT}" | sed "s|[0-9][0-9]$|00|")"
-                    php /var/www/html/occ config:app:set core installedat --value="${INSTALLED_AT}" 
-                fi
-                php /var/www/html/updater/updater.phar --no-interaction --no-backup
-                if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-                    echo "Installation of Nextcloud failed!"
-                    touch "$NEXTCLOUD_DATA_DIR/install.failed"
-                    exit 1
-                fi
-                # shellcheck disable=SC2016
-                installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-                INSTALLED_MAJOR="${installed_version%%.*}"
-                IMAGE_MAJOR="${image_version%%.*}"
-                if ! [ "$INSTALLED_MAJOR" -gt "$IMAGE_MAJOR" ]; then
-                    php /var/www/html/updater/updater.phar --no-interaction --no-backup
-                    if ! php /var/www/html/occ -V || php /var/www/html/occ status | grep maintenance | grep -q 'true'; then
-                        echo "Installation of Nextcloud failed!"
-                        touch "$NEXTCLOUD_DATA_DIR/install.failed"
-                        exit 1
-                    fi
-                    # shellcheck disable=SC2016
-                    installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-                fi
-                php /var/www/html/occ app:disable updatenotification
-                rm -rf /var/www/html/apps/updatenotification
-                php /var/www/html/occ app:enable nextcloud-aio --force
-                php /var/www/html/occ db:add-missing-indices
-                php /var/www/html/occ db:add-missing-columns
-                php /var/www/html/occ db:add-missing-primary-keys
-                yes | php /var/www/html/occ db:convert-filecache-bigint
-            fi
-
             # Apply log settings
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
@@ -317,7 +265,6 @@ DATADIR_PERMISSION_CONF
             php /var/www/html/occ config:system:set enabledPreviewProviders 4 --value="OC\\Preview\\TXT"
             php /var/www/html/occ config:system:set enabledPreviewProviders 5 --value="OC\\Preview\\OpenDocument"
             php /var/www/html/occ config:system:set enabledPreviewProviders 6 --value="OC\\Preview\\Movie"
-            php /var/www/html/occ config:system:set enabledPreviewProviders 7 --value="OC\\Preview\\Krita"
             php /var/www/html/occ config:system:set enable_previews --value=true --type=boolean
 
             # Apply other settings
@@ -352,27 +299,26 @@ DATADIR_PERMISSION_CONF
                 done
             fi
 
+            # Set the permission check to its default value again if not set
+            if [ "$SKIP_DATA_DIRECTORY_PERMISSION_CHECK" != yes ]; then
+                php /var/www/html/occ config:system:set check_data_directory_permissions --value=true --type=bool
+            fi
+
         #upgrade
         else
             touch "$NEXTCLOUD_DATA_DIR/update.failed"
             echo "Upgrading nextcloud from $installed_version to $image_version..."
-            php /var/www/html/occ config:system:delete integrity.check.disabled
             if ! php /var/www/html/occ upgrade || ! php /var/www/html/occ -V; then
                 echo "Upgrade failed. Please restore from backup."
                 bash /notify.sh "Nextcloud update to $image_version failed!" "Please restore from backup!"
                 exit 1
             fi
 
-            # shellcheck disable=SC2016
-            installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-
             rm "$NEXTCLOUD_DATA_DIR/update.failed"
             bash /notify.sh "Nextcloud update to $image_version successful!" "Feel free to inspect the Nextcloud container logs for more info."
 
             php /var/www/html/occ app:update --all
 
-            run_upgrade_if_needed_due_to_app_update
-
             # Restore app status
             if [ "${APPSTORAGE[0]}" != "no-export-done" ]; then
                 echo "Restoring the status of apps. This can take a while..."
@@ -381,12 +327,6 @@ DATADIR_PERMISSION_CONF
                         if [ "${APPSTORAGE[$app]}" != "no" ]; then
                             echo "Enabling $app..."
                             if ! php /var/www/html/occ app:enable "$app" >/dev/null; then
-                                php /var/www/html/occ app:disable "$app" >/dev/null
-                                if ! php /var/www/html/occ -V &>/dev/null; then
-                                    rm -r "/var/www/html/custom_apps/$app"
-                                    php /var/www/html/occ maintenance:mode --off
-                                fi
-                                run_upgrade_if_needed_due_to_app_update
                                 echo "The $app app could not get enabled. Probably because it is not compatible with the new Nextcloud version."
                                 if [ "$app" = apporder ]; then
                                     CUSTOM_HINT="The apporder app was deprecated. A possible replacement is the side_menu app, aka 'Custom menu'."
@@ -407,8 +347,6 @@ DATADIR_PERMISSION_CONF
 
             php /var/www/html/occ app:update --all
 
-            run_upgrade_if_needed_due_to_app_update
-
             # Apply optimization
             echo "Doing some optimizations..."
             php /var/www/html/occ maintenance:repair
@@ -424,7 +362,8 @@ DATADIR_PERMISSION_CONF
     # Performing update of all apps if daily backups are enabled, running and successful and if it is saturday
     if [ "$UPDATE_NEXTCLOUD_APPS" = 'yes' ] && [ "$(date +%u)" = 6 ]; then
         UPDATED_APPS="$(php /var/www/html/occ app:update --all)"
-        run_upgrade_if_needed_due_to_app_update
+        # Update all apps again and try to prevent something like https://github.com/nextcloud/polls/issues/2793 from happening
+        php /var/www/html/occ app:update --all
         if [ -n "$UPDATED_APPS" ]; then
              bash /notify.sh "Your apps just got updated!" "$UPDATED_APPS"
         fi
@@ -433,28 +372,23 @@ else
     SKIP_UPDATE=1
 fi
 
-run_upgrade_if_needed_due_to_app_update
-
 if [ -z "$OBJECTSTORE_S3_BUCKET" ] && [ -z "$OBJECTSTORE_SWIFT_URL" ]; then
     # Check if appdata is present
     # If not, something broke (e.g. changing ncdatadir after aio was first started)
     if [ -z "$(find "$NEXTCLOUD_DATA_DIR/" -maxdepth 1 -mindepth 1 -type d -name "appdata_*")" ]; then
-        echo "Appdata is not present. Did you maybe change the datadir after the initial Nextcloud installation? This is not supported!"
+        echo "Appdata is not present. Did you maybe change the datadir after aio was first started?"
         echo "See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir"
-        echo "If you adjusted the datadir to be located on an external drive, make sure that the drive is still mounted!"
         echo "In the datadir was found:"
         ls -la "$NEXTCLOUD_DATA_DIR/"
         exit 1
     fi
 
-    # Delete formerly configured tempdirectory as the default is usually faster (if the datadir is on a HDD or network FS)
-    if [ "$(php /var/www/html/occ config:system:get tempdirectory)" = "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
-        php /var/www/html/occ config:system:delete tempdirectory
-        if [ -d "$NEXTCLOUD_DATA_DIR/tmp/" ]; then
-            rm -r "$NEXTCLOUD_DATA_DIR/tmp/"
-        fi
+    # Configure tempdirectory
+    mkdir -p "$NEXTCLOUD_DATA_DIR/tmp/"
+    if ! grep -q upload_tmp_dir /usr/local/etc/php/conf.d/nextcloud.ini; then
+        echo "upload_tmp_dir = $NEXTCLOUD_DATA_DIR/tmp/" >> /usr/local/etc/php/conf.d/nextcloud.ini
     fi
-
+    php /var/www/html/occ config:system:set tempdirectory --value="$NEXTCLOUD_DATA_DIR/tmp/"
 fi
 
 # Perform fingerprint update if instance was restored
@@ -469,33 +403,19 @@ php /var/www/html/occ config:system:set one-click-instance --value=true --type=b
 php /var/www/html/occ config:system:set one-click-instance.user-limit --value=100 --type=int
 php /var/www/html/occ config:system:set one-click-instance.link --value="https://nextcloud.com/all-in-one/"
 php /var/www/html/occ app:enable support
-if [ -n "$SUBSCRIPTION_KEY" ] && [ -z "$(php /var/www/html/occ config:app:get support potential_subscription_key)" ]; then
-    php /var/www/html/occ config:app:set support potential_subscription_key --value="$SUBSCRIPTION_KEY"
-    php /var/www/html/occ config:app:delete support last_check
-fi
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
-php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
 php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
 php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
-php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
-if [ -n "$SERVERINFO_TOKEN" ] && [ -z "$(php /var/www/html/occ config:app:get serverinfo token)" ]; then
-    php /var/www/html/occ config:app:set serverinfo token --value="$SERVERINFO_TOKEN"
-fi
 
 # Apply network settings
 echo "Applying network settings..."
-php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
-php /var/www/html/occ config:system:set davstorage.request_timeout --value="$PHP_MAX_TIME" --type=int
 php /var/www/html/occ config:system:set trusted_domains 1 --value="$NC_DOMAIN"
 php /var/www/html/occ config:system:set overwrite.cli.url --value="https://$NC_DOMAIN/"
 php /var/www/html/occ config:system:set htaccess.RewriteBase --value="/"
 php /var/www/html/occ maintenance:update:htaccess
 
-# Revert dbpersistent setting to check if it fixes too many db connections
-php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
-
 # Disallow creating local external storages when nothing was mounted
 if [ -z "$NEXTCLOUD_MOUNT" ]; then
     php /var/www/html/occ config:system:set files_external_allow_create_new_local --type=bool --value=false
@@ -504,14 +424,8 @@ else
 fi
 
 # AIO app
-if [ "$THIS_IS_AIO" = "true" ]; then
-    if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "yes" ]; then
-        php /var/www/html/occ app:enable nextcloud-aio
-    fi
-else
-    if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "no" ]; then
-        php /var/www/html/occ app:disable nextcloud-aio
-    fi
+if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "yes" ]; then
+    php /var/www/html/occ app:enable nextcloud-aio
 fi
 
