actually make the inversion of installing apks work

Signed-off-by: Simon L <szaimen@e.mail.de>

Containers/apache/Dockerfile

@@ -53,6 +53,12 @@ RUN set -ex; \
         /usr/local/apache2/conf/httpd.conf; \
     echo "Include conf/nextcloud.conf" | tee -a /usr/local/apache2/conf/httpd.conf; \
     echo "ServerName localhost" | tee -a /usr/local/apache2/conf/httpd.conf; \
+# Sync this with max db connections and pm.max_children
+# We don't actually expect so many workers but don't want to limit it artificially because people will report issues otherwise.
+    sed -i 's|MaxRequestWorkers.*|MaxRequestWorkers 5000|' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
+    grep -q '<IfModule mpm_event_module>' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
+# ServerLimit needs to be set to MaxRequestWorkers divided by ThreadsPerChild which is set to 25 by default
+    sed -i '/<IfModule mpm_event_module>/a\ \ \ \ ServerLimit 200' /usr/local/apache2/conf/extra/httpd-mpm.conf; \
     \
     rm -rf /usr/local/apache2/conf/original /var/www; \
     mkdir -p /var/www; \

Containers/borgbackup/backupscript.sh

@@ -69,6 +69,11 @@ if [ "$BORG_MODE" = backup ]; then
         exit 1
     elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_database_dump/database-dump.sql" ]; then
         echo "database-dump is missing. Cannot perform backup!"
+        echo "Please check the database container logs!"
+        exit 1
+    elif ! [ -f "/nextcloud_aio_volumes/nextcloud_aio_nextcloud_data/.ocdata" ]; then
+        echo "The .ocdata file is missing in Nextcloud datadir which means it is invalid!"
+        echo "Is the drive where the datadir is located on still mounted?"
         exit 1
     fi
 

Containers/clamav/Dockerfile

@@ -1,5 +1,5 @@
 # Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.2.1-24
+FROM clamav/clamav:1.2.1-26
 
 COPY clamav.conf /tmp/clamav.conf
 

Containers/collabora/Dockerfile

@@ -1,5 +1,5 @@
 # From a file located probably somewhere here: https://github.com/CollaboraOnline/online/tree/master/docker
-FROM collabora/code:23.05.6.4.1
+FROM collabora/code:23.05.7.2.1
 
 USER root
 

Containers/imaginary/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21.5-alpine3.18 as go
+FROM golang:1.21.6-alpine3.18 as go
 
 ENV IMAGINARY_HASH 6cd9edd1d3fb151eb773c14552886e4fc8e50138
 

Containers/mastercontainer/start.sh

@@ -70,6 +70,7 @@ fi
 # Check if api version is supported
 if ! sudo -u www-data docker info &>/dev/null; then
     print_red "Cannot connect to the docker socket. Cannot proceed."
+    echo "Did you maybe remove group read permissions for the docker socket? AIO needs them in order to access the docker socket."
     echo "If SELinux is enabled on your host, see https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled"
     echo "If you are on TrueNas SCALE, see https://github.com/nextcloud/all-in-one#can-i-run-aio-on-truenas-scale"
     exit 1

Containers/nextcloud/Dockerfile

@@ -191,11 +191,12 @@ RUN set -ex; \
         grep \
         nodejs \
         bind-tools \
+        imagemagick \
         coreutils; \
     \
     grep -q '^pm = dynamic' /usr/local/etc/php-fpm.d/www.conf; \
     sed -i 's/^pm = dynamic/pm = ondemand/' /usr/local/etc/php-fpm.d/www.conf; \
-# Sync this with max db connections
+# Sync this with max db connections and MaxRequestWorkers
 # We don't actually expect so many children but don't want to limit it artificially because people will report issues otherwise.
 # Also children will usually be terminated again after the process is done due to the ondemand setting
     sed -i 's/^pm.max_children =.*/pm.max_children = 5000/' /usr/local/etc/php-fpm.d/www.conf; \

