Merge branch 'main' into container-create-to-aiodocker

Bump aiodns from 3.6.0 to 3.6.1 (#6423 )
Bumps [aiodns](https://github.com/saghul/aiodns) from 3.6.0 to 3.6.1. - [Release notes](https://github.com/saghul/aiodns/releases) - [Changelog](https://github.com/aio-libs/aiodns/blob/master/ChangeLog) - [Commits](https://github.com/saghul/aiodns/compare/v3.6.0...v3.6.1) --- updated-dependencies: - dependency-name: aiodns dependency-version: 3.6.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-12 10:58:41 +00:00 · 2025-12-11 23:45:39 +01:00 · 2025-12-11 23:42:40 +01:00 · 2025-12-11 20:10:12 +00:00 · 2025-12-11 20:04:55 +00:00 · 2025-12-11 20:04:54 +00:00
165 changed files with 5190 additions and 3146 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,7 @@
 # General files
 .git
 .github
+.gitkeep
 .devcontainer
 .vscode

--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -34,6 +34,9 @@ on:

 env:
  DEFAULT_PYTHON: "3.13"
+  COSIGN_VERSION: "v2.5.3"
+  CRANE_VERSION: "v0.20.7"
+  CRANE_SHA256: "8ef3564d264e6b5ca93f7b7f5652704c4dd29d33935aff6947dd5adefd05953e"
  BUILD_NAME: supervisor
  BUILD_TYPE: supervisor

@@ -50,10 +53,10 @@ jobs:
      version: ${{ steps.version.outputs.version }}
      channel: ${{ steps.version.outputs.channel }}
      publish: ${{ steps.version.outputs.publish }}
-      requirements: ${{ steps.requirements.outputs.changed }}
+      build_wheels: ${{ steps.requirements.outputs.build_wheels }}
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

@@ -69,20 +72,25 @@ jobs:

      - name: Get changed files
        id: changed_files
-        if: steps.version.outputs.publish == 'false'
+        if: github.event_name != 'release'
        uses: masesgroup/retrieve-changed-files@491e80760c0e28d36ca6240a27b1ccb8e1402c13 # v3.0.0

      - name: Check if requirements files changed
        id: requirements
        run: |
-          if [[ "${{ steps.changed_files.outputs.all }}" =~ (requirements.txt|build.yaml) ]]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
+          # No wheels build necessary for releases
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "build_wheels=false" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ steps.changed_files.outputs.all }}" =~ (requirements\.txt|build\.yaml|\.github/workflows/builder\.yml) ]]; then
+            echo "build_wheels=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "build_wheels=false" >> "$GITHUB_OUTPUT"
          fi

  build:
    name: Build ${{ matrix.arch }} supervisor
    needs: init
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runs-on }}
    permissions:
      contents: read
      id-token: write
@@ -90,34 +98,66 @@ jobs:
    strategy:
      matrix:
        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+        include:
+          - runs-on: ubuntu-24.04
+          - runs-on: ubuntu-24.04-arm
+            arch: aarch64
+    env:
+      WHEELS_ABI: cp313
+      WHEELS_TAG: musllinux_1_2
+      WHEELS_APK_DEPS: "libffi-dev;openssl-dev;yaml-dev"
+      WHEELS_SKIP_BINARY: aiohttp
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

-      - name: Write env-file
-        if: needs.init.outputs.requirements == 'true'
+      - name: Write env-file for wheels build
+        if: needs.init.outputs.build_wheels == 'true'
        run: |
          (
            # Fix out of memory issues with rust
            echo "CARGO_NET_GIT_FETCH_WITH_CLI=true"
          ) > .env_file

-      # home-assistant/wheels doesn't support sha pinning
-      - name: Build wheels
-        if: needs.init.outputs.requirements == 'true'
-        uses: home-assistant/wheels@2025.10.0
+      - name: Build and publish wheels
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'true'
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
        with:
-          abi: cp313
-          tag: musllinux_1_2
-          arch: ${{ matrix.arch }}
          wheels-key: ${{ secrets.WHEELS_KEY }}
-          apk: "libffi-dev;openssl-dev;yaml-dev"
-          skip-binary: aiohttp
+          abi: ${{ env.WHEELS_ABI }}
+          tag: ${{ env.WHEELS_TAG }}
+          arch: ${{ matrix.arch }}
+          apk: ${{ env.WHEELS_APK_DEPS }}
+          skip-binary: ${{ env.WHEELS_SKIP_BINARY }}
          env-file: true
          requirements: "requirements.txt"

+      - name: Build local wheels
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
+        with:
+          wheels-host: ""
+          wheels-user: ""
+          wheels-key: ""
+          local-wheels-repo-path: "wheels/"
+          abi: ${{ env.WHEELS_ABI }}
+          tag: ${{ env.WHEELS_TAG }}
+          arch: ${{ matrix.arch }}
+          apk: ${{ env.WHEELS_APK_DEPS }}
+          skip-binary: ${{ env.WHEELS_SKIP_BINARY }}
+          env-file: true
+          requirements: "requirements.txt"
+
+      - name: Upload local wheels artifact
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: wheels-${{ matrix.arch }}
+          path: wheels
+          retention-days: 1
+
      - name: Set version
        if: needs.init.outputs.publish == 'true'
        uses: home-assistant/actions/helpers/version@master
@@ -126,7 +166,7 @@ jobs:

      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
        if: needs.init.outputs.publish == 'true'
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}

@@ -134,7 +174,7 @@ jobs:
        if: needs.init.outputs.publish == 'true'
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
-          cosign-release: "v2.5.3"
+          cosign-release: ${{ env.COSIGN_VERSION }}

      - name: Install dirhash and calc hash
        if: needs.init.outputs.publish == 'true'
@@ -162,25 +202,24 @@ jobs:

      # home-assistant/builder doesn't support sha pinning
      - name: Build supervisor
-        uses: home-assistant/builder@2025.09.0
+        uses: home-assistant/builder@2025.11.0
        with:
+          image: ${{ matrix.arch }}
          args: |
            $BUILD_ARGS \
            --${{ matrix.arch }} \
            --target /data \
            --cosign \
            --generic ${{ needs.init.outputs.version }}
-        env:
-          CAS_API_KEY: ${{ secrets.CAS_TOKEN }}

  version:
    name: Update version
-    needs: ["init", "run_supervisor"]
+    needs: ["init", "run_supervisor", "retag_deprecated"]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        if: needs.init.outputs.publish == 'true'
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Initialize git
        if: needs.init.outputs.publish == 'true'
@@ -205,12 +244,19 @@ jobs:
    timeout-minutes: 60
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Download local wheels artifact
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: wheels-amd64
+          path: wheels