 # Notify push
@@ -522,15 +436,8 @@ elif [ "$(php /var/www/html/occ config:app:get notify_push enabled)" != "yes" ];
 elif [ "$SKIP_UPDATE" != 1 ]; then
     php /var/www/html/occ app:update notify_push
 fi
-chmod 775 -R /var/www/html/custom_apps/notify_push/bin/
 php /var/www/html/occ config:system:set trusted_proxies 0 --value="127.0.0.1"
 php /var/www/html/occ config:system:set trusted_proxies 1 --value="::1"
-if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
-    php /var/www/html/occ config:system:set trusted_proxies 2 --value="$ADDITIONAL_TRUSTED_PROXY"
-fi
-if [ -n "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
-    php /var/www/html/occ config:system:set trusted_domains 2 --value="$ADDITIONAL_TRUSTED_DOMAIN"
-fi
 php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://$NC_DOMAIN/push"
 
 # Collabora
@@ -543,9 +450,14 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update richdocuments
     fi
     php /var/www/html/occ config:app:set richdocuments wopi_url --value="https://$NC_DOMAIN/"
+    # Fix https://github.com/nextcloud/all-in-one/issues/188:
+    php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
     # Make collabora more save
-    COLLABORA_IPv4_ADDRESS="$(dig "$NC_DOMAIN" A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-    COLLABORA_IPv6_ADDRESS="$(dig "$NC_DOMAIN" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+    COLLABORA_IPv4_ADDRESS="$(echo "<?php echo gethostbyname('$NC_DOMAIN');" | php | head -1)"
+    COLLABORA_IPv6_ADDRESS="<?php \$record = dns_get_record('$NC_DOMAIN', DNS_AAAA);"
+    # shellcheck disable=SC2016
+    COLLABORA_IPv6_ADDRESS+='if (!empty($record)) {echo $record[0]["ipv6"];}'
+    COLLABORA_IPv6_ADDRESS="$(echo "$COLLABORA_IPv6_ADDRESS" | php | head -1)"
     COLLABORA_ALLOW_LIST="$(php /var/www/html/occ config:app:get richdocuments wopi_allowlist)"
     if [ -n "$COLLABORA_IPv4_ADDRESS" ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv4_ADDRESS"; then
@@ -574,17 +486,12 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$PRIVATE_IP_RANGES"; then
             COLLABORA_ALLOW_LIST+=",$PRIVATE_IP_RANGES"
         fi
-        if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
-            if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$ADDITIONAL_TRUSTED_PROXY"; then
-                COLLABORA_ALLOW_LIST+=",$ADDITIONAL_TRUSTED_PROXY"
-            fi
-        fi
         php /var/www/html/occ config:app:set richdocuments wopi_allowlist --value="$COLLABORA_ALLOW_LIST"
     else
         echo "Warning: wopi_allowlist is empty which should not be the case!"
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/richdocuments" ]; then
+    if [ -d "/var/www/html/custom_apps/richdocuments" ]; then
         php /var/www/html/occ app:remove richdocuments
     fi
 fi
@@ -603,11 +510,11 @@ if [ "$ONLYOFFICE_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update onlyoffice
     fi
     php /var/www/html/occ config:system:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
-    php /var/www/html/occ config:app:set onlyoffice jwt_secret --value="$ONLYOFFICE_SECRET"
     php /var/www/html/occ config:system:set onlyoffice jwt_header --value="AuthorizationJwt"
     php /var/www/html/occ config:app:set onlyoffice DocumentServerUrl --value="https://$NC_DOMAIN/onlyoffice"
+    php /var/www/html/occ config:system:set allow_local_remote_servers --type=bool --value=true
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
+    if [ -d "/var/www/html/custom_apps/onlyoffice" ] && [ -n "$ONLYOFFICE_SECRET" ] && [ "$(php /var/www/html/occ config:system:get onlyoffice jwt_secret)" = "$ONLYOFFICE_SECRET" ]; then
         php /var/www/html/occ app:remove onlyoffice
     fi
 fi
@@ -634,26 +541,11 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
         php /var/www/html/occ talk:signaling:add "https://$NC_DOMAIN/standalone-signaling/" "$SIGNALING_SECRET" --verify
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/spreed" ]; then
+    if [ -d "/var/www/html/custom_apps/spreed" ]; then
         php /var/www/html/occ app:remove spreed
     fi
 fi
 
-# Talk recording
-if [ -d "/var/www/html/custom_apps/spreed" ]; then
-    if [ "$TALK_RECORDING_ENABLED" = 'yes' ]; then
-        while ! nc -z "$TALK_RECORDING_HOST" 1234; do
-            echo "waiting for Talk Recording to become available..."
-            sleep 5
-        done
-        # TODO: migrate to occ command if that becomes available
-        RECORDING_SERVERS_STRING="{\"servers\":[{\"server\":\"http://$TALK_RECORDING_HOST:1234/\",\"verify\":true}],\"secret\":\"$RECORDING_SECRET\"}"
-        php /var/www/html/occ config:app:set spreed recording_servers --value="$RECORDING_SERVERS_STRING"
-    else
-        php /var/www/html/occ config:app:delete spreed recording_servers
-    fi
-fi
-
 # Clamav
 if [ "$CLAMAV_ENABLED" = 'yes' ]; then
     count=0
@@ -677,26 +569,28 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
         php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
         php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
         php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="104857600"
-        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="104857600"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="-1"
         php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
+    if [ -d "/var/www/html/custom_apps/files_antivirus" ]; then
         php /var/www/html/occ app:remove files_antivirus
     fi
 fi
 
 # Imaginary
-if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
-    php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
-    php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
-else
-    if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 0
-        php /var/www/html/occ config:system:delete preview_imaginary_url
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 20
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 21
-        php /var/www/html/occ config:system:delete enabledPreviewProviders 22
+if version_greater "$installed_version" "24.0.0.0"; then
+    if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
+        php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
+        php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
+    else
+        if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 0
+            php /var/www/html/occ config:system:delete preview_imaginary_url
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 20
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 21
+            php /var/www/html/occ config:system:delete enabledPreviewProviders 22
+        fi
     fi
 fi
 
@@ -728,7 +622,7 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         php /var/www/html/occ app:update files_fulltextsearch
     fi
     php /var/www/html/occ fulltextsearch:configure '{"search_platform":"OCA\\FullTextSearch_Elasticsearch\\Platform\\ElasticSearchPlatform"}'
-    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://elastic:$FULLTEXTSEARCH_PASSWORD@$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
+    php /var/www/html/occ fulltextsearch_elasticsearch:configure "{\"elastic_host\":\"http://$FULLTEXTSEARCH_HOST:9200\",\"elastic_index\":\"nextcloud-aio\"}"
     php /var/www/html/occ files_fulltextsearch:configure "{\"files_pdf\":\"1\",\"files_office\":\"1\"}"
 
     # Do the index
@@ -744,33 +638,14 @@ if [ "$FULLTEXTSEARCH_ENABLED" = 'yes' ]; then
         fi
     fi
 else
-    if [ "$REMOVE_DISABLED_APPS" = yes ]; then
-        if [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
-            php /var/www/html/occ app:remove fulltextsearch
-        fi
-        if [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
-            php /var/www/html/occ app:remove fulltextsearch_elasticsearch
-        fi
-        if [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
-            php /var/www/html/occ app:remove files_fulltextsearch
-        fi
+    if [ -d "/var/www/html/custom_apps/fulltextsearch" ]; then
+        php /var/www/html/occ app:remove fulltextsearch
     fi
-fi
-
-# Docker socket proxy
-if version_greater "$installed_version" "27.1.2.0"; then
-    if [ "$DOCKER_SOCKET_PROXY_ENABLED" = 'yes' ]; then
-        if ! [ -d "/var/www/html/custom_apps/app_api" ]; then
-            php /var/www/html/occ app:install app_api
-        elif [ "$(php /var/www/html/occ config:app:get app_api enabled)" != "yes" ]; then
-            php /var/www/html/occ app:enable app_api
-        elif [ "$SKIP_UPDATE" != 1 ]; then
-            php /var/www/html/occ app:update app_api
-        fi
-    else
-        if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/app_api" ]; then
-            php /var/www/html/occ app:remove app_api
-        fi
+    if [ -d "/var/www/html/custom_apps/fulltextsearch_elasticsearch" ]; then
+        php /var/www/html/occ app:remove fulltextsearch_elasticsearch
+    fi
+    if [ -d "/var/www/html/custom_apps/files_fulltextsearch" ]; then
+        php /var/www/html/occ app:remove files_fulltextsearch
     fi
 fi
 

Containers/nextcloud/healthcheck.sh

@@ -2,6 +2,6 @@
 
 nc -z "$POSTGRES_HOST" 5432 || exit 0
 
-if ! nc -z localhost 9000; then
+if ! nc -z localhost 9000 || ! nc -z localhost 7867; then
     exit 1
 fi

Containers/nextcloud/run-exec-commands.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-
-# Wait 15s for domain to be reachable
-sleep 15
-
-if [ -n "$NEXTCLOUD_EXEC_COMMANDS" ]; then
-    echo "#!/bin/bash" > /tmp/nextcloud-exec-commands
-    echo "$NEXTCLOUD_EXEC_COMMANDS" >> /tmp/nextcloud-exec-commands
-    if ! grep "one-click-instance" /tmp/nextcloud-exec-commands; then
-        bash /tmp/nextcloud-exec-commands
-        rm /tmp/nextcloud-exec-commands
-    fi
-else
-    # Collabora must work also if using manual-install 
-    if [ "$COLLABORA_ENABLED" = yes ]; then
-        echo "Activating Collabora config..."
-        php /var/www/html/occ richdocuments:activate-config
-    fi
-    # OnlyOffice must work also if using manual-install
-    if [ "$ONLYOFFICE_ENABLED" = yes ]; then
-        echo "Activating OnlyOffice config..."
-        php /var/www/html/occ onlyoffice:documentserver --check
-    fi
-fi
-
-sleep inf