Containers/nextcloud/start.sh

@@ -54,11 +54,17 @@ sudo -u www-data rm -f "$NEXTCLOUD_DATA_DIR/this-is-a-test-file"
 # Install additional dependencies
 if [ -n "$ADDITIONAL_APKS" ]; then
     if ! [ -f "/additional-apks-are-installed" ]; then
+        # Allow to disable imagemagick without having to download it each time
+        if ! echo "$ADDITIONAL_APKS" | grep -q imagemagick; then
+            apk del imagemagick;
+        fi
         read -ra ADDITIONAL_APKS_ARRAY <<< "$ADDITIONAL_APKS"
         for app in "${ADDITIONAL_APKS_ARRAY[@]}"; do
-            echo "Installing $app via apk..."
-            if ! apk add --no-cache "$app" >/dev/null; then
-                echo "The packet $app was not installed!"
+            if [ "$app" != imagemagick ]; then
+                echo "Installing $app via apk..."
+                if ! apk add --no-cache "$app" >/dev/null; then
+                    echo "The packet $app was not installed!"
+                fi
             fi
         done
     fi

Containers/notify-push/start.sh

@@ -45,7 +45,7 @@ fi
 echo "notify-push was started"
 
 # Set sensitive values as env
-export DATABASE_URL="postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
+export DATABASE_URL="postgres://oc_$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB"
 export REDIS_URL="redis://:$REDIS_HOST_PASSWORD@$REDIS_HOST"
 
 # Run it

Containers/postgresql/start.sh

@@ -150,6 +150,7 @@ fi
 if [ -f "/var/lib/postgresql/data/postgresql.conf" ]; then
     echo "Setting postgres values..."
 
+    # Sync this with max pm.max_children and MaxRequestWorkers
     # 5000 connections is apparently the highest possible value with postgres so set it to that so that we don't run into a limit here.
     # We don't actually expect so many connections but don't want to limit it artificially because people will report issues otherwise
     # Also connections should usually be closed again after the process is done

Containers/redis/Dockerfile

@@ -1,5 +1,5 @@
 # From https://github.com/docker-library/redis/blob/master/7.0/alpine/Dockerfile
-FROM redis:7.2.3-alpine
+FROM redis:7.2.4-alpine
 
 COPY --chmod=775 start.sh /start.sh
 

Containers/talk/Dockerfile

@@ -1,4 +1,4 @@
-FROM nats:2.10.7-scratch as nats
+FROM nats:2.10.9-scratch as nats
 FROM eturnal/eturnal:1.12.0 AS eturnal
 FROM strukturag/nextcloud-spreed-signaling:1.2.2 as signaling
 FROM alpine:3.18.5 as janus

community-containers/facerecognition/facerecognition.json

@@ -0,0 +1,35 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-facerecognition",
+            "display_name": "Computing container for facerecognition",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition",
+            "image": "matiasdelellis/facerecognition-external-model",
+            "image_tag": "v1",
+            "internal_port": "5000",
+            "restart": "unless-stopped",
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "API_KEY=some-super-secret-api-key"
+            ],
+            "aio_variables": [
+                "nextcloud_memory_limit=4096M"
+            ],
+            "nextcloud_exec_commands": [
+                "php /var/www/html/occ app:install facerecognition",
+                "php /var/www/html/occ app:enable facerecognition", 
+                "php /var/www/html/occ config:system:set facerecognition.external_model_url --value nextcloud-aio-facerecognition:5000",
+                "php /var/www/html/occ config:system:set facerecognition.external_model_api_key --value some-super-secret-api-key",
+                "php /var/www/html/occ face:setup -m 5",
+                "php /var/www/html/occ face:setup -M 4G",
+                "php /var/www/html/occ config:app:set facerecognition analysis_image_area --value 4320000",
+                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 0 --value image/jpeg",
+                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 1 --value image/png",
+                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 2 --value image/heic",
+                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 3 --value image/tiff",
+                "php /var/www/html/occ config:system:set enabledFaceRecognitionMimetype 4 --value image/webp",
+                "php /var/www/html/occ face:background_job --defer-clustering &"
+            ]
+        }
+    ]
+}