      # home-assistant/builder doesn't support sha pinning
      - name: Build the Supervisor
        if: needs.init.outputs.publish != 'true'
-        uses: home-assistant/builder@2025.09.0
+        uses: home-assistant/builder@2025.11.0
        with:
          args: |
            --test \
@@ -293,33 +339,6 @@ jobs:
            exit 1
          fi

-      - name: Check the Supervisor code sign
-        if: needs.init.outputs.publish == 'true'
-        run: |
-          echo "Enable Content-Trust"
-          test=$(docker exec hassio_cli ha security options --content-trust=true --no-progress --raw-json | jq -r '.result')
-          if [ "$test" != "ok" ]; then
-            exit 1
-          fi
-
-          echo "Run supervisor health check"
-          test=$(docker exec hassio_cli ha resolution healthcheck --no-progress --raw-json | jq -r '.result')
-          if [ "$test" != "ok" ]; then
-            exit 1
-          fi
-
-          echo "Check supervisor unhealthy"
-          test=$(docker exec hassio_cli ha resolution info --no-progress --raw-json | jq -r '.data.unhealthy[]')
-          if [ "$test" != "" ]; then
-            exit 1
-          fi
-
-          echo "Check supervisor supported"
-          test=$(docker exec hassio_cli ha resolution info --no-progress --raw-json | jq -r '.data.unsupported[]')
-          if [[ "$test" =~ source_mods ]]; then
-            exit 1
-          fi
-
      - name: Create full backup
        id: backup
        run: |
@@ -381,3 +400,50 @@ jobs:
      - name: Get supervisor logs on failiure
        if: ${{ cancelled() || failure() }}
        run: docker logs hassio_supervisor
+
+  retag_deprecated:
+    needs: ["build", "init"]
+    name: Re-tag deprecated ${{ matrix.arch }} images
+    if: needs.init.outputs.publish == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    strategy:
+      matrix:
+        arch: ["armhf", "armv7", "i386"]
+    env:
+      # Last available release for deprecated architectures
+      FROZEN_VERSION: "2025.11.5"
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: ${{ env.COSIGN_VERSION }}
+
+      - name: Install crane
+        run: |
+          curl -sLO https://github.com/google/go-containerregistry/releases/download/${{ env.CRANE_VERSION }}/go-containerregistry_Linux_x86_64.tar.gz
+          echo "${{ env.CRANE_SHA256 }}  go-containerregistry_Linux_x86_64.tar.gz" | sha256sum -c -
+          tar xzf go-containerregistry_Linux_x86_64.tar.gz crane
+          sudo mv crane /usr/local/bin/
+
+      - name: Re-tag deprecated image with updated version label
+        run: |
+          crane auth login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
+          crane mutate \
+            --label io.hass.version=${{ needs.init.outputs.version }} \
+            --tag ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }} \
+            ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ env.FROZEN_VERSION }}
+
+      - name: Sign image with Cosign
+        run: |
+          cosign sign --yes ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -26,10 +26,10 @@ jobs:
    name: Prepare Python dependencies
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python
        id: python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}
      - name: Restore Python virtual environment
@@ -68,9 +68,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -111,9 +111,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -154,7 +154,7 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Register hadolint problem matcher
        run: |
          echo "::add-matcher::.github/workflows/matchers/hadolint.json"
@@ -169,9 +169,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -213,9 +213,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -257,9 +257,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -293,9 +293,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -339,9 +339,9 @@ jobs:
    name: Run tests Python ${{ needs.prepare.outputs.python-version }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -398,9 +398,9 @@ jobs:
    needs: ["pytest", "prepare"]
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -428,4 +428,4 @@ jobs:
          coverage report
          coverage xml
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -11,7 +11,7 @@ jobs:
    name: Release Drafter
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

--- a/.github/workflows/sentry.yaml
+++ b/.github/workflows/sentry.yaml
@@ -10,9 +10,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Sentry Release
-        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3.3.0
+        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3.4.0
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,7 +9,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
--- a/.github/workflows/update_frontend.yml
+++ b/.github/workflows/update_frontend.yml
@@ -14,7 +14,7 @@ jobs:
      latest_version: ${{ steps.latest_frontend_version.outputs.latest_tag }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Get latest frontend release
        id: latest_frontend_version
        uses: abatilo/release-info-action@32cb932219f1cee3fc4f4a298fd65ead5d35b661 # v1.3.3
@@ -49,7 +49,7 @@ jobs:
    if: needs.check-version.outputs.skip != 'true'
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Clear www folder
        run: |
          rm -rf supervisor/api/panel/*
@@ -68,7 +68,7 @@ jobs:
        run: |
          rm -f supervisor/api/panel/home_assistant_frontend_supervisor-*.tar.gz
      - name: Create PR
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          commit-message: "Update frontend to version ${{ needs.check-version.outputs.latest_version }}"
          branch: autoupdate-frontend
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,9 @@ var/
 .installed.cfg
 *.egg

+# Local wheels
+wheels/**/*.whl
+
 # PyInstaller
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
@@ -102,4 +105,4 @@ ENV/
 /.dmypy.json

 # Mac
-.DS_Store
+.DS_Store
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.10
+    rev: v0.14.3
    hooks:
      - id: ruff
        args:
--- a/22
+++ b/22
@@ -8,9 +8,7 @@ ENV \
    UV_SYSTEM_PYTHON=true

 ARG \
-    COSIGN_VERSION \
-    BUILD_ARCH \
-    QEMU_CPU
+    COSIGN_VERSION

 # Install base
 WORKDIR /usr/src
@@ -32,15 +30,19 @@ RUN \
    && pip3 install uv==0.8.9

 # Install requirements
-COPY requirements.txt .
 RUN \
-    if [ "${BUILD_ARCH}" = "i386" ]; then \
-        setarch="linux32"; \
+    --mount=type=bind,source=./requirements.txt,target=/usr/src/requirements.txt \
+    --mount=type=bind,source=./wheels,target=/usr/src/wheels \
+    if ls /usr/src/wheels/musllinux/* >/dev/null 2>&1; then \
+        LOCAL_WHEELS=/usr/src/wheels/musllinux; \
+        echo "Using local wheels from: $LOCAL_WHEELS"; \
    else \
-        setarch=""; \
-    fi \
-    && ${setarch} uv pip install --compile-bytecode --no-cache --no-build -r requirements.txt \
-    && rm -f requirements.txt
+        LOCAL_WHEELS=; \
+        echo "No local wheels found"; \
+    fi && \
+    uv pip install --compile-bytecode --no-cache --no-build \
+        -r requirements.txt \
+        ${LOCAL_WHEELS:+--find-links $LOCAL_WHEELS}

