diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 836c629a..055972c0 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -4,7 +4,7 @@ set -eu
 ###############################################################################
 # Entrypoint script for Nextcloud Docker container
 ###############################################################################
-
+#
 # Handles container-specific operations such as initialization, automatic configuration,
 # user/group ID management, and setup checks. Also runs Nextcloud Server’s built-in
 # installation and upgrade routines in a way that fits the container environment.
@@ -14,41 +14,240 @@ set -eu
 # of select parameters via environment variables - except NEXTCLOUD_TRUSTED_DOMAINS
 # and those set by the Nextcloud installer.
 #
-# REMINDER: This script must work with non-interactive, POSIX-compliant shells used in our
-# images. Do not use Bash-specific syntax ("bashisms"): /bin/sh is always either 'ash'
-# (BusyBox) or 'dash' (Debian), not Bash. Stick to standard POSIX shell features.
-# Resources for writing portable shell scripts:
+# See README.md for more details and usage examples:
+#    https://github.com/nextcloud/docker?tab=readme-ov-file
+#
+# REMINDER (to modifiers/contributors): This script must work with non-interactive,
+# POSIX-compliant shells used in our images. Do not use Bash-specific syntax ("bashisms"):
+# /bin/sh is always either 'ash' (BusyBox) or 'dash' (Debian), not Bash. Stick to standard
+# POSIX shell features. Resources for writing portable shell scripts:
 #   - checkbashisms (Alpine: checkbashisms; Debian: devscripts)
 #   - https://mywiki.wooledge.org/Bashism
 #   - https://www.shellcheck.net/
 # Same also applies to any commands called too (e.g., GNU find versus Busybox find).
 
+###############################################################################
+# Supported Environment Variables
+#
+# NEXTCLOUD_ADMIN_USER         - Username for initial admin account (install only)
+# NEXTCLOUD_ADMIN_PASSWORD     - Password for initial admin account (install only)
+# NEXTCLOUD_TRUSTED_DOMAINS    - Space-separated list of trusted domains
+# NEXTCLOUD_DATA_DIR           - Path to Nextcloud data directory
+# MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD, MYSQL_HOST
+# POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_HOST
+# SQLITE_DATABASE
+# REDIS_HOST, REDIS_HOST_USER, REDIS_HOST_PASSWORD, REDIS_HOST_PORT
+# APACHE_RUN_USER, APACHE_RUN_GROUP
+# APACHE_DISABLE_REWRITE_IP    - If present, disables Apache remoteip module
+# NEXTCLOUD_UPDATE             - If set (e.g., to 1), forces update logic
+# NEXTCLOUD_INIT_HTACCESS      - If set, runs htaccess maintenance after upgrade
+# *_FILE variants for secrets  - For sensitive values, use *_FILE pattern with Docker secrets
+###############################################################################
+
 ###############################################################################
 # Utility Functions
 ###############################################################################
 
+# The entrypoint command's first argument
+ENTRYPOINT_ARGV1="${1:-}"
+
+# OCC
 # Command for running `occ`
 OCC="php /var/www/html/occ"
 
+###############################################################################
 # version_greater
 # Compare two version strings (A and B).
 # Arguments:
 #   $1: Version string A
 #   $2: Version string B
 # Returns: 0 (true) if version A is greater than B; 1 (false) otherwise.
+###############################################################################
 version_greater() {
     [ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
 }
 
+###############################################################################
+# version_greater_major
+# Compare major version numbers of two version strings.
+# Arguments:
+#   $1: Version string A (e.g., "18.0.4")
+#   $2: Version string B (e.g., "16.0.7")
+#   $3: Delta (e.g., 1 for "at most one major ahead")
+# Returns: 0 (true) if major version of A > major version of B + delta; 1 (false) otherwise.
+###############################################################################
+version_greater_major() {
+    major_a="${1%%.*}"
+    major_b="${2%%.*}"
+    delta="${3:-0}"
+    [ "$major_a" -gt "$((major_b + delta))" ]
+}
+
+###############################################################################
 # directory_empty
 # Check if a directory is empty.
 # Arguments:
 #   $1: Directory path.
 # Returns: 0 (true) if directory is empty; 1 (false) otherwise.
+###############################################################################
 directory_empty() {
     [ -z "$(ls -A "$1/")" ]
 }
 