community-containers/facerecognition/readme.md

@@ -0,0 +1,31 @@
+## Facerecognition
+This container bundles the external model of facerecognition and auto-configures it for you.
+
+### Notes
+- This container needs imaginary in order to analyze modern file format images. Make sure to enable imaginary in the AIO interface before adding this container.
+- Facerecognition is by default disabled for all users, if you want to enable facerecognition for all users, you can run the following before adding this container:
+    ```bash
+    # Go into the container
+    sudo docker exec --user www-data -it nextcloud-aio-nextcloud bash
+    ```
+    Now inside the container:
+    ```bash
+    NC_USERS_NEW=$(php occ user:list | sed 's|^  - ||g' | sed 's|:.*||')
+    mapfile -t NC_USERS_NEW <<< "$NC_USERS_NEW"
+    for user in "${NC_USERS_NEW[@]}"
+    do
+        php occ user:setting "$user" facerecognition full_image_scan_done false
+        php occ user:setting "$user" facerecognition enabled true
+    done
+
+    # Exit the container shell
+    exit
+    ```
+- If facerecognition shall analyze shared files & folders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_shared_files --value true`), groupfolders (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_group_files --value true`) and/or external storages (`sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set facerecognition handle_external_files --value true`) in Nextcloud, you need to enable support for it manually first by running the mentioned commands before adding this container. See https://github.com/matiasdelellis/facerecognition/wiki/Settings#hidden-settings for further notes on each of these settings.
+- See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack
+
+### Repository
+https://github.com/matiasdelellis/facerecognition-external-model
+
+### Maintainer
+https://github.com/matiasdelellis

community-containers/stalwart/readme.md

@@ -3,7 +3,7 @@ This container bundles stalwart mail server and auto-configures it for you.
 
 ### Notes
 - This is only intended to run on a VPS with static ip-address.
-- Check with `sudo netstat -tulpn` that no other service is using port 25, 143, 465, 578, 993 nor 4190 yet as otherwise the container will fail to start.
+- Check with `sudo netstat -tulpn` that no other service is using port 25, 143, 465, 587, 993 nor 4190 yet as otherwise the container will fail to start.
 - You need to configure a reverse proxy in order to run this container since stalwart needs a dedicated (sub)domain! For that, you might have a look at https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy.
 - Currently, only `mail.$NC_DOMAIN` is supported as subdomain! So if Nextcloud is using `your-domain.com`, Stalwart will use `mail.your-domain.com`.
 - The data of Stalwart will be automatically included in AIOs backup solution!

nextcloud-aio-helm-chart/Chart.yaml

@@ -1,6 +1,6 @@
 name: nextcloud-aio-helm-chart
 description: A generated Helm Chart for Nextcloud AIO from Skippbox Kompose
-version: 7.9.0
+version: 7.10.0
 apiVersion: v2
 keywords:
   - latest

nextcloud-aio-helm-chart/templates/nextcloud-aio-apache-deployment.yaml

@@ -57,7 +57,7 @@ spec:
               value: nextcloud-aio-talk
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-apache:20231220_153200-latest
+          image: nextcloud/aio-apache:20240117_083657-latest
           name: nextcloud-aio-apache
           ports:
             - containerPort: {{ .Values.APACHE_PORT }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-clamav-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               value: "90"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-clamav:20231220_153200-latest
+          image: nextcloud/aio-clamav:20240117_083657-latest
           name: nextcloud-aio-clamav
           ports:
             - containerPort: 3310

nextcloud-aio-helm-chart/templates/nextcloud-aio-collabora-deployment.yaml

@@ -37,7 +37,7 @@ spec:
               value: --o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true {{ .Values.COLLABORA_SECCOMP_POLICY }} --o:remote_font_config.url=https://{{ .Values.NC_DOMAIN }}/apps/richdocuments/settings/fonts.json
             - name: server_name
               value: "{{ .Values.NC_DOMAIN }}"
-          image: nextcloud/aio-collabora:20231220_153200-latest
+          image: nextcloud/aio-collabora:20240117_083657-latest
           name: nextcloud-aio-collabora
           ports:
             - containerPort: 9980