Containers/nextcloud/start.sh

@@ -34,7 +34,7 @@ fi
 # Check if /dev/dri device is present and apply correct permissions
 set -x
 if ! [ -f "/dev-dri-group-was-added" ] && [ -n "$(find /dev -maxdepth 1 -mindepth 1 -name dri)" ] && [ -n "$(find /dev/dri -maxdepth 1 -mindepth 1 -name renderD128)" ]; then
-    # From https://memories.gallery/hw-transcoding/#docker-installations
+    # From https://github.com/pulsejet/memories/wiki/QSV-Transcoding#docker-installations
     GID="$(stat -c "%g" /dev/dri/renderD128)"
     groupadd -g "$GID" render2 || true # sometimes this is needed
     GROUP="$(getent group "$GID" | cut -d: -f1)"
@@ -54,17 +54,11 @@ sudo -u www-data rm -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
 # Install additional dependencies
 if [ -n "$ADDITIONAL_APKS" ]; then
     if ! [ -f "/additional-apks-are-installed" ]; then
-        # Allow to disable imagemagick without having to download it each time
-        if ! echo "$ADDITIONAL_APKS" | grep -q imagemagick; then
-            apk del imagemagick imagemagick-svg;
-        fi
         read -ra ADDITIONAL_APKS_ARRAY <<< "$ADDITIONAL_APKS"
         for app in "${ADDITIONAL_APKS_ARRAY[@]}"; do
-            if [ "$app" != imagemagick ]; then
-                echo "Installing $app via apk..."
-                if ! apk add --no-cache "$app" >/dev/null; then
-                    echo "The packet $app was not installed!"
-                fi
+            echo "Installing $app via apk..."
+            if ! apk add --no-cache "$app" >/dev/null; then
+                echo "The packet $app was not installed!"
             fi
         done
     fi
@@ -125,7 +119,7 @@ if [ -n "$ADDITIONAL_PHP_EXTENSIONS" ]; then
                     | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
             )";
             # shellcheck disable=SC2086
-            apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps >/dev/null
+            apk add --virtual .nextcloud-phpext-rundeps $runDeps >/dev/null
             apk del .build-deps >/dev/null
         fi
     fi
@@ -137,25 +131,14 @@ if ! sudo -E -u www-data bash /entrypoint.sh; then
     exit 1
 fi
 
-while [ "$THIS_IS_AIO" = "true" ] && [ -z "$(dig nextcloud-aio-apache A +short +search)" ]; do
-    echo "Waiting for nextcloud-aio-apache to start..."
-    sleep 5
-done
-
-set -x
-# shellcheck disable=SC2235
-if [ "$THIS_IS_AIO" = "true" ] && ([ "$APACHE_PORT" = 443 ] || [ "$APACHE_IP_BINDING" = "127.0.0.1" ] || [ "$APACHE_IP_BINDING" = "::1" ]); then
-    IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-    IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-    IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-    IPv6_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
-
-    sed -i "s|^;listen.allowed_clients|listen.allowed_clients|" /usr/local/etc/php-fpm.d/www.conf
-    sed -i "s|listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1,$IPv4_ADDRESS_APACHE,$IPv6_ADDRESS_APACHE,$IPv4_ADDRESS_MASTERCONTAINER,$IPv6_ADDRESS_MASTERCONTAINER|" /usr/local/etc/php-fpm.d/www.conf
-    sed -i "/^listen.allowed_clients/s/,,/,/g" /usr/local/etc/php-fpm.d/www.conf
-    sed -i "/^listen.allowed_clients/s/,$//" /usr/local/etc/php-fpm.d/www.conf
-    grep listen.allowed_clients /usr/local/etc/php-fpm.d/www.conf
+# Correctly set CPU_ARCH for notify_push
+CPU_ARCH="$(uname -m)"
+export CPU_ARCH
+if [ -z "$CPU_ARCH" ]; then
+    echo "Could not get processor architecture. Exiting."
+    exit 1
+elif [ "$CPU_ARCH" != "x86_64" ]; then
+    export CPU_ARCH="aarch64"
 fi
-set +x
 
-exec "$@"
+exec "$@"

Containers/nextcloud/supervisord.conf

@@ -25,19 +25,18 @@ stderr_logfile_maxbytes=0
 command=/cron.sh
 user=www-data
 
-[program:run-exec-commands]
+[program:notify-push]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=/run-exec-commands.sh
+command=/var/www/html/custom_apps/notify_push/bin/%(ENV_CPU_ARCH)s/notify_push /var/www/html/config/config.php --port 7867 --redis-url redis://:%(ENV_REDIS_HOST_PASSWORD)s@%(ENV_REDIS_HOST)s
 user=www-data
 
-# This is a hack but no better solution is there
-[program:is-nextcloud-online]
+[program:activate-collabora]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nc -lk 9001
+command=/activate-collabora.sh
 user=www-data

Containers/notify-push/Dockerfile

@@ -1,22 +0,0 @@
-FROM alpine:3.19.1
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        netcat-openbsd \
-        tzdata \
-        bash \
-        openssl; \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk del --no-cache \
-        openssl;
-
-USER 33
-ENTRYPOINT ["/start.sh"]
-
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/notify-push/healthcheck.sh

@@ -1,7 +0,0 @@
-#!/bin/bash
-
-if ! nc -z "$NEXTCLOUD_HOST" 9001; then
-    exit 0
-fi
-
-nc -z localhost 7867 || exit 1

Containers/notify-push/start.sh

@@ -1,57 +0,0 @@
-#!/bin/bash
-
-if [ -z "$NEXTCLOUD_HOST" ]; then
-    echo "NEXTCLOUD_HOST need to be provided. Exiting!"
-    exit 1
-elif [ -z "$POSTGRES_HOST" ]; then
-    echo "POSTGRES_HOST need to be provided. Exiting!"
-    exit 1
-elif [ -z "$REDIS_HOST" ]; then
-    echo "REDIS_HOST need to be provided. Exiting!"
-    exit 1
-fi
-
-# Only start container if nextcloud is accessible
-while ! nc -z "$NEXTCLOUD_HOST" 9001; do
-    echo "Waiting for Nextcloud to start..."
-    sleep 5
-done
-
-# Correctly set CPU_ARCH for notify_push
-CPU_ARCH="$(uname -m)"
-export CPU_ARCH
-if [ -z "$CPU_ARCH" ]; then
-    echo "Could not get processor architecture. Exiting."
-    exit 1
-elif [ "$CPU_ARCH" != "x86_64" ]; then
-    export CPU_ARCH="aarch64"
-fi
-
-# Add warning
-if ! [ -f /nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push ]; then
-    echo "The notify_push binary was not found."
-    echo "Most likely is DNS resolution not working correctly."
-    echo "You can try to fix this by configuring a DNS server globally in dockers daemon.json."
-    echo "See https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html"
-    echo "Afterwards a restart of docker should automatically resolve this."
-    echo "Additionally, make sure to disable VPN software that might be running on your server"
-    echo "Also check your firewall if it blocks connections to github"
-    echo "If it should still not work afterwards, feel free to create a new thread at https://github.com/nextcloud/all-in-one/discussions/new?category=questions and post the Nextcloud container logs there."
-    echo ""
-    echo ""
-    exit 1
-fi
-
-echo "notify-push was started"
-
-# Set sensitive values as env
-export DATABASE_URL="postgres://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
-export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
-
-# Run it
-/nextcloud/custom_apps/notify_push/bin/"$CPU_ARCH"/notify_push \
-    --database-prefix="oc_" \
-    --nextcloud-url "https://$NC_DOMAIN" \
-    --port 7867
-
-exec "$@"

Containers/onlyoffice/Dockerfile

@@ -1,7 +1,5 @@
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.5.1.1
-
-# USER root is probably used
+FROM onlyoffice/documentserver:7.3.3.49
 
 HEALTHCHECK CMD nc -z localhost 80 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/postgresql/Dockerfile

@@ -1,41 +1,39 @@
 # From https://github.com/docker-library/postgres/blob/master/15/alpine/Dockerfile
-FROM postgres:15.5-alpine
+FROM postgres:15.2-alpine
 
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
+RUN apk add --no-cache bash openssl shadow grep mawk
 
-RUN set -ex; \
-    apk add --no-cache \
-        bash \
-        openssl \
-        shadow \
-        grep; \
-    \
 # We need to use the same gid and uid as on old installations
+RUN set -ex; \
     deluser postgres; \
     groupmod -g 9999 ping; \
     addgroup -g 999 -S postgres; \
-    adduser -u 999 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
-    apk del --no-cache shadow; \
-    \
+    adduser -u 999 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres
+
 # Fix default permissions
+RUN set -ex; \
     chown -R postgres:postgres /var/lib/postgresql; \
     chown -R postgres:postgres /var/run/postgresql; \
-    chmod -R 777 /var/run/postgresql; \
-    chown -R postgres:postgres "$PGDATA"; \
-    \
-    mkdir /mnt/data; \
-    chown postgres:postgres /mnt/data; \
-    \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk --no-cache del openssl;
+    chown -R postgres:postgres "$PGDATA"
+
+COPY start.sh /usr/bin/
+COPY healthcheck.sh /usr/bin/
+COPY init-user-db.sh /docker-entrypoint-initdb.d/
+RUN set -ex; \
+    chmod +x /usr/bin/start.sh; \
+    chmod +xr /docker-entrypoint-initdb.d/init-user-db.sh; \
+    chmod +x /usr/bin/healthcheck.sh
+
+RUN mkdir /mnt/data; \
+    chown postgres:postgres /mnt/data;
 
 VOLUME /mnt/data
 
-USER postgres
-ENTRYPOINT ["/start.sh"]
+# Give root a random password
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+USER postgres
+ENTRYPOINT ["start.sh"]
+
+HEALTHCHECK CMD healthcheck.sh
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/postgresql/start.sh

@@ -31,7 +31,7 @@ fi
 if [ -f "$DUMP_DIR/initialization.failed" ]; then
     echo "The database initialization failed. Most likely was a wrong timezone selected."
     echo "The selected timezone is '$TZ'." 
-    echo "Please check if it is in the 'TZ identifier' column of the timezone list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"
+    echo "Please check if it is in 'TZ database name' column of the timezone list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List"
     echo "For further clues on what went wrong, look at the logs above."
     echo "You might start again from scratch by following https://github.com/nextcloud/all-in-one#how-to-properly-reset-the-instance and selecting a proper timezone."
     exit 1
@@ -92,14 +92,14 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
 
     # Check if the line we grep for later on is there
     GREP_STRING='Name: oc_appconfig; Type: TABLE; Schema: public; Owner:'
-    if ! grep -qa "$GREP_STRING" "$DUMP_FILE"; then
+    if ! grep -q "$GREP_STRING" "$DUMP_FILE"; then
         echo "The needed oc_appconfig line is not there which is unexpected."
         echo "Please report this to https://github.com/nextcloud/all-in-one/issues. Thanks!"
         exit 1
     fi
 