 # Install Home Assistant Supervisor
 COPY . supervisor
--- a/build.yaml
+++ b/build.yaml
@@ -1,13 +1,7 @@
 image: ghcr.io/home-assistant/{arch}-hassio-supervisor
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.13-alpine3.22
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.13-alpine3.22
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22
-  i386: ghcr.io/home-assistant/i386-base-python:3.13-alpine3.22
-codenotary:
-  signer: notary@home-assistant.io
-  base_image: notary@home-assistant.io
+  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22-2025.11.1
+  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22-2025.11.1
 cosign:
  base_identity: https://github.com/home-assistant/docker-base/.*
  identity: https://github.com/home-assistant/supervisor/.*
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -321,8 +321,6 @@ lint.ignore = [
    "PLW2901", # Outer {outer_kind} variable {name} overwritten by inner {inner_kind} target
    "UP006",   # keep type annotation style as is
    "UP007",   # keep type annotation style as is
-    # Ignored due to performance: https://github.com/charliermarsh/ruff/issues/2923
-    "UP038", # Use `X | Y` in `isinstance` call instead of `(X, Y)`

    # May conflict with the formatter, https://docs.astral.sh/ruff/formatter/#conflicting-lint-rules
    "W191",
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,10 +1,12 @@
-aiodns==3.5.0
-aiohttp==3.13.1
+aiodns==3.6.1
+aiodocker==0.24.0
+aiohttp==3.13.2
 atomicwrites-homeassistant==1.4.1
 attrs==25.4.0
 awesomeversion==25.8.0
-blockbuster==1.5.25
-brotli==1.1.0
+backports.zstd==1.2.0
+blockbuster==1.5.26
+brotli==1.2.0
 ciso8601==2.3.3
 colorlog==6.10.1
 cpe==1.3.1
@@ -17,14 +19,14 @@ faust-cchardet==2.1.19
 gitpython==3.1.45
 jinja2==3.1.6
 log-rate-limit==1.4.2
-orjson==3.11.4
+orjson==3.11.5
 pulsectl==24.12.0
 pyudev==0.24.4
 PyYAML==6.0.3
 requests==2.32.5
-securetar==2025.2.1
-sentry-sdk==2.42.1
+securetar==2025.12.0
+sentry-sdk==2.47.0
 setuptools==80.9.0
 voluptuous==0.15.2
-dbus-fast==2.44.5
+dbus-fast==3.1.2
 zlib-fast==0.2.1
--- a/requirements_tests.txt
+++ b/requirements_tests.txt
@@ -1,16 +1,16 @@
-astroid==4.0.1
-coverage==7.11.0
-mypy==1.18.2
-pre-commit==4.3.0
-pylint==4.0.2
+astroid==4.0.2
+coverage==7.13.0
+mypy==1.19.0
+pre-commit==4.5.0
+pylint==4.0.4
 pytest-aiohttp==1.1.0
-pytest-asyncio==0.25.2
+pytest-asyncio==1.3.0
 pytest-cov==7.0.0
 pytest-timeout==2.4.0
-pytest==8.4.2
-ruff==0.14.2
-time-machine==2.19.0
-types-docker==7.1.0.20251009
+pytest==9.0.2
+ruff==0.14.8
+time-machine==3.1.0
+types-docker==7.1.0.20251202
 types-pyyaml==6.0.12.20250915
 types-requests==2.32.4.20250913
-urllib3==2.5.0
+urllib3==2.6.1
--- a/supervisor/addons/addon.py
+++ b/supervisor/addons/addon.py
@@ -66,13 +66,22 @@ from ..docker.const import ContainerState
 from ..docker.monitor import DockerContainerStateEvent
 from ..docker.stats import DockerStats
 from ..exceptions import (
-    AddonConfigurationError,
+    AddonBackupMetadataInvalidError,
+    AddonBuildFailedUnknownError,
+    AddonConfigurationInvalidError,
+    AddonNotRunningError,
    AddonNotSupportedError,
+    AddonNotSupportedWriteStdinError,
+    AddonPrePostBackupCommandReturnedError,
    AddonsError,
    AddonsJobError,
+    AddonUnknownError,
+    BackupRestoreUnknownError,
    ConfigurationFileError,
+    DockerBuildError,
    DockerError,
    HostAppArmorError,
+    StoreAddonNotFoundError,
 )
 from ..hardware.data import Device
 from ..homeassistant.const import WSEvent
@@ -235,7 +244,7 @@ class Addon(AddonModel):
            await self.instance.check_image(self.version, default_image, self.arch)
        except DockerError:
            _LOGGER.info("No %s addon Docker image %s found", self.slug, self.image)
-            with suppress(DockerError):
+            with suppress(DockerError, AddonNotSupportedError):
                await self.instance.install(self.version, default_image, arch=self.arch)

        self.persist[ATTR_IMAGE] = default_image
@@ -718,18 +727,16 @@ class Addon(AddonModel):
            options = self.schema.validate(self.options)
            await self.sys_run_in_executor(write_json_file, self.path_options, options)
        except vol.Invalid as ex:
-            _LOGGER.error(
-                "Add-on %s has invalid options: %s",
-                self.slug,
-                humanize_error(self.options, ex),
-            )
-        except ConfigurationFileError:
+            raise AddonConfigurationInvalidError(
+                _LOGGER.error,
+                addon=self.slug,
+                validation_error=humanize_error(self.options, ex),
+            ) from None
+        except ConfigurationFileError as err:
            _LOGGER.error("Add-on %s can't write options", self.slug)
-        else:
-            _LOGGER.debug("Add-on %s write options: %s", self.slug, options)
-            return
+            raise AddonUnknownError(addon=self.slug) from err

-        raise AddonConfigurationError()
+        _LOGGER.debug("Add-on %s write options: %s", self.slug, options)