nextcloud-aio-helm-chart/templates/nextcloud-aio-database-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               value: nextcloud
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-postgresql:20231220_153200-latest
+          image: nextcloud/aio-postgresql:20240117_083657-latest
           name: nextcloud-aio-database
           ports:
             - containerPort: 5432

nextcloud-aio-helm-chart/templates/nextcloud-aio-fulltextsearch-deployment.yaml

@@ -55,7 +55,7 @@ spec:
               value: basic
             - name: xpack.security.enabled
               value: "false"
-          image: nextcloud/aio-fulltextsearch:20231220_153200-latest
+          image: nextcloud/aio-fulltextsearch:20240117_083657-latest
           name: nextcloud-aio-fulltextsearch
           ports:
             - containerPort: 9200

nextcloud-aio-helm-chart/templates/nextcloud-aio-imaginary-deployment.yaml

@@ -27,7 +27,7 @@ spec:
         - env:
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-imaginary:20231220_153200-latest
+          image: nextcloud/aio-imaginary:20240117_083657-latest
           name: nextcloud-aio-imaginary
           ports:
             - containerPort: 9000

nextcloud-aio-helm-chart/templates/nextcloud-aio-nextcloud-deployment.yaml

@@ -158,7 +158,7 @@ spec:
               value: "{{ .Values.TIMEZONE }}"
             - name: UPDATE_NEXTCLOUD_APPS
               value: "{{ .Values.UPDATE_NEXTCLOUD_APPS }}"
-          image: nextcloud/aio-nextcloud:20231220_153200-latest
+          image: nextcloud/aio-nextcloud:20240117_083657-latest
           name: nextcloud-aio-nextcloud
           ports:
             - containerPort: 9000

nextcloud-aio-helm-chart/templates/nextcloud-aio-notify-push-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               value: nextcloud-aio-redis
             - name: REDIS_HOST_PASSWORD
               value: "{{ .Values.REDIS_PASSWORD }}"
-          image: nextcloud/aio-notify-push:20231220_153200-latest
+          image: nextcloud/aio-notify-push:20240117_083657-latest
           name: nextcloud-aio-notify-push
           ports:
             - containerPort: 7867

nextcloud-aio-helm-chart/templates/nextcloud-aio-onlyoffice-deployment.yaml

@@ -43,7 +43,7 @@ spec:
               value: "{{ .Values.ONLYOFFICE_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-onlyoffice:20231220_153200-latest
+          image: nextcloud/aio-onlyoffice:20240117_083657-latest
           name: nextcloud-aio-onlyoffice
           ports:
             - containerPort: 80

nextcloud-aio-helm-chart/templates/nextcloud-aio-redis-deployment.yaml

@@ -38,7 +38,7 @@ spec:
               value: "{{ .Values.REDIS_PASSWORD }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-redis:20231220_153200-latest
+          image: nextcloud/aio-redis:20240117_083657-latest
           name: nextcloud-aio-redis
           ports:
             - containerPort: 6379

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-deployment.yaml

@@ -37,7 +37,7 @@ spec:
               value: "{{ .Values.TURN_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk:20231220_153200-latest
+          image: nextcloud/aio-talk:20240117_083657-latest
           name: nextcloud-aio-talk
           ports:
             - containerPort: {{ .Values.TALK_PORT }}

nextcloud-aio-helm-chart/templates/nextcloud-aio-talk-recording-deployment.yaml

@@ -33,7 +33,7 @@ spec:
               value: "{{ .Values.RECORDING_SECRET }}"
             - name: TZ
               value: "{{ .Values.TIMEZONE }}"
-          image: nextcloud/aio-talk-recording:20231220_153200-latest
+          image: nextcloud/aio-talk-recording:20240117_083657-latest
           name: nextcloud-aio-talk-recording
           ports:
             - containerPort: 1234

php/composer.json

@@ -19,7 +19,7 @@
         "ext-apcu": "*"
     },
     "scripts": {
-		"psalm": "psalm --threads=1",
+		"psalm": "psalm --threads=1 --show-info=true",
 		"psalm:update-baseline": "psalm --threads=1 --update-baseline",
 		"lint": "find . -name \\*.php -not -path './vendor/*' -exec php -l {} \\;",
 		"php-deprecation-detector": "find . -name \\*.php -not -path './vendor/*' -exec phpdd scan {} -n -t 8.2 \\;"

