Merge pull request #5004 from nextcloud/dependabot/docker/Containers/collabora/collabora/code-24.04.5.2.1

build(deps): bump collabora/code from 24.04.5.1.1 to 24.04.5.2.1 in /Containers/collabora

.gitattributes

@@ -0,0 +1 @@
+* text=auto

.github/workflows/dependency-updates.yml

@@ -13,7 +13,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: shivammathur/setup-php@v2
       with:
-        php-version: 8.2
+        php-version: 8.3
         extensions: apcu
     - name: Run dependency update script
       run: |

.github/workflows/helm-release.yml

@@ -16,7 +16,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Turnstyle
-        uses: softprops/turnstyle@v1
+        uses: softprops/turnstyle@v2
         with:
           continue-after-seconds: 180
         env:
@@ -32,10 +32,14 @@ jobs:
 
       # See https://github.com/helm/chart-releaser-action/issues/6
       - name: Set up Helm
-        uses: azure/setup-helm@v3.5
+        uses: azure/setup-helm@v4
         with:
           version: v3.6.3
 
+      - name: Run Helm Lint
+        run: |
+          helm lint ./nextcloud-aio-helm-chart
+
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.6.0
         with:

.github/workflows/imaginary-update.yml

@@ -19,7 +19,7 @@ jobs:
             | cut -f1 \
             | tail -1
         )"
-        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH $imaginary_version|" ./Containers/imaginary/Dockerfile
+        sed -i "s|^ENV IMAGINARY_HASH.*$|ENV IMAGINARY_HASH=$imaginary_version|" ./Containers/imaginary/Dockerfile
         
     - name: Create Pull Request
       uses: peter-evans/create-pull-request@v6

.github/workflows/lint-helm.yml

@@ -1,4 +1,4 @@
-name: Lint and Test Charts
+name: Lint Helm Charts
 
 on:
   workflow_dispatch:
@@ -8,7 +8,7 @@ on:
 
 jobs:
   lint-helm:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -16,20 +16,9 @@ jobs:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@v3.5
+        uses: azure/setup-helm@v4
         with:
           version: v3.11.1
 
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
-
-      - name: Run chart-testing (lint)
-        id: lint
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart
-
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.9.0
-
-      - name: Run chart-testing (install)
-        id: install
-        run: ct install --target-branch ${{ github.event.repository.default_branch }} --debug --chart-dirs nextcloud-aio-helm-chart
+      - name: Lint charts
+        run: helm lint nextcloud-aio-helm-chart

.github/workflows/lint-php.yml

@@ -27,16 +27,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        php-versions: [ "8.2" ]
+        php-versions: [ "8.3" ]
 
     name: php-lint
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4 # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up php ${{ matrix.php-versions }}
-        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
+        uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # v2
         with:
           php-version: ${{ matrix.php-versions }}
           coverage: none
@@ -47,10 +47,10 @@ jobs:
       - name: Lint
         run: cd php && composer run lint
 
-  php-lint-summary:
+  summary:
     permissions:
       contents: none
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-low
     needs: php-lint
 
     if: always()

.github/workflows/nextcloud-update.yml

@@ -36,7 +36,7 @@ jobs:
             | sort -V \
             | tail -1
         )"
-        sed -i "s|pecl install memcached.*\;|pecl install memcached-$memcached_version\;|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install memcached.* |pecl install memcached-$memcached_version |" ./Containers/nextcloud/Dockerfile
         
         # Redis
         redis_version="$(
@@ -47,7 +47,7 @@ jobs:
             | sort -V \
             | tail -1
         )"
-        sed -i "s|pecl install redis.*\;|pecl install redis-$redis_version\;|" ./Containers/nextcloud/Dockerfile
+        sed -i "s|pecl install redis.* |pecl install redis-$redis_version |" ./Containers/nextcloud/Dockerfile
         
         # Imagick
         imagick_version="$(
@@ -60,11 +60,22 @@ jobs:
         )"
         sed -i "s|pecl install imagick.*\;|pecl install imagick-$imagick_version\;|" ./Containers/nextcloud/Dockerfile
 
+        # Igbinary
+        igbinary_version="$(
+          git ls-remote --tags https://github.com/igbinary/igbinary.git \
+            | cut -d/ -f3 \
+            | grep -viE '[a-z]' \
+            | tr -d '^{}' \
+            | sort -V \
+            | tail -1
+        )"
+        sed -i "s|pecl install igbinary.*\;|pecl install igbinary-$igbinary_version\;|" ./Containers/nextcloud/Dockerfile
+
         # Nextcloud
         NC_MAJOR="$(grep "ENV NEXTCLOUD_VERSION" ./Containers/nextcloud/Dockerfile | grep -oP '[23][0-9]')"
         NCVERSION=$(curl -s -m 900 https://download.nextcloud.com/server/releases/ | sed --silent 's/.*href="nextcloud-\([^"]\+\).zip.asc".*/\1/p' | grep "$NC_MAJOR" | sort --version-sort | tail -1)
         if [ -n "$NCVERSION" ]; then
-          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION $NCVERSION|" ./Containers/nextcloud/Dockerfile
+          sed -i "s|^ENV NEXTCLOUD_VERSION.*|ENV NEXTCLOUD_VERSION=$NCVERSION|" ./Containers/nextcloud/Dockerfile
         fi
 
     - name: Create Pull Request

.github/workflows/php-deprecation-detector.yml

@@ -17,10 +17,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Set up php8.2
+      - name: Set up php
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.3
           extensions: apcu
           coverage: none
 

.github/workflows/psalm-update-baseline.yml

@@ -12,10 +12,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up php8.2
+      - name: Set up php
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.3
           extensions: apcu
           coverage: none
 

.github/workflows/psalm.yml

@@ -23,15 +23,15 @@ jobs:
   static-analysis:
     runs-on: ubuntu-latest
 
-    name: Nextcloud
+    name: static-psalm-analysis
     steps:
       - name: Checkout
-        uses: actions/checkout@v4 # v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up php
-        uses: shivammathur/setup-php@c5fc0d8281aba02c7fda07d3a70cc5371548067d # v2
+        uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # v2
         with:
-          php-version: 8.2
+          php-version: 8.3
           extensions: apcu
           coverage: none
           ini-file: development

.github/workflows/talk.yml

@@ -21,7 +21,7 @@ jobs:
             | grep -E "^v[0-9\.]+$" \
             | tail -1
         )"
-        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION $recording_version|" ./Containers/talk-recording/Dockerfile
+        sed -i "s|^ENV RECORDING_VERSION.*$|ENV RECORDING_VERSION=$recording_version|" ./Containers/talk-recording/Dockerfile
         curl -L "https://raw.githubusercontent.com/nextcloud/nextcloud-talk-recording/$recording_version/server.conf.in" -o Containers/talk-recording/recording.conf
         
         # Signaling

.github/workflows/twig-lint.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Set up php ${{ matrix.php-versions }}
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.2
+          php-version: 8.3
           extensions: apcu
           coverage: none
 

.github/workflows/update-helm.yml

@@ -14,8 +14,7 @@ jobs:
         uses: actions/checkout@v4
       - name: update helm chart
         run: |
-          DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20' | sort -r | head -1)"
-          DOCKER_TAG="${DOCKER_TAG%%-latest*}"
+          DOCKER_TAG="$(curl -L -s 'https://registry.hub.docker.com/v2/repositories/nextcloud/all-in-one/tags?page_size=1024' | jq '."results"[]["name"]' | sed 's|"||g' | grep '^20[0-9_]\+' | grep -v latest | sort -r | head -1)"
           export DOCKER_TAG
           if [ -n "$DOCKER_TAG" ] && ! grep -q "$DOCKER_TAG" ./nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml; then
             sudo bash nextcloud-aio-helm-chart/update-helm.sh "$DOCKER_TAG"

Containers/apache/Caddyfile

@@ -51,16 +51,13 @@ https://{$ADDITIONAL_TRUSTED_DOMAIN}:443,
         reverse_proxy {$TALK_HOST}:8081
     }
 
-    # Others
-    import /mnt/data/caddy-imports/*
-
     # Nextcloud
     route {
-        rewrite /.well-known/carddav /remote.php/dav
-        rewrite /.well-known/caldav /remote.php/dav
         header Strict-Transport-Security max-age=31536000;
-        reverse_proxy localhost:8000
+        reverse_proxy 127.0.0.1:8000
     }
+    redir /.well-known/carddav /remote.php/dav/ 301
+    redir /.well-known/caldav /remote.php/dav/ 301
 
     # TLS options
     tls {

Containers/apache/Dockerfile

@@ -1,7 +1,8 @@
 # syntax=docker/dockerfile:latest
-FROM caddy:2.7.6-alpine as caddy
+FROM caddy:2.8.4-alpine AS caddy
 
-FROM httpd:2.4.58-alpine3.19
+# From https://github.com/docker-library/httpd/blob/master/2.4/alpine/Dockerfile
+FROM httpd:2.4.61-alpine3.20
 
 COPY --from=caddy /usr/bin/caddy /usr/bin/caddy
 
@@ -14,9 +15,8 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 VOLUME /mnt/data
 
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache shadow; \
-    groupmod -g 333 xfs; \
-    usermod -u 333 -g 333 xfs; \
     groupmod -g 33 www-data; \
     usermod -u 33 -g 33 www-data; \
     apk del --no-cache shadow; \

Containers/apache/healthcheck.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 
 nc -z "$NEXTCLOUD_HOST" 9000 || exit 0
-nc -z localhost 8000 || exit 1
-nc -z localhost "$APACHE_PORT" || exit 1
+nc -z 127.0.0.1 8000 || exit 1
+nc -z 127.0.0.1 "$APACHE_PORT" || exit 1
 if ! nc -z "$NC_DOMAIN" 443; then
     echo "Could not reach $NC_DOMAIN on port 443."
     exit 1

Containers/apache/nextcloud.conf

@@ -14,6 +14,9 @@ Listen 8000
         SetHandler "proxy:fcgi://${NEXTCLOUD_HOST}:9000"
     </FilesMatch>
 
+    <Proxy "fcgi://${NEXTCLOUD_HOST}:9000" flushpackets=on>
+    </Proxy>
+
     # Enable Brotli compression for js, css and svg files - other plain files are compressed by Nextcloud by default
     <IfModule mod_brotli.c>
         AddOutputFilterByType BROTLI_COMPRESS text/javascript application/javascript application/x-javascript text/css image/svg+xml
@@ -37,10 +40,6 @@ Listen 8000
         Require all denied
     </Files>
 
-    # Fix zero file sizes 
-    # See https://github.com/nextcloud/server/issues/3056#issuecomment-954209565
-    SetEnv proxy-sendcl 1
-
     # See https://httpd.apache.org/docs/current/en/mod/core.html#limitrequestbody
     LimitRequestBody ${APACHE_MAX_SIZE}
 

Containers/apache/start.sh

@@ -18,10 +18,11 @@ while ! nc -z "$NEXTCLOUD_HOST" 9000; do
 done
 
 # Get ipv4-address of Apache
-IPv4_ADDRESS="$(dig nextcloud-aio-apache A +short +search | head -1)"
+# shellcheck disable=SC2153
+IPv4_ADDRESS="$(dig "$APACHE_HOST" A +short +search | head -1)"
 # Bring it in CIDR notation
 # shellcheck disable=SC2001
-IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|1/32|')"
+IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|0/16|')"
 
 if [ -z "$APACHE_PORT" ]; then
     export APACHE_PORT="443"
@@ -63,15 +64,6 @@ caddy fmt --overwrite /tmp/Caddyfile
 # Add caddy path
 mkdir -p /mnt/data/caddy/
 
-# Add caddy import path
-mkdir -p /mnt/data/caddy-imports
-
-# Remove falsely added Nextcloud conf
-rm -f /mnt/data/caddy-imports/nextcloud
-
-# Make sure that the caddy-imports dir is not empty
-echo "# empty file so that caddy does not print a warning" > /mnt/data/caddy-imports/empty
-
 # Fix apache startup
 rm -f /usr/local/apache2/logs/httpd.pid
 

Containers/borgbackup/Dockerfile

@@ -1,8 +1,9 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.19.1
+FROM alpine:3.20.1
 
 RUN set -ex; \
     \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         util-linux-misc \
         bash \

Containers/clamav/Dockerfile

@@ -1,19 +1,26 @@
 # syntax=docker/dockerfile:latest
-# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.3.0-39
+# Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.3/alpine/Dockerfile
+FROM clamav/clamav:1.3.1-60
 
-COPY clamav.conf /tmp/clamav.conf
+COPY clamav.conf /clamav.conf
+COPY --chmod=775 start.script /start.script
 
 RUN set -ex; \
-    apk add --no-cache tzdata; \
-    cat /tmp/clamav.conf >> /etc/clamav/clamd.conf; \
-    rm /tmp/clamav.conf; \
+    apk upgrade --no-cache -a; \
+    apk add --no-cache tzdata bash; \
     mkdir -p /var/run/clamav /run/lock; \
     chown -R clamav:clamav /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock; \
-    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp
+    chmod 777 -R /var/run/clamav /run/clamav /var/log/clamav /var/lock /run/lock /tmp; \
+    sed -i "/^set -eu/r /start.script" /init-unprivileged; \
+    rm /start.script; \
+    grep -q 'clamd --foreground &' /init-unprivileged; \
+    sed -i "s|clamd --foreground \&|clamd --foreground --config-file /tmp/clamd.conf \&|" /init-unprivileged; \
+    cat /init-unprivileged
 
 VOLUME /var/lib/clamav
 
 USER clamav
 
 LABEL com.centurylinklabs.watchtower.enable="false"
+
+ENTRYPOINT ["/init-unprivileged"]

Containers/clamav/clamav.conf

@@ -1,4 +1,5 @@
+# AIO settings
 MaxDirectoryRecursion 30
-MaxFileSize 100M
-PCREMaxFileSize 100M
-StreamMaxLength 100M
+MaxFileSize 10G
+PCREMaxFileSize 10G
+StreamMaxLength 10G

Containers/clamav/start.script

@@ -0,0 +1,4 @@
+# Adjust settings
+cat /etc/clamav/clamd.conf > /tmp/clamd.conf
+CLAMAV_FILE="$(sed "s|10G|$MAX_SIZE|" /clamav.conf)"
+echo "$CLAMAV_FILE" >> /tmp/clamd.conf

Containers/collabora/Dockerfile

@@ -1,14 +1,14 @@
 # syntax=docker/dockerfile:latest
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.9.1.1
+FROM collabora/code:24.04.5.2.1
 
 USER root
+ARG DEBIAN_FRONTEND=noninteractive
 
 # hadolint ignore=DL3008
 RUN set -ex; \
     \
     apt-get update; \
-    export DEBIAN_FRONTEND=noninteractive; \
     apt-get install -y --no-install-recommends \
         tzdata \
         netcat-openbsd \
@@ -17,5 +17,5 @@ RUN set -ex; \
 
 USER 100
 
-HEALTHCHECK CMD nc -z localhost 9980 || exit 1
+HEALTHCHECK CMD nc -z 127.0.0.1 9980 || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/docker-socket-proxy/Dockerfile

@@ -1,10 +1,11 @@
 # syntax=docker/dockerfile:latest
-FROM haproxy:2.9.5-alpine3.19
+FROM haproxy:3.0.3-alpine
 
 # hadolint ignore=DL3002
 USER root
-ENV NEXTCLOUD_HOST nextcloud-aio-nextcloud
+ENV NEXTCLOUD_HOST=nextcloud-aio-nextcloud
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         ca-certificates \
         tzdata \

Containers/docker-socket-proxy/haproxy.cfg

@@ -16,6 +16,8 @@ frontend http
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
     # container inspect: GET containers/%s/json
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
+    # container inspect: GET containers/%s/logs
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET
     # container start/stop: POST containers/%s/start containers/%s/stop
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
     # container rm: DELETE containers/%s

Containers/docker-socket-proxy/healthcheck.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 
 nc -z "$NEXTCLOUD_HOST" 9001 || exit 0
-nc -z localhost 2375 || exit 1
+nc -z 127.0.0.1 2375 || exit 1

Containers/domaincheck/Dockerfile

@@ -1,6 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.19.1
+FROM alpine:3.20.1
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache bash lighttpd netcat-openbsd; \
     adduser -S www-data -G www-data; \
     rm -rf /etc/lighttpd/lighttpd.conf; \
@@ -15,5 +16,5 @@ COPY --chmod=775 start.sh /start.sh
 USER www-data
 ENTRYPOINT ["/start.sh"]
 
-HEALTHCHECK CMD nc -z localhost $APACHE_PORT || exit 1
+HEALTHCHECK CMD nc -z 127.0.0.1 $APACHE_PORT || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/fulltextsearch/Dockerfile

@@ -1,14 +1,16 @@
 # syntax=docker/dockerfile:latest
 # Probably from here https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/Dockerfile
-FROM elasticsearch:8.12.1
+FROM elasticsearch:8.14.3
 
 USER root
 
+ARG DEBIAN_FRONTEND=noninteractive
+
 # hadolint ignore=DL3008
 RUN set -ex; \
     \
-    export DEBIAN_FRONTEND=noninteractive; \
     apt-get update; \
+    apt-get upgrade -y; \
     apt-get install -y --no-install-recommends \
         tzdata \
     ; \
@@ -17,5 +19,5 @@ RUN set -ex; \
 
 USER 1000:0
 
-HEALTHCHECK CMD nc -z localhost 9200 || exit 1
+HEALTHCHECK CMD nc -z 127.0.0.1 9200 || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/imaginary/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:latest
-FROM golang:1.22.0-alpine3.18 as go
+FROM golang:1.22.5-alpine3.20 AS go
 
-ENV IMAGINARY_HASH 6cd9edd1d3fb151eb773c14552886e4fc8e50138
+ENV IMAGINARY_HASH=6cd9edd1d3fb151eb773c14552886e4fc8e50138
 
 RUN set -ex; \
     apk add --no-cache \
@@ -13,8 +13,9 @@ RUN set -ex; \
         build-base; \
     go install github.com/h2non/imaginary@"$IMAGINARY_HASH";
 
-FROM alpine:3.18.6
+FROM alpine:3.20.1
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         tzdata \
         ca-certificates \
@@ -23,17 +24,20 @@ RUN set -ex; \
         vips-magick \
         vips-heif \
         vips-jxl \
-        vips-poppler
+        vips-poppler \
+        ttf-dejavu \
+        bash
 
 COPY --from=go /go/bin/imaginary /usr/local/bin/imaginary
+COPY --chmod=775 start.sh /start.sh
 
-ENV PORT 9000
+ENV PORT=9000
 
 USER nobody
 
 # https://github.com/h2non/imaginary#memory-issues
 ENV MALLOC_ARENA_MAX=2
-ENTRYPOINT ["imaginary", "-return-size", "-max-allowed-resolution", "222.2"]
+ENTRYPOINT ["/start.sh"]
 
-HEALTHCHECK CMD nc -z localhost "$PORT" || exit 1
+HEALTHCHECK CMD nc -z 127.0.0.1 "$PORT" || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/imaginary/start.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+echo "Imaginary has started"
+if [ -z "$IMAGINARY_SECRET" ]; then
+    imaginary -return-size -max-allowed-resolution 222.2 "$@"
+else
+    imaginary -return-size -max-allowed-resolution 222.2 -key "$IMAGINARY_SECRET" "$@"
+fi