    @Job(
        name="addon_unload",
@@ -772,7 +779,7 @@ class Addon(AddonModel):
    async def install(self) -> None:
        """Install and setup this addon."""
        if not self.addon_store:
-            raise AddonsError("Missing from store, cannot install!")
+            raise StoreAddonNotFoundError(addon=self.slug)

        await self.sys_addons.data.install(self.addon_store)

@@ -793,9 +800,17 @@ class Addon(AddonModel):
            await self.instance.install(
                self.latest_version, self.addon_store.image, arch=self.arch
            )
-        except DockerError as err:
+        except AddonsError:
            await self.sys_addons.data.uninstall(self)
-            raise AddonsError() from err
+            raise
+        except DockerBuildError as err:
+            _LOGGER.error("Could not build image for addon %s: %s", self.slug, err)
+            await self.sys_addons.data.uninstall(self)
+            raise AddonBuildFailedUnknownError(addon=self.slug) from err
+        except DockerError as err:
+            _LOGGER.error("Could not pull image to update addon %s: %s", self.slug, err)
+            await self.sys_addons.data.uninstall(self)
+            raise AddonUnknownError(addon=self.slug) from err

        # Finish initialization and set up listeners
        await self.load()
@@ -819,7 +834,8 @@ class Addon(AddonModel):
        try:
            await self.instance.remove(remove_image=remove_image)
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error("Could not remove image for addon %s: %s", self.slug, err)
+            raise AddonUnknownError(addon=self.slug) from err

        self.state = AddonState.UNKNOWN

@@ -884,7 +900,7 @@ class Addon(AddonModel):
        if it was running. Else nothing is returned.
        """
        if not self.addon_store:
-            raise AddonsError("Missing from store, cannot update!")
+            raise StoreAddonNotFoundError(addon=self.slug)

        old_image = self.image
        # Cache data to prevent races with other updates to global
@@ -892,8 +908,12 @@ class Addon(AddonModel):

        try:
            await self.instance.update(store.version, store.image, arch=self.arch)
+        except DockerBuildError as err:
+            _LOGGER.error("Could not build image for addon %s: %s", self.slug, err)
+            raise AddonBuildFailedUnknownError(addon=self.slug) from err
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error("Could not pull image to update addon %s: %s", self.slug, err)
+            raise AddonUnknownError(addon=self.slug) from err

        # Stop the addon if running
        if (last_state := self.state) in {AddonState.STARTED, AddonState.STARTUP}:
@@ -935,12 +955,23 @@ class Addon(AddonModel):
        """
        last_state: AddonState = self.state
        try:
-            # remove docker container but not addon config
+            # remove docker container and image but not addon config
            try:
                await self.instance.remove()
-                await self.instance.install(self.version)
            except DockerError as err:
-                raise AddonsError() from err
+                _LOGGER.error("Could not remove image for addon %s: %s", self.slug, err)
+                raise AddonUnknownError(addon=self.slug) from err
+
+            try:
+                await self.instance.install(self.version)
+            except DockerBuildError as err:
+                _LOGGER.error("Could not build image for addon %s: %s", self.slug, err)
+                raise AddonBuildFailedUnknownError(addon=self.slug) from err
+            except DockerError as err:
+                _LOGGER.error(
+                    "Could not pull image to update addon %s: %s", self.slug, err
+                )
+                raise AddonUnknownError(addon=self.slug) from err

            if self.addon_store:
                await self.sys_addons.data.update(self.addon_store)
@@ -1111,8 +1142,9 @@ class Addon(AddonModel):
        try:
            await self.instance.run()
        except DockerError as err:
+            _LOGGER.error("Could not start container for addon %s: %s", self.slug, err)
            self.state = AddonState.ERROR
-            raise AddonsError() from err
+            raise AddonUnknownError(addon=self.slug) from err

        return self.sys_create_task(self._wait_for_startup())

@@ -1127,8 +1159,9 @@ class Addon(AddonModel):
        try:
            await self.instance.stop()
        except DockerError as err:
+            _LOGGER.error("Could not stop container for addon %s: %s", self.slug, err)
            self.state = AddonState.ERROR
-            raise AddonsError() from err
+            raise AddonUnknownError(addon=self.slug) from err

    @Job(
        name="addon_restart",
@@ -1161,9 +1194,15 @@ class Addon(AddonModel):
    async def stats(self) -> DockerStats:
        """Return stats of container."""
        try:
+            if not await self.is_running():
+                raise AddonNotRunningError(_LOGGER.warning, addon=self.slug)
+
            return await self.instance.stats()
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error(
+                "Could not get stats of container for addon %s: %s", self.slug, err
+            )
+            raise AddonUnknownError(addon=self.slug) from err

    @Job(
        name="addon_write_stdin",
@@ -1173,14 +1212,18 @@ class Addon(AddonModel):
    async def write_stdin(self, data) -> None:
        """Write data to add-on stdin."""
        if not self.with_stdin:
-            raise AddonNotSupportedError(
-                f"Add-on {self.slug} does not support writing to stdin!", _LOGGER.error
-            )
+            raise AddonNotSupportedWriteStdinError(_LOGGER.error, addon=self.slug)

        try:
-            return await self.instance.write_stdin(data)
+            if not await self.is_running():
+                raise AddonNotRunningError(_LOGGER.warning, addon=self.slug)
+
+            await self.instance.write_stdin(data)
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error(
+                "Could not write stdin to container for addon %s: %s", self.slug, err
+            )
+            raise AddonUnknownError(addon=self.slug) from err

    async def _backup_command(self, command: str) -> None:
        try:
@@ -1189,15 +1232,14 @@ class Addon(AddonModel):
                _LOGGER.debug(
                    "Pre-/Post backup command failed with: %s", command_return.output
                )
-                raise AddonsError(
-                    f"Pre-/Post backup command returned error code: {command_return.exit_code}",
-                    _LOGGER.error,
+                raise AddonPrePostBackupCommandReturnedError(
+                    _LOGGER.error, addon=self.slug, exit_code=command_return.exit_code
                )
        except DockerError as err:
-            raise AddonsError(
-                f"Failed running pre-/post backup command {command}: {str(err)}",
-                _LOGGER.error,
-            ) from err
+            _LOGGER.error(
+                "Failed running pre-/post backup command %s: %s", command, err
+            )
+            raise AddonUnknownError(addon=self.slug) from err

    @Job(
        name="addon_begin_backup",
@@ -1286,15 +1328,14 @@ class Addon(AddonModel):
                    try:
                        self.instance.export_image(temp_path.joinpath("image.tar"))
                    except DockerError as err:
-                        raise AddonsError() from err
+                        raise BackupRestoreUnknownError() from err