php/psalm-baseline.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="5.18.0@b113f3ed0259fd6e212d87c3df80eec95a6abf19"/>
+<files psalm-version="5.19.0@06b71be009a6bd6d81b9811855d6629b9fe90e1b"/>

php/src/Data/ConfigurationManager.php

@@ -320,7 +320,7 @@ class ConfigurationManager
 
             if (!filter_var($dnsRecordIP, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
                 if ($port === '443') {
-                    throw new InvalidSettingConfigurationException("It seems like the ip-address is set to an internal or reserved ip-address. This is not supported. (It was found to be set to '" . $dnsRecordIP . "')");
+                    throw new InvalidSettingConfigurationException("It seems like the ip-address of the domain is set to an internal or reserved ip-address. This is not supported. (It was found to be set to '" . $dnsRecordIP . "'). Please set it to a public ip-address so that the domain validation can work!");
                 } else {
                     error_log("It seems like the ip-address of " . $domain . " is set to an internal or reserved ip-address. (It was found to be set to '" . $dnsRecordIP . "')");
                 }
@@ -331,7 +331,7 @@ class ConfigurationManager
             if ($connection) {
                 fclose($connection);
             } else {
-                throw new InvalidSettingConfigurationException("The server is not reachable on Port 443. You can verify this e.g. with 'https://portchecker.co/' by entering your domain there as ip-address and port 443 as port.");
+                throw new InvalidSettingConfigurationException("The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.");
             }
 
             // Get Instance ID
@@ -359,7 +359,13 @@ class ConfigurationManager
                 error_log('The response of the connection attempt to "' . $testUrl . '" was: ' . $response);
                 error_log('Expected was: ' . $instanceID);
                 error_log('The error message was: ' . curl_error($ch));
-                throw new InvalidSettingConfigurationException("Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')");
+                $notice = "Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')";
+                if ($port === '443') {
+                    $notice .= " If you should be using Cloudflare, make sure to disable the Cloudflare Proxy feature as it might block the domain validation. Same for any other firewall or service that blocks unencrypted access on port 443.";
+                } else {
+                    error_log('Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!');
+                }
+                throw new InvalidSettingConfigurationException($notice);
             }
         }
 

php/src/Docker/DockerActionManager.php

@@ -522,6 +522,9 @@ class DockerActionManager
             $requestBody['HostConfig']['SecurityOpt'] = ["apparmor:unconfined"];
         }
 
+        // Disable SELinux for AIO containers so that it does not break them
+        $requestBody['HostConfig']['SecurityOpt'] = ["label:disable"];
+
         $mounts = [];
 
         // Special things for the backup container which should not be exposed in the containers.json
@@ -553,9 +556,6 @@ class DockerActionManager
                 }
                 $mounts[] = ["Type" => "bind", "Source" => $volume->name, "Target" => $volume->mountPoint, "ReadOnly" => !$volume->isWritable, "BindOptions" => [ "Propagation" => "rshared"]];
             }
-        // Special things for the watchtower and docker-socket-proxy container which should not be exposed in the containers.json
-        } elseif ($container->GetIdentifier() === 'nextcloud-aio-watchtower' || $container->GetIdentifier() === 'nextcloud-aio-docker-socket-proxy') {
-            $requestBody['HostConfig']['SecurityOpt'] = ["label:disable"];
         }
 