     # Get the Owner
-    DB_OWNER="$(grep -a "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
+    DB_OWNER="$(grep "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
     if [ "$DB_OWNER" = "$POSTGRES_USER" ]; then
         echo "Unfortunately was the found database owner of the dump file the same as the POSTGRES_USER $POSTGRES_USER"
         echo "It is not possible to import a database dump from this database owner."
@@ -146,51 +146,32 @@ if ! [ -f "$DATADIR/PG_VERSION" ] && ! [ -f "$DUMP_FILE" ]; then
     rm -rf "${DATADIR:?}/"*
 fi
 
-# Modify postgresql.conf
-if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
-    echo "Setting postgres values..."
-
-    # Sync this with max pm.max_children and MaxRequestWorkers
-    # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
-    # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
-    # Also connections should usually be closed again after the process is done
-    # If we should actually exceed this limit, it is definitely a bug in Nextcloud server or some of its apps that does not close connections correctly and not a bug in AIO
-    sed -i "s|^max_connections =.*|max_connections = 5000|" "/var/lib/postgresql/data/postgresql.conf"
-
-    # Do not log checkpoints
-    if grep -q "#log_checkpoints" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|#log_checkpoints.*|log_checkpoints = off|' /var/lib/postgresql/data/postgresql.conf
-    fi
-
-    # Closing idling connections automatically seems to break any logic so was reverted again to default where it is disabled
-    if grep -q "^idle_session_timeout" /var/lib/postgresql/data/postgresql.conf; then
-        sed -i 's|^idle_session_timeout.*|#idle_session_timeout|' /var/lib/postgresql/data/postgresql.conf
-    fi
+echo "Setting max connections..."
+MEMORY=$(mawk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo)
+MAX_CONNECTIONS=$((MEMORY/50+3))
+if [ -n "$MAX_CONNECTIONS" ]; then
+    sed -i "s|^max_connections =.*|max_connections = $MAX_CONNECTIONS|" "/var/lib/postgresql/data/postgresql.conf"
 fi
 
-do_database_dump() {
-    set -x
-    rm -f "$DUMP_FILE.temp"
-    touch "$DUMP_DIR/export.failed"
-    if pg_dump --username "$POSTGRES_USER" "$POSTGRES_DB" > "$DUMP_FILE.temp"; then
-        rm -f "$DUMP_FILE"
-        mv "$DUMP_FILE.temp" "$DUMP_FILE"
-        pg_ctl stop -m fast
-        rm "$DUMP_DIR/export.failed"
-        echo 'Database dump successful!'
-        set +x
-        exit 0
-    else
-        pg_ctl stop -m fast
-        echo "Database dump unsuccessful!"
-        set +x
-        exit 1
-    fi
-}
-
 # Catch docker stop attempts
-trap do_database_dump SIGINT SIGTERM
+trap 'true' SIGINT SIGTERM
 
 # Start the database
 exec docker-entrypoint.sh postgres &
 wait $!
+
+# Continue with shutdown procedure: do database dump, etc.
+rm -f "$DUMP_FILE.temp"
+touch "$DUMP_DIR/export.failed"
+if pg_dump --username "$POSTGRES_USER" "$POSTGRES_DB" > "$DUMP_FILE.temp"; then
+    rm -f "$DUMP_FILE"
+    mv "$DUMP_FILE.temp" "$DUMP_FILE"
+    pg_ctl stop -m fast
+    rm "$DUMP_DIR/export.failed"
+    echo 'Database dump successful!'
+    exit 0
+else
+    pg_ctl stop -m fast
+    echo "Database dump unsuccessful!"
+    exit 1
+fi

Containers/redis/Dockerfile

@@ -1,16 +1,16 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.2.4-alpine
+FROM redis:7.0.10-alpine
 
-COPY --chmod=775 start.sh /start.sh
+RUN apk add --no-cache openssl bash
+
+COPY start.sh /usr/bin/
+RUN chmod +x /usr/bin/start.sh
 
-RUN set -ex; \
-    apk add --no-cache openssl bash; \
-    \
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
 
 USER redis
-ENTRYPOINT ["/start.sh"]
+ENTRYPOINT ["start.sh"]
 
 HEALTHCHECK CMD redis-cli -a $REDIS_HOST_PASSWORD PING || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/redis/start.sh

@@ -8,9 +8,9 @@ fi
 
 # Run redis with a password if provided
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
-    exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
+    exec redis-server --requirepass "$REDIS_HOST_PASSWORD"
 else
-    exec redis-server --loglevel warning
+    exec redis-server
 fi
 
 exec "$@"

Containers/talk-recording/Dockerfile

@@ -1,56 +0,0 @@
-FROM python:3.12.1-alpine3.19
-
-COPY --chmod=775 start.sh /start.sh
-
-ENV RECORDING_VERSION v0.1
-ENV ALLOW_ALL false
-ENV HPB_PROTOCOL https
-ENV SKIP_VERIFY false
-ENV HPB_PATH /standalone-signaling/
-
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        tzdata \
-        bash \
-        xvfb \
-        ffmpeg \
-        firefox \
-        bind-tools \
-        netcat-openbsd \
-        git \
-        wget \
-        shadow \
-        pulseaudio \
-        openssl \
-        build-base \
-        linux-headers; \
-    # chromium chromium-chromedriver?
-    apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
-    useradd -d /tmp --system recording; \
-# Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    git clone --recursive https://github.com/nextcloud/nextcloud-talk-recording --depth=1 --single-branch --branch "$RECORDING_VERSION" /src; \
-    python3 -m pip install --no-cache-dir /src; \
-    rm -rf /src; \
-    touch /etc/recording.conf; \
-    chown recording:recording -R \
-        /tmp /etc/recording.conf; \
-    mkdir -p /conf; \
-    chmod 777 /conf; \
-    chmod 777 /tmp; \
-    apk del --no-cache \
-        git \
-        wget \
-        shadow \
-        openssl \
-        build-base \
-        linux-headers;
-
-WORKDIR /tmp
-USER recording
-ENTRYPOINT ["/start.sh"]
-CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]
-
-HEALTHCHECK CMD nc -z localhost 1234 || exit 1
-LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk-recording/recording.conf

@@ -1,123 +0,0 @@
-[logs]
-# Log level based on numeric values of Python logging levels:
-# - Critical: 50
-# - Error:    40
-# - Warning:  30
-# - Info:     20
-# - Debug:    10
-# - Not set:   0
-#level = 20
-
-[http]
-# IP and port to listen on for HTTP requests.
-#listen = 127.0.0.1:8000
-
-[backend]
-# Allow any hostname as backend endpoint. This is extremely insecure and should
-# only be used during development.
-#allowall = false
-
-# Common shared secret for requests from and to the backend servers if
-# "allowall" is enabled. This must be the same value as configured in the
-# Nextcloud admin ui.
-#secret = the-shared-secret
-
-# Comma-separated list of backend ids allowed to connect.
-#backends = backend-id, another-backend
-
-# If set to "true", certificate validation of backend endpoints will be skipped.
-# This should only be enabled during development, e.g. to work with self-signed
-# certificates.
-# Overridable by backend.
-#skipverify = false
-
-# Maximum allowed size in bytes for messages sent by the backend.
-# Overridable by backend.
-#maxmessagesize = 1024
-
-# Width for recorded videos.
-# Overridable by backend.
-#videowidth = 1920
-
-# Height for recorded videos.
-# Overridable by backend.
-#videoheight = 1080
-
-# Temporary directory used to store recordings until uploaded. It must be
-# writable by the user running the recording server.
-# Overridable by backend.
-#directory = /tmp
-
-# Backend configurations as defined in the "[backend]" section above. The
-# section names must match the ids used in "backends" above.
-#[backend-id]
-# URL of the Nextcloud instance
-#url = https://cloud.domain.invalid
-
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-#[another-backend]
-# URL of the Nextcloud instance
-#url = https://cloud.otherdomain.invalid
-
-# Shared secret for requests from and to the backend servers. This must be the
-# same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-[signaling]
-# Common shared secret for authenticating as an internal client of signaling
-# servers if a specific secret is not set for a signaling server. This must be
-# the same value as configured in the signaling server configuration file.
-#internalsecret = the-shared-secret-for-internal-clients
-
-# Comma-separated list of signaling servers with specific internal secrets.
-#signalings = signaling-id, another-signaling
-
-# Signaling server configurations as defined in the "[signaling]" section above.
-# The section names must match the ids used in "signalings" above.
-#[signaling-id]
-# URL of the signaling server
-#url = https://signaling.domain.invalid
-
-# Shared secret for authenticating as an internal client of signaling servers.
-# This must be the same value as configured in the signaling server
-# configuration file.
-#internalsecret = the-shared-secret-for-internal-clients
-
-#[another-signaling]
-# URL of the signaling server
-#url = https://signaling.otherdomain.invalid
-
-# Shared secret for authenticating as an internal client of signaling servers.
-# This must be the same value as configured in the signaling server
-# configuration file.
-#internalsecret = the-shared-secret-for-internal-clients
-
-[ffmpeg]
-# The ffmpeg executable (name or full path) and the global options given to
-# ffmpeg. The options given here fully override the default global options.
-#common = ffmpeg -loglevel level+warning -n
-
-# The options given to ffmpeg to encode the audio output. The options given here
-# fully override the default options for the audio output.
-#outputaudio = -c:a libopus
-
-# The options given to ffmpeg to encode the video output. The options given here
-# fully override the default options for the video output.
-#outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-
-# The extension of the file for audio only recordings.
-#extensionaudio = .ogg
-
-# The extension of the file for audio and video recordings.
-#extensionvideo = .webm
-
-[recording]
-# Browser to use for recordings. Please note that the "chrome" value does not
-# refer to the web browser, but to the Selenium WebDriver. In practice, "chrome"
-# will use Google Chrome, or Chromium if Google Chrome is not installed.
-# Allowed values: firefox, chrome
-# Defaults to firefox
-# browser = firefox