+###############################################################################
+# is_root
+# Check if the current process is running as root.
+# Arguments: none (uses $uid global).
+# Returns: 0 (true) if running as root (UID 0), 1 (false) otherwise.
+###############################################################################
+is_root() {
+    [ "$uid" -eq 0 ]
+}
+
+###############################################################################
+# is_apache
+# Check if the script's first argument indicates Apache.
+# Arguments: none (uses ENTRYPOINT_ARGV1).
+# Returns: 0 (true) if $1 matches "apache" or starts with "apache2", 1 (false) otherwise.
+###############################################################################
+is_apache() {
+    case "$ENTRYPOINT_ARGV1" in
+        apache|apache2*)
+            return 0
+            ;;
+        *)
+            return 1
+            ;;
+    esac
+}
+
+###############################################################################
+# is_php_fpm
+# Check if the script's first argument indicates PHP-FPM.
+# Arguments: none (uses ENTRYPOINT_ARGV1).
+# Returns: 0 (true) if $1 starts with "php-fpm", 1 (false) otherwise.
+###############################################################################
+is_php_fpm() {
+    case "$ENTRYPOINT_ARGV1" in
+        php-fpm*)
+            return 0
+            ;;
+        *)
+            return 1
+            ;;
+    esac
+}
+
+###############################################################################
+# set_user_group
+# Sets global $user and $group variables according to the entrypoint command and UID/GID context.
+# Arguments: none. Uses is_root, is_apache, is_php_fpm, $APACHE_RUN_USER, $APACHE_RUN_GROUP, $uid, $gid.
+# Sets: $user, $group, $uid, $gid.
+###############################################################################
+set_user_group() {
+    user='www-data'
+    group='www-data'
+    uid="$(id -u)"
+    gid="$(id -g)"
+
+    if is_root; then
+        if is_apache; then
+            user="${APACHE_RUN_USER:-www-data}"
+            group="${APACHE_RUN_GROUP:-www-data}"
+            # Apache config may specify user/group as "#1000", so remove leading '#' if present
+            user="${user#'#'}"
+            group="${group#'#'}"
+        elif is_php_fpm; then
+            user='www-data'
+            group='www-data'
+        fi
+    else
+        user="$uid"
+        group="$gid"
+    fi
+}
+
+###############################################################################
+# configure_redis_session_handler
+# Configures PHP sessions to use Redis if REDIS_HOST is set.
+# Arguments: none. Uses env vars.
+###############################################################################
+configure_redis_session_handler() {
+    if [ -n "${REDIS_HOST+x}" ]; then
+        echo "Configuring Redis as session handler"
+
+        file_env REDIS_HOST_PASSWORD
+
+        # Determine the prefix for REDIS_HOST to decide between Unix socket and TCP connection
+        first_char=$(printf '%s' "$REDIS_HOST" | cut -c1-1)
+        if [ "$first_char" = "/" ]; then
+            # Using Unix socket for Redis connection
+            if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+                if [ -n "${REDIS_HOST_USER+x}" ]; then
+                    redis_save_path="unix://${REDIS_HOST}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}"
+                else
+                    redis_save_path="unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}"
+                fi
+            else
+                redis_save_path="unix://${REDIS_HOST}"
+            fi
+        elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
+            # Using TCP connection with password
+            if [ -n "${REDIS_HOST_USER+x}" ]; then
+                redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}"
+            else
+                redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}"
+            fi
+        else
+            # Using TCP connection without password
+            redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}"
+        fi
+
+        # Write the configuration file using a heredoc.
+        cat > /usr/local/etc/php/conf.d/redis-session.ini <<EOF
+session.save_handler = redis
+session.save_path = "${redis_save_path}"
+redis.session.locking_enabled = 1
+redis.session.lock_retries = -1
+# redis.session.lock_wait_time is specified in microseconds.
+# Wait 10ms before retrying the lock rather than the default 2ms.
+redis.session.lock_wait_time = 10000
+EOF
+    fi
+}
+
+###############################################################################
+# get_nextcloud_versions
+# Sets installed_version and image_version variables.
+# - installed_version: detected from /var/www/html/version.php or set to 0.0.0.0 if not present
+# - image_version: detected from /usr/src/nextcloud/version.php
+# Arguments: none
+# Globals set: installed_version, image_version
+###############################################################################
+get_nextcloud_versions() {
+    # Default value used to indicate a new install
+    installed_version="0.0.0.0"
+    if [ -f /var/www/html/version.php ]; then
+        # TODO: Improve error handling in case of syntax errors/missing $OC_Version/etc
+        # shellcheck disable=SC2016
+        installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
+    fi
+
+    # TODO: Improve error handling here too (though far less likely to fail)
+    # shellcheck disable=SC2016
+    image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
+}
+
+###############################################################################
+# is_installed
+# Returns 0 (true) if Nextcloud is installed (installed_version is not 0.0.0.0), else 1 (false)
+# Arguments: none. Uses global $installed_version.
+###############################################################################
+is_installed() {
+    [ "$installed_version" != "0.0.0.0" ]
+}
+
+###############################################################################
 # run_as
 # Run a command as the specified user if running as root, otherwise as current user.
 # Arguments:
@@ -56,22 +255,22 @@ directory_empty() {
 # Globals:
 #   user - Username to switch to (when running as root).
 # Returns: the exit code of the executed command.
-# TODO:
-#   Consider printing error message then returning (or exiting the script) if a command fails.
-#   If some callers want to handle errors, hide behind optional flag ("--exit-on-error").
+###############################################################################
 run_as() {
-    if [ "$(id -u)" = 0 ]; then
+    if is_root; then
         su -p "$user" -s /bin/sh -c "$1"
     else
         sh -c "$1"
     fi
 }
 