         if (count($mounts) > 0) {
@@ -582,12 +582,19 @@ class DockerActionManager
         $imageName = $this->BuildImageName($container);
         $encodedImageName = urlencode($imageName);
         $url = $this->BuildApiUrl(sprintf('images/create?fromImage=%s', $encodedImageName));
+        $imageIsThere = true;
         try {
-            $this->guzzleClient->post($url);
             $imageUrl = $this->BuildApiUrl(sprintf('images/%s/json', $encodedImageName));
             $this->guzzleClient->get($imageUrl)->getBody()->getContents();
         } catch (\Throwable $e) {
-            throw new \Exception("Could not pull image " . $imageName . ". Please run 'sudo docker exec -it nextcloud-aio-mastercontainer docker pull " . $imageName . "' in order to find out why it failed.");
+            $imageIsThere = false;
+        }
+        try {
+            $this->guzzleClient->post($url);
+        } catch (RequestException $e) {
+            if ($imageIsThere === false) {
+                throw new \Exception("Could not pull image " . $imageName . ". Please run 'sudo docker exec -it nextcloud-aio-mastercontainer docker pull " . $imageName . "' in order to find out why it failed.");
+            }
         }
     }
 

php/templates/containers.twig

@@ -16,7 +16,7 @@
     </header>
 
     <div class="content">
-        <h1>Nextcloud AIO v7.9.1</h1>
+        <h1>Nextcloud AIO v7.11.0</h1>
 
         {# Add 2nd tab warning #}
         <script type="text/javascript" src="second-tab-warning.js"></script>

readme.md

@@ -222,7 +222,10 @@ Another but untested way is to install Portainer on your TrueNAS SCALE from here
 Although it does not seems like it is the case but from AIO perspective a Cloudflare Tunnel works like a reverse proxy. So please follow the [reverse proxy documentation](./reverse-proxy.md) where is documented how to make it run behind a Cloudflare Tunnel. However please see the [caveats](https://github.com/nextcloud/all-in-one#notes-on-cloudflare-proxytunnel) before proceeding.
 
 ### Disrecommended VPS providers
-- Stratos VPS crash/freeze/make errors when they reach an extremely low PID limit, which is very quickly reached by AIO, see [here](https://github.com/nextcloud/all-in-one/discussions/1747#discussioncomment-4716164), Strato does normally not increase this limit.
+- *Older* Strato VPS using Virtuozzo caused problems though ones from Q3 2023 and later should work.
+  If your VPS has a `/proc/user_beancounters` file and a low `numproc` limit set in it
+  your server will likely misbehave once it reaches this limit
+  which is very quickly reached by AIO, see [here](https://github.com/nextcloud/all-in-one/discussions/1747#discussioncomment-4716164).
 - Hostingers VPS seem to miss a specific Kernel feature which is required for AIO to run correctly. See [here](https://help.nextcloud.com/t/help-installing-nc-via-aio-on-vps/153956).
 
 ### Recommended VPS
@@ -388,7 +391,7 @@ Not directly but you have multiple options to achieve this:
 ---
 
 #### Failure of the backup container in LXC containers
-If you are running AIO in a LXC container, you need to make sure that FUSE is enabled in the LXC container settings. Otherwise the backup container will not be able to start as FUSE is required for it to work.
+If you are running AIO in a LXC container, you need to make sure that FUSE is enabled in the LXC container settings. Also, if using Alpine Linux as host OS, make sure to add fuse via `apk add fuse`. Otherwise the backup container will not be able to start as FUSE is required for it to work.
 
 ---
 
@@ -663,7 +666,7 @@ Some Nextcloud apps require additional php extensions that must be bundled withi
 You can do so by adding `--env NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS="imagick extension1 extension2"` to the docker run command of the mastercontainer (but before the last line `nextcloud/all-in-one:latest`! If it was started already, you will need to stop the mastercontainer, remove it (no data will be lost) and recreate it using the docker run command that you initially used) and customize the value to your fitting. It must be a string with small letters a-z, digits 0-9, spaces, dots and hyphens or '_'. You can find available extensions here: https://pecl.php.net/packages.php. By default `imagick` is added. If you want to keep it, you need to specify it as well.
 
 ### What about the pdlib PHP extension for the facerecognition app?
-The [facerecognition app](https://apps.nextcloud.com/apps/facerecognition) requires the pdlib PHP extension to be installed. Unfortunately, it is not available on PECL nor via PHP core, so there is no way to add this into AIO currently. However you can vote up [this issue](https://github.com/goodspb/pdlib/issues/56) to bring it to PECL and there is the [recognize app](https://apps.nextcloud.com/apps/recognize) that also allows to do face-recognition.
+The [facerecognition app](https://apps.nextcloud.com/apps/facerecognition) requires the pdlib PHP extension to be installed. Unfortunately, it is not available on PECL nor via PHP core, so there is no way to add this into AIO currently. However you can use [this community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/facerecognition) in order to run facerecognition.
 