Containers/talk-recording/start.sh

@@ -1,61 +0,0 @@
-#!/bin/bash
-
-# Variables
-if [ -z "$NC_DOMAIN" ]; then
-    echo "You need to provide the NC_DOMAIN."
-    exit 1
-elif [ -z "$RECORDING_SECRET" ]; then
-    echo "You need to provide the RECORDING_SECRET."
-    exit 1
-elif [ -z "$INTERNAL_SECRET" ]; then
-    echo "You need to provide the INTERNAL_SECRET."
-    exit 1
-fi
-
-if [ -z "$HPB_DOMAIN" ]; then
-    export HPB_DOMAIN="$NC_DOMAIN"
-fi
-
-cat << RECORDING_CONF > "/conf/recording.conf"
-[logs]
-# 30 means Warning
-level = 30
-
-[http]
-listen = 0.0.0.0:1234
-
-[backend]
-allowall = ${ALLOW_ALL}
-# The secret below is still needed if allowall is set to true, also it doesn't hurt to be here
-secret = ${RECORDING_SECRET}
-backends = backend-1
-skipverify = ${SKIP_VERIFY}
-maxmessagesize = 1024
-videowidth = 1920
-videoheight = 1080
-directory = /tmp
-
-[backend-1]
-url = ${HPB_PROTOCOL}://${NC_DOMAIN}
-secret = ${RECORDING_SECRET}
-skipverify = ${SKIP_VERIFY}
-
-[signaling]
-signalings = signaling-1
-
-[signaling-1]
-url = ${HPB_PROTOCOL}://${HPB_DOMAIN}${HPB_PATH}
-internalsecret = ${INTERNAL_SECRET}
-
-[ffmpeg]
-# common = ffmpeg -loglevel level+warning -n
-# outputaudio = -c:a libopus
-# outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
-extensionaudio = .ogg
-extensionvideo = .webm
-
-[recording]
-browser = firefox
-RECORDING_CONF
-
-exec "$@"

Containers/talk/Dockerfile

@@ -1,105 +1,71 @@
-FROM nats:2.10.10-scratch as nats
-FROM eturnal/eturnal:1.12.0 AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:1.2.3 as signaling
-FROM alpine:3.19.1 as janus
+FROM nats:2.9.15-scratch as nats
+FROM strukturag/nextcloud-spreed-signaling:1.1.2 as signaling
+FROM alpine:3.17.2
+USER root
 
-ARG JANUS_VERSION=v0.14.1
-WORKDIR /src
-RUN set -ex; \
-    apk add --no-cache \
-        ca-certificates \
-        git \
-        autoconf \
-        automake \
-        build-base \
-        pkgconfig \
-        libtool \
-        util-linux \
-        glib-dev \
-        zlib-dev \
-        openssl-dev \
-        jansson-dev \
-        libnice-dev \
-        libconfig-dev \
-        libsrtp-dev \
-        libusrsctp-dev \
-        gengetopt-dev \
-        libwebsockets-dev; \
-    git clone --recursive https://github.com/meetecho/janus-gateway --depth=1 --single-branch --branch "$JANUS_VERSION" /src; \
-    /src/autogen.sh; \
-    /src/configure --disable-rabbitmq --disable-mqtt --disable-boringssl; \
-    make; \
-    make install; \
-    make configs; \
-    rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
-
-FROM alpine:3.19.1
-ENV ETURNAL_ETC_DIR="/conf"
-COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
-COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
-COPY --from=nats      --chmod=777 --chown=1000:1000 /nats-server                        /usr/local/bin/nats-server
-COPY --from=signaling --chmod=777 --chown=1000:1000 /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
-
-COPY --chmod=775 start.sh /start.sh
-COPY --chmod=775 healthcheck.sh /healthcheck.sh
-COPY --chmod=664 supervisord.conf /supervisord.conf
+COPY --from=nats /nats-server /usr/local/bin/nats-server
+COPY --from=signaling /usr/bin/nextcloud-spreed-signaling /usr/local/bin/nextcloud-spreed-signaling
 
 RUN set -ex; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
         bash \
+        coturn \
         openssl \
         supervisor \
         bind-tools \
         netcat-openbsd \
-        \
-        glib \
-        zlib \
-        libssl3 \
-        libcrypto3 \
-        jansson \
-        libnice \
-        libconfig \
-        libsrtp \
-        libusrsctp \
-        libwebsockets \
-        \
         shadow \
-        grep; \
-    useradd --system -u 1000 eturnal; \
+        util-linux \
+        build-base \
+        lua5.3-dev \
+        luarocks5.3; \
+    apk add --no-cache janus-gateway --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
+    useradd --system talk; \
+    luarocks-5.3 install luajson; \
+    luarocks-5.3 install ansicolors; \
+    rename -v ".jcfg.sample" ".jcfg" /etc/janus/*.sample; \
     apk del --no-cache \
-        shadow; \
-    \
+        shadow \
+        util-linux \
+        build-base \
+        lua5.3-dev \
+        luarocks5.3;
+
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    \
+RUN echo "root:$(openssl rand -base64 12)" | chpasswd
+
+COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=664 supervisord.conf /supervisord.conf
+
+RUN set -ex; \
     touch \
         /etc/nats.conf \
-        /etc/eturnal.yml; \
+        /etc/signaling.conf \
+        /etc/turnserver.conf; \
     echo "listen: 127.0.0.1:4222" | tee /etc/nats.conf; \
     mkdir -p \
         /var/tmp \
-        /conf \
         /var/lib/turn \
         /var/log/supervisord \
-        /var/run/supervisord \
-        /usr/local/lib/janus/loggers; \
-    chown eturnal:eturnal -R \
-        /etc/nats.conf \
-        /var/log/supervisord \
         /var/run/supervisord; \
-    chmod 777 -R \
-        /tmp \
-        /conf \
-        /var/run/supervisord \
-        /var/log/supervisord; \
-    ln -s /opt/eturnal/bin/stun /usr/local/bin/stun; \
-    ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl
+    chown talk:talk -R \
+        /usr \
+        /etc/janus \
+        /etc/nats.conf \
+        /etc/signaling.conf \
+        /etc/turnserver.conf \
+        /var/lib/turn \
+        /var/log/supervisord \
+        /var/run/supervisord;
 
-USER eturnal
-ENTRYPOINT ["/start.sh"]
-CMD ["supervisord", "-c", "/supervisord.conf"]
+# Set default talk port https://github.com/nextcloud/all-in-one/issues/1011
+ENV TALK_PORT=3478
 
-HEALTHCHECK CMD /healthcheck.sh
-LABEL com.centurylinklabs.watchtower.enable="false"
+USER talk
+ENTRYPOINT ["start.sh"]
+CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+
+HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost $TALK_PORT) || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

Containers/talk/healthcheck.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-nc -z localhost 8081 || exit 1
-nc -z localhost 8188 || exit 1
-nc -z localhost 4222 || exit 1
-nc -z localhost "$TALK_PORT" || exit 1
-eturnalctl status || exit 1
-if ! nc -z "$NC_DOMAIN" "$TALK_PORT"; then
-    echo "Could not reach $NC_DOMAIN on port $TALK_PORT."
-    exit 1
-fi