Containers/mastercontainer/Caddyfile

@@ -16,7 +16,7 @@
     }
 
     on_demand_tls {
-        ask http://localhost:9876/
+        ask http://127.0.0.1:9876/
     }
 }
 
@@ -26,7 +26,7 @@ http://:80 {
 
 https://:8443 {
 
-    reverse_proxy localhost:8000
+    reverse_proxy 127.0.0.1:8000
 
     tls {
         on_demand

Containers/mastercontainer/Dockerfile

@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:latest
 # Docker CLI is a requirement
-FROM docker:25.0.3-cli as docker
+FROM docker:27.0.3-cli AS docker
 
 # Caddy is a requirement
-FROM caddy:2.7.6-alpine as caddy
+FROM caddy:2.8.4-alpine AS caddy
 
-# From https://github.com/docker-library/php/blob/master/8.2/alpine3.19/fpm/Dockerfile
-FROM php:8.2.16-fpm-alpine3.19
+# From https://github.com/docker-library/php/blob/master/8.3/alpine3.20/fpm/Dockerfile
+FROM php:8.3.9-fpm-alpine3.20
 
 EXPOSE 80
 EXPOSE 8080
@@ -19,9 +19,8 @@ WORKDIR /var/www/docker-aio
 
 # hadolint ignore=SC2086,DL3047,DL3003,DL3004
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache shadow; \
-    groupmod -g 333 xfs; \
-    usermod -u 333 -g 333 xfs; \
     groupmod -g 33 www-data; \
     usermod -u 33 -g 33 www-data; \
     \

Containers/mastercontainer/healthcheck.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 
 if [ -f "/mnt/docker-aio-config/data/configuration.json" ]; then
-    nc -z localhost 80 || exit 1
-    nc -z localhost 8000 || exit 1
-    nc -z localhost 8080 || exit 1
-    nc -z localhost 8443 || exit 1
-    nc -z localhost 9000 || exit 1
-    nc -z localhost 9876 || exit 1
+    nc -z 127.0.0.1 80 || exit 1
+    nc -z 127.0.0.1 8000 || exit 1
+    nc -z 127.0.0.1 8080 || exit 1
+    nc -z 127.0.0.1 8443 || exit 1
+    nc -z 127.0.0.1 9000 || exit 1
+    nc -z 127.0.0.1 9876 || exit 1
 fi

Containers/mastercontainer/mastercontainer.conf

@@ -19,7 +19,7 @@ Listen 8080
 
     # PHP match
     <FilesMatch "\.php$">
-        SetHandler "proxy:fcgi://localhost:9000"
+        SetHandler "proxy:fcgi://127.0.0.1:9000"
     </FilesMatch>
     # Master dir
     DocumentRoot /var/www/docker-aio/php/public/
@@ -41,8 +41,8 @@ Listen 8080
 # Https host
 <VirtualHost *:8080>
     # Proxy to https
-    ProxyPass / http://localhost:8000/
-    ProxyPassReverse / http://localhost:8000/
+    ProxyPass / http://127.0.0.1:8000/
+    ProxyPassReverse / http://127.0.0.1:8000/
     ProxyPreserveHost On
     # SSL
     SSLCertificateKeyFile /etc/apache2/certs/ssl.key

Containers/mastercontainer/start.sh

@@ -47,7 +47,7 @@ elif ! sudo -u www-data test -r /var/run/docker.sock; then
     echo "Trying to fix docker.sock permissions internally..."
     DOCKER_GROUP=$(stat -c '%G' /var/run/docker.sock)
     DOCKER_GROUP_ID=$(stat -c '%g' /var/run/docker.sock)
-    # Check if a group with the same group id of /var/run/docker.socket already exists in the container
+    # Check if a group with the same group name of /var/run/docker.socket already exists in the container
     if grep -q "^$DOCKER_GROUP:" /etc/group; then
         # If yes, add www-data to that group
         echo "Adding internal www-data to group $DOCKER_GROUP"
@@ -76,7 +76,7 @@ if ! sudo -u www-data docker info &>/dev/null; then
     exit 1
 fi
 API_VERSION_FILE="$(find ./ -name DockerActionManager.php | head -1)"
-API_VERSION="$(grep -oP 'const API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
+API_VERSION="$(grep -oP 'const string API_VERSION.*\;' "$API_VERSION_FILE" | grep -oP '[0-9]+.[0-9]+' | head -1)"
 # shellcheck disable=SC2001
 API_VERSION_NUMB="$(echo "$API_VERSION" | sed 's/\.//')"
 LOCAL_API_VERSION_NUMB="$(sudo -u www-data docker version | grep -i "api version" | grep -oP '[0-9]+.[0-9]+' | head -1 | sed 's/\.//')"
@@ -180,7 +180,7 @@ It is set to '$APACHE_PORT'."
     fi
 fi
 if [ -n "$APACHE_IP_BINDING" ]; then
-    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$'; then
+    if ! echo "$APACHE_IP_BINDING" | grep -q '^[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+$\|^[0-9a-f:]\+$\|^@INTERNAL$'; then
         print_red "You provided an ip-address for the apache container's ip-binding but it was not a valid ip-address.
 It is set to '$APACHE_IP_BINDING'."
         exit 1
@@ -344,6 +344,7 @@ fi
 print_green "Initial startup of Nextcloud All-in-One complete!
 You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
 E.g. https://internal.ip.of.this.server:8080
+⚠️ Important: do always use an ip-address if you access this port and not a domain as HSTS might block access to it later!
 
 If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
 https://your-domain-that-points-to-this-server.tld:8443"

Containers/nextcloud/Dockerfile

@@ -1,17 +1,22 @@
 # syntax=docker/dockerfile:latest
-FROM php:8.1.27-fpm-alpine3.19
+FROM php:8.2.21-fpm-alpine3.20
 
-ENV PHP_MEMORY_LIMIT 512M
-ENV PHP_UPLOAD_LIMIT 10G
-ENV PHP_MAX_TIME 3600
-ENV NEXTCLOUD_VERSION 27.1.5
-ENV AIO_TOKEN 123456
-ENV AIO_URL localhost
+ENV PHP_MEMORY_LIMIT=512M
+ENV PHP_UPLOAD_LIMIT=10G
+ENV PHP_MAX_TIME=3600
+ENV SOURCE_LOCATION=/usr/src/nextcloud
+
+# AIO settings start # Do not remove or change this line!
+ENV NEXTCLOUD_VERSION=29.0.4
+ENV AIO_TOKEN=123456
+ENV AIO_URL=localhost
+# AIO settings end # Do not remove or change this line!
 
 COPY --chmod=775 *.sh /
 COPY --chmod=774 upgrade.exclude /upgrade.exclude
 COPY config/*.php /
 COPY supervisord.conf /supervisord.conf
+COPY root.motd /root.motd
 
 VOLUME /mnt/ncdata
 VOLUME /var/www/html
@@ -19,10 +24,9 @@ VOLUME /var/www/html
 # Custom: change id of www-data user as it needs to be the same like on old installations
 # hadolint ignore=SC2086,DL3003
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache shadow; \
     deluser www-data; \
-    groupmod -g 333 xfs; \
-    usermod -u 333 -g 333 xfs; \
     addgroup -g 33 -S www-data; \
     adduser -u 33 -D -S -G www-data www-data; \
     \
@@ -40,6 +44,8 @@ RUN set -ex; \
         icu-dev \
         imagemagick-dev \
         imagemagick-svg \
+        imagemagick-heic \
+        imagemagick-tiff \
         libevent-dev \
         libjpeg-turbo-dev \
         libmcrypt-dev \
@@ -54,6 +60,7 @@ RUN set -ex; \
     ; \
     \
     docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp; \
+    docker-php-ext-configure ftp --with-openssl-dir=/usr; \
     docker-php-ext-configure ldap; \
     docker-php-ext-install -j "$(nproc)" \
         bcmath \
@@ -70,12 +77,16 @@ RUN set -ex; \
     ; \
     \
 # pecl will claim success even if one install fails, so we need to perform each install separately
+    pecl install igbinary-3.2.15; \ 
     pecl install APCu-5.1.23; \
-    pecl install memcached-3.2.0; \
-    pecl install redis-6.0.2; \
+    pecl install memcached-3.2.0 \
+        --configureoptions 'enable-memcached-igbinary="yes"'; \
+    pecl install redis-6.0.2 \
+        --configureoptions 'enable-redis-igbinary="yes" enable-redis-zstd="yes" enable-redis-lz4="yes"'; \
     pecl install imagick-3.7.0; \
     \
     docker-php-ext-enable \
+        igbinary \
         apcu \
         memcached \
         redis \
@@ -91,6 +102,11 @@ RUN set -ex; \
     apk add --no-cache --virtual .nextcloud-phpext-rundeps $runDeps; \
     apk del .build-deps; \
     \
+    { \
+        echo 'apc.serializer=igbinary'; \
+        echo 'session.serialize_handler=igbinary'; \
+    } >> /usr/local/etc/php/conf.d/docker-php-ext-igbinary.ini; \
+    \
 # set recommended PHP.ini settings
 # see https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/server_tuning.html#enable-php-opcache
     { \
@@ -110,12 +126,22 @@ RUN set -ex; \
         echo 'post_max_size=${PHP_UPLOAD_LIMIT}'; \
         echo 'max_execution_time=${PHP_MAX_TIME}'; \
         echo 'max_input_time=${PHP_MAX_TIME}'; \
+        echo 'default_socket_timeout=600'; \
     } > /usr/local/etc/php/conf.d/nextcloud.ini; \
     \
+    { \
+        echo 'session.save_handler = redis'; \
+        echo 'session.save_path = "tcp://${REDIS_HOST}:6379?auth=${REDIS_HOST_PASSWORD}"'; \
+        echo 'redis.session.locking_enabled = 1'; \
+        echo 'redis.session.lock_retries = -1'; \
+        echo 'redis.session.lock_wait_time = 10000'; \
+    } > /usr/local/etc/php/conf.d/redis-session.ini; \
+    \
     mkdir -p /var/www/data; \
     chown -R www-data:root /var/www; \
     chmod -R g=u /var/www; \
     \
+# Download Nextcloud archive start # Do not remove or change this line!
     apk add --no-cache --virtual .fetch-deps \
         bzip2 \
         gnupg \
@@ -136,8 +162,9 @@ RUN set -ex; \
     mkdir -p /usr/src/nextcloud/custom_apps; \
     chmod +x /usr/src/nextcloud/occ; \
     mkdir -p /usr/src/nextcloud/config; \
-    mv /*.php /usr/src/nextcloud/config/; \
     apk del .fetch-deps; \
+# Download Nextcloud archive end # Do not remove or change this line!
+    mv /*.php /usr/src/nextcloud/config/; \
     \
 # Template from https://github.com/nextcloud/docker/blob/master/.examples/dockerfiles/full/fpm-alpine/Dockerfile
     apk add --no-cache \
@@ -163,6 +190,7 @@ RUN set -ex; \
         bz2 \
         imap \
         pgsql \
+        ftp \
     ; \
     pecl install smbclient; \
     docker-php-ext-enable smbclient; \
@@ -180,6 +208,8 @@ RUN set -ex; \
     /var/log/supervisord \
     /var/run/supervisord \
     ; \
+    chown www-data:root -R /var/log/supervisord; \
+    chown www-data:root -R /var/run/supervisord; \
     \
     apk add --no-cache \
         bash \
@@ -195,6 +225,8 @@ RUN set -ex; \
         bind-tools \
         imagemagick \
         imagemagick-svg \
+        imagemagick-heic \
+        imagemagick-tiff \
         coreutils; \
     \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
@@ -205,18 +237,21 @@ RUN set -ex; \
     sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's|access.log = /proc/self/fd/2|access.log = /proc/self/fd/1|' /usr/local/etc/php-fpm.d/docker.conf; \
     \
+# AIO cloning start # Do not remove or change this line!
     rm -rf /tmp/nextcloud-aio && \
     mkdir -p /tmp/nextcloud-aio && \
     cd /tmp/nextcloud-aio && \
     git clone https://github.com/nextcloud-releases/all-in-one.git --depth 1 .; \
     mkdir -p /usr/src/nextcloud/apps/nextcloud-aio; \
     cp -r ./app/* /usr/src/nextcloud/apps/nextcloud-aio/; \
+    echo "[ -n \"\$TERM\" ] && cat /root.motd" >> /root/.bashrc; \
+# AIO cloning end # Do not remove or change this line!
     \
     chown www-data:root -R /usr/src && \
     chown www-data:root -R /usr/local/etc/php/conf.d && \
     chown www-data:root -R /usr/local/etc/php-fpm.d && \
     chmod -R 777 /tmp; \
-    rm -r /usr/src/nextcloud/apps/updatenotification; \
+    rm -rf /usr/src/nextcloud/apps/updatenotification; \
     \
     mkdir -p /nc-updater; \
     chown -R www-data:www-data /nc-updater; \

Containers/nextcloud/config/apps.config.php

@@ -2,15 +2,17 @@
 $CONFIG = array (
   'apps_paths' => array (
       0 => array (
-              'path'     => OC::$SERVERROOT.'/apps',
+              'path'     => '/var/www/html/apps',
               'url'      => '/apps',
               'writable' => false,
       ),
       1 => array (
-              'path'     => OC::$SERVERROOT.'/custom_apps',
+              'path'     => '/var/www/html/custom_apps',
               'url'      => '/custom_apps',
               'writable' => true,
       ),
   ),
-  'appsallowlist' => getenv('APPS_ALLOWLIST') ? explode(" ", getenv('APPS_ALLOWLIST')) : false,
 );
+if (getenv('APPS_ALLOWLIST') !== false) {
+    $CONFIG['appsallowlist'] = explode(" ", getenv('APPS_ALLOWLIST'));
+}

Containers/nextcloud/config/redis.config.php

@@ -14,4 +14,8 @@ if (getenv('REDIS_HOST')) {
   } elseif (getenv('REDIS_HOST')[0] != '/') {
     $CONFIG['redis']['port'] = 6379;
   }
+
+  if (getenv('REDIS_DB_INDEX') !== false) {
+    $CONFIG['redis']['dbindex'] = (int) getenv('REDIS_DB_INDEX');
+  }
 }

Containers/nextcloud/config/s3.config.php

@@ -11,9 +11,11 @@ if (getenv('OBJECTSTORE_S3_BUCKET')) {
         'bucket' => getenv('OBJECTSTORE_S3_BUCKET'),
         'key' => getenv('OBJECTSTORE_S3_KEY') ?: '',
         'secret' => getenv('OBJECTSTORE_S3_SECRET') ?: '',
+        'sse_c_key' => getenv('OBJECTSTORE_S3_SSE_C_KEY') ?: '',
         'region' => getenv('OBJECTSTORE_S3_REGION') ?: '',
         'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '',
         'port' => getenv('OBJECTSTORE_S3_PORT') ?: '',
+        'storageClass' => getenv('OBJECTSTORE_S3_STORAGE_CLASS') ?: '',
         'objectPrefix' => getenv("OBJECTSTORE_S3_OBJECT_PREFIX") ? getenv("OBJECTSTORE_S3_OBJECT_PREFIX") : "urn:oid:",
         'autocreate' => (strtolower($autocreate) === 'false' || $autocreate == false) ? false : true,
         'use_ssl' => (strtolower($use_ssl) === 'false' || $use_ssl == false) ? false : true,

Containers/nextcloud/cron.sh

@@ -1,6 +1,4 @@
 #!/bin/bash
-set -eu
-
 wait_for_cron() {
     set -x
     while [ -n "$(pgrep -f /var/www/html/cron.php)" ]; do
@@ -8,7 +6,7 @@ wait_for_cron() {
         sleep 5
     done
     echo "Cronjob successfully exited."
-    set +x
+    exit
 }
 
 trap wait_for_cron SIGINT SIGTERM

Containers/nextcloud/entrypoint.sh

@@ -19,16 +19,12 @@ run_upgrade_if_needed_due_to_app_update() {
     fi
 }
 
-echo "Configuring Redis as session handler..."
-cat << REDIS_CONF > /usr/local/etc/php/conf.d/redis-session.ini
-session.save_handler = redis
-session.save_path = "tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}"
-redis.session.locking_enabled = 1
-redis.session.lock_retries = -1
-# redis.session.lock_wait_time is specified in microseconds.
-# Wait 10ms before retrying the lock rather than the default 2ms.
-redis.session.lock_wait_time = 10000
-REDIS_CONF
+# Only start container if redis is accessible
+# shellcheck disable=SC2153
+while ! nc -z "$REDIS_HOST" "6379"; do
+    echo "Waiting for redis to start..."
+    sleep 5
+done
 
 # Check permissions in ncdata
 touch "$NEXTCLOUD_DATA_DIR/this-is-a-test-file" &>/dev/null
@@ -55,9 +51,9 @@ if [ -f /var/www/html/version.php ]; then
 else
     installed_version="0.0.0.0"
 fi
-if [ -f "/usr/src/nextcloud/version.php" ]; then
+if [ -f "$SOURCE_LOCATION/version.php" ]; then
     # shellcheck disable=SC2016
-    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
+    image_version="$(php -r "require '$SOURCE_LOCATION/version.php'; echo implode('.', \$OC_Version);")"
 else
     image_version="$installed_version"
 fi
@@ -106,6 +102,8 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
         fi
 
         if [ "$installed_version" != "0.0.0.0" ] && [ "$((IMAGE_MAJOR - INSTALLED_MAJOR))" -gt 1 ]; then
+# Do not skip major versions placeholder # Do not remove or change this line!
+# Do not skip major versions start # Do not remove or change this line!
             set -ex
             NEXT_MAJOR="$((INSTALLED_MAJOR + 1))"
             curl -fsSL -o nextcloud.tar.bz2 "https://download.nextcloud.com/server/releases/latest-${NEXT_MAJOR}.tar.bz2"
@@ -122,17 +120,18 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
             mkdir -p /usr/src/tmp/nextcloud/data
             mkdir -p /usr/src/tmp/nextcloud/custom_apps
             chmod +x /usr/src/tmp/nextcloud/occ
-            cp -r /usr/src/nextcloud/config/* /usr/src/tmp/nextcloud/config/
+            cp -r "$SOURCE_LOCATION"/config/* /usr/src/tmp/nextcloud/config/
             mkdir -p /usr/src/tmp/nextcloud/apps/nextcloud-aio
-            cp -r /usr/src/nextcloud/apps/nextcloud-aio/* /usr/src/tmp/nextcloud/apps/nextcloud-aio/
-            mv /usr/src/nextcloud /usr/src/temp-nextcloud
-            mv /usr/src/tmp/nextcloud /usr/src/nextcloud
+            cp -r "$SOURCE_LOCATION"/apps/nextcloud-aio/* /usr/src/tmp/nextcloud/apps/nextcloud-aio/
+            mv "$SOURCE_LOCATION" /usr/src/temp-nextcloud
+            mv /usr/src/tmp/nextcloud "$SOURCE_LOCATION"
             rm -r /usr/src/tmp
             rm -r /usr/src/temp-nextcloud
             # shellcheck disable=SC2016
-            image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
+            image_version="$(php -r "require $SOURCE_LOCATION/version.php; echo implode('.', \$OC_Version);")"
             IMAGE_MAJOR="${image_version%%.*}"
             set +ex
+# Do not skip major versions end # Do not remove or change this line!
         fi
 
         if [ "$installed_version" != "0.0.0.0" ]; then
@@ -163,8 +162,12 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
                 declare -Ag APPSTORAGE
                 echo "Disabling apps before the update in order to make the update procedure more safe. This can take a while..."
                 for app in "${NC_APPS_ARRAY[@]}"; do
-                    APPSTORAGE[$app]=$(php /var/www/html/occ config:app:get "$app" enabled)
-                    php /var/www/html/occ app:disable "$app"
+                    if APPSTORAGE[$app]="$(php /var/www/html/occ config:app:get "$app" enabled)"; then
+                        php /var/www/html/occ app:disable "$app"
+                    else
+                        APPSTORAGE[$app]=""
+                        echo "Not disabling $app because the occ command to get the enabled state was failing."
+                    fi
                 done
             fi
 