+###############################################################################
 # run_path
 # Execute all executable .sh files in the specified hook folder, in alphanumeric order.
 # Arguments:
 #   $1: Name of the hook folder inside /docker-entrypoint-hooks.d/
 # Returns: 0 on success; exits the script on any hook failure.
+###############################################################################
 run_path() {
     hook_folder_path="/docker-entrypoint-hooks.d/$1"
     return_code=0
@@ -112,12 +311,15 @@ run_path() {
     )
 }
 
+###############################################################################
 # file_env
 # Load an environment variable from a file if available (supporting Docker secrets).
 # Arguments:
 #   $1: Name of the environment variable.
 #   $2: (Optional) Default value if not set.
 # Returns: Sets the environment variable named by $1.
+# Supports Docker secrets by allowing *_FILE environment variables for sensitive values.
+###############################################################################
 file_env() {
     var="$1"
     fileVar="${var}_FILE"
@@ -139,7 +341,7 @@ file_env() {
 }
 
 ###############################################################################
-# rsync_wrapper
+# rsync
 # Helper to invoke rsync with the appropriate options depending on user/group.
 # Arguments:
 #   $@ - Additional rsync arguments and paths.
@@ -151,145 +353,241 @@ file_env() {
 #   - SC2086 and word-splitting safely
 #   - DRY invocation of rsync for all sync operations
 ###############################################################################
-rsync_wrapper() {
-    if [ "$(id -u)" = 0 ]; then
+rsync() {
+    if is_root; then
         set -- -rlDog --chown "$user:$group" "$@"
     else
         set -- -rlD "$@"
     fi
-    rsync "$@"
+    command rsync "$@"
 }
 
 ###############################################################################
-# Main Entrypoint Logic
+# copy_if_missing_or_empty
+# Copy a directory from source to destination if missing or empty.
+# Arguments:
+#   $1: Directory name
+#   $2: Source base path
+#   $3: Destination base path
+# We only copy these directories if they're missing or empty, to avoid overwriting
+# user data. This is especially important for config and data directories.
 ###############################################################################
+copy_if_missing_or_empty() {
+    dir="$1"
+    src="$2"
+    dest="$3"
+    if [ ! -d "$dest/$dir" ] || directory_empty "$dest/$dir"; then
+        rsync --include "/$dir/" --exclude '/*' "$src/" "$dest/"
+    fi
+}
 
-# Disable the Apache remoteip configuration if requested via environment variable.
-# TODO: This probably be moved inside the main initialization/upgrade block below.
-if expr "$1" : "apache" 1>/dev/null; then
-    if [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
-        a2disconf remoteip
+###############################################################################
+# set_trusted_domains
+# Configure Nextcloud trusted domains from environment variable.
+# Arguments: none (uses NEXTCLOUD_TRUSTED_DOMAINS global)
+# Trusted domains are set during installation. Changing them after install may break existing clients.
+###############################################################################
+set_trusted_domains() {
+    if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
+        # turn off glob
+        set -f
+        NC_TRUSTED_DOMAIN_IDX=1
+        for DOMAIN in ${NEXTCLOUD_TRUSTED_DOMAINS}; do
+            DOMAIN=$(echo "${DOMAIN}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
+            run_as \
+                "$OCC config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\"${DOMAIN}\""
+            NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1))
+        done
+        # turn glob back on
+        set +f
     fi
-fi
+}
 
-# Only run this block if entrypoint command is Apache|PHP-FPM, or if explicitly requested.
-# TODO: This huge block should probably be broken into several discrete functions for maintainability.
-if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
+###############################################################################
+# show_disabled_apps
+# Display apps disabled after upgrade.
+# Arguments: none (uses /tmp/list_before and /tmp/list_after)
+###############################################################################
+show_disabled_apps() {
+    echo "The following apps have been disabled:"
+    diff /tmp/list_before /tmp/list_after \
+        | grep '<' | cut -d- -f2 | cut -d: -f1
+    rm -f /tmp/list_before /tmp/list_after
+}
 