Containers/talk/server.conf.in

@@ -1,317 +0,0 @@
-[http]
-# IP and port to listen on for HTTP requests.
-# Comment line to disable the listener.
-#listen = 127.0.0.1:8080
-
-# HTTP socket read timeout in seconds.
-#readtimeout = 15
-
-# HTTP socket write timeout in seconds.
-#writetimeout = 15
-
-[https]
-# IP and port to listen on for HTTPS requests.
-# Comment line to disable the listener.
-#listen = 127.0.0.1:8443
-
-# HTTPS socket read timeout in seconds.
-#readtimeout = 15
-
-# HTTPS socket write timeout in seconds.
-#writetimeout = 15
-
-# Certificate / private key to use for the HTTPS server.
-certificate = /etc/nginx/ssl/server.crt
-key = /etc/nginx/ssl/server.key
-
-[app]
-# Set to "true" to install pprof debug handlers.
-# See "https://golang.org/pkg/net/http/pprof/" for further information.
-debug = false
-
-# Set to "true" to allow subscribing any streams. This is insecure and should
-# only be enabled for testing. By default only streams of users in the same
-# room and call can be subscribed.
-#allowsubscribeany = false
-
-[sessions]
-# Secret value used to generate checksums of sessions. This should be a random
-# string of 32 or 64 bytes.
-hashkey = the-secret-for-session-checksums
-
-# Optional key for encrypting data in the sessions. Must be either 16, 24 or
-# 32 bytes.
-# If no key is specified, data will not be encrypted (not recommended).
-blockkey = -encryption-key-
-
-[clients]
-# Shared secret for connections from internal clients. This must be the same
-# value as configured in the respective internal services.
-internalsecret = the-shared-secret-for-internal-clients
-
-[backend]
-# Type of backend configuration.
-# Defaults to "static".
-#
-# Possible values:
-# - static: A comma-separated list of backends is given in the "backends" option.
-# - etcd: Backends are retrieved from an etcd cluster.
-#backendtype = static
-
-# For backend type "static":
-# Comma-separated list of backend ids from which clients are allowed to connect
-# from. Each backend will have isolated rooms, i.e. clients connecting to room
-# "abc12345" on backend 1 will be in a different room than clients connected to
-# a room with the same name on backend 2. Also sessions connected from different
-# backends will not be able to communicate with each other.
-#backends = backend-id, another-backend
-
-# For backend type "etcd":
-# Key prefix of backend entries. All keys below will be watched and assumed to
-# contain a JSON document with the following entries:
-# - "url": Url of the Nextcloud instance.
-# - "secret": Shared secret for requests from and to the backend servers.
-#
-# Additional optional entries:
-# - "maxstreambitrate": Maximum bitrate per publishing stream (in bits per second).
-# - "maxscreenbitrate": Maximum bitrate per screensharing stream (in bits per second).
-# - "sessionlimit": Number of sessions that are allowed to connect.
-#
-# Example:
-# "/signaling/backend/one" -> {"url": "https://nextcloud.domain1.invalid", ...}
-# "/signaling/backend/two" -> {"url": "https://domain2.invalid/nextcloud", ...}
-#backendprefix = /signaling/backend
-
-# Allow any hostname as backend endpoint. This is extremely insecure and should
-# only be used while running the benchmark client against the server.
-allowall = false
-
-# Common shared secret for requests from and to the backend servers. Used if
-# "allowall" is enabled or as fallback for individual backends that don't have
-# their own secret set.
-# This must be the same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret-for-allowall
-
-# Timeout in seconds for requests to the backend.
-timeout = 10
-
-# Maximum number of concurrent backend connections per host.
-connectionsperhost = 8
-
-# If set to "true", certificate validation of backend endpoints will be skipped.
-# This should only be enabled during development, e.g. to work with self-signed
-# certificates.
-#skipverify = false
-
-# For backendtype "static":
-# Backend configurations as defined in the "[backend]" section above. The
-# section names must match the ids used in "backends" above.
-#[backend-id]
-# URL of the Nextcloud instance
-#url = https://cloud.domain.invalid
-
-# Shared secret for requests from and to the backend servers. Leave empty to use
-# the common shared secret from above.
-# This must be the same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-# Limit the number of sessions that are allowed to connect to this backend.
-# Omit or set to 0 to not limit the number of sessions.
-#sessionlimit = 10
-
-# The maximum bitrate per publishing stream (in bits per second).
-# Defaults to the maximum bitrate configured for the proxy / MCU.
-#maxstreambitrate = 1048576
-
-# The maximum bitrate per screensharing stream (in bits per second).
-# Defaults to the maximum bitrate configured for the proxy / MCU.
-#maxscreenbitrate = 2097152
-
-#[another-backend]
-# URL of the Nextcloud instance
-#url = https://cloud.otherdomain.invalid
-
-# Shared secret for requests from and to the backend servers. Leave empty to use
-# the common shared secret from above.
-# This must be the same value as configured in the Nextcloud admin ui.
-#secret = the-shared-secret
-
-[nats]
-# Url of NATS backend to use. This can also be a list of URLs to connect to
-# multiple backends. For local development, this can be set to "nats://loopback"
-# to process NATS messages internally instead of sending them through an
-# external NATS backend.
-#url = nats://localhost:4222
-
-[mcu]
-# The type of the MCU to use. Currently only "janus" and "proxy" are supported.
-# Leave empty to disable MCU functionality.
-#type =
-
-# For type "janus": the URL to the websocket endpoint of the MCU server.
-# For type "proxy": a space-separated list of proxy URLs to connect to.
-#url =
-
-# The maximum bitrate per publishing stream (in bits per second).
-# Defaults to 1 mbit/sec.
-# For type "proxy": will be capped to the maximum bitrate configured at the
-# proxy server that is used.
-#maxstreambitrate = 1048576
-
-# The maximum bitrate per screensharing stream (in bits per second).
-# Default is 2 mbit/sec.
-# For type "proxy": will be capped to the maximum bitrate configured at the
-# proxy server that is used.
-#maxscreenbitrate = 2097152
-
-# For type "proxy": timeout in seconds for requests to the proxy server.
-#proxytimeout = 2
-
-# For type "proxy": type of URL configuration for proxy servers.
-# Defaults to "static".
-#
-# Possible values:
-# - static: A space-separated list of proxy URLs is given in the "url" option.
-# - etcd: Proxy URLs are retrieved from an etcd cluster (see below).
-#urltype = static
-
-# If set to "true", certificate validation of proxy servers will be skipped.
-# This should only be enabled during development, e.g. to work with self-signed
-# certificates.
-#skipverify = false
-
-# For type "proxy": the id of the token to use when connecting to proxy servers.
-#token_id = server1
-
-# For type "proxy": the private key for the configured token id to use when
-# connecting to proxy servers.
-#token_key = privkey.pem
-
-# For url type "static": Enable DNS discovery on hostname of configured URL.
-# If the hostname resolves to multiple IP addresses, a connection is established
-# to each of them.
-# Changes to the DNS are monitored regularly and proxy connections are created
-# or deleted as necessary.
-#dnsdiscovery = true
-
-# For url type "etcd": Key prefix of MCU proxy entries. All keys below will be
-# watched and assumed to contain a JSON document. The entry "address" from this
-# document will be used as proxy URL, other contents in the document will be
-# ignored.
-#
-# Example:
-# "/signaling/proxy/server/one" -> {"address": "https://proxy1.domain.invalid"}
-# "/signaling/proxy/server/two" -> {"address": "https://proxy2.domain.invalid"}
-#keyprefix = /signaling/proxy/server
-
-[turn]
-# API key that the MCU will need to send when requesting TURN credentials.
-#apikey = the-api-key-for-the-rest-service
-
-# The shared secret to use for generating TURN credentials. This must be the
-# same as on the TURN server.
-#secret = 6d1c17a7-c736-4e22-b02c-e2955b7ecc64
-
-# A comma-separated list of TURN servers to use. Leave empty to disable the
-# TURN REST API.
-#servers = turn:1.2.3.4:9991?transport=udp,turn:1.2.3.4:9991?transport=tcp
-
-[geoip]
-# License key to use when downloading the MaxMind GeoIP database. You can
-# register an account at "https://www.maxmind.com/en/geolite2/signup" for
-# free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
-# information.
-# Leave empty to disable GeoIP lookups.
-#license =
-
-# Optional URL to download a MaxMind GeoIP database from. Will be generated if
-# "license" is provided above. Can be a "file://" url if a local file should
-# be used. Please note that the database must provide a country field when
-# looking up IP addresses.
-#url =
-
-[geoip-overrides]
-# Optional overrides for GeoIP lookups. The key is an IP address / range, the
-# value the associated country code.
-#127.0.0.1 = DE
-#192.168.0.0/24 = DE
-
-[continent-overrides]
-# Optional overrides for continent mappings. The key is a continent code, the
-# value a comma-separated list of continent codes to map the continent to.
-# Use European servers for clients in Africa.
-#AF = EU
-# Use servers in North Africa for clients in South America.
-#SA = NA
-
-[stats]
-# Comma-separated list of IP addresses that are allowed to access the stats
-# endpoint. Leave empty (or commented) to only allow access from "127.0.0.1".
-#allowed_ips =
-
-[etcd]
-# Comma-separated list of static etcd endpoints to connect to.
-#endpoints = 127.0.0.1:2379,127.0.0.1:22379,127.0.0.1:32379
-
-# Options to perform endpoint discovery through DNS SRV.
-# Only used if no endpoints are configured manually.
-#discoverysrv = example.com
-#discoveryservice = foo
-
-# Path to private key, client certificate and CA certificate if TLS
-# authentication should be used.
-#clientkey = /path/to/etcd-client.key
-#clientcert = /path/to/etcd-client.crt
-#cacert = /path/to/etcd-ca.crt
-
-[grpc]
-# IP and port to listen on for GRPC requests.
-# Comment line to disable the listener.
-#listen = 0.0.0.0:9090
-
-# Certificate / private key to use for the GRPC server.
-# Omit to use unencrypted connections.
-#servercertificate = /path/to/grpc-server.crt
-#serverkey = /path/to/grpc-server.key
-
-# CA certificate that is allowed to issue certificates of GRPC servers.
-# Omit to expect unencrypted connections.
-#serverca = /path/to/grpc-ca.crt
-
-# Certificate / private key to use for the GRPC client.
-# Omit if clients don't need to authenticate on the server.
-#clientcertificate = /path/to/grpc-client.crt
-#clientkey = /path/to/grpc-client.key
-
-# CA certificate that is allowed to issue certificates of GRPC clients.
-# Omit to allow any clients to connect.
-#clientca = /path/to/grpc-ca.crt
-
-# Type of GRPC target configuration.
-# Defaults to "static".
-#
-# Possible values:
-# - static: A comma-separated list of targets is given in the "targets" option.
-# - etcd: Target URLs are retrieved from an etcd cluster.
-#targettype = static
-
-# For target type "static": Comma-separated list of GRPC targets to connect to
-# for clustering mode.
-#targets = 192.168.0.1:9090, 192.168.0.2:9090
-
-# For target type "static": Enable DNS discovery on hostnames of GRPC target.
-# If a hostname resolves to multiple IP addresses, a connection is established
-# to each of them.
-# Changes to the DNS are monitored regularly and GRPC clients are created or
-# deleted as necessary.
-#dnsdiscovery = true
-
-# For target type "etcd": Key prefix of GRPC target entries. All keys below will
-# be watched and assumed to contain a JSON document. The entry "address" from
-# this document will be used as target URL, other contents in the document will
-# be ignored.
-#
-# Example:
-# "/signaling/cluster/grpc/one" -> {"address": "192.168.0.1:9090"}
-# "/signaling/cluster/grpc/two" -> {"address": "192.168.0.2:9090"}
-#targetprefix = /signaling/cluster/grpc

Containers/talk/start.sh

@@ -4,60 +4,55 @@
 if [ -z "$NC_DOMAIN" ]; then
     echo "You need to provide the NC_DOMAIN."
     exit 1
-elif [ -z "$TALK_PORT" ]; then
-    echo "You need to provide the TALK_PORT."
-    exit 1
 elif [ -z "$TURN_SECRET" ]; then
     echo "You need to provide the TURN_SECRET."
     exit 1
 elif [ -z "$SIGNALING_SECRET" ]; then
     echo "You need to provide the SIGNALING_SECRET."
     exit 1
-elif [ -z "$INTERNAL_SECRET" ]; then
-    echo "You need to provide the INTERNAL_SECRET."
-    exit 1
 fi
 
 set -x
-IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
 set +x
 
-if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
-    IPv4_ADDRESS_TALK=""
-fi
-
 # Turn
-cat << TURN_CONF > "/conf/eturnal.yml"
-eturnal:
-  listen:
-    - ip: "::"
-      port: $TALK_PORT
-      transport: udp
-    - ip: "::"
-      port: $TALK_PORT
-      transport: tcp
-  log_dir: stdout
-  log_level: warning
-  secret: "$TURN_SECRET"
-  relay_ipv4_addr: "$IPv4_ADDRESS_TALK_RELAY"
-  relay_ipv6_addr: "$IPv6_ADDRESS_TALK"
-  blacklist_peers:
-  - recommended
-  whitelist_peers:
-  - 127.0.0.1
-  - ::1
-  - "$IPv4_ADDRESS_TALK_RELAY"
-  - "$IPv4_ADDRESS_TALK"
-  - "$IPv6_ADDRESS_TALK"
+cat << TURN_CONF > "/etc/turnserver.conf"
+listening-port=$TALK_PORT
+fingerprint
+lt-cred-mech
+use-auth-secret
+static-auth-secret=$TURN_SECRET
+realm=$NC_DOMAIN
+total-quota=0
+bps-capacity=0
+stale-nonce
+no-multicast-peers
+simple-log
+pidfile=/var/tmp/turnserver.pid
+no-tls
+no-dtls
+userdb=/var/lib/turn/turndb
+# Based on https://nextcloud-talk.readthedocs.io/en/latest/TURN/#turn-server-and-internal-networks
+allowed-peer-ip=$IPv4_ADDRESS_TALK
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
 TURN_CONF
 