                # Store local configs/state
                try:
                    write_json_file(temp_path.joinpath("addon.json"), metadata)
                except ConfigurationFileError as err:
-                    raise AddonsError(
-                        f"Can't save meta for {self.slug}", _LOGGER.error
-                    ) from err
+                    _LOGGER.error("Can't save meta for %s: %s", self.slug, err)
+                    raise BackupRestoreUnknownError() from err

                # Store AppArmor Profile
                if apparmor_profile:
@@ -1304,9 +1345,7 @@ class Addon(AddonModel):
                            apparmor_profile, profile_backup_file
                        )
                    except HostAppArmorError as err:
-                        raise AddonsError(
-                            "Can't backup AppArmor profile", _LOGGER.error
-                        ) from err
+                        raise BackupRestoreUnknownError() from err

                # Write tarfile
                with tar_file as backup:
@@ -1360,7 +1399,8 @@ class Addon(AddonModel):
            )
            _LOGGER.info("Finish backup for addon %s", self.slug)
        except (tarfile.TarError, OSError, AddFileError) as err:
-            raise AddonsError(f"Can't write tarfile: {err}", _LOGGER.error) from err
+            _LOGGER.error("Can't write backup tarfile for addon %s: %s", self.slug, err)
+            raise BackupRestoreUnknownError() from err
        finally:
            if was_running:
                wait_for_start = await self.end_backup()
@@ -1402,28 +1442,24 @@ class Addon(AddonModel):
        try:
            tmp, data = await self.sys_run_in_executor(_extract_tarfile)
        except tarfile.TarError as err:
-            raise AddonsError(
-                f"Can't read tarfile {tar_file}: {err}", _LOGGER.error
-            ) from err
+            _LOGGER.error("Can't extract backup tarfile for %s: %s", self.slug, err)
+            raise BackupRestoreUnknownError() from err
        except ConfigurationFileError as err:
-            raise AddonsError() from err
+            raise AddonUnknownError(addon=self.slug) from err

        try:
            # Validate
            try:
                data = SCHEMA_ADDON_BACKUP(data)
            except vol.Invalid as err:
-                raise AddonsError(
-                    f"Can't validate {self.slug}, backup data: {humanize_error(data, err)}",
+                raise AddonBackupMetadataInvalidError(
                    _LOGGER.error,
+                    addon=self.slug,
+                    validation_error=humanize_error(data, err),
                ) from err

-            # If available
-            if not self._available(data[ATTR_SYSTEM]):
-                raise AddonNotSupportedError(
-                    f"Add-on {self.slug} is not available for this platform",
-                    _LOGGER.error,
-                )
+            # Validate availability. Raises if not
+            self._validate_availability(data[ATTR_SYSTEM], logger=_LOGGER.error)

            # Restore local add-on information
            _LOGGER.info("Restore config for addon %s", self.slug)
@@ -1482,9 +1518,10 @@ class Addon(AddonModel):
                try:
                    await self.sys_run_in_executor(_restore_data)
                except shutil.Error as err:
-                    raise AddonsError(
-                        f"Can't restore origin data: {err}", _LOGGER.error
-                    ) from err
+                    _LOGGER.error(
+                        "Can't restore origin data for %s: %s", self.slug, err
+                    )
+                    raise BackupRestoreUnknownError() from err

                # Restore AppArmor
                profile_file = Path(tmp.name, "apparmor.txt")
@@ -1495,10 +1532,11 @@ class Addon(AddonModel):
                        )
                    except HostAppArmorError as err:
                        _LOGGER.error(
-                            "Can't restore AppArmor profile for add-on %s",
+                            "Can't restore AppArmor profile for add-on %s: %s",
                            self.slug,
+                            err,
                        )
-                        raise AddonsError() from err
+                        raise BackupRestoreUnknownError() from err

            finally:
                # Is add-on loaded
@@ -1513,13 +1551,6 @@ class Addon(AddonModel):
        _LOGGER.info("Finished restore for add-on %s", self.slug)
        return wait_for_start

-    def check_trust(self) -> Awaitable[None]:
-        """Calculate Addon docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
    @Job(
        name="addon_restart_after_problem",
        throttle_period=WATCHDOG_THROTTLE_PERIOD,
--- a/supervisor/addons/build.py
+++ b/supervisor/addons/build.py
@@ -2,7 +2,10 @@

 from __future__ import annotations

+import base64
 from functools import cached_property
+import json
+import logging
 from pathlib import Path
 from typing import TYPE_CHECKING, Any

@@ -12,20 +15,31 @@ from ..const import (
    ATTR_ARGS,
    ATTR_BUILD_FROM,
    ATTR_LABELS,
+    ATTR_PASSWORD,
    ATTR_SQUASH,
+    ATTR_USERNAME,
    FILE_SUFFIX_CONFIGURATION,
    META_ADDON,
    SOCKET_DOCKER,
+    CpuArch,
 )
 from ..coresys import CoreSys, CoreSysAttributes
+from ..docker.const import DOCKER_HUB, DOCKER_HUB_LEGACY
 from ..docker.interface import MAP_ARCH
-from ..exceptions import ConfigurationFileError, HassioArchNotFound
+from ..exceptions import (
+    AddonBuildArchitectureNotSupportedError,
+    AddonBuildDockerfileMissingError,
+    ConfigurationFileError,
+    HassioArchNotFound,
+)
 from ..utils.common import FileConfiguration, find_one_filetype
 from .validate import SCHEMA_BUILD_CONFIG

 if TYPE_CHECKING:
    from .manager import AnyAddon

+_LOGGER: logging.Logger = logging.getLogger(__name__)
+

 class AddonBuild(FileConfiguration, CoreSysAttributes):
    """Handle build options for add-ons."""
@@ -62,7 +76,7 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
        raise RuntimeError()

    @cached_property
-    def arch(self) -> str:
+    def arch(self) -> CpuArch:
        """Return arch of the add-on."""
        return self.sys_arch.match([self.addon.arch])

@@ -106,7 +120,7 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
            return self.addon.path_location.joinpath(f"Dockerfile.{self.arch}")
        return self.addon.path_location.joinpath("Dockerfile")

-    async def is_valid(self) -> bool:
+    async def is_valid(self) -> None:
        """Return true if the build env is valid."""