-    uid="$(id -u)"
-    gid="$(id -g)"
+###############################################################################
+# warn_config_diffs
+# Warn if config files in persistent storage differ from image defaults.
+# Arguments: none.
+###############################################################################
+warn_config_diffs() {
+    for cfgPath in /usr/src/nextcloud/config/*.php; do
+        cfgFile=$(basename "$cfgPath")
+        if [ "$cfgFile" != "config.sample.php" ] \
+            && [ "$cfgFile" != "autoconfig.php" ]; then
+            if ! cmp -s "/usr/src/nextcloud/config/$cfgFile" "/var/www/html/config/$cfgFile"; then
+                echo "Warning: /var/www/html/config/$cfgFile differs from the image default at"
+                echo "  /usr/src/nextcloud/config/$cfgFile"
+            fi
+        fi
+    done
+}
 
-    # Determine effective user and group for Nextcloud operations.
-    if [ "$uid" = '0' ]; then
-        case "$1" in
-            apache2*)
-                user="${APACHE_RUN_USER:-www-data}"
-                group="${APACHE_RUN_GROUP:-www-data}"
-                # Strip off any '#' symbol ('#1000' is valid syntax for Apache)
-                user="${user#'#'}"
-                group="${group#'#'}"
-                ;;
-            *) # php-fpm
-                user='www-data'
-                group='www-data'
-                ;;
-        esac
-    else
-        user="$uid"
-        group="$gid"
+###############################################################################
+# assemble_db_install_options
+# Sets database related install_options for the Nextcloud installer, and set trigger_installer flag if config is sufficient.
+# Arguments: none (uses env vars)
+# Sets: install_options (global), trigger_installer (global)
+###############################################################################
+assemble_db_install_options() {
+    
+    # Handle database configuration (if specified)
+    file_env MYSQL_DATABASE
+    file_env MYSQL_PASSWORD
+    file_env MYSQL_USER
+    file_env POSTGRES_DB
+    file_env POSTGRES_PASSWORD
+    file_env POSTGRES_USER
+
+    if [ -n "${SQLITE_DATABASE+x}" ]; then
+        echo "Installing with SQLite database"
+        install_options="$install_options \
+            --database-name \"$SQLITE_DATABASE\""
+        # We have enough for the automated installer; indicate we can bypass the Installation Wizard
+        trigger_installer=true
+    elif [ -n "${MYSQL_DATABASE+x}" ] && [ -n "${MYSQL_USER+x}" ] && [ -n "${MYSQL_PASSWORD+x}" ] && [ -n "${MYSQL_HOST+x}" ]; then
+        echo "Installing with MySQL database"
+        install_options="$install_options \
+            --database mysql \
+            --database-name \"$MYSQL_DATABASE\" \
+            --database-user \"$MYSQL_USER\" \
+            --database-pass \"$MYSQL_PASSWORD\" \
+            --database-host \"$MYSQL_HOST\""
+        # We have enough for the automated installer; indicate we can bypass the Installation Wizard
+        trigger_installer=true
+    elif [ -n "${POSTGRES_DB+x}" ] && [ -n "${POSTGRES_USER+x}" ] && [ -n "${POSTGRES_PASSWORD+x}" ] && [ -n "${POSTGRES_HOST+x}" ]; then
+        echo "Installing with PostgreSQL database"
+        install_options="$install_options \
+            --database pgsql \
+            --database-name \"$POSTGRES_DB\" \
+            --database-user \"$POSTGRES_USER\" \
+            --database-pass \"$POSTGRES_PASSWORD\" \
+            --database-host \"$POSTGRES_HOST\""
+        # We have enough for the automated installer; indicate we can bypass the Installation Wizard
+        trigger_installer=true
     fi
+}
 
-    # If REDIS_HOST is set, configure PHP sessions to use Redis.
-    if [ -n "${REDIS_HOST+x}" ]; then
-        echo "Configuring Redis as session handler"
+###############################################################################
+# run_nextcloud_installer
+# Runs the Nextcloud command-line installer with retry logic for DB startup delays.
+# Arguments:
+#   $1: install options string (quoted)
+# Globals:
+#   OCC, user
+###############################################################################
+run_nextcloud_installer() {
+    echo "Starting nextcloud installation"
+    # Retry Nextcloud installation up to 10 times to handle possible database startup delays
+    # TODO:
+    # - Handle this better somehow and/or handle upstream.
+    # - Confirm these retries are still even needed.
+    max_retries=10
+    try=0
+    until [ "$try" -gt "$max_retries" ] || run_as \
+        "$OCC maintenance:install $1"
+    do
+        echo "Retrying install..."
+        try=$((try+1))
+        sleep 10s
+    done
+    if [ "$try" -gt "$max_retries" ]; then
+        echo "Installation of nextcloud failed!"
+        exit 1
+    fi
+}
 