-# Remove empty lines so that the config is not invalid
-sed -i '/""/d' /conf/eturnal.yml
-
 # Signling
-cat << SIGNALING_CONF > "/conf/signaling.conf"
+cat << SIGNALING_CONF > "/etc/signaling.conf"
 [http]
 listen = 0.0.0.0:8081
 
@@ -69,7 +64,7 @@ hashkey = $(openssl rand -hex 16)
 blockkey = $(openssl rand -hex 16)
 
 [clients]
-internalsecret = ${INTERNAL_SECRET}
+internalsecret = $(openssl rand -hex 16)
 
 [backend]
 backends = backend-1

Containers/talk/supervisord.conf

@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
+nodaemon=true
 logfile=/var/log/supervisord/supervisord.log
 pidfile=/var/run/supervisord/supervisord.pid
 childlogdir=/var/log/supervisord/
@@ -7,12 +8,12 @@ logfile_maxbytes=50MB
 logfile_backups=10                              
 loglevel=error
 
-[program:eturnal]
+[program:turnserver]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=eturnalctl foreground
+command=turnserver -c /etc/turnserver.conf
 
 [program:nats-server]
 stdout_logfile=/dev/stdout
@@ -26,12 +27,11 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-# debug-level 3 means warning
-command=janus --config=/usr/local/etc/janus/janus.jcfg --disable-colors --log-stdout --full-trickle --debug-level 3
+command=janus --config=/etc/janus/janus.jcfg --disable-colors --log-stdout
 
 [program:signaling]
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
-command=nextcloud-spreed-signaling -config /conf/signaling.conf
+command=nextcloud-spreed-signaling -config /etc/signaling.conf

Containers/watchtower/Dockerfile

@@ -1,15 +1,14 @@
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
-FROM containrrr/watchtower:1.7.1 as watchtower
+FROM containrrr/watchtower:1.5.3 as watchtower
 
-FROM alpine:3.19.1
+FROM alpine:3.17.2
 
 RUN apk add --no-cache bash
-COPY --from=watchtower /watchtower /watchtower
+COPY --from=watchtower /watchtower /
 
-COPY --chmod=775 start.sh /start.sh
+COPY start.sh /
+RUN chmod +x /start.sh
 
-# hadolint ignore=DL3002
 USER root
-
 ENTRYPOINT ["/start.sh"]
-LABEL com.centurylinklabs.watchtower.enable="false"
+LABEL com.centurylinklabs.watchtower.monitor-only="true"

app/appinfo/info.xml

@@ -2,10 +2,10 @@
 <info xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
 	  xsi:noNamespaceSchemaLocation="https://apps.nextcloud.com/schema/apps/info.xsd">
 	<id>nextcloud-aio</id>
-	<name>Nextcloud All-in-One</name>
+	<name>Nextcloud All In One</name>
 	<summary>Provides a login link for admins.</summary>
-	<description>Add a link to the admin settings that gives access to the Nextcloud All-in-One admin interface</description>
-	<version>0.4.0</version>
+	<description>Add a link to the admin settings that gives access to the Nextcloud All In One admin interface</description>
+	<version>0.3.0</version>
 	<licence>agpl</licence>
 	<author>Azul</author>
 	<namespace>AllInOne</namespace>
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="26" max-version="27"/>
+		<nextcloud min-version="24" max-version="25"/>
 	</dependencies>
 
 	<settings>

app/lib/Settings/Admin.php

@@ -78,6 +78,6 @@ class Admin implements ISettings {
 	 * E.g.: 70
 	 */
 	public function getPriority(): int {
-		return 0;
+		return 5;
 	}
 }

app/templates/admin.php

@@ -10,7 +10,6 @@ declare(strict_types=1);
  */
 	/** @var array $_ */ ?>
 <div id="allinone" class="section">
-	<h2><?php p($l->t('Nextcloud All-in-One'));?></h2>
-	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a><br><br>
-	<p><a href="https://github.com/nextcloud/all-in-one#how-to-easily-log-in-to-the-aio-interface">Click here for more infos on this feature (e.g. also on how to change the link in the button)</a></p>
+	<h2><?php p($l->t('Nextcloud All In One'));?></h2>
+	<a href="<?php p($_['AIOLoginUrl']);?>" class="button" target="_blank" rel="noopener">Open Nextcloud AIO Interface ↗</a>
 </div>

community-containers/caddy/caddy.json

@@ -1,52 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-caddy",
-            "display_name": "Caddy with geoblocking",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy",
-            "image": "szaimen/aio-caddy",
-            "image_tag": "v1",
-            "internal_port": "443",
-            "restart": "unless-stopped",
-            "ports": [
-                {
-                  "ip_binding": "",
-                  "port_number": "443",
-                  "protocol": "tcp"
-                },
-                {
-                    "ip_binding": "",
-                    "port_number": "443",
-                    "protocol": "udp"
-                }
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "NC_DOMAIN=%NC_DOMAIN%",
-                "APACHE_PORT=%APACHE_PORT%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_caddy",
-                    "destination": "/data",
-                    "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/nextcloud",
-                    "writeable": false
-                }
-            ],
-            "aio_variables": [
-                "apache_ip_binding=127.0.0.1",
-                "apache_port=11000"
-            ],
-            "nextcloud_exec_commands": [
-                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-caddy'",
-                "touch '/mnt/ncdata/admin/files/nextcloud-aio-caddy/allowed-countries.txt'",
-                "echo 'Scanning nextcloud-aio-caddy folder for admin user...'",
-                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-caddy'"
-            ]
-        }
-    ]
-}

community-containers/caddy/readme.md

@@ -1,16 +0,0 @@
-## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden by listening on `bw.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart by listening on `mail.$NC_DOMAIN`, if installed.
-
-### Notes
-- This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
-- Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart, make sure that you point `mail.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for stalwart.
-- After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-caddy
-
-### Maintainer
-https://github.com/szaimen

community-containers/dlna/dlna.json

@@ -1,39 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-dlna",
-            "display_name": "DLNA",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/dlna",
-            "image": "thanek/nextcloud-dlna",
-            "image_tag": "latest",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "depends_on": [
-                "nextcloud-aio-database"
-            ],
-            "environment": [
-                "NC_DOMAIN=%NC_DOMAIN%",
-                "NC_PORT=443",
-                "NEXTCLOUD_DLNA_SERVER_PORT=9999",
-                "NEXTCLOUD_DLNA_FRIENDLY_NAME=nextcloud-aio",
-                "NEXTCLOUD_DATA_DIR=/data",
-                "NEXTCLOUD_DB_TYPE=postgres",
-                "NEXTCLOUD_DB_HOST=%AIO_DATABASE_HOST%",
-                "NEXTCLOUD_DB_PORT=5432",
-                "NEXTCLOUD_DB_NAME=nextcloud_database",
-                "NEXTCLOUD_DB_USER=oc_nextcloud",
-                "NEXTCLOUD_DB_PASS=%DATABASE_PASSWORD%"
-            ],
-            "secrets": [
-                "DATABASE_PASSWORD"
-            ],
-            "volumes": [
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/data",
-                    "writeable": false
-                }
-            ]
-        }
-    ]
-}

community-containers/dlna/readme.md

@@ -1,15 +0,0 @@
-## DLNA server
-This container bundles DLNA server for your Nextcloud files to be accessible by the clients in your local network. Simply run the container and look for a new media server `nextcloud-aio` in your local network.
-
-### Notes
-- This container will work only if the Nextcloud installation is in your home network, it is not suitable for installations on remote servers.
-- This is not working with Docker Desktop since it requires the `host` networking mode in docker, and it doesn't really share the host's network interfaces in this system
-- If you have a firewall like ufw configured, you might need to open at least port 9999 TCP and 1900 UDP first in order to make it work.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/thanek/nextcloud-dlna
-
-### Maintainer
-https://github.com/thanek
-

community-containers/facerecognition/facerecognition.json

@@ -1,35 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-facerecognition",
-            "display_name": "Computing container for facerecognition",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition",
-            "image": "matiasdelellis/facerecognition-external-model",
-            "image_tag": "v1",
-            "internal_port": "5000",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "API_KEY=some-super-secret-api-key"
-            ],
-            "aio_variables": [
-                "nextcloud_memory_limit=4096M"
-            ],
-            "nextcloud_exec_commands": [
-                "php /var/www/html/occ app:install facerecognition",
-                "php /var/www/html/occ app:enable facerecognition", 
-                "php /var/www/html/occ config:system:set facerecognition.external_model_url --value nextcloud-aio-facerecognition:5000",
-                "php /var/www/html/occ config:system:set facerecognition.external_model_api_key --value some-super-secret-api-key",
-                "php /var/www/html/occ face:setup -m 5",
-                "php /var/www/html/occ face:setup -M 4G",
-                "php /var/www/html/occ config:app:set facerecognition analysis_image_area --value 4320000",
-                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 0 --value image/jpeg",
-                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 1 --value image/png",
-                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 2 --value image/heic",
-                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 3 --value image/tiff",
-                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 4 --value image/webp",
-                "php /var/www/html/occ face:background_job --defer-clustering &"
-            ]
-        }
-    ]
-}