        def build_is_valid() -> bool:
@@ -118,12 +132,58 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
            )

        try:
-            return await self.sys_run_in_executor(build_is_valid)
+            if not await self.sys_run_in_executor(build_is_valid):
+                raise AddonBuildDockerfileMissingError(
+                    _LOGGER.error, addon=self.addon.slug
+                )
        except HassioArchNotFound:
-            return False
+            raise AddonBuildArchitectureNotSupportedError(
+                _LOGGER.error,
+                addon=self.addon.slug,
+                addon_arch_list=self.addon.supported_arch,
+                system_arch_list=[arch.value for arch in self.sys_arch.supported],
+            ) from None
+
+    def get_docker_config_json(self) -> str | None:
+        """Generate Docker config.json content with registry credentials for base image.
+
+        Returns a JSON string with registry credentials for the base image's registry,
+        or None if no matching registry is configured.
+
+        Raises:
+            HassioArchNotFound: If the add-on is not supported on the current architecture.
+
+        """
+        # Early return before accessing base_image to avoid unnecessary arch lookup
+        if not self.sys_docker.config.registries:
+            return None
+
+        registry = self.sys_docker.config.get_registry_for_image(self.base_image)
+        if not registry:
+            return None
+
+        stored = self.sys_docker.config.registries[registry]
+        username = stored[ATTR_USERNAME]
+        password = stored[ATTR_PASSWORD]
+
+        # Docker config.json uses base64-encoded "username:password" for auth
+        auth_string = base64.b64encode(f"{username}:{password}".encode()).decode()
+
+        # Use the actual registry URL for the key
+        # Docker Hub uses "https://index.docker.io/v1/" as the key
+        # Support both docker.io (official) and hub.docker.com (legacy)
+        registry_key = (
+            "https://index.docker.io/v1/"
+            if registry in (DOCKER_HUB, DOCKER_HUB_LEGACY)
+            else registry
+        )
+
+        config = {"auths": {registry_key: {"auth": auth_string}}}
+
+        return json.dumps(config)

    def get_docker_args(
-        self, version: AwesomeVersion, image_tag: str
+        self, version: AwesomeVersion, image_tag: str, docker_config_path: Path | None
    ) -> dict[str, Any]:
        """Create a dict with Docker run args."""
        dockerfile_path = self.get_dockerfile().relative_to(self.addon.path_location)
@@ -172,12 +232,24 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
            self.addon.path_location
        )

+        volumes = {
+            SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
+            addon_extern_path: {"bind": "/addon", "mode": "ro"},
+        }
+
+        # Mount Docker config with registry credentials if available
+        if docker_config_path:
+            docker_config_extern_path = self.sys_config.local_to_extern_path(
+                docker_config_path
+            )
+            volumes[docker_config_extern_path] = {
+                "bind": "/root/.docker/config.json",
+                "mode": "ro",
+            }
+
        return {
            "command": build_cmd,
-            "volumes": {
-                SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
-                addon_extern_path: {"bind": "/addon", "mode": "ro"},
-            },
+            "volumes": volumes,
            "working_dir": "/addon",
        }

--- a/supervisor/addons/model.py
+++ b/supervisor/addons/model.py
@@ -87,6 +87,7 @@ from ..const import (
    AddonBootConfig,
    AddonStage,
    AddonStartup,
+    CpuArch,
 )
 from ..coresys import CoreSys
 from ..docker.const import Capabilities
@@ -103,7 +104,6 @@ from .configuration import FolderMapping
 from .const import (
    ATTR_BACKUP,
    ATTR_BREAKING_VERSIONS,
-    ATTR_CODENOTARY,
    ATTR_PATH,
    ATTR_READ_ONLY,
    AddonBackupMode,
@@ -316,12 +316,12 @@ class AddonModel(JobGroup, ABC):

    @property
    def panel_title(self) -> str:
-        """Return panel icon for Ingress frame."""
+        """Return panel title for Ingress frame."""
        return self.data.get(ATTR_PANEL_TITLE, self.name)

    @property
-    def panel_admin(self) -> str:
-        """Return panel icon for Ingress frame."""
+    def panel_admin(self) -> bool:
+        """Return if panel is only available for admin users."""
        return self.data[ATTR_PANEL_ADMIN]

    @property
@@ -489,7 +489,7 @@ class AddonModel(JobGroup, ABC):
        return self.data[ATTR_DEVICETREE]

    @property
-    def with_tmpfs(self) -> str | None:
+    def with_tmpfs(self) -> bool:
        """Return if tmp is in memory of add-on."""
        return self.data[ATTR_TMPFS]

@@ -509,7 +509,7 @@ class AddonModel(JobGroup, ABC):
        return self.data[ATTR_VIDEO]

    @property
-    def homeassistant_version(self) -> str | None:
+    def homeassistant_version(self) -> AwesomeVersion | None:
        """Return min Home Assistant version they needed by Add-on."""
        return self.data.get(ATTR_HOMEASSISTANT)

@@ -549,7 +549,7 @@ class AddonModel(JobGroup, ABC):
        return self.data.get(ATTR_MACHINE, [])

    @property
-    def arch(self) -> str:
+    def arch(self) -> CpuArch:
        """Return architecture to use for the addon's image."""
        if ATTR_IMAGE in self.data:
            return self.sys_arch.match(self.data[ATTR_ARCH])
@@ -632,13 +632,8 @@ class AddonModel(JobGroup, ABC):

    @property
    def signed(self) -> bool:
-        """Return True if the image is signed."""
-        return ATTR_CODENOTARY in self.data
-
-    @property
-    def codenotary(self) -> str | None:
-        """Return Signer email address for CAS."""
-        return self.data.get(ATTR_CODENOTARY)
+        """Currently no signing support."""
+        return False

    @property
    def breaking_versions(self) -> list[AwesomeVersion]:
--- a/supervisor/addons/options.py
+++ b/supervisor/addons/options.py
@@ -75,7 +75,7 @@ class AddonOptions(CoreSysAttributes):
        """Create a schema for add-on options."""
        return vol.Schema(vol.All(dict, self))

-    def __call__(self, struct):
+    def __call__(self, struct: dict[str, Any]) -> dict[str, Any]:
        """Create schema validator for add-ons options."""
        options = {}

@@ -193,9 +193,7 @@ class AddonOptions(CoreSysAttributes):
            f"Fatal error for option '{key}' with type '{typ}' in {self._name} ({self._slug})"
        ) from None