-        file_env REDIS_HOST_PASSWORD
+###############################################################################
+# Main Entrypoint Logic
+###############################################################################
 
-        # Determine session.save_path depending on socket or TCP and credentials.
-        redis_save_path=""
-        first_char=$(printf '%s' "$REDIS_HOST" | cut -c1-1)
-        if [ "$first_char" = "/" ]; then
-            # Unix socket
-            if [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-                if [ -n "${REDIS_HOST_USER+x}" ]; then
-                    redis_save_path="unix://${REDIS_HOST}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}"
-                else
-                    redis_save_path="unix://${REDIS_HOST}?auth=${REDIS_HOST_PASSWORD}"
-                fi
-            else
-                redis_save_path="unix://${REDIS_HOST}"
-            fi
-        elif [ -n "${REDIS_HOST_PASSWORD+x}" ]; then
-            # TCP with password
-            if [ -n "${REDIS_HOST_USER+x}" ]; then
-                redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth[]=${REDIS_HOST_USER}&auth[]=${REDIS_HOST_PASSWORD}"
-            else
-                redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}?auth=${REDIS_HOST_PASSWORD}"
-            fi
-        else
-            # TCP without password
-            redis_save_path="tcp://${REDIS_HOST}:${REDIS_HOST_PORT:=6379}"
-        fi
+# Permit disabling of the Apache remoteip configuration.
+if is_apache && [ -n "${APACHE_DISABLE_REWRITE_IP+x}" ]; then
+    echo "Disabling Apache IP rewrite (APACHE_DISABLE_REWRITE=1 specified)"
+    echo "See https://github.com/nextcloud/docker?tab=readme-ov-file#using-the-image-behind-a-reverse-proxy-and-specifying-the-server-host-and-protocol"
+    a2disconf remoteip
+fi
 
-        # Write the configuration file using a heredoc.
-        cat > /usr/local/etc/php/conf.d/redis-session.ini <<EOF
-session.save_handler = redis
-session.save_path = "${redis_save_path}"
-redis.session.locking_enabled = 1
-redis.session.lock_retries = -1
-# redis.session.lock_wait_time is specified in microseconds.
-# Wait 10ms before retrying the lock rather than the default 2ms.
-redis.session.lock_wait_time = 10000
-EOF
-    fi
+# Warn if default entrypoint cmd parameter was overriden since it disables upgrades
+# TODO: This belongs above the prior block, but this avoids a possible BC (though unlikely).
+if ! is_apache && ! is_php_fpm && [ "${NEXTCLOUD_UPDATE:-0}" -eq 0 ]; then
+    echo "NOTICE: Skipping upgrades and installation because default command overridden and NEXTCLOUD_UPDATE is not set to 1."
+    echo "See https://github.com/nextcloud/docker/?tab=readme-ov-file#image-specific"
+fi
+
+# As long as we're running normally (or NEXTCLOUD_UPDATE was specified), proceed as normal
+if is_apache || is_php_fpm || [ "${NEXTCLOUD_UPDATE:-0}" -eq 1 ]; then
 
-    # Use file locking to ensure only one initialization or upgrade runs at a time.
+    # Populate global $user / $group / $uid / $gid variables according to the entrypoint command and UID/GID context.
+    set_user_group
+    # Configure PHP sessions to use Redis if configured
+    configure_redis_session_handler
+
+    # Guard against starting if another instance is running and already upgrading/initializing Nextcloud
+    # - This may happen in Kubernetes or other orchestrated environments with parallel startup.
     (
+        # Use flock to prevent concurrent initialization.
         if ! flock -n 9; then
             echo "Another process is initializing Nextcloud. Waiting..."
             flock 9
         fi
 
-        installed_version="0.0.0.0"
-        if [ -f /var/www/html/version.php ]; then
-            # TODO: The error handling should be improved here in case of syntax/etc errors
-            # shellcheck disable=SC2016
-            installed_version="$(php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);')"
-        fi
+        # Get Nextcloud versions (installed and image)
+        get_nextcloud_versions
 