community-containers/facerecognition/readme.md

@@ -1,31 +0,0 @@
-## Facerecognition
-This container bundles the external model of facerecognition and auto-configures it for you.
-
-### Notes
-- This container needs imaginary in order to analyze modern file format images. Make sure to enable imaginary in the AIO interface before adding this container.
-- Facerecognition is by default disabled for all users, if you want to enable facerecognition for all users, you can run the following before adding this container:
-    ```bash
-    # Go into the container
-    sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
-    ```
-    Now inside the container:
-    ```bash
-    NC_USERS_NEW=$(php occ user:list | sed 's|^  - ||g' | sed 's|:.*||')
-    mapfile -t NC_USERS_NEW <<< "$NC_USERS_NEW"
-    for user in "${NC_USERS_NEW[@]}"
-    do
-        php occ user:setting "$user" facerecognition full_image_scan_done false
-        php occ user:setting "$user" facerecognition enabled true
-    done
-
-    # Exit the container shell
-    exit
-    ```
-- If facerecognition shall analyze shared files & folders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_shared_files --value true`), groupfolders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_group_files --value true`) and/or external storages (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_external_files --value true`) in Nextcloud, you need to enable support for it manually first by running the mentioned commands before adding this container. See https://github.com/matiasdelellis/facerecognition/wiki/Settings#hidden-settings for further notes on each of these settings.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/matiasdelellis/facerecognition-external-model
-
-### Maintainer
-https://github.com/matiasdelellis

community-containers/fail2ban/fail2ban.json

@@ -1,32 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-fail2ban",
-            "display_name": "Fail2ban",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban",
-            "image": "szaimen/aio-fail2ban",
-            "image_tag": "v1",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "cap_add": [
-                "NET_ADMIN",
-                "NET_RAW"
-            ],
-            "environment": [
-                "TZ=%TIMEZONE%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_nextcloud",
-                    "destination": "/nextcloud",
-                    "writeable": false
-                },
-                {
-                    "source": "nextcloud_aio_vaultwarden_logs",
-                    "destination": "/vaultwarden",
-                    "writeable": false
-                }
-            ]
-        }
-    ]
-}

community-containers/fail2ban/readme.md

@@ -1,13 +0,0 @@
-## Fail2ban
-This container bundles fail2ban and auto-configures it for you in order to block ip-addresses automatically. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, if installed.
-
-### Notes
-- This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
-- If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-fail2ban
-
-### Maintainer
-https://github.com/szaimen

community-containers/libretranslate/libretranslate.json

@@ -1,34 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-libretranslate",
-            "display_name": "LibreTranslate",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/libretranslate",
-            "image": "szaimen/aio-libretranslate",
-            "image_tag": "v1",
-            "internal_port": "5000",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_libretranslate_db",
-                    "destination": "/app/db",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_libretranslate_models",
-                    "destination": "/home/libretranslate/.local",
-                    "writeable": true
-                }
-            ],
-            "nextcloud_exec_commands": [
-                "php /var/www/html/occ app:install integration_libretranslate",
-                "php /var/www/html/occ app:enable integration_libretranslate",
-                "php /var/www/html/occ config:app:set integration_libretranslate host --value='http://nextcloud-aio-libretranslate'",
-                "php /var/www/html/occ config:app:set integration_libretranslate port --value='5000'"
-            ]
-        }
-    ]
-}

community-containers/libretranslate/readme.md

@@ -1,17 +0,0 @@
-## LibreTranslate
-This container bundles LibreTranslate and auto-configures it for you.
-
-### Notes
-- After the initial startup is done, you might want to change the default language to translate from and to via:
-```bash
-# Adjust the values `en` and `de` in commands below accordingly
-sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:app:set integration_libretranslate from_lang --value="en"
-sudo docker exec --user www-data nextcloud-aio-nextcloud php occ config:app:set integration_libretranslate to_lang --value="de"
-```
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-libretranslate
-
-### Maintainer
-https://github.com/szaimen

community-containers/local-ai/local-ai.json

@@ -1,45 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-local-ai",
-            "display_name": "Local AI",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai",
-            "image": "szaimen/aio-local-ai",
-            "image_tag": "v1",
-            "internal_port": "8080",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "MODELS_PATH=/models"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_localai_models",
-                    "destination": "/models",
-                    "writeable": true
-                },
-                {
-                    "source": "nextcloud_aio_localai_images",
-                    "destination": "/tmp/generated/images/",
-                    "writeable": true
-                },
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/nextcloud",
-                    "writeable": false
-                }
-            ],
-            "nextcloud_exec_commands": [
-                "mkdir '/mnt/ncdata/admin/files/nextcloud-aio-local-ai'",
-                "touch '/mnt/ncdata/admin/files/nextcloud-aio-local-ai/models.yaml'",
-                "echo 'Scanning nextcloud-aio-local-ai folder for admin user...'",
-                "php /var/www/html/occ files:scan --path='/admin/files/nextcloud-aio-local-ai'",
-                "php /var/www/html/occ app:install integration_openai",
-                "php /var/www/html/occ app:enable integration_openai",
-                "php /var/www/html/occ config:app:set integration_openai url --value http://nextcloud-aio-local-ai:8080",
-                "php /var/www/html/occ app:install assistant",
-                "php /var/www/html/occ app:enable assistant"
-            ]
-        }
-    ]
-}

community-containers/local-ai/readme.md

@@ -1,27 +0,0 @@
-## Local AI
-This container bundles Local AI and auto-configures it for you.
-
-### Notes
-- Make sure to have enough storage space available. This container alone needs ~14GB storage on x64, on arm64 only ~4GB. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
-- After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/go-skynet/model-gallery/blob/main/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
-- Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
-```yaml
-# Stable Diffusion in NCNN with c++, supported txt2img and img2img 
-- url: github:go-skynet/model-gallery/stablediffusion.yaml
-
-# Port of OpenAI's Whisper model in C/C++ 
-- url: github:go-skynet/model-gallery/whisper-base.yaml
-  name: whisper-1
-
-# A commercially licensable model based on GPT-J and trained by Nomic AI on the v0 GPT4All dataset.
-- url: github:go-skynet/model-gallery/gpt4all-j.yaml
-  name: gpt4all-j
-```
--  Additionally after doing so, you might want to enable or disable specific features for your models in the integration_openai settings: `https://your-nc-domain.com/settings/admin/connected-accounts`
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/szaimen/aio-local-ai
-
-### Maintainer
-https://github.com/szaimen

community-containers/memories/memories.json

@@ -1,33 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-memories",
-            "display_name": "Memories Transcoder",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/memories",
-            "image": "radialapps/go-vod",
-            "image_tag": "latest",
-            "internal_port": "47788",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "NEXTCLOUD_HOST=https://%NC_DOMAIN%"
-            ],
-            "volumes": [
-                {
-                    "source": "%NEXTCLOUD_DATADIR%",
-                    "destination": "/mnt/ncdata",
-                    "writeable": false
-                }
-            ],
-            "devices": [
-                "/dev/dri"
-            ],
-            "nextcloud_exec_commands": [
-                "php /var/www/html/occ app:install memories",
-                "php /var/www/html/occ app:enable memories",
-                "php /var/www/html/occ config:system:set memories.vod.external --value true --type bool",
-                "php /var/www/html/occ config:system:set memories.vod.connect --value nextcloud-aio-memories:47788"
-            ]
-        }
-    ]
-}

community-containers/memories/readme.md

@@ -1,12 +0,0 @@
-## Memories
-This container bundles the hardware-transcoding container of memories and auto-configures it for you.
-
-### Notes
-- In order to actually enable the hardware transcoding, you need to add the following flag to AIO apart from adding this container: https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository
-https://github.com/pulsejet/memories
-
-### Maintainer
-https://github.com/pulsejet

community-containers/npmplus/npmplus.json

@@ -1,32 +0,0 @@
-{
-    "aio_services_v1": [
-        {
-            "container_name": "nextcloud-aio-npmplus",
-            "display_name": "NPMplus",
-            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus",
-            "image": "zoeyvid/npmplus",
-            "image_tag": "latest",
-            "internal_port": "host",
-            "restart": "unless-stopped",
-            "environment": [
-                "TZ=%TIMEZONE%",
-                "NC_AIO=true",
-                "NC_DOMAIN=%NC_DOMAIN%"
-            ],
-            "volumes": [
-                {
-                    "source": "nextcloud_aio_npmplus",
-                    "destination": "/data",
-                    "writeable": true
-                }
-            ],
-            "backup_volumes": [
-                "nextcloud_aio_npmplus"
-            ],
-            "aio_variables": [
-                "apache_ip_binding=127.0.0.1",
-                "apache_port=11000"
-            ]
-        }
-    ]
-}

community-containers/npmplus/readme.md

@@ -1,22 +0,0 @@
-## NPMplus
-This container contains a fork of the Nginx Proxy Manager, which is a WebUI for nginx. It will also automatically create a config and cert for AIO.
-
-### Notes
-- This container is incompatible with the [caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container. So make sure that you do not enable both at the same time!
-- Only works on linux since it uses network mode host
-- You can ignore the NPM configuration of the reverse-proxy.md. The NPMplus fork already contains the changes of the advanced tab.
-- Make sure that no other service is using port `443 (tcp/upd)` or `81 (tcp)` on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep "443\|81"` before installing AIO.
-- Please change the default login data first, after you can read inside the logs that the default config for AIO is created and there are no errors.
-- After the container was started the first time, please check the logs for errors. Then you can open NPMplus on `https://<ip>:81` and change the password. 
-- The default password is `iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi` and the default email is `admin@example.com`
-- If you want to use NPMplus behind a domain and outside localhost just create a new proxy host inside the NPMplus which proxies to `https`, `127.0.0.1` and port `81` - all other settings should be the same as for the AIO host.
-- If you want to set env options from this [compose.yaml](https://github.com/ZoeyVid/NPMplus/blob/develop/compose.yaml), please set them inside the `.env` file which you can find in the `nextcloud_aio_npmplus` volume
-- The data (certs, configs, etc.) of NPMplus will be automatically included in AIOs backup solution!
-- **Important:** you always need to enable https for your hosts, since `DISABLE_HTTP` is set to true
-- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
-
-### Repository and Documentation
-https://github.com/ZoeyVid/NPMplus
-
-### Maintainer
-https://github.com/Zoey2936