-    def _nested_validate_list(
-        self, typ: Any, data_list: list[Any], key: str
-    ) -> list[Any]:
+    def _nested_validate_list(self, typ: Any, data_list: Any, key: str) -> list[Any]:
        """Validate nested items."""
        options = []

@@ -213,7 +211,7 @@ class AddonOptions(CoreSysAttributes):
        return options

    def _nested_validate_dict(
-        self, typ: dict[Any, Any], data_dict: dict[Any, Any], key: str
+        self, typ: dict[Any, Any], data_dict: Any, key: str
    ) -> dict[Any, Any]:
        """Validate nested items."""
        options = {}
@@ -264,7 +262,7 @@ class UiOptions(CoreSysAttributes):

    def __init__(self, coresys: CoreSys) -> None:
        """Initialize UI option render."""
-        self.coresys = coresys
+        self.coresys: CoreSys = coresys

    def __call__(self, raw_schema: dict[str, Any]) -> list[dict[str, Any]]:
        """Generate UI schema."""
@@ -279,10 +277,10 @@ class UiOptions(CoreSysAttributes):
    def _ui_schema_element(
        self,
        ui_schema: list[dict[str, Any]],
-        value: str,
+        value: str | list[Any] | dict[str, Any],
        key: str,
        multiple: bool = False,
-    ):
+    ) -> None:
        if isinstance(value, list):
            # nested value list
            assert not multiple
--- a/supervisor/addons/validate.py
+++ b/supervisor/addons/validate.py
@@ -207,6 +207,12 @@ def _warn_addon_config(config: dict[str, Any]):
            name,
        )

+    if ATTR_CODENOTARY in config:
+        _LOGGER.warning(
+            "Add-on '%s' uses deprecated 'codenotary' field in config. This field is no longer used and will be ignored. Please report this to the maintainer.",
+            name,
+        )
+
    return config


@@ -417,7 +423,6 @@ _SCHEMA_ADDON_CONFIG = vol.Schema(
        vol.Optional(ATTR_BACKUP, default=AddonBackupMode.HOT): vol.Coerce(
            AddonBackupMode
        ),
-        vol.Optional(ATTR_CODENOTARY): vol.Email(),
        vol.Optional(ATTR_OPTIONS, default={}): dict,
        vol.Optional(ATTR_SCHEMA, default={}): vol.Any(
            vol.Schema({str: SCHEMA_ELEMENT}),
--- a/supervisor/api/init.py
+++ b/supervisor/api/init.py
@@ -152,6 +152,7 @@ class RestAPI(CoreSysAttributes):
                        self._api_host.advanced_logs,
                        identifier=syslog_identifier,
                        latest=True,
+                        no_colors=True,
                    ),
                ),
                web.get(
@@ -449,6 +450,7 @@ class RestAPI(CoreSysAttributes):
                    await async_capture_exception(err)
                kwargs.pop("follow", None)  # Follow is not supported for Docker logs
                kwargs.pop("latest", None)  # Latest is not supported for Docker logs
+                kwargs.pop("no_colors", None)  # no_colors not supported for Docker logs
                return await api_supervisor.logs(*args, **kwargs)

        self.webapp.add_routes(
@@ -460,7 +462,7 @@ class RestAPI(CoreSysAttributes):
                ),
                web.get(
                    "/supervisor/logs/latest",
-                    partial(get_supervisor_logs, latest=True),
+                    partial(get_supervisor_logs, latest=True, no_colors=True),
                ),
                web.get("/supervisor/logs/boots/{bootid}", get_supervisor_logs),
                web.get(
@@ -576,7 +578,7 @@ class RestAPI(CoreSysAttributes):
                ),
                web.get(
                    "/addons/{addon}/logs/latest",
-                    partial(get_addon_logs, latest=True),
+                    partial(get_addon_logs, latest=True, no_colors=True),
                ),
                web.get("/addons/{addon}/logs/boots/{bootid}", get_addon_logs),
                web.get(
@@ -811,6 +813,10 @@ class RestAPI(CoreSysAttributes):
        self.webapp.add_routes(
            [
                web.get("/docker/info", api_docker.info),
+                web.post(
+                    "/docker/migrate-storage-driver",
+                    api_docker.migrate_docker_storage_driver,
+                ),
                web.post("/docker/options", api_docker.options),
                web.get("/docker/registries", api_docker.registries),
                web.post("/docker/registries", api_docker.create_registry),
--- a/supervisor/api/addons.py
+++ b/supervisor/api/addons.py
@@ -100,6 +100,9 @@ from ..const import (
 from ..coresys import CoreSysAttributes
 from ..docker.stats import DockerStats
 from ..exceptions import (
+    AddonBootConfigCannotChangeError,
+    AddonConfigurationInvalidError,
+    AddonNotSupportedWriteStdinError,
    APIAddonNotInstalled,
    APIError,
    APIForbidden,
@@ -125,6 +128,7 @@ SCHEMA_OPTIONS = vol.Schema(
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_INGRESS_PANEL): vol.Boolean(),
        vol.Optional(ATTR_WATCHDOG): vol.Boolean(),
+        vol.Optional(ATTR_OPTIONS): vol.Maybe(dict),
    }
 )

@@ -300,19 +304,24 @@ class APIAddons(CoreSysAttributes):
        # Update secrets for validation
        await self.sys_homeassistant.secrets.reload()

-        # Extend schema with add-on specific validation
-        addon_schema = SCHEMA_OPTIONS.extend(
-            {vol.Optional(ATTR_OPTIONS): vol.Maybe(addon.schema)}
-        )
-
        # Validate/Process Body
-        body = await api_validate(addon_schema, request)
+        body = await api_validate(SCHEMA_OPTIONS, request)
        if ATTR_OPTIONS in body:
-            addon.options = body[ATTR_OPTIONS]
+            # None resets options to defaults, otherwise validate the options
+            if body[ATTR_OPTIONS] is None:
+                addon.options = None
+            else:
+                try:
+                    addon.options = addon.schema(body[ATTR_OPTIONS])
+                except vol.Invalid as ex:
+                    raise AddonConfigurationInvalidError(
+                        addon=addon.slug,
+                        validation_error=humanize_error(body[ATTR_OPTIONS], ex),
+                    ) from None
        if ATTR_BOOT in body:
            if addon.boot_config == AddonBootConfig.MANUAL_ONLY:
-                raise APIError(
-                    f"Addon {addon.slug} boot option is set to {addon.boot_config} so it cannot be changed"
+                raise AddonBootConfigCannotChangeError(
+                    addon=addon.slug, boot_config=addon.boot_config.value
                )
            addon.boot = body[ATTR_BOOT]
        if ATTR_AUTO_UPDATE in body:
@@ -385,7 +394,7 @@ class APIAddons(CoreSysAttributes):
        return data