@@ -186,15 +189,15 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
         fi
 
         echo "Initializing nextcloud $image_version ..."
-        rsync -rlD --delete --exclude-from=/upgrade.exclude /usr/src/nextcloud/ /var/www/html/
+        rsync -rlD --delete --exclude-from=/upgrade.exclude "$SOURCE_LOCATION/" /var/www/html/
 
         for dir in config data custom_apps themes; do
             if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                rsync -rlD --include "/$dir/" --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+                rsync -rlD --include "/$dir/" --exclude '/*' "$SOURCE_LOCATION/" /var/www/html/
             fi
         done
-        rsync -rlD --delete --include '/config/' --exclude '/*' --exclude '/config/CAN_INSTALL' --exclude '/config/config.sample.php' --exclude '/config/config.php' /usr/src/nextcloud/ /var/www/html/
-        rsync -rlD --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
+        rsync -rlD --delete --include '/config/' --exclude '/*' --exclude '/config/CAN_INSTALL' --exclude '/config/config.sample.php' --exclude '/config/config.php' "$SOURCE_LOCATION/" /var/www/html/
+        rsync -rlD --include '/version.php' --exclude '/*' "$SOURCE_LOCATION/" /var/www/html/
         echo "Initializing finished"
 
         #install
@@ -220,7 +223,11 @@ if ! [ -f "$NEXTCLOUD_DATA_DIR/skip.update" ]; then
 DATADIR_PERMISSION_CONF
 
             echo "Installing with PostgreSQL database"
-            INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST")
+            # Set a default value for POSTGRES_PORT
+            if [ -z "$POSTGRES_PORT" ]; then
+              POSTGRES_PORT=5432
+            fi
+            INSTALL_OPTIONS+=(--database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST" --database-port "$POSTGRES_PORT")
 
             echo "Starting Nextcloud installation..."
             if ! php /var/www/html/occ maintenance:install "${INSTALL_OPTIONS[@]}"; then
@@ -255,6 +262,7 @@ DATADIR_PERMISSION_CONF
             # unset admin password
             unset ADMIN_PASSWORD
 
+# AIO update to latest start # Do not remove or change this line!
             if [ "$INSTALL_LATEST_MAJOR" = yes ]; then
                 php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
                 INSTALLED_AT="$(php /var/www/html/occ config:app:get core installedat)"
@@ -292,23 +300,24 @@ DATADIR_PERMISSION_CONF
                 php /var/www/html/occ db:add-missing-primary-keys
                 yes | php /var/www/html/occ db:convert-filecache-bigint
             fi
+# AIO update to latest end # Do not remove or change this line!
 
             # Apply log settings
             echo "Applying default settings..."
             mkdir -p /var/www/html/data
-            php /var/www/html/occ config:system:set loglevel --value=2
-            php /var/www/html/occ config:system:set log_type --value=file
+            php /var/www/html/occ config:system:set loglevel --value="2" --type=integer
+            php /var/www/html/occ config:system:set log_type --value="file"
             php /var/www/html/occ config:system:set logfile --value="/var/www/html/data/nextcloud.log"
-            php /var/www/html/occ config:system:set log_rotate_size --value="10485760"
+            php /var/www/html/occ config:system:set log_rotate_size --value="10485760" --type=integer
             php /var/www/html/occ app:enable admin_audit
             php /var/www/html/occ config:app:set admin_audit logfile --value="/var/www/html/data/audit.log"
             php /var/www/html/occ config:system:set log.condition apps 0 --value="admin_audit"
 
             # Apply preview settings
             echo "Applying preview settings..."
-            php /var/www/html/occ config:system:set preview_max_x --value="2048"
-            php /var/www/html/occ config:system:set preview_max_y --value="2048"
-            php /var/www/html/occ config:system:set jpeg_quality --value="60"
+            php /var/www/html/occ config:system:set preview_max_x --value="2048" --type=integer
+            php /var/www/html/occ config:system:set preview_max_y --value="2048" --type=integer
+            php /var/www/html/occ config:system:set jpeg_quality --value="60" --type=integer
             php /var/www/html/occ config:app:set preview jpeg_quality --value="60"
             php /var/www/html/occ config:system:delete enabledPreviewProviders
             php /var/www/html/occ config:system:set enabledPreviewProviders 1 --value="OC\\Preview\\Image"
@@ -322,11 +331,13 @@ DATADIR_PERMISSION_CONF
 
             # Apply other settings
             echo "Applying other settings..."
+            # Add missing indices after new installation because they seem to be missing on new installation
+            php /var/www/html/occ db:add-missing-indices
             php /var/www/html/occ config:system:set upgrade.disable-web --type=bool --value=true
             php /var/www/html/occ config:system:set mail_smtpmode --value="smtp"
             php /var/www/html/occ config:system:set trashbin_retention_obligation --value="auto, 30"
             php /var/www/html/occ config:system:set versions_retention_obligation --value="auto, 30"
-            php /var/www/html/occ config:system:set activity_expire_days --value="30"
+            php /var/www/html/occ config:system:set activity_expire_days --value="30" --type=integer
             php /var/www/html/occ config:system:set simpleSignUpLink.shown --type=bool --value=false
             php /var/www/html/occ config:system:set share_folder --value="/Shared"
             # Not needed anymore with the removal of the updatenotification app:
@@ -463,16 +474,25 @@ if [ -f "$NEXTCLOUD_DATA_DIR/fingerprint.update" ]; then
     rm "$NEXTCLOUD_DATA_DIR/fingerprint.update"
 fi
 
+# AIO one-click settings start # Do not remove or change this line!
 # Apply one-click-instance settings
 echo "Applying one-click-instance settings..."
 php /var/www/html/occ config:system:set one-click-instance --value=true --type=bool
 php /var/www/html/occ config:system:set one-click-instance.user-limit --value=100 --type=int
 php /var/www/html/occ config:system:set one-click-instance.link --value="https://nextcloud.com/all-in-one/"
+# AIO one-click settings end # Do not remove or change this line!
 php /var/www/html/occ app:enable support
 if [ -n "$SUBSCRIPTION_KEY" ] && [ -z "$(php /var/www/html/occ config:app:get support potential_subscription_key)" ]; then
     php /var/www/html/occ config:app:set support potential_subscription_key --value="$SUBSCRIPTION_KEY"
     php /var/www/html/occ config:app:delete support last_check
 fi
+if [ -n "$NEXTCLOUD_DEFAULT_QUOTA" ]; then
+    if [ "$NEXTCLOUD_DEFAULT_QUOTA" = "unlimited" ]; then
+        php /var/www/html/occ config:app:delete files default_quota
+    else
+        php /var/www/html/occ config:app:set files default_quota --value="$NEXTCLOUD_DEFAULT_QUOTA"
+    fi
+fi
 
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
@@ -483,6 +503,10 @@ php /var/www/html/occ config:system:set updatedirectory --value="/nc-updater"
 if [ -n "$SERVERINFO_TOKEN" ] && [ -z "$(php /var/www/html/occ config:app:get serverinfo token)" ]; then
     php /var/www/html/occ config:app:set serverinfo token --value="$SERVERINFO_TOKEN"
 fi
+# Set maintenance window so that no warning is shown in the admin overview
+if [ -z "$(php /var/www/html/occ config:system:get maintenance_window_start)" ]; then
+    php /var/www/html/occ config:system:set maintenance_window_start --type=int --value=100
+fi
 
 # Apply network settings
 echo "Applying network settings..."
@@ -496,6 +520,14 @@ php /var/www/html/occ maintenance:update:htaccess
 # Revert dbpersistent setting to check if it fixes too many db connections
 php /var/www/html/occ config:system:set dbpersistent --value=false --type=bool
 
+if [ "$DISABLE_BRUTEFORCE_PROTECTION" = yes ]; then
+    php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=false
+    php /var/www/html/occ config:system:set ratelimit.protection.enabled --type=bool --value=false
+else
+    php /var/www/html/occ config:system:set auth.bruteforce.protection.enabled --type=bool --value=true
+    php /var/www/html/occ config:system:set ratelimit.protection.enabled --type=bool --value=true
+fi
+
 # Disallow creating local external storages when nothing was mounted
 if [ -z "$NEXTCLOUD_MOUNT" ]; then
     php /var/www/html/occ config:system:set files_external_allow_create_new_local --type=bool --value=false
@@ -503,6 +535,7 @@ else
     php /var/www/html/occ config:system:set files_external_allow_create_new_local --type=bool --value=true
 fi
 
+# AIO app start # Do not remove or change this line!
 # AIO app
 if [ "$THIS_IS_AIO" = "true" ]; then
     if [ "$(php /var/www/html/occ config:app:get nextcloud-aio enabled)" != "yes" ]; then
@@ -513,6 +546,7 @@ else
         php /var/www/html/occ app:disable nextcloud-aio
     fi
 fi
+# AIO app end # Do not remove or change this line!
 
 # Notify push
 if ! [ -d "/var/www/html/custom_apps/notify_push" ]; then
@@ -528,6 +562,14 @@ php /var/www/html/occ config:system:set trusted_proxies 1 --value="::1"
 if [ -n "$ADDITIONAL_TRUSTED_PROXY" ]; then
     php /var/www/html/occ config:system:set trusted_proxies 2 --value="$ADDITIONAL_TRUSTED_PROXY"
 fi
+
+# Get ipv4-address of Nextcloud 
+IPv4_ADDRESS="$(dig nextcloud-aio-nextcloud A +short +search | head -1)" 
+# Bring it in CIDR notation 
+# shellcheck disable=SC2001
+IPv4_ADDRESS="$(echo "$IPv4_ADDRESS" | sed 's|[0-9]\+$|0/16|')" 
+php /var/www/html/occ config:system:set trusted_proxies 10 --value="$IPv4_ADDRESS"
+
 if [ -n "$ADDITIONAL_TRUSTED_DOMAIN" ]; then
     php /var/www/html/occ config:system:set trusted_domains 2 --value="$ADDITIONAL_TRUSTED_DOMAIN"
 fi
@@ -535,6 +577,11 @@ php /var/www/html/occ config:app:set notify_push base_endpoint --value="https://
 
 # Collabora
 if [ "$COLLABORA_ENABLED" = 'yes' ]; then
+    set -x
+    if echo "$COLLABORA_HOST" | grep -q "nextcloud-.*-collabora"; then
+        COLLABORA_HOST="$NC_DOMAIN"
+    fi
+    set +x
     if ! [ -d "/var/www/html/custom_apps/richdocuments" ]; then
         php /var/www/html/occ app:install richdocuments
     elif [ "$(php /var/www/html/occ config:app:get richdocuments enabled)" != "yes" ]; then
@@ -542,10 +589,10 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
     elif [ "$SKIP_UPDATE" != 1 ]; then
         php /var/www/html/occ app:update richdocuments
     fi
-    php /var/www/html/occ config:app:set richdocuments wopi_url --value="https://$NC_DOMAIN/"
+    php /var/www/html/occ config:app:set richdocuments wopi_url --value="https://$COLLABORA_HOST/"
     # Make collabora more save
-    COLLABORA_IPv4_ADDRESS="$(dig "$NC_DOMAIN" A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-    COLLABORA_IPv6_ADDRESS="$(dig "$NC_DOMAIN" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+    COLLABORA_IPv4_ADDRESS="$(dig "$COLLABORA_HOST" A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+    COLLABORA_IPv6_ADDRESS="$(dig "$COLLABORA_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
     COLLABORA_ALLOW_LIST="$(php /var/www/html/occ config:app:get richdocuments wopi_allowlist)"
     if [ -n "$COLLABORA_IPv4_ADDRESS" ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv4_ADDRESS"; then
@@ -556,7 +603,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
             fi
         fi
     else
-        echo "Warning: No ipv4-address found for $NC_DOMAIN."
+        echo "Warning: No ipv4-address found for $COLLABORA_HOST."
     fi
     if [ -n "$COLLABORA_IPv6_ADDRESS" ]; then
         if ! echo "$COLLABORA_ALLOW_LIST" | grep -q "$COLLABORA_IPv6_ADDRESS"; then
@@ -567,7 +614,7 @@ if [ "$COLLABORA_ENABLED" = 'yes' ]; then
             fi
         fi
     else
-        echo "No ipv6-address found for $NC_DOMAIN."
+        echo "No ipv6-address found for $COLLABORA_HOST."
     fi
     if [ -n "$COLLABORA_ALLOW_LIST" ]; then
         PRIVATE_IP_RANGES='127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1'
@@ -614,6 +661,15 @@ fi
 
 # Talk
 if [ "$TALK_ENABLED" = 'yes' ]; then
+    set -x
+    if [ -z "$TALK_HOST" ] || echo "$TALK_HOST" | grep -q "nextcloud-.*-talk"; then
+        TALK_HOST="$NC_DOMAIN"
+        HPB_PATH="/standalone-signaling/"
+    fi
+    if [ -z "$TURN_DOMAIN" ]; then
+        TURN_DOMAIN="$TALK_HOST"
+    fi
+    set +x
     if ! [ -d "/var/www/html/custom_apps/spreed" ]; then
         php /var/www/html/occ app:install spreed
     elif [ "$(php /var/www/html/occ config:app:get spreed enabled)" != "yes" ]; then
@@ -623,15 +679,16 @@ if [ "$TALK_ENABLED" = 'yes' ]; then
     fi
     # Based on https://github.com/nextcloud/spreed/issues/960#issuecomment-416993435
     if [ -z "$(php /var/www/html/occ talk:turn:list --output="plain")" ]; then
-        php /var/www/html/occ talk:turn:add turn "$NC_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
+        # shellcheck disable=SC2153
+        php /var/www/html/occ talk:turn:add turn "$TURN_DOMAIN:$TALK_PORT" "udp,tcp" --secret="$TURN_SECRET"
     fi
     STUN_SERVER="$(php /var/www/html/occ talk:stun:list --output="plain")"
     if [ -z "$STUN_SERVER" ] || echo "$STUN_SERVER" | grep -oP '[a-zA-Z.:0-9]+' | grep -q "^stun.nextcloud.com:443$"; then
-        php /var/www/html/occ talk:stun:add "$NC_DOMAIN:$TALK_PORT"
+        php /var/www/html/occ talk:stun:add "$TURN_DOMAIN:$TALK_PORT"
         php /var/www/html/occ talk:stun:delete "stun.nextcloud.com:443"
     fi
-    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$NC_DOMAIN/standalone-signaling/"; then
-        php /var/www/html/occ talk:signaling:add "https://$NC_DOMAIN/standalone-signaling/" "$SIGNALING_SECRET" --verify
+    if ! php /var/www/html/occ talk:signaling:list --output="plain" | grep -q "https://$TALK_HOST$HPB_PATH"; then
+        php /var/www/html/occ talk:signaling:add "https://$TALK_HOST$HPB_PATH" "$SIGNALING_SECRET" --verify
     fi
 else
     if [ "$REMOVE_DISABLED_APPS" = yes ] && [ -d "/var/www/html/custom_apps/spreed" ]; then
@@ -676,8 +733,8 @@ if [ "$CLAMAV_ENABLED" = 'yes' ]; then
         php /var/www/html/occ config:app:set files_antivirus av_mode --value="daemon"
         php /var/www/html/occ config:app:set files_antivirus av_port --value="3310"
         php /var/www/html/occ config:app:set files_antivirus av_host --value="$CLAMAV_HOST"
-        php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="104857600"
-        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="104857600"
+        php /var/www/html/occ config:app:set files_antivirus av_stream_max_length --value="$CLAMAV_MAX_SIZE"
+        php /var/www/html/occ config:app:set files_antivirus av_max_file_size --value="$CLAMAV_MAX_SIZE"
         php /var/www/html/occ config:app:set files_antivirus av_infected_action --value="only_log"
     fi
 else
@@ -690,6 +747,7 @@ fi
 if [ "$IMAGINARY_ENABLED" = 'yes' ]; then
     php /var/www/html/occ config:system:set enabledPreviewProviders 0 --value="OC\\Preview\\Imaginary"
     php /var/www/html/occ config:system:set preview_imaginary_url --value="http://$IMAGINARY_HOST:9000"
+    php /var/www/html/occ config:system:set preview_imaginary_key --value="$IMAGINARY_SECRET"
 else
     if [ -n "$(php /var/www/html/occ config:system:get preview_imaginary_url)" ]; then
         php /var/www/html/occ config:system:delete enabledPreviewProviders 0

Containers/nextcloud/healthcheck.sh

@@ -1,7 +1,15 @@
 #!/bin/bash
 
-nc -z "$POSTGRES_HOST" 5432 || exit 0
+# Set a default value for POSTGRES_PORT
+if [ -z "$POSTGRES_PORT" ]; then
+    POSTGRES_PORT=5432
+fi
 
-if ! nc -z localhost 9000; then
+
+# POSTGRES_HOST must be set in the containers env vars and POSTGRES_PORT has a default above
+# shellcheck disable=SC2153
+nc -z "$POSTGRES_HOST" "$POSTGRES_PORT" || exit 0
+
+if ! nc -z 127.0.0.1 9000; then
     exit 1
 fi

Containers/nextcloud/root.motd

@@ -0,0 +1,4 @@
+Warning: You have logged in into the Nextcloud container as root user.
+See https://github.com/nextcloud/all-in-one#how-to-run-occ-commands if you want to run occ commands.
+Apart from that, you can use 'sudo -u www-data -E php occ <your-command>' in order to run occ commands.
+Of course <your-command> needs to be substituted with the command that you want to use.