-        # TODO: The error handling should be improved here in case of syntax/etc errors
-        # shellcheck disable=SC2016
-        image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')"
-
-        if version_greater "$installed_version" "$image_version"; then
+        # Guard against Downgrading.
+        # - Prevent container startup if persisted code version is newer than image version.
+        # - This indicates a downgrade attempt, which is not supported by image / Nextcloud.
+        if is_installed && version_greater "$installed_version" "$image_version"; then
             echo "Can't start Nextcloud: data version ($installed_version) is higher than"
-            echo "docker image version ($image_version); downgrading is not supported."
-            echo "Are you sure you have pulled a newer image version?"
+            echo "image version ($image_version); downgrading is not supported."
+            echo "Are you sure you pulled a newer image version?"
+            echo "See: https://github.com/nextcloud/docker/#update-to-a-newer-version"
+            exit 1
+        fi
+
+        # Guard against major version jumps.
+        # - Prevent container startup if image version is more than one major version higher than persisted code version.
+        # - This indicates an overly aggressive major version jump attempt, which is not supported by image / Nextcloud.
+        if is_installed && version_greater_major "$image_version" "$installed_version" 1; then
+            echo "ERROR: Can't start Nextcloud: upgrading from $installed_version to $image_version is not supported."
+            echo "You can upgrade only one major version at a time."
+            echo "E.g., to upgrade from 14 to 16, first upgrade 14 to 15, then 15 to 16."
+            echo "See: https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html"
+            echo "See: https://github.com/docker-library/docs/tree/master/nextcloud#supported-tags-and-respective-dockerfile-links"
             exit 1
         fi
 
-        # Image version needs to be > installed version to proceed farther.
-        # NOTE: Also true if there is no installed version.
-        if version_greater "$image_version" "$installed_version"; then
+        # Instalization block.
+        # - Initialization is only for new installs or upgrades.
+        # - Bypassed if there's nothing to do
+        if ! is installed || version_greater "$image_version" "$installed_version"; then
             echo "Initializing nextcloud $image_version ..."
 
-            # Check for an already installed version that isn't in allowable upgrade jump range.
-            if [ "$installed_version" != "0.0.0.0" ]; then
-                if [ "${image_version%%.*}" -gt "$((${installed_version%%.*} + 1))" ]; then
-                    echo "Can't start Nextcloud: upgrading from $installed_version to"
-                    echo "$image_version is not supported."
-                    echo "You can upgrade only one major version at a time."
-                    echo "E.g., to upgrade from 14 to 16, first upgrade 14 to 15, then 15 to 16."
-                    exit 1
-                fi
-                # Installed version has been deemed within allow upgrade jump range...
+            # A prior version is already installed, and has been deemed within allowed upgrade jump range so proceed.
+            if is_installed; then
                 echo "Upgrading nextcloud from $installed_version ..."
+                # Save pre-upgrade enabled/disabled apps list
+                # TODO: Determine if tracking app list is still relevant
                 run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
             fi
 
-            # Deploy image code onto the persistent storage volume.
+            # Code deployment block.
+            # - Deploys image code onto the persistent storage volume
+            # TODO: Move code deployment block (below) to its own function(s)
+
             ##########################################################################################
-            # Why we copy Nextcloud code from the image to persistent storage
+            # Why we copy Nextcloud code from the image to persistent storage...
             #
             # Nextcloud's application directory needs to be on persistent storage, not just inside
             # the container's writable/read-only layers. This ensures:
@@ -337,8 +635,7 @@ EOF
             # Notes:
             #   - The current rsync approach works for local filesystems but may be slow or appear
             #     to hang on networked storage.
-
-            rsync_wrapper \
+            rsync \
                 --delete \
                 --exclude-from=/upgrade.exclude \
                 /usr/src/nextcloud/ \
@@ -350,25 +647,22 @@ EOF
             #   - custom_apps/
             #   - themes/
             #
+            # We only copy these directories if they're missing or empty, to avoid overwriting
+            # user data. This is especially important for config and data directories.
+            #
             # TODO:
-            #   - Consider updating only 'themes/' here, and move handling of 'config/', 'data/', and
-            #     'custom_apps/' into the install block. These directories should not be modified during a
-            #     regular update/upgrade.
-            #   - Review whether this change would cause any unexpected behavior or introduce breaking
-            #     changes.
-            
+            #   - Consider updating only 'themes/' here, and move handling of 'config/', 'data/', and 'custom_apps/'
+            #     into the install block. These directories should not be modified during a regular update/upgrade.
+            #   - Review whether modifying these directories outside of installation could cause data loss or unexpected behavior.
             for dir in config data custom_apps themes; do
-                if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
-                    rsync_wrapper \
-                        --include "/$dir/" \
-                        --exclude '/*' \
-                        /usr/src/nextcloud/ \
-                        /var/www/html/
-                fi
+                copy_if_missing_or_empty \
+                    "$dir" \
+                    "/usr/src/nextcloud" \
+                    "/var/www/html"
             done
 