 ### How to enable hardware-transcoding for Nextcloud?
 ⚠️⚠️⚠️ Warning: this only works if the `/dev/dri` device is present on the host! If it does not exists on your host, don't proceed as otherwise the Nextcloud container will fail to start! If you are unsure about this, better do not proceed with the instructions below.

reverse-proxy.md

@@ -556,61 +556,67 @@ The examples below define the dynamic configuration in YAML files. If you rather
     # STATIC CONFIGURATION
    
     entryPoints:
-        https:
-            address: ":443" # Create an entrypoint called "https" that uses port 443
+      https:
+        address: ":443" # Create an entrypoint called "https" that uses port 443
+        # If you want to enable HTTP/3 support, uncomment the line below
+        # http3: {}
     
     certificatesResolvers:
-        # Define "letsencrypt" certificate resolver
-        letsencrypt:
-            acme:
-                storage: /letsencrypt/acme.json # Defines the path where certificates should be stored
-                email: <your-email-address> # Where LE sends notification about certificates expiring
-                tlschallenge: true
+      # Define "letsencrypt" certificate resolver
+      letsencrypt:
+        acme:
+          storage: /letsencrypt/acme.json # Defines the path where certificates should be stored
+          email: <your-email-address> # Where LE sends notification about certificates expiring
+          tlschallenge: true
    
     providers:
-        file:
-            directory: "/path/to/dynamic/conf" # Adjust the path according your needs.
-            watch: true
+      file:
+        directory: "/path/to/dynamic/conf" # Adjust the path according your needs.
+        watch: true
+
+    # Enable HTTP/3 feature by uncommenting the lines below. Don't forget to route 443 UDP to Traefik (Firewall\NAT\Traefik Container)
+    # experimental:
+      # http3: true
     ```
 
 1. Declare the router, service and middlewares for Nextcloud in `/path/to/dynamic/conf/nextcloud.yml`:
 
     ```yml
     http:
-        routers:
-            nextcloud:
-                rule: "Host(`<your-nc-domain>`)"
-                entrypoints:
-                    - "https"
-                service: nextcloud
-                middlewares:
-                    - nextcloud-chain
-                tls:
-                    certresolver: "letsencrypt"
+      routers:
+        nextcloud:
+          rule: "Host(`<your-nc-domain>`)"
+          entrypoints:
+            - "https"
+          service: nextcloud
+          middlewares:
+            - nextcloud-chain
+          tls:
+            certresolver: "letsencrypt"
 
-        services:
-            nextcloud:
-                loadBalancer:
-                    servers:
-                        - url: "http://localhost:11000" # Use the host's IP address if Traefik runs outside the host network
+      services:
+        nextcloud:
+          loadBalancer:
+            servers:
+              - url: "http://localhost:11000" # Use the host's IP address if Traefik runs outside the host network
 
-        middlewares:
-            nextcloud-secure-headers:
-                headers:
-                    hostsProxyHeaders:
-                        - "X-Forwarded-Host"
-                    referrerPolicy: "same-origin"
+      middlewares:
+        nextcloud-secure-headers:
+          headers:
+            hostsProxyHeaders:
+              - "X-Forwarded-Host"
+            referrerPolicy: "same-origin"
 
-            https-redirect:
-                redirectscheme:
-                    scheme: https 
-   
-            nextcloud-chain:
-                chain:
-                    middlewares:
-                        # - ... (e.g. rate limiting middleware)
-                        - https-redirect
-                        - nextcloud-secure-headers
+        https-redirect:
+          redirectscheme:
+            scheme: https 
+
+        nextcloud-chain:
+          chain:
+            middlewares:
+              # - ... (e.g. rate limiting middleware)
+              - https-redirect
+              - nextcloud-secure-headers
     ```
 
 ---