Containers/nextcloud/start.sh

@@ -1,7 +1,14 @@
 #!/bin/bash
 
+# Set a default value for POSTGRES_PORT
+if [ -z "$POSTGRES_PORT" ]; then
+    POSTGRES_PORT=5432
+fi
+
 # Only start container if database is accessible
-while ! sudo -u www-data nc -z "$POSTGRES_HOST" 5432; do
+# POSTGRES_HOST must be set in the containers env vars and POSTGRES_PORT has a default above
+# shellcheck disable=SC2153
+while ! sudo -u www-data nc -z "$POSTGRES_HOST" "$POSTGRES_PORT"; do
     echo "Waiting for database to start..."
     sleep 5
 done
@@ -13,7 +20,7 @@ export POSTGRES_USER
 # Fix false database connection on old instances
 if [ -f "/var/www/html/config/config.php" ]; then
     sleep 2
-    while ! sudo -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:5432/$POSTGRES_DB" -c "select now()"; do
+    while ! sudo -u www-data psql -d "postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start..."
         sleep 5
     done
@@ -56,7 +63,7 @@ if [ -n "$ADDITIONAL_APKS" ]; then
     if ! [ -f "/additional-apks-are-installed" ]; then
         # Allow to disable imagemagick without having to download it each time
         if ! echo "$ADDITIONAL_APKS" | grep -q imagemagick; then
-            apk del imagemagick imagemagick-svg;
+            apk del imagemagick imagemagick-svg imagemagick-heic imagemagick-tiff;
         fi
         read -ra ADDITIONAL_APKS_ARRAY <<< "$ADDITIONAL_APKS"
         for app in "${ADDITIONAL_APKS_ARRAY[@]}"; do
@@ -144,7 +151,7 @@ done
 
 set -x
 # shellcheck disable=SC2235
-if [ "$THIS_IS_AIO" = "true" ] && ([ "$APACHE_PORT" = 443 ] || [ "$APACHE_IP_BINDING" = "127.0.0.1" ] || [ "$APACHE_IP_BINDING" = "::1" ]); then
+if [ "$THIS_IS_AIO" = "true" ] && [ "$APACHE_PORT" = 443 ]; then
     IPv4_ADDRESS_APACHE="$(dig nextcloud-aio-apache A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
     IPv6_ADDRESS_APACHE="$(dig nextcloud-aio-apache AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
     IPv4_ADDRESS_MASTERCONTAINER="$(dig nextcloud-aio-mastercontainer A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"

Containers/notify-push/Dockerfile

@@ -1,10 +1,11 @@
 # syntax=docker/dockerfile:latest
-FROM alpine:3.19.1
+FROM alpine:3.20.1
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         ca-certificates \
         netcat-openbsd \

Containers/notify-push/healthcheck.sh

@@ -4,4 +4,4 @@ if ! nc -z "$NEXTCLOUD_HOST" 9001; then
     exit 0
 fi
 
-nc -z localhost 7867 || exit 1
+nc -z 127.0.0.1 7867 || exit 1

Containers/notify-push/start.sh

@@ -44,8 +44,12 @@ fi
 
 echo "notify-push was started"
 
+# Set a default value for POSTGRES_PORT
+if [ -z "$POSTGRES_PORT" ]; then
+    POSTGRES_PORT=5432
+fi
 # Set sensitive values as env
-export DATABASE_URL="postgres://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+export DATABASE_URL="postgres://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB"
 export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
 
 # Run it

Containers/onlyoffice/Dockerfile

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/master/Dockerfile
-FROM onlyoffice/documentserver:7.5.1.1
+FROM onlyoffice/documentserver:8.1.1.1
 
 # USER root is probably used
 
-HEALTHCHECK CMD nc -z localhost 80 || exit 1
+HEALTHCHECK CMD nc -z 127.0.0.1 80 || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/postgresql/Dockerfile

@@ -1,12 +1,13 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/postgres/blob/master/15/alpine/Dockerfile
-FROM postgres:15.6-alpine
+# From https://github.com/docker-library/postgres/blob/master/16/alpine3.20/Dockerfile
+FROM postgres:16.3-alpine
 
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=775 init-user-db.sh /docker-entrypoint-initdb.d/init-user-db.sh
 
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         bash \
         openssl \
@@ -31,7 +32,10 @@ RUN set -ex; \
     \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
-    apk --no-cache del openssl;
+    apk --no-cache del openssl; \
+    \
+# Get rid of unused binaries
+    rm -f /usr/local/bin/gosu /usr/local/bin/su-exec;
 
 VOLUME /mnt/data
 

Containers/postgresql/healthcheck.sh

@@ -2,4 +2,4 @@
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:5432/$POSTGRES_DB" -c "select now()" || exit 1
+psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:5432/$POSTGRES_DB" -c "select now()" || exit 1

Containers/postgresql/start.sh

@@ -85,7 +85,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     exec docker-entrypoint.sh postgres &
 
     # Wait for creation
-    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@localhost:11000/$POSTGRES_DB" -c "select now()"; do
+    while ! psql -d "postgresql://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@127.0.0.1:11000/$POSTGRES_DB" -c "select now()"; do
         echo "Waiting for the database to start."
         sleep 5
     done
@@ -99,7 +99,7 @@ if ( [ -f "$DATADIR/PG_VERSION" ] && [ "$PG_MAJOR" != "$(cat "$DATADIR/PG_VERSIO
     fi
 
     # Get the Owner
-    DB_OWNER="$(grep -a "$GREP_STRING" "$DUMP_FILE" | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
+    DB_OWNER="$(grep -a "$GREP_STRING" "$DUMP_FILE" | head -1 | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g')"
     if [ "$DB_OWNER" = "$POSTGRES_USER" ]; then
         echo "Unfortunately was the found database owner of the dump file the same as the POSTGRES_USER $POSTGRES_USER"
         echo "It is not possible to import a database dump from this database owner."

Containers/redis/Dockerfile

@@ -1,14 +1,18 @@
 # syntax=docker/dockerfile:latest
-# From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.2.4-alpine
+# From https://github.com/docker-library/redis/blob/master/7.2/alpine/Dockerfile
+FROM redis:7.2.5-alpine
 
 COPY --chmod=775 start.sh /start.sh
 
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache openssl bash; \
     \
 # Give root a random password
-    echo "root:$(openssl rand -base64 12)" | chpasswd
+    echo "root:$(openssl rand -base64 12)" | chpasswd; \
+    \
+# Get rid of unused binaries
+    rm -f /usr/local/bin/gosu;
 
 USER redis
 ENTRYPOINT ["/start.sh"]

Containers/redis/start.sh

@@ -7,6 +7,7 @@ if [ "$(sysctl -n vm.overcommit_memory)" != "1" ]; then
 fi
 
 # Run redis with a password if provided
+echo "Redis has started"
 if [ -n "$REDIS_HOST_PASSWORD" ]; then
     exec redis-server --requirepass "$REDIS_HOST_PASSWORD" --loglevel warning
 else

Containers/talk-recording/Dockerfile

@@ -1,15 +1,16 @@
 # syntax=docker/dockerfile:latest
-FROM python:3.12.2-alpine3.19
+FROM python:3.12.4-alpine3.20
 
 COPY --chmod=775 start.sh /start.sh
 
-ENV RECORDING_VERSION v0.1
-ENV ALLOW_ALL false
-ENV HPB_PROTOCOL https
-ENV SKIP_VERIFY false
-ENV HPB_PATH /standalone-signaling/
+ENV RECORDING_VERSION=v0.1
+ENV ALLOW_ALL=false
+ENV HPB_PROTOCOL=https
+ENV SKIP_VERIFY=false
+ENV HPB_PATH=/standalone-signaling/
 
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         ca-certificates \
         tzdata \
@@ -25,9 +26,8 @@ RUN set -ex; \
         pulseaudio \
         openssl \
         build-base \
-        linux-headers; \
-    # chromium chromium-chromedriver?
-    apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/community; \
+        linux-headers \
+        geckodriver; \
     useradd -d /tmp --system recording; \
 # Give root a random password
     echo "root:$(openssl rand -base64 12)" | chpasswd; \
@@ -53,5 +53,5 @@ USER recording
 ENTRYPOINT ["/start.sh"]
 CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/conf/recording.conf"]
 
-HEALTHCHECK CMD nc -z localhost 1234 || exit 1
+HEALTHCHECK CMD nc -z 127.0.0.1 1234 || exit 1
 LABEL com.centurylinklabs.watchtower.enable="false"

Containers/talk/Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:latest
-FROM nats:2.10.11-scratch as nats
+FROM nats:2.10.18-scratch AS nats
 FROM eturnal/eturnal:1.12.0 AS eturnal
-FROM strukturag/nextcloud-spreed-signaling:1.2.3 as signaling
-FROM alpine:3.19.1 as janus
+FROM strukturag/nextcloud-spreed-signaling:1.3.2 AS signaling
+FROM alpine:3.20.1 AS janus
 
-ARG JANUS_VERSION=v0.14.1
+ARG JANUS_VERSION=v0.14.3
 WORKDIR /src
 RUN set -ex; \
     apk add --no-cache \
@@ -34,7 +34,7 @@ RUN set -ex; \
     make configs; \
     rename -v ".jcfg.sample" ".jcfg" /usr/local/etc/janus/*.jcfg.sample
 
-FROM alpine:3.19.1
+FROM alpine:3.20.1
 ENV ETURNAL_ETC_DIR="/conf"
 COPY --from=janus     --chmod=777 --chown=1000:1000 /usr/local                          /usr/local
 COPY --from=eturnal   --chmod=777 --chown=1000:1000 /opt/eturnal                        /opt/eturnal
@@ -46,6 +46,7 @@ COPY --chmod=775 healthcheck.sh /healthcheck.sh
 COPY --chmod=664 supervisord.conf /supervisord.conf
 
 RUN set -ex; \
+    apk upgrade --no-cache -a; \
     apk add --no-cache \
         ca-certificates \
         tzdata \

Containers/talk/healthcheck.sh

@@ -1,11 +1,7 @@
 #!/bin/bash
 
-nc -z localhost 8081 || exit 1
-nc -z localhost 8188 || exit 1
-nc -z localhost 4222 || exit 1
-nc -z localhost "$TALK_PORT" || exit 1
+nc -z 127.0.0.1 8081 || exit 1
+nc -z 127.0.0.1 8188 || exit 1
+nc -z 127.0.0.1 4222 || exit 1
+nc -z 127.0.0.1 "$TALK_PORT" || exit 1
 eturnalctl status || exit 1
-if ! nc -z "$NC_DOMAIN" "$TALK_PORT"; then
-    echo "Could not reach $NC_DOMAIN on port $TALK_PORT."
-    exit 1
-fi

Containers/talk/server.conf.in

@@ -7,7 +7,7 @@
 #readtimeout = 15
 
 # HTTP socket write timeout in seconds.
-#writetimeout = 15
+#writetimeout = 30
 
 [https]
 # IP and port to listen on for HTTPS requests.
@@ -18,7 +18,7 @@
 #readtimeout = 15
 
 # HTTPS socket write timeout in seconds.
-#writetimeout = 15
+#writetimeout = 30
 
 # Certificate / private key to use for the HTTPS server.
 certificate = /etc/nginx/ssl/server.crt
@@ -34,6 +34,12 @@ debug = false
 # room and call can be subscribed.
 #allowsubscribeany = false
 
+# Comma separated list of trusted proxies (IPs or CIDR networks) that may set
+# the "X-Real-Ip" or "X-Forwarded-For" headers. If both are provided, the
+# "X-Real-Ip" header will take precedence (if valid).
+# Leave empty to allow loopback and local addresses.
+#trustedproxies =
+
 [sessions]
 # Secret value used to generate checksums of sessions. This should be a random
 # string of 32 or 64 bytes.
@@ -221,6 +227,8 @@ connectionsperhost = 8
 # register an account at "https://www.maxmind.com/en/geolite2/signup" for
 # free. See "https://dev.maxmind.com/geoip/geoip2/geolite2/" for further
 # information.
+# You can also get a free GeoIP database from https://db-ip.com/ without
+# registration. Provide the URL below in this case.
 # Leave empty to disable GeoIP lookups.
 #license =
 

Containers/talk/start.sh

@@ -20,8 +20,10 @@ fi
 
 set -x
 IPv4_ADDRESS_TALK_RELAY="$(hostname -i | grep -oP '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)"
-IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
-IPv6_ADDRESS_TALK="$(dig nextcloud-aio-talk AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
+# shellcheck disable=SC2153
+IPv4_ADDRESS_TALK="$(dig "$TALK_HOST" IN A +short +search | grep '^[0-9.]\+$' | sort | head -n1)"
+# shellcheck disable=SC2153
+IPv6_ADDRESS_TALK="$(dig "$TALK_HOST" AAAA +short +search | grep '^[0-9a-f:]\+$' | sort | head -n1)"
 set +x
 
 if [ -n "$IPv4_ADDRESS_TALK" ] && [ "$IPv4_ADDRESS_TALK_RELAY" = "$IPv4_ADDRESS_TALK" ]; then
@@ -56,6 +58,14 @@ TURN_CONF
 # Remove empty lines so that the config is not invalid
 sed -i '/""/d' /conf/eturnal.yml
 
+if [ -z "$TALK_MAX_STREAM_BITRATE" ]; then
+    TALK_MAX_STREAM_BITRATE=1048576
+fi
+
+if [ -z "$TALK_MAX_SCREEN_BITRATE" ]; then
+    TALK_MAX_SCREEN_BITRATE=2097152
+fi
+
 # Signling
 cat << SIGNALING_CONF > "/conf/signaling.conf"
 [http]
@@ -80,6 +90,8 @@ connectionsperhost = 8
 [backend-1]
 url = https://${NC_DOMAIN}
 secret = ${SIGNALING_SECRET}
+maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
+maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 
 [nats]
 url = nats://127.0.0.1:4222
@@ -87,6 +99,8 @@ url = nats://127.0.0.1:4222
 [mcu]
 type = janus
 url = ws://127.0.0.1:8188
+maxstreambitrate = ${TALK_MAX_STREAM_BITRATE}
+maxscreenbitrate = ${TALK_MAX_SCREEN_BITRATE}
 SIGNALING_CONF
 
 exec "$@"

Containers/watchtower/Dockerfile

@@ -1,10 +1,12 @@
 # syntax=docker/dockerfile:latest
 # From https://github.com/containrrr/watchtower/blob/main/dockerfiles/Dockerfile.self-contained
-FROM containrrr/watchtower:1.7.1 as watchtower
+FROM containrrr/watchtower:1.7.1 AS watchtower
 
-FROM alpine:3.19.1
+FROM alpine:3.20.1
+
+RUN apk upgrade --no-cache -a; \
+    apk add --no-cache bash
 
-RUN apk add --no-cache bash
 COPY --from=watchtower /watchtower /watchtower
 
 COPY --chmod=775 start.sh /start.sh

app/appinfo/info.xml

@@ -5,7 +5,7 @@
 	<name>Nextcloud All-in-One</name>
 	<summary>Provides a login link for admins.</summary>
 	<description>Add a link to the admin settings that gives access to the Nextcloud All-in-One admin interface</description>
-	<version>0.4.0</version>
+	<version>0.6.0</version>
 	<licence>agpl</licence>
 	<author>Azul</author>
 	<namespace>AllInOne</namespace>
@@ -13,7 +13,7 @@
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/all-in-one/issues</bugs>
 	<dependencies>
-		<nextcloud min-version="26" max-version="27"/>
+		<nextcloud min-version="28" max-version="29"/>
 	</dependencies>
 
 	<settings>

community-containers/caddy/caddy.json

@@ -5,7 +5,7 @@
             "display_name": "Caddy with geoblocking",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy",
             "image": "szaimen/aio-caddy",
-            "image_tag": "v1",
+            "image_tag": "v2",
             "internal_port": "443",
             "restart": "unless-stopped",
             "ports": [
@@ -38,7 +38,7 @@
                 }
             ],
             "aio_variables": [
-                "apache_ip_binding=127.0.0.1",
+                "apache_ip_binding=@INTERNAL",
                 "apache_port=11000"
             ],
             "nextcloud_exec_commands": [

community-containers/caddy/readme.md

@@ -1,12 +1,16 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden by listening on `bw.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart by listening on `mail.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden by listening on `bw.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart by listening on `mail.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin by listening on `media.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap by listening on `ldap.$NC_DOMAIN`, if installed. It also covers https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb by listening on `tables.$NC_DOMAIN`, if installed.
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
 - Make sure that no other service is using port 443 on your host as otherwise the containers will fail to start. You can check this with `sudo netstat -tulpn | grep 443` before installing AIO.
 - If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden, make sure that you point `bw.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for vaultwarden.
-- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart, make sure that you point `mail.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for stalwart.
+- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart, make sure that you point `mail.your-nc-domain.com` to your server using an A, AAAA or CNAME record so that caddy can get a certificate automatically for stalwart.
+- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin, make sure that you point `media.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyfin.
+- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap, make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
+- If you want to use this with https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb, make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
+- You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

community-containers/facerecognition/facerecognition.json

@@ -10,10 +10,11 @@
             "restart": "unless-stopped",
             "environment": [
                 "TZ=%TIMEZONE%",
-                "API_KEY=some-super-secret-api-key"
+                "API_KEY=some-super-secret-api-key",
+                "FACE_MODEL=3"
             ],
             "aio_variables": [
-                "nextcloud_memory_limit=4096M"
+                "nextcloud_memory_limit=2048M"
             ],
             "nextcloud_exec_commands": [
                 "php /var/www/html/occ app:install facerecognition",
@@ -21,7 +22,7 @@
                 "php /var/www/html/occ config:system:set facerecognition.external_model_url --value nextcloud-aio-facerecognition:5000",
                 "php /var/www/html/occ config:system:set facerecognition.external_model_api_key --value some-super-secret-api-key",
                 "php /var/www/html/occ face:setup -m 5",
-                "php /var/www/html/occ face:setup -M 4G",
+                "php /var/www/html/occ face:setup -M 1G",
                 "php /var/www/html/occ config:app:set facerecognition analysis_image_area --value 4320000",
                 "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 0 --value image/jpeg",
                 "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 1 --value image/png",

community-containers/fail2ban/readme.md

@@ -4,6 +4,7 @@ This container bundles fail2ban and auto-configures it for you in order to block
 ### Notes
 - This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
 - If you get an error like `"ip6tables v1.8.9 (legacy): can't initialize ip6tables table filter': Table does not exist (do you need to insmod?)"`, you need to enable ip6tables on your host via `sudo modprobe ip6table_filter`.
+- If you get an error like  `stderr: 'iptables: No chain/target/match by that name.'` and `stderr: 'ip6tables: No chain/target/match by that name.'`, you need to follow https://github.com/szaimen/aio-fail2ban/issues/9#issuecomment-2026898790 in order to resolve this.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

community-containers/jellyfin/jellyfin.json

@@ -0,0 +1,39 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-jellyfin",
+            "display_name": "Jellyfin",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin",
+            "image": "jellyfin/jellyfin",
+            "image_tag": "latest",
+            "internal_port": "host",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_jellyfin",
+                    "destination": "/config",
+                    "writeable": true
+                },
+                {
+                    "source": "%NEXTCLOUD_DATADIR%",
+                    "destination": "/media",
+                    "writeable": false
+                },
+                {
+                    "source": "%NEXTCLOUD_MOUNT%",
+                    "destination": "%NEXTCLOUD_MOUNT%",
+                    "writeable": false
+                }
+            ],
+            "devices": [
+                "/dev/dri"
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_jellyfin"
+            ]
+        }
+    ]
+}