-            # Replace installed code's version.php with newer image code version
-            rsync_wrapper \
+             # Replace installed code's version.php with newer image code version
+            rsync \
                 --include '/version.php' \
                 --exclude '/*' \
                 /usr/src/nextcloud/ \
@@ -376,17 +670,21 @@ EOF
 
             # Install block for fresh instances.
             # TODO: Consider moving install block to a dedicated function
-            if [ "$installed_version" = "0.0.0.0" ]; then
+            if ! is_installed; then
                 echo "New nextcloud instance"
 
+                # Base options for Nextcloud's command-line installer
+                # TODO: Consider enabling verbose mode too
+                install_options="--no-interaction"
+                # Tracks whether we have enough automatic configuration parameters to bypass the Installation Wizard
+                trigger_installer=false
+
                 # Handle initial admin credentials (if provided)
-                file_env NEXTCLOUD_ADMIN_PASSWORD
                 file_env NEXTCLOUD_ADMIN_USER
+                file_env NEXTCLOUD_ADMIN_PASSWORD
 
-                install=false
-                if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] \
-                    && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
-                    install_options="-n \
+                if [ -n "${NEXTCLOUD_ADMIN_USER+x}" ] && [ -n "${NEXTCLOUD_ADMIN_PASSWORD+x}" ]; then
+                    install_options="$install_options \
                         --admin-user \"$NEXTCLOUD_ADMIN_USER\" \
                         --admin-pass \"$NEXTCLOUD_ADMIN_PASSWORD\""
 
@@ -395,107 +693,51 @@ EOF
                             --data-dir \"$NEXTCLOUD_DATA_DIR\""
                     fi
 
-                    # Handle database configuration (if specified)
-                    file_env MYSQL_DATABASE
-                    file_env MYSQL_PASSWORD
-                    file_env MYSQL_USER
-                    file_env POSTGRES_DB
-                    file_env POSTGRES_PASSWORD
-                    file_env POSTGRES_USER
+                    # Assemble the database autoconfiguration options (if any)
+                    assemble_db_install_options
 
-                    if [ -n "${SQLITE_DATABASE+x}" ]; then
-                        echo "Installing with SQLite database"
-                        install_options="$install_options \
-                            --database-name \"$SQLITE_DATABASE\""
-                        install=true
-                    elif [ -n "${MYSQL_DATABASE+x}" ] \
-                        && [ -n "${MYSQL_USER+x}" ] \
-                        && [ -n "${MYSQL_PASSWORD+x}" ] \
-                        && [ -n "${MYSQL_HOST+x}" ]; then
-                        echo "Installing with MySQL database"
-                        install_options="$install_options \
-                            --database mysql \
-                            --database-name \"$MYSQL_DATABASE\" \
-                            --database-user \"$MYSQL_USER\" \
-                            --database-pass \"$MYSQL_PASSWORD\" \
-                            --database-host \"$MYSQL_HOST\""
-                        install=true
-                    elif [ -n "${POSTGRES_DB+x}" ] \
-                        && [ -n "${POSTGRES_USER+x}" ] \
-                        && [ -n "${POSTGRES_PASSWORD+x}" ] \
-                        && [ -n "${POSTGRES_HOST+x}" ]; then
-                        echo "Installing with PostgreSQL database"
-                        install_options="$install_options \
-                            --database pgsql \
-                            --database-name \"$POSTGRES_DB\" \
-                            --database-user \"$POSTGRES_USER\" \
-                            --database-pass \"$POSTGRES_PASSWORD\" \
-                            --database-host \"$POSTGRES_HOST\""
-                        install=true
-                    fi
-
-                    # Run Nextcloud installer if we were provided enough auto-config values.
-                    # (if not, we don't trigger the actual Nextcloud installer; the config values
-                    # will need to be provided via the Nextcloud Installer's Web UI / wizard).
-                    if [ "$install" = true ]; then
+                    # If all required configuration values are provided, run the Nextcloud command-line installer 
+                    # automatically. Otherwise, skip the installer and require the user to complete setup through 
+                    # the web-based Installation Wizard. Any missing configuration must be entered in the web UI.
+                    if [ "$trigger_installer" = true ]; then
+                    
                         # Trigger pre-installation hook scripts (if any)
                         run_path pre-installation
 