community-containers/jellyfin/readme.md

@@ -0,0 +1,20 @@
+## Jellyfin
+This container bundles Jellyfin and auto-configures it for you.
+
+### Notes
+- This container is incompatible with the [Plex](https://github.com/nextcloud/all-in-one/tree/main/community-containers/plex) community container. So make sure that you do not enable both at the same time!
+- This container does not work on Docker Desktop since it needs `network_mode: host` in order to work correctly.
+- After adding and starting the container, you can directly visit http://ip.address.of.server:8096/ and access your new Jellyfin instance!
+- This container should usually only be run in home networks as it exposes unencrypted services like DLNA by default which can be disabld via the web interface though.
+- In order to access your Jellyfin outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) and [Jellyfin's networking documentation](https://jellyfin.org/docs/general/networking/#running-jellyfin-behind-a-reverse-proxy), OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `media.$NC_DOMAIN` to redirect to your Jellyfin.
+- ⚠️ After the initial start, Jellyfin shows a configuration page to set up the root password, etc. **Be careful to initialize your Jellyfin before adding the DNS record.**
+- If you have a firewall like ufw configured, you might need to open all Jellyfin ports in there first in order to make it work. Especially port 8096 is important!
+- The data of Jellyfin will be automatically included in AIO's backup solution!
+- See [here](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) how to add it to the AIO stack.
+
+
+### Repository
+https://github.com/jellyfin/jellyfin
+
+### Maintainer
+https://github.com/airopi

community-containers/lldap/lldap.json

@@ -0,0 +1,46 @@
+{
+  "aio_services_v1": [
+    {
+      "container_name": "nextcloud-aio-lldap",
+      "display_name": "Light LDAP implementation",
+      "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap",
+      "image": "lldap/lldap",
+      "image_tag": "v0-alpine",
+      "internal_port": "17170",
+      "restart": "unless-stopped",
+      "ports": [
+        {
+          "ip_binding": "%APACHE_IP_BINDING%",
+          "port_number": "17170",
+          "protocol": "tcp"
+        }
+      ],
+      "environment": [
+        "TZ=%TIMEZONE%",
+        "UID=65534",
+        "GID=65534",
+        "LLDAP_JWT_SECRET=%LLDAP_JWT_SECRET%",
+        "LLDAP_LDAP_USER_PASS=%LLDAP_LDAP_USER_PASS%",
+        "LLDAP_LDAP_BASE_DN=%NC_BASE_DN%"
+      ],
+      "secrets": [
+        "LLDAP_JWT_SECRET",
+        "LLDAP_LDAP_USER_PASS"
+      ],
+      "volumes": [
+        {
+          "source": "nextcloud_aio_lldap",
+          "destination": "/data",
+          "writeable": true
+        }
+      ],
+      "backup_volumes": [
+        "nextcloud_aio_lldap"
+      ],
+      "nextcloud_exec_commands": [
+        "php /var/www/html/occ app:install user_ldap",
+        "php /var/www/html/occ app:enable user_ldap"
+      ]
+    }
+  ]
+}

community-containers/lldap/readme.md

@@ -0,0 +1,93 @@
+## Light LDAP server
+This container bundles LLDAP server and auto-configures your Nextcloud instance for you.
+
+### Notes
+- In order to access your LLDAP web interface outside the local network, you have to set up your own reverse proxy. You can set up a reverse proxy following [these instructions](https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md) OR use the [Caddy](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy) community container that will automatically configure `ldap.$NC_DOMAIN` to redirect to your Lldap. You need to point the reverse proxy at port 17170 of this server.
+- After adding and starting the container, you can log in to the lldap web interface by using the username `admin` and the password that you can retrieve via `sudo docker inspect nextcloud-aio-lldap | grep LLDAP_JWT_SECRET`.
+- To configure Nextcloud, you can use the generic configuration proposed below.
+- For advanced configurations, see how to configure a client with lldap https://github.com/lldap/lldap#client-configuration
+- Also, see how Nextcloud's LDAP application works https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Generic Nextcloud LDAP config
+Functionality with this configuration:
+- User and group management.
+- Login via username (or email) and password.
+- Profile picture sync.
+- Synchronization of administrator accounts (via the lldap_admin group).
+
+> For simplicity, this configuration is done via the command line (don't worry, it's very simple).
+
+First, you need to retrieve the LLDAP admin password, this will be used later on. Which you need to type in or copy and paste:
+```bash
+sudo docker inspect nextcloud-aio-lldap | grep LLDAP_LDAP_USER_PASS
+```
+
+Now go into the Nextcloud container:
+```bash
+sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
+```
+Now inside the container:
+```bash
+# Get Base
+BASE_DN="dc=${NC_DOMAIN//./,dc=}"
+
+# Create a new empty ldap config
+CONF_NAME=$(php /var/www/html/occ ldap:create-empty-config -p)
+
+# Check that the base DN matches your domain and retrieve your configuration name
+echo "Base DN: '$BASE_DN', Config name: '$CONF_NAME'"
+
+# Set the ldap password
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapAgentPassword "<your-password>"
+
+# Set the ldap config: Host and connection
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapAdminGroup       lldap_admin
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapAgentName        "cn=admin,ou=people,$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapBase             "$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapHost             "ldap://nextcloud-aio-lldap"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapPort             3890
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapTLS              0
+php /var/www/html/occ ldap:set-config $CONF_NAME turnOnPasswordChange 0
+
+# Set the ldap config: Users
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapBaseUsers             "ou=people,$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapEmailAttribute        mail
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGidNumber             gidNumber
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapLoginFilter           "(&(|(objectclass=person))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapLoginFilterEmail      1
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapLoginFilterUsername   1
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserAvatarRule        default
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserDisplayName       cn
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserFilter            "(|(objectclass=person))"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserFilterMode        0
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapUserFilterObjectclass person
+
+# Set the ldap config: Groups
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapBaseGroups                "ou=groups,$BASE_DN"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupDisplayName          cn
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupFilter               "(&(|(objectclass=groupOfUniqueNames)))"
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupFilterMode           0
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupFilterObjectclass    groupOfUniqueNames
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapGroupMemberAssocAttr      uniqueMember
+php /var/www/html/occ ldap:set-config $CONF_NAME useMemberOfToDetectMembership 1
+
+# Optional : Check the configuration
+#php /var/www/html/occ ldap:show-config $CONF_NAME
+
+# Test the ldap config
+php /var/www/html/occ ldap:test-config $CONF_NAME
+
+# Enable ldap config
+php /var/www/html/occ ldap:set-config $CONF_NAME ldapConfigurationActive 1
+
+# Exit the container shell
+exit
+```
+It's done ! All you have to do is go to the Nextcloud administration interface to see the magic of LDAP.
+
+### Repository
+https://github.com/lldap/lldap
+
+### Maintainer
+https://github.com/docjyj

community-containers/local-ai/local-ai.json

@@ -5,7 +5,7 @@
             "display_name": "Local AI",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/local-ai",
             "image": "szaimen/aio-local-ai",
-            "image_tag": "v1",
+            "image_tag": "v2",
             "internal_port": "8080",
             "restart": "unless-stopped",
             "environment": [

community-containers/local-ai/readme.md

@@ -2,12 +2,13 @@
 This container bundles Local AI and auto-configures it for you.
 
 ### Notes
-- Make sure to have enough storage space available. This container alone needs ~14GB storage on x64, on arm64 only ~4GB. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
+- Make sure to have enough storage space available. This container alone needs ~7GB storage. Every model that you add to `models.yaml` will of course use additional space which adds up quite fast.
 - After the container was started the first time, you should see a new `nextcloud-aio-local-ai` folder when you open the files app with the default `admin` user. In there you should see a `models.yaml` config file. You can now add models in there. Please refer [here](https://github.com/go-skynet/model-gallery/blob/main/index.yaml) where you can get further urls that you can put in there. Afterwards restart all containers from the AIO interface and the models should automatically get downloaded by the local-ai container and activated.
 - Example for content of `models.yaml` (if you add all of them, it takes around 10GB additional space):
 ```yaml
 # Stable Diffusion in NCNN with c++, supported txt2img and img2img 
 - url: github:go-skynet/model-gallery/stablediffusion.yaml
+  name: Stable_diffusion
 
 # Port of OpenAI's Whisper model in C/C++ 
 - url: github:go-skynet/model-gallery/whisper-base.yaml
@@ -17,6 +18,7 @@ This container bundles Local AI and auto-configures it for you.
 - url: github:go-skynet/model-gallery/gpt4all-j.yaml
   name: gpt4all-j
 ```
+-  You need to add gpt4all-j under Text Generation (Default completion model to use) in Connected Accounts in the Administration Settings in Nextcloud, the default does not work.
 -  Additionally after doing so, you might want to enable or disable specific features for your models in the integration_openai settings: `https://your-nc-domain.com/settings/admin/connected-accounts`
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 

community-containers/nocodb/nocodb.json

@@ -0,0 +1,43 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-nocodb",
+            "display_name": "NocoDB",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb",
+            "image": "docjyj/aio-nocodb",
+            "image_tag": "%AIO_CHANNEL%",
+            "internal_port": "10028",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                    "ip_binding": "%APACHE_IP_BINDING%",
+                    "port_number": "10028",
+                    "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "NC_AUTH_JWT_SECRET=%NOCODB_JWT_SECRET%",
+                "NC_PUBLIC_URL=https://tables.%NC_DOMAIN%/",
+                "NC_DASHBOARD_URL=/",
+                "NC_ADMIN_EMAIL=admin@noco.db",
+                "NC_ADMIN_PASS=%NOCODB_USER_PASS%",
+                "PORT=10028",
+                "NC_DISABLE_TELE=true"
+            ],
+            "secrets": [
+                "NOCODB_JWT_SECRET",
+                "NOCODB_USER_PASS"
+            ],
+            "volumes": [
+                {
+                    "source": "nextcloud_aio_nocodb",
+                    "destination": "/usr/app/data",
+                    "writeable": true
+                }
+            ],
+            "backup_volumes": [
+                "nextcloud_aio_nocodb"
+            ]
+        }
+    ]
+}

community-containers/nocodb/readme.md

@@ -0,0 +1,28 @@
+> [!NOTE]
+> This container is there to compensate for the lack of functionality in Nextcloud Tables.
+>
+> When Nextcloud Tables V2 is released, I will stop checking for updates, and will no longer fix any potential issues.
+>
+> Some missing functionality in Nextcloud Tables:
+> - Multiple view layout (Gantt, Kanban, Calendar...)
+> - Field (Person, Tag, File...)
+> - See more here https://github.com/nextcloud/tables/issues/103 
+
+## NocoDb server
+This container bundles NocoDb without synchronization with Nextcloud.
+
+This is an alternative of **Airtable**.
+
+### Notes
+- You need to configure a reverse proxy in order to run this container since nocodb needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy.
+- Currently, only `tables.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, nocodb will use `tables.your-domain.com`.
+- The data of NocoDb will be automatically included in AIOs backup solution!
+- After adding and starting the container, you need to run `docker inspect nextcloud-aio-nocodb  | grep NC_ADMIN_PASS` to obtain the system administrator password (username: `admin@noco.db`). With this information, you can log in to the web interface at `https://tables.$NC_DOMAIN/#/signin`
+- See https://docs.nocodb.com/ for usage of NocoDb
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/docjyJ/aio-nocodb
+
+### Maintainer
+https://github.com/docjyJ

community-containers/plex/readme.md

@@ -2,8 +2,10 @@
 This container bundles Plex and auto-configures it for you.
 
 ### Notes
+- This container is incompatible with the [Jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) community container. So make sure that you do not enable both at the same time!
 - This is not working on arm64 since Plex does only provide x64 docker images.
 - This is not working on Docker Desktop since it needs `network_mode: host` in order to work correctly.
+- This container should usually only be run in home networks as it exposes unencrypted services like DLNA by default which can be disabld via the web interface though.
 - If you have a firewall like ufw configured, you might need to open all Plex ports in there first in order to make it work. Especially port 32400 is important!
 - After adding and starting the container, you need to visit http://ip.address.of.server:32400/manage in order to claim your server with a plex account
 - The data of Plex will be automatically included in AIOs backup solution!

community-containers/readme.md

@@ -2,20 +2,18 @@
 This directory features containers that are built for AIO which allows to add additional functionality very easily.
 
 ## Disclaimers
-⚠️ This is currently beta and not stable yet!
-
 All containers that are in this directory are community maintained so the responsibility is on the community to keep them updated and secure. There is no guarantee that this will be the case in the future.
 
 ## How to use this?
 Before adding any additional container, make sure to create a backup via the AIO interface!
 
-Afterwards, you might want to add additional community containers to the default AIO stack. You can do so by adding `--env AIO_COMMUNITY_CONTAINERS="container1 container2"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must match the folder names in this directory! ⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop!
+Afterwards, you might want to add additional community containers to the default AIO stack. You can do so by adding `--env AIO_COMMUNITY_CONTAINERS="container1 container2"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must match the folder names in this directory! ⚠️⚠️⚠️ Please review the folder for documentation on each of the containers before adding them! Not reviewing the documentation for each of them first might break starting the AIO containers because e.g. fail2ban only works on Linux and not on Docker Desktop! **Hint:** If the containers where running already, in order to actually start the added container, you need to click on `Stop containers` and the `Update and start containers` in order to actually start it.
 
 ## How to add containers?
 Simply submit a PR by creating a new folder in this directory: https://github.com/nextcloud/all-in-one/tree/main/community-containers with the name of your container. It must include a json file with the same name and with correct syntax and a readme.md with additional information. You might get inspired by caddy, fail2ban, local-ai, libretranslate, plex, pi-hole or vaultwarden (subfolders in this directory). For a full-blown example of the json file, see https://github.com/nextcloud/all-in-one/blob/main/php/containers.json. The json-schema that it validates against can be found here: https://github.com/nextcloud/all-in-one/blob/main/php/containers-schema.json.
 
 ### Is there a list of ideas for new community containers?
-Yes, see [this list](https://github.com/nextcloud/all-in-one/discussions/categories/ideas?discussions_q=is%3Aopen+category%3AIdeas+label%3A%22help+wanted%22) for already existing ideas for new community containers. Feel free to pick one up and add it to this folder by following the instructions above.
+Yes, see [this list](https://github.com/nextcloud/all-in-one/discussions/categories/ideas?discussions_q=is%3Aopen+category%3AIdeas+label%3A%22help+wanted%22+sort%3Atop) for already existing ideas for new community containers. Feel free to pick one up and add it to this folder by following the instructions above.
 
 ## How to remove containers from AIOs stack?
 In some cases, you might want to remove some community containers from the AIO stack again. Here is how to do this.

community-containers/stalwart/readme.md

@@ -1,3 +1,11 @@
+> [!WARNING]
+> The Stalwart server is under development.
+> 
+> The stability of Stalwart services is not guaranteed.
+> Do not use this feature as a main mail server without a redundancy system and without knowledge.
+> 
+> To learn or use as a secondary server enjoy it and please report bugs at [docjyj/aio-stalwart](https://github.com/docjyj/aio-stalwart/issues).
+
 ## Stalwart mail server
 This container bundles stalwart mail server and auto-configures it for you.
 
@@ -7,15 +15,14 @@ This container bundles stalwart mail server and auto-configures it for you.
 - You need to configure a reverse proxy in order to run this container since stalwart needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy.
 - Currently, only `mail.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, Stalwart will use `mail.your-domain.com`.
 - The data of Stalwart will be automatically included in AIOs backup solution!
-- After adding and starting the container, you need to run `sudo docker exec -it nextcloud-aio-stalwart configure.sh` and follow https://stalw.art/docs/install/docker/#choose-where-to-store-your-data (1. choose `Local disk using Maildir`, 2. choose `No, create a new directory for me` (or select LDAP if you have an LDAP server), 3. type in your `$NC_DOMAIN` as `domain name` and `mail.$NC_DOMAIN` as `server hostname`. 4. add `DKIM, SPF and DMARC` as advised to your DNS config, 5. Take note of the administrator credentials, 6. Now the config script should exit and automatically restart the container and enable your config.
-- See https://stalw.art/docs/directory/types/memory/ how you can easily create new user accounts. (Alternatively see https://stalw.art/docs/directory/types/ldap if you have an LDAP server). You can edit the config file with `sudo docker exec -it nextcloud-aio-stalwart vi /opt/stalwart-mail/etc/config.toml`. Also, you might want to enable logging to stdout so that you can see the stalwart logs in your container logs via `sudo docker exec -it nextcloud-aio-stalwart vi /opt/stalwart-mail/etc/common/tracing.toml` (you need to restart the container afterwards with `sudo docker restart nextcloud-aio-stalwart` in order to apply the settings).
-- Afterwards, you can visit the basic admin settings in `https://your-nc-domain.com/settings/admin` and add the your mail server for outgoing mails there.
+- After adding and starting the container, you need to run `docker inspect nextcloud-aio-stalwart  | grep STALWART_USER_PASS` to obtain the system administrator password (username: `admin`). With this information, you can log in to the web interface at `https://mail.your-domain.com/login`
+- See https://stalw.art/docs/install/docker/ for next steps.
 - Additionally, you might want to install and configure [snappymail](https://apps.nextcloud.com/apps/snappymail) or [mail](https://apps.nextcloud.com/apps/mail) inside Nextcloud in order to use your mail accounts for sending and retrieving mails.
 - See https://stalw.art/docs/faq for further faq and docs on the project
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository
-https://github.com/marcoambrosini/aio-stalwart
+https://github.com/docjyj/aio-stalwart
 
 ### Maintainer
-https://github.com/marcoambrosini
+https://github.com/docjyj

community-containers/stalwart/stalwart.json

@@ -4,9 +4,9 @@
             "container_name": "nextcloud-aio-stalwart",
             "display_name": "Stalwart",
             "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart",
-            "image": "marcoambrosini/aio-stalwart",
-            "image_tag": "v1",
-            "internal_port": "587",
+            "image": "docjyj/aio-stalwart",
+            "image_tag": "%AIO_CHANNEL%",
+            "internal_port": "10003",
             "restart": "unless-stopped",
             "ports": [
                 {
@@ -38,11 +38,20 @@
                   "ip_binding": "",
                   "port_number": "4190",
                   "protocol": "tcp"
+                },
+                {
+                  "ip_binding": "%APACHE_IP_BINDING%",
+                  "port_number": "10003",
+                  "protocol": "tcp"
                 }
             ],
             "environment": [
                 "TZ=%TIMEZONE%",
-                "NC_DOMAIN=%NC_DOMAIN%"
+                "NC_DOMAIN=%NC_DOMAIN%",
+                "STALWART_USER_PASS=%STALWART_USER_PASS%"
+            ],
+            "secrets": [
+                "STALWART_USER_PASS"
             ],
             "volumes": [
                 {

community-containers/stalwart/upgrading.md

@@ -0,0 +1,29 @@
+> [!NOTE]
+> Unless the starting script tells you, you have no action to do to update.
+
+# UPGRADING
+
+During a major server update, this message will be displayed:
+
+> Your data is in an old format.
+> 
+> Make a backup and see https://github.com/nextcloud/all-in-one/blob/main/community-containers/stalwart/upgrading.md
+> 
+> To avoid any loss of data, Stalwart will not launch.
+
+If there is no update, delete the `/opt/stalwart-mail/aio.lock` file from the container. Beware of data loss.
+
+See https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md
+
+> [!CAUTION]
+> Before each update don't forget to make a backup.
+
+## Upgrading from 0.7.x to 0.8.x
+
+Before upgrading, do a backup of your data !
+
+```bash
+sudo docker run --rm -v nextcloud_aio_stalwart:/opt/stalwart-mail -it --entrypoint /usr/local/bin/stalwart-mail stalwartlabs/mail-server:v0.7.3 --config /opt/stalwart-mail/etc/config.toml --export /opt/stalwart-mail/export
+sudo docker run --rm -v nextcloud_aio_stalwart:/opt/stalwart-mail -it --entrypoint /usr/local/bin/stalwart-mail stalwartlabs/mail-server:v0.8.0 --config /opt/stalwart-mail/etc/config.toml --import /opt/stalwart-mail/export
+sudo docker run --rm -v nextcloud_aio_stalwart:/opt/stalwart-mail -it --entrypoint /bin/rm alpine /opt/stalwart-mail/aio.lock
+```

community-containers/vaultwarden/readme.md

@@ -7,6 +7,7 @@ This container bundles vaultwarden and auto-configures it for you.
 - If you want to secure the installation with fail2ban, you might want to check out https://github.com/nextcloud/all-in-one/tree/main/community-containers/fail2ban
 - The data of Vaultwarden will be automatically included in AIOs backup solution!
 - After adding and starting the container, you need to visit `https://bw.your-domain.com/admin` in order to log in with the admin key that you can retrieve when running `sudo docker inspect nextcloud-aio-vaultwarden | grep ADMIN_TOKEN`. There you can configure smtp first and then invite users via mail. After this is done, you might disable the admin panel via the reverse proxy by blocking connections to the subdirectory.
+- If using the caddy community container, the vaultwarden admin interface can be disabled by creating a `block-vaultwarden-admin` file in the `nextcloud-aio-caddy` folder when you open the Nextcloud files app with the default `admin` user. Afterwards restart all containers from the AIO interface and the admin interface should be disabled! You can unlock the admin interface by removing the file again and afterwards restarting the containers via the AIO interface.
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
 
 ### Repository

compose.yaml

@@ -7,33 +7,31 @@ services:
     volumes:
       - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
       - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
+    network_mode: bridge # add to the same network as docker run would do
     ports:
       - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
       - 8080:8080
       - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
     # environment: # Is needed when using any of the options below
-      # - AIO_DISABLE_BACKUP_SECTION=false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
-      # - APACHE_PORT=11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - APACHE_IP_BINDING=127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
-      # - BORG_RETENTION_POLICY=--keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
-      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
-      # - NEXTCLOUD_DATADIR=/mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
-      # - NEXTCLOUD_MOUNT=/mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
-      # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
-      # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
-      # - NEXTCLOUD_MEMORY_LIMIT=512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
-      # - NEXTCLOUD_TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
-      # - NEXTCLOUD_STARTUP_APPS=deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
-      # - NEXTCLOUD_ADDITIONAL_APKS=imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
-      # - NEXTCLOUD_ENABLE_DRI_DEVICE=true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
-      # - NEXTCLOUD_KEEP_DISABLED_APPS=false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
-      # - TALK_PORT=3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
-      # - WATCHTOWER_DOCKER_SOCKET_PATH=/var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
-    # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
-      # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file
-    # # Uncomment the following line when using SELinux
-    # security_opt: ["label:disable"]
+      # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section
+      # APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
+      # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy
+      # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
+      # NEXTCLOUD_DATADIR: /mnt/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir
+      # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host
+      # NEXTCLOUD_UPLOAD_LIMIT: 10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
+      # NEXTCLOUD_MAX_TIME: 3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
+      # NEXTCLOUD_MEMORY_LIMIT: 512M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud
+      # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca
+      # NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup
+      # NEXTCLOUD_ADDITIONAL_APKS: imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container
+      # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container
+      # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud
+      # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps
+      # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port
+      # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock'
+    # security_opt: ["label:disable"] # Is needed when using SELinux
 
   # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
   # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
@@ -53,14 +51,3 @@ volumes: # If you want to store the data on a different drive, see https://githu
   nextcloud_aio_mastercontainer:
     name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
 
-# # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network.
-# # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose
-# networks:
-#   nextcloud-aio:
-#     name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO
-#     driver: bridge
-#     enable_ipv6: true
-#     ipam:
-#       driver: default
-#       config:
-#         - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use

docker-ipv6-support.md

@@ -1,18 +1,12 @@
 # IPv6-Support for Docker
 
-Before enabling IPv6-Support for Docker, please note that there are still some unresolved problems in regards to IPv6-Support in Docker. See https://github.com/nextcloud/all-in-one/discussions/2557 for more details on this.
-
-Now that this was mentioned, see the instructions below on how to enable IPv6 for Docker.
-
 ## Docker on Linux and Docker-rootless
-1.  Edit `/etc/docker/daemon.json` (or `~/.config/docker/daemon.json` in case of docker-rootless), set the `ipv6` key to `true` and the `fixed-cidr-v6` key to your IPv6 subnet. In this example we are setting it to `fd12:3456:789a:1::/64`. Additionally set `experimental` to `true` and `ip6tables` to `true` as well. If you are using mailcow and enabled IPv6 with the update.sh, you can keep their daemon.json, it will work too.
+First of all upgrade your docker installation to v27.0.1 or higher.
+1. Then edit `/etc/docker/daemon.json` (or `~/.config/docker/daemon.json` in case of docker-rootless), add the below json:
 
     ```json
     {
-      "ipv6": true,
-      "fixed-cidr-v6": "fd12:3456:789a:1::/64",
-      "experimental": true,
-      "ip6tables": true
+      "default-network-opts": {"bridge":{"com.docker.network.enable_ipv6":"true"}}
     }
     ```
 
@@ -23,23 +17,21 @@ Now that this was mentioned, see the instructions below on how to enable IPv6 fo
     ```console
     sudo systemctl restart docker
     ```
-3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `sudo docker network inspect nextcloud-aio | grep EnableIPv6`. On a new instance, this command should return that it did not find a network with this name. Then you can run `sudo docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/2045 in order to recreate the network and enable ipv6 for it.
+3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `sudo docker network inspect nextcloud-aio | grep EnableIPv6`. On a new instance, this command should return that it did not find a network with this name. Then you can run `sudo docker network create nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/4989 in order to recreate the network and enable ipv6 for it.
 
 ## Docker Desktop (Windows and macOS)
-On Windows and macOS which use Docker Desktop, you need to go into the settings, and select `Docker Engine`. There you should see the currently used daemon.json file. 
+First of all upgrade your docker desktop installation to v4.32.0 or higher.
+Then, on Windows and macOS which use Docker Desktop, you need to go into the settings, and select `Docker Engine`. There you should see the currently used daemon.json file. 
 
-1. You need to now adjust this json file by setting the `ipv6` key to `true` and the `fixed-cidr-v6` key to your IPv6 subnet. In this example we are setting it to `fd12:3456:789a:1::/64`. Additionally set `experimental` to `true` and `ip6tables` to `true` as well.
+1. You need to now adjust this json file:
 
     ```
-    "ipv6": true,
-    "fixed-cidr-v6": "fd12:3456:789a:1::/64",
-    "experimental": true,
-    "ip6tables": true
+    "default-network-opts": {"bridge":{"com.docker.network.enable_ipv6":"true"}}
     ```
 
 2. Add these values to the json and make sure to keep the other currently values and that you don't see `Unexpected token in JSON at position ...` before attempting to restart by clicking on `Apply & restart`.
-3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `docker network inspect nextcloud-aio`. On a new instance, this command should return that it did not find a network with this name. Then you can run `docker network create --subnet="fd12:3456:789a:2::/64" --driver bridge --ipv6 nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/2045 in order to recreate the network and enable ipv6 for it.
+3. Make sure that ipv6 is enabled for the internal `nextcloud-aio` network by running `sudo docker network inspect nextcloud-aio | grep EnableIPv6`. On a new instance, this command should return that it did not find a network with this name. Then you can run `sudo docker network create nextcloud-aio` in order to create the network with ipv6-support. However if it finds the network and its value `EnableIPv6` is set to false, make sure to follow https://github.com/nextcloud/all-in-one/discussions/4989 in order to recreate the network and enable ipv6 for it.
 
 ---
 
-**Note**: This is a copy of the original docker docs at https://docs.docker.com/config/daemon/ipv6/ which apparently are not correct. However experimental is set to true which the ip6tables feature needs. Thus it will not get included into the official docs. However it is needed to make it work in our testing.
+**Note**: This is a copy of the original docker docs at https://docs.docker.com/config/daemon/ipv6/ which apparently are not correct.

manual-install/latest.yml

@@ -24,6 +24,7 @@ services:
     environment:
       - NC_DOMAIN=${NC_DOMAIN}
       - NEXTCLOUD_HOST=nextcloud-aio-nextcloud
+      - APACHE_HOST=nextcloud-aio-apache
       - COLLABORA_HOST=nextcloud-aio-collabora
       - TALK_HOST=nextcloud-aio-talk
       - APACHE_PORT=${APACHE_PORT}
@@ -45,6 +46,8 @@ services:
       - /usr/local/apache2/logs
       - /tmp
       - /home/www-data
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-database:
     image: nextcloud/aio-postgresql:latest
@@ -68,6 +71,8 @@ services:
     read_only: true
     tmpfs:
       - /var/run/postgresql
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-nextcloud:
     depends_on:
@@ -101,6 +106,7 @@ services:
       - ${NEXTCLOUD_TRUSTED_CACERTS_DIR}:/usr/local/share/ca-certificates:ro
     environment:
       - POSTGRES_HOST=nextcloud-aio-database
+      - POSTGRES_PORT=5432
       - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
       - POSTGRES_DB=nextcloud_database
       - POSTGRES_USER=nextcloud
@@ -128,6 +134,7 @@ services:
       - TALK_PORT=${TALK_PORT}
       - IMAGINARY_ENABLED=${IMAGINARY_ENABLED}
       - IMAGINARY_HOST=nextcloud-aio-imaginary
+      - CLAMAV_MAX_SIZE=${APACHE_MAX_SIZE}
       - PHP_UPLOAD_LIMIT=${NEXTCLOUD_UPLOAD_LIMIT}
       - PHP_MEMORY_LIMIT=${NEXTCLOUD_MEMORY_LIMIT}
       - FULLTEXTSEARCH_ENABLED=${FULLTEXTSEARCH_ENABLED}
@@ -144,11 +151,13 @@ services:
       - FULLTEXTSEARCH_PASSWORD=${FULLTEXTSEARCH_PASSWORD}
       - REMOVE_DISABLED_APPS=${REMOVE_DISABLED_APPS}
       - APACHE_PORT=${APACHE_PORT}
-      - APACHE_IP_BINDING=${APACHE_IP_BINDING}
+      - IMAGINARY_SECRET=${IMAGINARY_SECRET}
     stop_grace_period: 600s
     restart: unless-stopped
     networks:
       - nextcloud-aio
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-notify-push:
     image: nextcloud/aio-notify-push:latest
@@ -163,6 +172,7 @@ services:
       - REDIS_HOST=nextcloud-aio-redis
       - REDIS_HOST_PASSWORD=${REDIS_PASSWORD}
       - POSTGRES_HOST=nextcloud-aio-database
+      - POSTGRES_PORT=5432
       - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
       - POSTGRES_DB=nextcloud_database
       - POSTGRES_USER=nextcloud
@@ -170,6 +180,8 @@ services:
     networks:
       - nextcloud-aio
     read_only: true
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-redis:
     image: nextcloud/aio-redis:latest
@@ -185,6 +197,8 @@ services:
     networks:
       - nextcloud-aio
     read_only: true
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-collabora:
     image: nextcloud/aio-collabora:latest
@@ -205,6 +219,9 @@ services:
       - nextcloud-aio
     cap_add:
       - MKNOD
+      - SYS_ADMIN
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-talk:
     image: nextcloud/aio-talk:latest
@@ -216,6 +233,7 @@ services:
       - "8081"
     environment:
       - NC_DOMAIN=${NC_DOMAIN}
+      - TALK_HOST=nextcloud-aio-talk
       - TURN_SECRET=${TURN_SECRET}
       - SIGNALING_SECRET=${SIGNALING_SECRET}
       - TZ=${TIMEZONE}
@@ -234,6 +252,8 @@ services:
       - /opt/eturnal/run
       - /conf
       - /tmp
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-talk-recording:
     image: nextcloud/aio-talk-recording:latest
@@ -255,6 +275,8 @@ services:
     tmpfs:
       - /tmp
       - /conf
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-clamav:
     image: nextcloud/aio-clamav:latest
@@ -263,6 +285,7 @@ services:
       - "3310"
     environment:
       - TZ=${TIMEZONE}
+      - MAX_SIZE=${NEXTCLOUD_UPLOAD_LIMIT}
       - CLAMD_STARTUP_TIMEOUT=90
     volumes:
       - nextcloud_aio_clamav:/var/lib/clamav:rw
@@ -276,6 +299,8 @@ services:
       - /var/lock
       - /var/log/clamav
       - /tmp
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-onlyoffice:
     image: nextcloud/aio-onlyoffice:latest
@@ -294,6 +319,8 @@ services:
       - onlyoffice
     networks:
       - nextcloud-aio
+    cap_drop:
+      - NET_RAW
 
   nextcloud-aio-imaginary:
     image: nextcloud/aio-imaginary:latest
@@ -302,9 +329,12 @@ services:
       - "9000"
     environment:
       - TZ=${TIMEZONE}
+      - IMAGINARY_SECRET=${IMAGINARY_SECRET}
     restart: unless-stopped
     cap_add:
       - SYS_NICE
+    cap_drop:
+      - NET_RAW
     profiles:
       - imaginary
     networks:
@@ -336,6 +366,8 @@ services:
       - fulltextsearch
     networks:
       - nextcloud-aio
+    cap_drop:
+      - NET_RAW
 
 volumes:
   nextcloud_aio_apache:
@@ -357,13 +389,6 @@ volumes:
   nextcloud_aio_nextcloud_data:
     name: nextcloud_aio_nextcloud_data
 
-# Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 networks:
   nextcloud-aio:
     name: nextcloud-aio
-    driver: bridge
-    enable_ipv6: true
-    ipam:
-      driver: default
-      config:
-        - subnet: ${IPV6_NETWORK}