-                        echo "Starting nextcloud installation"
-                        max_retries=10
-                        try=0
-                        until [ "$try" -gt "$max_retries" ] || run_as \
-                            "$OCC maintenance:install $install_options"
-                        do
-                            echo "Retrying install..."
-                            try=$((try+1))
-                            sleep 10s
-                        done
-                        if [ "$try" -gt "$max_retries" ]; then
-                            echo "Installation of nextcloud failed!"
-                            exit 1
-                        fi
-
-                        # Configure trusted domains if provided.
+                        # Run the Nextcloud command-line installer
+                        run_nextcloud_installer "$install_options"
+                        
+                        # Configure trusted domains (if specified).
                         # TODO: This could probably be moved elsewhere to permit reconfiguration within existing installs.
-                        if [ -n "${NEXTCLOUD_TRUSTED_DOMAINS+x}" ]; then
-                            echo "Setting trusted_domains…"
-                            set -f # turn off glob
-                            NC_TRUSTED_DOMAIN_IDX=1
-                            for DOMAIN in ${NEXTCLOUD_TRUSTED_DOMAINS}; do
-                                DOMAIN=$(echo "${DOMAIN}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
-                                run_as \
-                                    "$OCC config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\"${DOMAIN}\""
-                                NC_TRUSTED_DOMAIN_IDX=$((NC_TRUSTED_DOMAIN_IDX+1))
-                            done
-                            set +f # turn glob back on
-                        fi
-
-                        # Trigger post-installation hook scripts (if any)
+                        set_trusted_domains
+
+                         # Trigger post-installation hook scripts (if any)
                         run_path post-installation
                     fi
                 fi
 
-                # Not enough parameters specified to do a fully automated installation.
-                if [ "$install" = false ]; then 
+                # Not enough parameters specified to do an automated installation.
+                if [ "$trigger_installer" = false ]; then 
                     echo "Next step: Access your instance to finish the web-based installation!"
                     echo "Hint: Set NEXTCLOUD_ADMIN_USER, NEXTCLOUD_ADMIN_PASSWORD, and DB vars"
                     echo "before first launch to fully automate initial installation."
                 fi
 
             # Upgrade path for existing instances.
-            # TODO: Consider moving upgrade block to a dedicated function
-            else
+            # TODO: Consider moving upgrade block to a dedicated function.
+            else # (i.e. is_installed)
+            
                 # Trigger pre-upgrade hook scripts (if any)
                 run_path pre-upgrade
 
+                # Run Nextcloud database upgrades (and other non-code changes)
                 run_as "$OCC upgrade"
 
+                # Save post-upgrade enabled/disabled apps list.
+                # This is used to determine if there were problematic app upgrades.
                 run_as "$OCC app:list" | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
-                echo "The following apps have been disabled:"
-                diff /tmp/list_before /tmp/list_after \
-                    | grep '<' | cut -d- -f2 | cut -d: -f1
-                rm -f /tmp/list_before /tmp/list_after
+                # Show differences in post-upgrade enabled/disabled apps
+                show_disabled_apps
 
                 # Trigger post-upgrade hook scripts (if any)
                 run_path post-upgrade
@@ -506,25 +748,12 @@ EOF
 
         # Update htaccess after init if requested
         if [ -n "${NEXTCLOUD_INIT_HTACCESS+x}" ] \
-            && [ "$installed_version" != "0.0.0.0" ]; then
+            && is_installed; then
             run_as "$OCC maintenance:update:htaccess"
         fi
     ) 9> /var/www/html/nextcloud-init-sync.lock
 
-    # Warn the user if any config files in persistent storage differ from the image defaults.
-    for cfgPath in /usr/src/nextcloud/config/*.php; do
-        cfgFile=$(basename "$cfgPath")
-
-        if [ "$cfgFile" != "config.sample.php" ] \
-            && [ "$cfgFile" != "autoconfig.php" ]; then
-            if ! cmp -s "/usr/src/nextcloud/config/$cfgFile" "/var/www/html/config/$cfgFile"; then
-                echo "Warning: /var/www/html/config/$cfgFile differs from the image default at"
-                echo "  /usr/src/nextcloud/config/$cfgFile"
-            fi
-        fi
-    done
-
-    # Trigger before-starting hook scripts (if any)
+    warn_config_diffs
     run_path before-starting
 fi
 
@@ -532,5 +761,4 @@ fi
 # Handoff to Main Container Process
 ###############################################################################
 
-# Hand off to the main container process (e.g., Apache, php-fpm, etc.)
 exec "$@"