manual-install/readme.md

@@ -22,7 +22,8 @@ First, install docker and docker-compose (v2) if not already done. Then simply r
 git clone https://github.com/nextcloud/all-in-one.git
 cd all-in-one/manual-install
 ```
-Then copy the sample.conf to default environment file, e.g. `cp sample.conf .env`, open the new conf file, e.g. with `nano .env`, edit all values that are marked with `# TODO!`, close and save the file. (Note: there is no clamav image for arm64).
+Then copy the sample.conf to default environment file, e.g. `cp sample.conf .env`, open the new conf file, e.g. with `nano .env`, edit all values that are marked with `# TODO!`, close and save the file. (Note: there is no clamav image for arm64).<br>
+⚠️ **Warning**: Do not use the symbols `@` and `:` in your passwords. These symbols are used to build database connection strings. You will experience issues when using these symbols!
 
 Now copy the provided yaml file to a compose.yaml file by running `cp latest.yml compose.yaml`.
 

manual-install/sample.conf

@@ -1,5 +1,6 @@
 DATABASE_PASSWORD=          # TODO! This needs to be a unique and good password!
 FULLTEXTSEARCH_PASSWORD=          # TODO! This needs to be a unique and good password!
+IMAGINARY_SECRET=          # TODO! This needs to be a unique and good password!
 NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.
 NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".
 ONLYOFFICE_SECRET=          # TODO! This needs to be a unique and good password!
@@ -36,4 +37,3 @@ NEXTCLOUD_UPLOAD_LIMIT=10G          # This allows to change the upload limit of
 REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.
 TALK_PORT=3478          # This allows to adjust the port that the talk container is using.
 UPDATE_NEXTCLOUD_APPS="no"          # When setting to "yes" (with quotes), it will automatically update all installed Nextcloud apps upon container startup on saturdays.
-IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use

manual-install/update-yaml.sh

@@ -95,7 +95,6 @@ sed -i 's|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS=|NEXTCLOUD_ADDITIONAL_PHP_EXTENSIO
 sed -i 's|INSTALL_LATEST_MAJOR=|INSTALL_LATEST_MAJOR=no        # Setting this to yes will install the latest Major Nextcloud version upon the first installation|' sample.conf
 sed -i 's|REMOVE_DISABLED_APPS=|REMOVE_DISABLED_APPS=yes        # Setting this to no keep Nextcloud apps that are disabled via their switch and not uninstall them if they should be installed in Nextcloud.|' sample.conf
 sed -i 's|=$|=          # TODO! This needs to be a unique and good password!|' sample.conf
-echo 'IPV6_NETWORK=fd12:3456:789a:2::/64 # IPv6 subnet to use' >> sample.conf
 
 grep  '# TODO!' sample.conf > todo.conf
 grep -v '# TODO!\|_ENABLED' sample.conf > temp.conf
@@ -139,16 +138,9 @@ done
 
 cat << NETWORK >> containers.yml
 
-# Inspired by https://github.com/mailcow/mailcow-dockerized/blob/master/docker-compose.yml
 networks:
   nextcloud-aio:
     name: nextcloud-aio
-    driver: bridge
-    enable_ipv6: true
-    ipam:
-      driver: default
-      config:
-        - subnet: \${IPV6_NETWORK}
 NETWORK
 
 cat containers.yml > latest.yml

manual-upgrade.md

@@ -1,26 +1,123 @@
 # Manual upgrade
 
-If you do not install any upgrade for around 6-12 months or longer, it can happen that your instance is so outdated that in the meantime the PHP version of the Nextcloud container got bumped to a version that is not compatible with your currently installed Nextcloud version which means that after doing an upgrade after this long time, Nextcloud will suddenly not work anymore. There is unfortunately no way to fix this from the maintainer side if you refrain from upgrading for so long.
+If you do not update Nextcloud AIO for a long time (6+ months), when you eventually update in the AIO interface you will find Nextcloud no longer works. This is due to incompatible PHP versions within the nextcloud container.
+There is unfortunately no way to fix this from a maintainer POV if you refrain from upgrading for so long.
 
-The only way to fix this on your side is upgrading regularly (e.g. by enabling daily backups which will also automatically upgrade all containers) and following the steps below:
+The only way to fix this on your side is upgrading regularly (e.g. by enabling daily backups which will also automatically upgrade all containers) and following the steps below to get back to a normal state:
 
-1. Start all containers from the aio interface (now, it will report that Nextcloud is restarting because it is not able to start due to the above mentioned problem)
-1. Do **not** click on `Stop containers` because you will need them running going forward, see below
-1. Find out with which PHP version your installed Nextcloud is compatible by running `sudo docker exec nextcloud-aio-nextcloud cat lib/versioncheck.php`. (There you will find information about the max. supported PHP version.)
+---
 
-1. Stop the Nextcloud container and the Apache container by running `sudo docker stop nextcloud-aio-nextcloud && sudo docker stop nextcloud-aio-apache`.
-1. Run the following commands in order to reverse engineer the Nextcloud container:
+## Method 1
+
+1. Start all containers from the AIO interface 
+    - Now, it will report that Nextcloud is restarting because it is not able to start due to the above mentioned problem
+    - #### Do **not** click on `Stop containers` because you will need them running going forward, see below
+2. Find out with which PHP version your installed Nextcloud is compatible by running `sudo docker exec nextcloud-aio-nextcloud cat lib/versioncheck.php`. 
+    - There you will find information about the max. supported PHP version
+    - **Make a mental note of this**
+3. Stop the Nextcloud container and the Apache container by running 
+    ```bash
+        sudo docker stop nextcloud-aio-nextcloud && sudo docker stop nextcloud-aio-apache
+    ```
+4. Run the following commands in order to reverse engineer the Nextcloud container:
     ```bash
         sudo docker pull assaflavie/runlike
         echo '#!/bin/bash' > /tmp/nextcloud-aio-nextcloud
         sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock assaflavie/runlike -p nextcloud-aio-nextcloud >> /tmp/nextcloud-aio-nextcloud
         sudo chown root:root /tmp/nextcloud-aio-nextcloud
     ```
-1. Now open the file with e.g. nano: `sudo nano /tmp/nextcloud-aio-nextcloud` and change the line that should probably be `nextcloud/aio-nextcloud:latest` on x64 or `nextcloud/aio-nextcloud:latest-arm64` on arm64 to the highest compatible PHP version: E.g. `nextcloud/aio-nextcloud:php8.0-latest`. Then save the file and close it with `[Ctrl]+[o]` -> `[Enter]` and `[Ctrl]+[x]`.
-1. After doing so, remove the Nextcloud container with `sudo docker rm nextcloud-aio-nextcloud`.
-1. Now start the Nextcloud container with the new tag by simply running `sudo bash /tmp/nextcloud-aio-nextcloud` which at startup should automatically upgrade Nextcloud to a more recent version. If not, make sure that there is no `skip.update` file in the Nextcloud datadir. If there is such a file, simply delete the file and restart the container again.<br>
+5. Now open `/tmp/nextcloud-aio-nextcloud` with a text editor, and edit the container tag:
+
+
+| To change                              | Replace with                                        |
+|----------------------------------------|-----------------------------------------------------|
+| `nextcloud/aio-nextcloud:latest`       | `nextcloud/aio-nextcloud:php{version}-latest`       |
+| `nextcloud/aio-nextcloud:latest-arm64` | `nextcloud/aio-nextcloud:php{version}-latest-arm64` |
+
+
+
+ - e.g. `nextcloud/aio-nextcloud:php8.0-latest` or `nextcloud/aio-nextcloud:php8.0-latest-arm64`
+ - However, if you are unsure check the docker hub (https://hub.docker.com/r/nextcloud/aio-nextcloud/tags)
+ - Using nano and the arrow keys to navigate:
+  - `sudo nano /tmp/nextcloud-aio-nextcloud` making changes as above, then `[Ctrl]+[o]` -> `[Enter]` and `[Ctrl]+[x]` to save and exit.
+6. Next, stop and remove the current container: 
+    ```bash
+        sudo docker stop nextcloud-aio-nextcloud
+        sudo docker rm nextcloud-aio-nextcloud
+    ```
+7. Now start the Nextcloud container with the new tag by simply running `sudo bash /tmp/nextcloud-aio-nextcloud` which at startup should automatically upgrade Nextcloud to a more recent version. If not, make sure that there is no `skip.update` file in the Nextcloud datadir. If there is such a file, simply delete the file and restart the container again.<br>
 **Info**: You can open the Nextcloud container logs with `sudo docker logs -f nextcloud-aio-nextcloud`.
-1. After the Nextcloud container is started (you can tell by looking at the logs), simply restart the container again with `sudo docker restart nextcloud-aio-nextcloud` until it does not install a new Nextcloud update anymore upon the container startup.
-1. Now, you should be able to use the AIO interface again by simply stopping the AIO containers and starting them again which should finally bring up your instance again.
-1. If not and if you get the same error again, you may repeat the process starting from the beginning again until your Nextcloud version is finally up-to-date.
-1. Now, if everything is finally running as usual again, it is recommended to create a backup in order to save the current state. Also you should think about enabling daily backups if doing regularl upgrades is too much effort for you.
+8. After the Nextcloud container is started (you can tell by looking at the logs), simply restart the container again with `sudo docker restart nextcloud-aio-nextcloud` until it does not install a new Nextcloud update anymore upon the container startup.
+9. Now, you should be able to use the AIO interface again by simply stopping the AIO containers and starting them again which should finally bring up your instance again.
+10. If not and if you get the same error again, you may repeat the process starting from the beginning again until your Nextcloud version is finally up-to-date.
+11. Now, if everything is finally running as usual again, it is recommended to create a backup in order to save the current state. Consider enabling daily backups if doing regular upgrades is a hassle for you. 
+
+---
+
+## Method 2
+#### *Approach using portainer if method 1 does not work for you*
+
+Prerequisite: have all containers from AIO interface running.
+
+<details>
+<summary>Click to expand</summary>
+
+##### 1. Install portainer if not installed:
+```bash
+docker volume create portainer_data
+docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
+```
+- If you have a reverse proxy
+    - you can setup and navigate using a domain name.
+- For the **standard** AIO install
+    - Open port 9443 on your firewall
+    - navigate to `https://<server-ip>:9443`
+- Accept the insecure self-signed certificate and set an admin password
+- If prompted to add an environment
+    - add local
+
+##### 2. Within the local portainer environment navigate to the **containers** tab 
+- Here you should see all the various containers running
+
+##### 3. Now we need to stop the `nextcloud-aio-nextcloud` and `nextcloud-aio-apache` containers
+
+-  This can be done by selecting the checkbox's next to the containers' name and clicking the **Stop** button at the top
+    - or you can click into individual containers and stop them there
+
+##### 4. Find the version of PHP compatible with the running nextcloud container
+- navigate to ```nextcloud-aio-nextcloud``` and click on ```logs```, you should see something along the lines of:
+```logs
+This version of nextcloud is not compatible with >=php 8.2, you are currently running php 8.2.18
+```
+Make **note** of the version which is compatible, rounding down to 1 digit after the dot. 
+ - In this example we would want php 8.1 since anything with 8.2 or above is incompatible
+
+##### 5. Find the correct container version
+In general it should be ```nextcloud/aio-nextcloud:php8.x-latest-arm64``` or `nextcloud/aio-nextcloud:php8.x-latest` replacing `x` with the version you require.
+However, if you are unsure check the docker hub (https://hub.docker.com/r/nextcloud/aio-nextcloud/tags)
+
+##### 6. Replace the container
+- Navigate to the ```nextcloud-aio-nextcloud``` container within portainer
+- Click ```Duplicate/Edit```
+- Within image, change this to the correct version from Step 5
+- Click ```Deploy the container```
+    - if you are prompted to force repull the image click the slider and press pull image
+
+*Navigate to the nextcloud-aio-nextcloud logs and you will see the container updating*
+
+Once you see no more activities in the logs or a message like ```NOTICE: ready to handle connections```, we've done it!
+
+#### Now you can handle everything through the AIO admin interface and stop and restart the containers normally.
+
+---
+
+##### 7. Last Step is removing portainer if you don't want to keep it
+
+```bash
+docker stop portainer
+docker rm portainer
+docker volume rm portainer_data
+```
+- Make sure you close port 9443 on your firewall and delete any necessary reverse proxy hosts.
+
+</details>

migration.md

@@ -33,7 +33,7 @@ The procedure for migrating the files and the database works like this:
         ```
     1. Create a new database by running:
         ```
-        export PG_USER="ncadmin"
+        export PG_USER="ncadmin" # This is a temporary user that gets created for the dump but is then overwritten by the correct one later on
         export PG_PASSWORD="my-temporary-password"
         export PG_DATABASE="nextcloud_db"
         sudo -u postgres psql <<END
@@ -68,7 +68,8 @@ The procedure for migrating the files and the database works like this:
     1. Change it to look like this: `local::/mnt/ncdata/`.
     1. Now save the file by pressing `[CTRL] + [o]` then `[ENTER]` and close nano by pressing `[CTRL] + [x]`
     1. In order to make sure that everything is good, you can now run `grep "/your/old/datadir" database-dump.sql` which should not bring up further results.<br>
-    1. **Please note:** Unfortunately it is not possible to import a database dump from a former database owner with the name `nextcloud`. You can check if that is the case with this command: `grep "Name: oc_appconfig; Type: TABLE; Schema: public; Owner:" database-dump.sql | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g'`. If it returns `nextcloud`, you need to rename the owner in the dump file manually. A command like the following should work, however please note that it is possible that it will overwrite wrong lines. You can thus first check which lines it will change with `grep "Owner: nextcloud$" database-dump.sql`. If only correct  looking lines get returned, feel free to change them with `sed -i 's|Owner: nextcloud$|Owner: ncadmin|' database-dump.sql`. 
+    1. **Please note:** Unfortunately it is not possible to import a database dump from a former database owner with the name `nextcloud`. You can check if that is the case with this command: `grep "Name: oc_appconfig; Type: TABLE; Schema: public; Owner:" database-dump.sql | grep -oP 'Owner:.*$' | sed 's|Owner:||;s| ||g'`. If it returns `nextcloud`, you need to rename the owner in the dump file manually. A command like the following should work, however please note that it is possible that it will overwrite wrong lines. You can thus first check which lines it will change with `grep "Owner: nextcloud$" database-dump.sql`. If only correct looking lines get returned, feel free to change them with `sed -i 's|Owner: nextcloud$|Owner: ncadmin|' database-dump.sql`.
+The same applies for the second statement, check with `grep " OWNER TO nextcloud;$" database-dump.sql` and replace with `sed -i 's| OWNER TO nextcloud;$| OWNER TO ncadmin;|' database-dump.sql`.
 1. Next, copy the database dump into the correct place and prepare the database container which will import from the database dump automatically the next container start: 
     ```
     sudo docker run --rm --volume nextcloud_aio_database_dump:/mnt/data:rw alpine rm /mnt/data/database-dump.sql

multiple-instances.md

@@ -3,17 +3,224 @@ It is possible to run multiple instances of AIO on one server.
 
 There are two ways to achieve this: The normal way is creating multiple VMs, installing AIO in [reverse proxy mode](./reverse-proxy.md) in each of them and having one reverse proxy in front of them that points to each VM (you also need to [use a different `TALK_PORT`](https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port) for each of them). The second and more advanced way is creating multiple users on the server and using docker rootless for each of them in order to install multiple instances on the same server. 
 
-Below is described more in detail how the the second way works.
 
 ## Run multiple AIO instances on the same server with docker rootless
 1. Create as many linux users as you need first. The easiest way is to use `sudo adduser` and follow the setup for that. Make sure to create a strong unique password for each of them and write it down!
 1. Log in as each of the users by opening a new SSH connection as the user and install docker rootless for each of them by following step 0-1 and 3-4 of the [docker rootless documentation](./docker-rootless.md) (you can skip step 2 in this case).
-1. Then install AIO in reverse proxy mode by using the command that is descriebed in step 2 and 3 of the [reverse proxy documentation](./reverse-proxy.md) but use a different `APACHE_PORT` and [`TALK_PORT`](https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port) for each instance as otherwise it will bug out. Also make sure to adjust the docker socket and `WATCHTOWER_DOCKER_SOCKET_PATH` correctly for each of them by following step 6 of the [docker rootless documentation](./docker-rootless.md). Additionally, modify `--publish 8080:8080` to a different port for each container, e.g. `8081:8080` as otherwise it will not work.<br>
+1. Then install AIO in reverse proxy mode by using the command that is described in step 2 and 3 of the [reverse proxy documentation](./reverse-proxy.md) but use a different `APACHE_PORT` and [`TALK_PORT`](https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port) for each instance as otherwise it will bug out. Also make sure to adjust the docker socket and `WATCHTOWER_DOCKER_SOCKET_PATH` correctly for each of them by following step 6 of the [docker rootless documentation](./docker-rootless.md). Additionally, modify `--publish 8080:8080` to a different port for each container, e.g. `8081:8080` as otherwise it will not work.<br>
 **⚠️ Please note:** If you want to adjust the `NEXTCLOUD_DATADIR`, make sure to apply the correct permissions to the chosen path as documented at the bottom of the [docker rootless documentation](./docker-rootless.md). Also for the built-in backup to work, the target path needs to have the correct permissions as documented there, too.
 1. Now install your webserver of choice on the host system. It is recommended to use caddy for this as it is by far the easiest solution. You can do so by following https://caddyserver.com/docs/install#debian-ubuntu-raspbian or below. (It needs to be installed directly on the host or on a different server in the same network).
 1. Next create your Caddyfile with multiple entries and domains for the different instances like described in step 1 of the [reverse proxy documentation](./reverse-proxy.md). Obviously each domain needs to point correctly to the chosen `APACHE_PORT` that you've configured before. Then start Caddy which should automatically get the needed certificates for you if your domains are configured correctly and ports 80 and 443 are forwarded to your server.
 1. Now open each of the AIO interfaces by opening `https://ip.address.of.this.server:8080` or e.g. `https://ip.address.of.this.server:8081` or as chosen during step 3 of this documentation. 
 1. Finally type in the domain that you've configured for each of the instances during step 5 of this documentation and you are done.
-1. Please also do not forget to open/forward each chosen `TALK_PORT` UPD and TCP in your firewall/router as otherwise Talk will not work correctly!
+1. Please also do not forget to open/forward each chosen `TALK_PORT` UDP and TCP in your firewall/router as otherwise Talk will not work correctly!
 
 Now everything should be set up correctly and you should have created multiple working instances of AIO on the same server!
+
+
+## Run multiple AIO instances on the same server inside their own virtual machines
+This guide will walk you through creating and configuring two (or more) Debian-based VMs (with "reverse proxy mode" Nextcloud AIO installed in each VM), behind one Caddy reverse proxy, all running on one host physical machine (like a laptop or desktop PC). It's highly recommend to follow the steps in order. Steps 1 through 4 will need to be repeated. Steps 5 through 8 only need to be completed once. All commands are expected to be run as root.
+
+<details><summary><strong>PLEASE READ: A few expectations about your network</strong></summary>
+This guide assumes that you have forwarded ports 443 and 8443 to your host physical machine via your router's configuration page, and either set up Dynamic DNS or obtained a static outbound IP address from your ISP. If this is not the case, or if you are brand-new to networking, you probably should not proceed with this guide, unless you are just using it for educational purposes. Proper network setup and security is critical when it comes to keeping your data safe. You may consider hosting using a VPS instead, or choosing one of <a href="https://nextcloud.com/providers/">Nextcloud's trusted providers.</a>
+</details>
+
+<details><summary><strong>A note for VPS users</strong></summary>
+If you want to do this on a VPS, and your VPS is KVM-based and provides a static IP address, you can likely benefit from this guide too! Simply replace the words "host physical machine" with "VPS" and follow along.
+</details>
+
+**Before starting:** Make sure your host physical machine has enough resources. A host machine with 8GB RAM and 100GB storage is sufficient for running two fairly minimal VMs, with 2GB RAM and 32GB storage allocated to each VM. This guide assumes you have these resources at the minimum. This is fine for just testing the setup, but you will probably want to allocate more resources to your VMs if you plan to use this for day-to-day use.
+If your host machine has more than 8GB memory available, and you plan to enable any of the optional containers (Nextcloud Office, Talk, Imaginary, etc.) in any of your instances, then you should definitely allocate more memory to the VM hosting that instance. In other words, before turning on any extra features inside a particular AIO interface, make sure you've first allocated enough resources to the VM that the instance is running inside. If in doubt, the AIO interface itself gives great recommendations for extra CPU and RAM allocation.
+
+**Additional prerequisites:** Your host physical machine needs to have virtualization enabled in it's UEFI/BIOS. It also needs a few tools installed in order to create VMs. Assuming your host machine is a bare-bones Ubuntu or Debian Linux server without a desktop environment installed, the easiest way to create VMs is to install *QEMU*, *virsh*, *virt-install*, and a few extra packages to support UEFI booting and network config ([more info](https://wiki.debian.org/KVM)). You only need to do this once. To do this, run this command (**on the host physical machine**):
+<!--
+```shell
+# For host machines running Ubuntu Server:
+apt install --no-install-recommends qemu-system libvirt-clients libvirt-daemon-system virtinst ovmf bridge-utils
+```
+```shell
+# For host machines running Debian:
+apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvirt-daemon-system virtinst ovmf bridge-utils dnsmasq-base
+```
+-->
+```shell
+# For host machines running Ubuntu Server or Debian:
+apt install --no-install-recommends qemu-system qemu-utils libvirt-clients libvirt-daemon-system virtinst ovmf bridge-utils dnsmasq-base
+```
+
+**Let's begin!** This guide assumes that you have two domains where you would like to host two individual AIO instances (one instance per domain). Let's call these domains `example1.com` and `example2.com`. Therefore, we'll create two VMs named `example1-com` and `example2-com` (These are the VM names we'll use below in step 1).
+
+**Once you're ready, follow steps 1-4 below to set up your VMs. You will configure them one at a time.**
+
+1. Choose a name for your VM. A good choice is to name each VM the same as the domain name that will be used to access it.
+2. Choose the distribution you'd like to install within the VM:
+   <details><summary><strong>Ubuntu Server 22.04.4 LTS</strong></summary>
+       <h4>Downloading the .ISO image</h4>
+       You must first download an .ISO image to your host machine, and then provide virt-install with the path to that image.
+       <!-- This step is required because Ubuntu no longer hosts their "Legacy Ubuntu Server Installer" images, meaning we can no longer pass a URL to virt-install to use as a location. -->
+       <pre><code># Skip this part if you've already downloaded this image
+   curl -o /tmp/ubuntu-22.04.4-live-server-amd64.iso https://releases.ubuntu.com/jammy/ubuntu-22.04.4-live-server-amd64.iso
+   </code></pre>
+       <em>Note: You may choose a different place to store the .ISO file, but it needs to be somewhere accessible by QEMU. "/tmp" and "/home" work well, but choosing a location like "/root" will cause the next command to fail.</em>
+       <h4>Creating the VM</h4>
+       Now create the Ubuntu Server VM (Don't forget to replace [VM_NAME]):
+       <pre><code>virt-install \
+   --name [VM_NAME] \
+   --virt-type kvm \
+   --location /tmp/ubuntu-22.04.4-live-server-amd64.iso,kernel=casper/vmlinuz,initrd=casper/initrd \
+   --os-variant ubuntujammy \
+   --disk size=32 \
+   --memory 2048 \
+   --graphics none \
+   --console pty,target_type=serial \
+   --extra-args "console=ttyS0" \
+   --autostart \
+   --boot uefi
+   </code></pre>
+       <h4>Using a different version of Ubuntu Server</h4>
+       To use a different Ubuntu Server release, visit <a href="https://releases.ubuntu.com">this page</a> and find the version you want. You will need to adjust the filename and URL for the curl command, and the location and os-variant for the virt-install command, accordingly.
+   </details>
+   <details><summary><strong>Debian 11</strong></summary>
+       <h4>Creating the VM</h4>
+       Create the Debian VM (Don't forget to replace [VM_NAME]):
+       <pre><code>virt-install \
+   --name [VM_NAME] \
+   --virt-type kvm \
+   --location http://deb.debian.org/debian/dists/bullseye/main/installer-amd64/ \
+   --os-variant debian11 \
+   --disk size=32 \
+   --memory 2048 \
+   --graphics none \
+   --console pty,target_type=serial \
+   --extra-args "console=ttyS0" \
+   --autostart \
+   --boot uefi
+   </code></pre>
+   </details>
+   <details><summary><strong>Debian 12</strong></summary>
+       <h4>Creating the VM</h4>
+       Create the Debian VM (Don't forget to replace [VM_NAME]):
+       <pre><code># If the os-variant "debian12" is unknown, try "debiantesting" instead
+   virt-install \
+   --name [VM_NAME] \
+   --virt-type kvm \
+   --location http://deb.debian.org/debian/dists/bookworm/main/installer-amd64/ \
+   --os-variant debian12 \
+   --disk size=32 \
+   --memory 2048 \
+   --graphics none \
+   --console pty,target_type=serial \
+   --extra-args "console=ttyS0" \
+   --autostart \
+   --boot uefi
+   </code></pre>
+   </details>
+   <!--To learn more about virt-install or automating this process, see <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-guest_virtual_machine_installation_overview-creating_guests_with_virt_install">this guide</a>.-->
+3. Navigate through the text-based installer. Most options can remain as default, but here are some tips:
+   <details><summary><strong>For the Ubuntu Server installer</strong></summary>
+   When asked about the "type of installation", you can leave the default "Ubuntu Server" without third-party drivers. You can leave the HTTP proxy information blank. In the "Profile Configuration" section, you can set "Your servers name" (hostname) to the same value as the name you gave to your VM (for example, "example1-com"). The installer will only let you create a non-root user. Note down the password you use here! You may skip enabling Ubuntu Pro. You can allow the partitioner to use the entire disk, this only uses the virtual disk that you defined above in step 2. You'll eventually be given the option to install additional software. Although "Nextcloud" is listed here, you almost certainly do <strong>not</strong> want to select this option, since you are setting up Nextcloud AIO. You'll be asked about installing "SSH server", this is entirely optional (This lets you easily SSH into the VM in the future in case you have to perform any maintenance, but even if you do not install an SSH server, you can still log in using the "virsh console" command). Finally, disregard the "[FAILED] Failed unmounting /cdrom." message, and press return.
+   </details>
+   <details><summary><strong>For the Debian installer</strong></summary>
+   When asked, you can set the hostname to the same value as the name you gave to your VM (for example, "example1-com"). You can leave the domain name and HTTP proxy information blank. Allow the installer to create both a root and a non-root user. Note down the password(s) you use here! You can allow the partitioner to use the entire disk, this only uses the virtual disk that you defined above in step 2. When tasksel (Software selection) runs and asks if you want to install additional software, use spacebar and your arrow keys to un-check the "Debian desktop environment" and "GNOME" options. The "SSH server" option is entirely optional (This lets you easily SSH into the VM in the future in case you have to perform any maintenance, but even if you do not install an SSH server, you can still log in using the "virsh console" command). Make sure "standard system utilities" is also checked. Hit tab to select "Continue". Finally, disregard the warning about GRUB, allow it to install to your "primary drive" (again, it's only virtual, and this only applies to the VM- this will not affect the boot configuration of your host physical machine) and select "/dev/vda" for the bootable device.
+   </details>
+4. Configure your new VM:
+
+   After it has finished installing, the VM will have rebooted and presented you with a login prompt. For Debian, just use `root` as the username, and enter the password you chose during the installation process. Ubuntu restricts root account access, so you'll need to first login with your non-root user, and then run `sudo su -` to elevate your privileges.
+
+   We will now run a few commands to install docker and AIO in reverse proxy mode! As with any other commands, carefully read and try your best to understand them before running them.
+
+   **Each time you reach this step and run the `docker run` command below, you'll need to increment the `TALK_PORT` value. For example: 3478, 3479, etc... You may use other values as long as they don't conflict, and make sure they are [greater than 1024](https://github.com/nextcloud/all-in-one/discussions/2517). Be sure to note down the Talk port number you've assigned to this VM/AIO instance. You will need it later if you decide to enable Nextcloud Talk.**
+
+   Run these commands (**on the VM**):
+   ```shell
+   apt install -y curl
+   
+   curl -fsSL https://get.docker.com | sh
+
+   # Make sure you increment the TALK_PORT value every time you run this!
+   docker run \
+   --init \
+   --sig-proxy=false \
+   --name nextcloud-aio-mastercontainer \
+   --restart always \
+   --publish 8080:8080 \
+   --env APACHE_PORT=11000 \
+   --env APACHE_IP_BINDING=0.0.0.0 \
+   --env TALK_PORT=3478 \
+   --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
+   --volume /var/run/docker.sock:/var/run/docker.sock:ro \
+   nextcloud/all-in-one:latest
+   ```
+   The last command may take a few minutes. When it's finished, you should see a success message, saying "Initial startup of Nextcloud All-in-One complete!". Now exit the console session with `Ctrl + [c]`. This concludes the setup for this particular VM.
+
+   
+   ---
+6. Go ahead and run through steps 1-4 again in order to set up your second VM. When you're finished, proceed down to step 6. *(Note: If you downloaded the Ubuntu .ISO image and no longer need it, you may delete it now.)*
+7. Almost done! All that's left is configuring your reverse proxy. To do this, you first need to [install it](https://caddyserver.com/docs/install#debian-ubuntu-raspbian). Run (**on the host physical machine**):
+   ```shell
+   apt update -y
+   apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
+   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+   curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
+   apt update -y
+   apt install -y caddy
+   ```
+   These commands will ensure that your system is up-to-date and install the latest stable version of Caddy via it's official binary source.
+8. To configure Caddy, you need to know the IP address assigned to each VM. Run (**on the host physical machine**):
+    ```shell
+    virsh net-dhcp-leases default
+    ```
+    This will show you the VMs you set up, and the IP address corresponding to each of them. Note down each IP and corresponding hostname.
+    Finally, you will configure Caddy using this information. Open the default Caddyfile with a text editor:
+    ```shell
+    nano /etc/caddy/Caddyfile
+    ```
+    Replace everything in this file with the following configuration. Don't forget to edit this sample configuration and substitute in your own domain names and IP addresses. `[DOMAIN_NAME_*]` should be a domain name like `example1.com`, and `[IP_ADDRESS_*]` should be a local IPv4 address like `192.168.122.225`.
+    ```shell
+    # Virtual machine #1 - "example1-com"
+    https://[DOMAIN_NAME_1]:8443 {
+        reverse_proxy https://[IP_ADDRESS_1]:8080 {
+            transport http {
+                tls_insecure_skip_verify
+            }
+        }
+    }
+    https://[DOMAIN_NAME_1]:443 {
+        reverse_proxy [IP_ADDRESS_1]:11000
+    }
+    
+    # Virtual machine #2 - "example2-com"
+    https://[DOMAIN_NAME_2]:8443 {
+        reverse_proxy https://[IP_ADDRESS_2]:8080 {
+            transport http {
+                tls_insecure_skip_verify
+            }
+        }
+    }
+    https://[DOMAIN_NAME_2]:443 {
+        reverse_proxy [IP_ADDRESS_2]:11000
+    }
+
+    # (Add more configurations here if you set up more than two VMs!)
+    ```
+    After making this change, you'll need to restart Caddy:
+   ```shell
+   systemctl restart caddy
+   ```
+9. That's it! Now, all that's left is to set up your instances through the AIO interface as usual by visiting `https://example1.com:8443` and `https://example2.com:8443` in a browser. Once you're finished going through each setup, you can access your new instances simply through their domain names. You can host as many instances with as many domain names as you want this way, as long as you have enough system resources. Enjoy!
+    
+    <details><summary><strong>A few extra tips for managing this setup</strong></summary>
+        <ul>
+            <li>You can easily connect to a VM to perform maintenance using this command (<strong>on the host physical machine</strong>): <pre><code>virsh console --domain [VM_NAME]</code></pre></li>
+            <li>If you chose to install an SSH Server, you can SSH in using this command (<strong>on the host physical machine</strong>): <pre><code>ssh [NONROOT_USER]@[IP_ADDRESS] # By default, OpenSSH does not allow logging in as root</code></pre></li>
+            <li>If you mess up the configuration of a VM, you may wish to completely delete it and start fresh with a new one. <strong>THIS WILL DELETE ALL DATA ASSOCIATED WITH THE VM INCLUDING ANYTHING IN YOUR AIO DATADIR!</strong> If you are sure you would like to do this, run (<strong>on the host physical machine</strong>): <pre><code>virsh destroy --domain [VM_NAME] ; virsh undefine --nvram --domain [VM_NAME] && rm -rfi /var/lib/libvirt/images/[VM_NAME].qcow2</code></pre></li>
+            <li>Using Nextcloud Talk will require some extra configuration. Back when you set up your VMs, they were (by default) configured with NAT, meaning they are in their own subnet. The VMs must each instead be bridged, so that your router may directly "see" them (as if they were real, physical devices on your network), and each AIO instance inside each VM must be configured with a different Talk port (like 3478, 3479, etc.). You should have already set these port numbers (back when you first configured the VM in step 4 above), but if you still need to set (or want to change) these values, you can remove the mastercontainer and re-run the initial "docker run" command with a modified Talk port <a href="https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port">like so</a>. Then, the Talk port for EACH instance needs to be forwarded in your router's settings DIRECTLY to the VM hosting the instance (completely bypassing your host physical machine/reverse proxy). And finally, inside an admin-privileged account (such as the default "admin" account) in each instance, you must visit <strong>https://[DOMAIN_NAME]/settings/admin/talk</strong> then find the STUN/TURN Settings, and from there set the proper values. If this is too complicated, it may be easier to use public STUN/TURN servers, but I have not tested any of this, rather I'm just sharing what I have found so far (more info available <a href="https://github.com/nextcloud/all-in-one/discussions/2517">here</a>). If you have figured this out or if any of this information is incorrect, please edit this section!</li>
+            <li>Configuring daily automatic backups is a bit more involved with this setup. But for the occasional manual borg backup, you can connect a physical SSD/HDD via a cheap USB SATA adapter/dock to a free USB port on your host physical machine, and then use these commands to pass the disk through to a VM of your choosing (<strong>on the host physical machine and on the VM</strong>): <pre><code>virsh attach-device --live --domain [VM_NAME] --file [USB_DEVICE_DEFINITION.xml]
+   virsh console --domain [VM_NAME]
+   # (Login to the VM with root privileges)
+   mkdir -p /mnt/[MOUNT_NAME]
+   mount /dev/disk/by-label/[DISK_NAME] /mnt/[MOUNT_NAME]</code></pre></li>
+            To create the XML device definition file, see <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_administration_guide/sect-managing_guest_virtual_machines_with_virsh-attaching_and_updating_a_device_with_virsh">this short guide</a>. An SSD/HDD is recommended, but nothing is stopping you from using something as simple as a flash drive for testing if you really want. Finally, to actually perform a manual backup, make sure your disk is properly mounted and then simply use the AIO interface to perform the backup.
+            <li>If you want to shave off around 8-10 seconds of total boot time when you reboot your host physical machine, a simple trick is to lower the GRUB_TIMEOUT from the default five seconds to one second, on both the host physical machine and each of the VMs. You can also remove the delay, but it's generally safer to leave at least one second. (Always be extremely careful when editing GRUB config, especially on the host physical machine, as an incorrect configuration can prevent your device from booting!)</li>
+        </ul>
+    </details>

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 7.12.0-beta
+version: 9.2.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/readme.md

@@ -18,7 +18,8 @@ You can run the containers that are build for AIO with Kubernetes using this Hel
 
 ## How to use this?
 
-First download this file: https://raw.githubusercontent.com/nextcloud/all-in-one/main/nextcloud-aio-helm-chart/values.yaml and adjust at least all values marked with `# TODO!`
+First download this file: https://raw.githubusercontent.com/nextcloud/all-in-one/main/nextcloud-aio-helm-chart/values.yaml and adjust at least all values marked with `# TODO!`<br>
+⚠️ **Warning**: Do not use the symbols `@` and `:` in your passwords. These symbols are used to build database connection strings. You will experience issues when using these symbols!
 
 Then run:
 

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -2,29 +2,34 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   replicas: 1
   selector:
     matchLabels:
       io.kompose.service: nextcloud-aio-apache
+  strategy:
+    type: Recreate
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-        kompose.version: 1.32.0 (765fde254)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+        kompose.version: 1.34.0 (cbf2835db)
       labels:
-        io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-apache
     spec:
       initContainers:
         - name: init-volumes
+          {{- if or .Values.IMAGE_MIRROR_PREFIX .Values.ALPINE_IMAGE_ORG }}
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.ALPINE_IMAGE_ORG}}/alpine"
+          {{- else }}
           image: alpine
+          {{- end }}
           command:
             - chmod
             - "777"
@@ -39,6 +44,8 @@ spec:
         - env:
             - name: ADDITIONAL_TRUSTED_DOMAIN
               value: "{{ .Values.ADDITIONAL_TRUSTED_DOMAIN }}"
+            - name: APACHE_HOST
+              value: nextcloud-aio-apache
             - name: APACHE_MAX_SIZE
               value: "{{ .Values.APACHE_MAX_SIZE }}"
             - name: APACHE_MAX_TIME
@@ -59,14 +66,17 @@ spec:
               value: nextcloud-aio-talk
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:beta
-          imagePullPolicy: Always
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.NEXTCLOUD_IMAGE_ORG }}/aio-apache:20240718_063028"
           name: nextcloud-aio-apache
           ports:
             - containerPort: {{ .Values.APACHE_PORT }}
               protocol: TCP
             - containerPort: {{ .Values.APACHE_PORT }}
               protocol: UDP
+          securityContext:
+            capabilities:
+              drop:
+                - NET_RAW
           volumeMounts:
             - mountPath: /var/www/html
               name: nextcloud-aio-nextcloud

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-persistentvolumeclaim.yaml

@@ -4,7 +4,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-service.yaml

@@ -2,12 +2,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-apache
   name: nextcloud-aio-apache
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   ipFamilyPolicy: PreferDualStack
   type: LoadBalancer

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -3,29 +3,34 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   replicas: 1
   selector:
     matchLabels:
       io.kompose.service: nextcloud-aio-clamav
+  strategy:
+    type: Recreate
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-        kompose.version: 1.32.0 (765fde254)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+        kompose.version: 1.34.0 (cbf2835db)
       labels:
-        io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-clamav
     spec:
       initContainers:
         - name: init-subpath
+          {{- if or .Values.IMAGE_MIRROR_PREFIX .Values.ALPINE_IMAGE_ORG }}
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.ALPINE_IMAGE_ORG}}/alpine"
+          {{- else }}
           image: alpine
+          {{- end }}
           command:
             - mkdir
             - "-p"
@@ -35,7 +40,11 @@ spec:
             - name: nextcloud-aio-clamav
               mountPath: /nextcloud-aio-clamav
         - name: init-volumes
+          {{- if or .Values.IMAGE_MIRROR_PREFIX .Values.ALPINE_IMAGE_ORG }}
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.ALPINE_IMAGE_ORG}}/alpine"
+          {{- else }}
           image: alpine
+          {{- end }}
           command:
             - chown
             - 100:100
@@ -48,13 +57,19 @@ spec:
         - env:
             - name: CLAMD_STARTUP_TIMEOUT
               value: "90"
+            - name: MAX_SIZE
+              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20240201_120631-latest
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.NEXTCLOUD_IMAGE_ORG }}/aio-clamav:20240718_063028"
           name: nextcloud-aio-clamav
           ports:
             - containerPort: 3310
               protocol: TCP
+          securityContext:
+            capabilities:
+              drop:
+                - NET_RAW
           volumeMounts:
             - mountPath: /var/lib/clamav
               subPath: data

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-persistentvolumeclaim.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   {{- if .Values.STORAGE_CLASS }}
   storageClassName: {{ .Values.STORAGE_CLASS }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-service.yaml

@@ -3,12 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-clamav
   name: nextcloud-aio-clamav
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   ipFamilyPolicy: PreferDualStack
   ports:

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -3,12 +3,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-collabora
   name: nextcloud-aio-collabora
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   replicas: 1
   selector:
@@ -17,10 +17,9 @@ spec:
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-        kompose.version: 1.32.0 (765fde254)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+        kompose.version: 1.34.0 (cbf2835db)
       labels:
-        io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-collabora
     spec:
       containers:
@@ -37,7 +36,7 @@ spec:
               value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20240201_120631-latest
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.NEXTCLOUD_IMAGE_ORG }}/aio-collabora:20240718_063028"
           name: nextcloud-aio-collabora
           ports:
             - containerPort: 9980
@@ -46,4 +45,7 @@ spec:
             capabilities:
               add:
                 - MKNOD
+                - SYS_ADMIN
+              drop:
+                - NET_RAW
 {{- end }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-service.yaml

@@ -3,12 +3,12 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-collabora
   name: nextcloud-aio-collabora
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   ipFamilyPolicy: PreferDualStack
   ports:

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -2,29 +2,34 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-    kompose.version: 1.32.0 (765fde254)
+    kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+    kompose.version: 1.34.0 (cbf2835db)
   labels:
     io.kompose.service: nextcloud-aio-database
   name: nextcloud-aio-database
-  namespace: {{ .Values.NAMESPACE }}
+  namespace: "{{ .Values.NAMESPACE }}"
 spec:
   replicas: 1
   selector:
     matchLabels:
       io.kompose.service: nextcloud-aio-database
+  strategy:
+    type: Recreate
   template:
     metadata:
       annotations:
-        kompose.cmd: kompose convert -c -f latest.yml --namespace {{ .Values.NAMESPACE }}
-        kompose.version: 1.32.0 (765fde254)
+        kompose.cmd: kompose convert -c -f latest.yml --namespace "{{ .Values.NAMESPACE }}"
+        kompose.version: 1.34.0 (cbf2835db)
       labels:
-        io.kompose.network/nextcloud-aio: "true"
         io.kompose.service: nextcloud-aio-database
     spec:
       initContainers:
         - name: init-subpath
+          {{- if or .Values.IMAGE_MIRROR_PREFIX .Values.ALPINE_IMAGE_ORG }}
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.ALPINE_IMAGE_ORG}}/alpine"
+          {{- else }}
           image: alpine
+          {{- end }}
           command:
             - mkdir
             - "-p"
@@ -37,7 +42,11 @@ spec:
             - name: nextcloud-aio-database
               mountPath: /nextcloud-aio-database
         - name: init-volumes
+          {{- if or .Values.IMAGE_MIRROR_PREFIX .Values.ALPINE_IMAGE_ORG }}
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.ALPINE_IMAGE_ORG}}/alpine"
+          {{- else }}
           image: alpine
+          {{- end }}
           command:
             - chown
             - 999:999
@@ -61,11 +70,15 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20240201_120631-latest
+          image: "{{ .Values.IMAGE_MIRROR_PREFIX }}{{ .Values.NEXTCLOUD_IMAGE_ORG }}/aio-postgresql:20240718_063028"
           name: nextcloud-aio-database
           ports:
             - containerPort: 5432
               protocol: TCP
+          securityContext:
+            capabilities:
+              drop:
+                - NET_RAW
           volumeMounts:
             - mountPath: /var/lib/postgresql/data
               subPath: data