    @api_process
-    async def options_config(self, request: web.Request) -> None:
+    async def options_config(self, request: web.Request) -> dict[str, Any]:
        """Validate user options for add-on."""
        slug: str = request.match_info["addon"]
        if slug != "self":
@@ -430,11 +439,11 @@ class APIAddons(CoreSysAttributes):
        }

    @api_process
-    async def uninstall(self, request: web.Request) -> Awaitable[None]:
+    async def uninstall(self, request: web.Request) -> None:
        """Uninstall add-on."""
        addon = self.get_addon_for_request(request)
        body: dict[str, Any] = await api_validate(SCHEMA_UNINSTALL, request)
-        return await asyncio.shield(
+        await asyncio.shield(
            self.sys_addons.uninstall(
                addon.slug, remove_config=body[ATTR_REMOVE_CONFIG]
            )
@@ -476,7 +485,7 @@ class APIAddons(CoreSysAttributes):
        """Write to stdin of add-on."""
        addon = self.get_addon_for_request(request)
        if not addon.with_stdin:
-            raise APIError(f"STDIN not supported the {addon.slug} add-on")
+            raise AddonNotSupportedWriteStdinError(_LOGGER.error, addon=addon.slug)

        data = await request.read()
        await asyncio.shield(addon.write_stdin(data))
--- a/supervisor/api/auth.py
+++ b/supervisor/api/auth.py
@@ -15,7 +15,7 @@ import voluptuous as vol
 from ..addons.addon import Addon
 from ..const import ATTR_NAME, ATTR_PASSWORD, ATTR_USERNAME, REQUEST_FROM
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIForbidden
+from ..exceptions import APIForbidden, AuthInvalidNonStringValueError
 from .const import (
    ATTR_GROUP_IDS,
    ATTR_IS_ACTIVE,
@@ -69,7 +69,9 @@ class APIAuth(CoreSysAttributes):
        try:
            _ = username.encode and password.encode  # type: ignore
        except AttributeError:
-            raise HTTPUnauthorized(headers=REALM_HEADER) from None
+            raise AuthInvalidNonStringValueError(
+                _LOGGER.error, headers=REALM_HEADER
+            ) from None

        return self.sys_auth.check_login(
            addon, cast(str, username), cast(str, password)
--- a/supervisor/api/backups.py
+++ b/supervisor/api/backups.py
@@ -211,7 +211,7 @@ class APIBackups(CoreSysAttributes):
        await self.sys_backups.save_data()

    @api_process
-    async def reload(self, _):
+    async def reload(self, _: web.Request) -> bool:
        """Reload backup list."""
        await asyncio.shield(self.sys_backups.reload())
        return True
@@ -421,7 +421,7 @@ class APIBackups(CoreSysAttributes):
        await self.sys_backups.remove(backup, locations=locations)

    @api_process
-    async def download(self, request: web.Request):
+    async def download(self, request: web.Request) -> web.StreamResponse:
        """Download a backup file."""
        backup = self._extract_slug(request)
        # Query will give us '' for /backups, convert value to None
@@ -451,7 +451,7 @@ class APIBackups(CoreSysAttributes):
        return response

    @api_process
-    async def upload(self, request: web.Request):
+    async def upload(self, request: web.Request) -> dict[str, str] | bool:
        """Upload a backup file."""
        location: LOCATION_TYPE = None
        locations: list[LOCATION_TYPE] | None = None
--- a/supervisor/api/docker.py
+++ b/supervisor/api/docker.py
@@ -4,6 +4,7 @@ import logging
 from typing import Any

 from aiohttp import web
+from awesomeversion import AwesomeVersion
 import voluptuous as vol

 from supervisor.resolution.const import ContextType, IssueType, SuggestionType
@@ -16,6 +17,7 @@ from ..const import (
    ATTR_PASSWORD,
    ATTR_REGISTRIES,
    ATTR_STORAGE,
+    ATTR_STORAGE_DRIVER,
    ATTR_USERNAME,
    ATTR_VERSION,
 )
@@ -42,12 +44,18 @@ SCHEMA_OPTIONS = vol.Schema(
    }
 )

+SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER = vol.Schema(
+    {
+        vol.Required(ATTR_STORAGE_DRIVER): vol.In(["overlayfs"]),
+    }
+)
+

 class APIDocker(CoreSysAttributes):
    """Handle RESTful API for Docker configuration."""

    @api_process
-    async def info(self, request: web.Request):
+    async def info(self, request: web.Request) -> dict[str, Any]:
        """Get docker info."""
        data_registries = {}
        for hostname, registry in self.sys_docker.config.registries.items():
@@ -105,7 +113,7 @@ class APIDocker(CoreSysAttributes):
        return {ATTR_REGISTRIES: data_registries}

    @api_process
-    async def create_registry(self, request: web.Request):
+    async def create_registry(self, request: web.Request) -> None:
        """Create a new docker registry."""
        body = await api_validate(SCHEMA_DOCKER_REGISTRY, request)

@@ -115,7 +123,7 @@ class APIDocker(CoreSysAttributes):
        await self.sys_docker.config.save_data()

    @api_process
-    async def remove_registry(self, request: web.Request):
+    async def remove_registry(self, request: web.Request) -> None:
        """Delete a docker registry."""
        hostname = request.match_info.get(ATTR_HOSTNAME)
        if hostname not in self.sys_docker.config.registries:
@@ -123,3 +131,27 @@ class APIDocker(CoreSysAttributes):

        del self.sys_docker.config.registries[hostname]
        await self.sys_docker.config.save_data()
+
+    @api_process
+    async def migrate_docker_storage_driver(self, request: web.Request) -> None:
+        """Migrate Docker storage driver."""
+        if (
+            not self.coresys.os.available
+            or not self.coresys.os.version
+            or self.coresys.os.version < AwesomeVersion("17.0.dev0")
+        ):
+            raise APINotFound(
+                "Home Assistant OS 17.0 or newer required for Docker storage driver migration"
+            )
+
+        body = await api_validate(SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER, request)
+        await self.sys_dbus.agent.system.migrate_docker_storage_driver(
+            body[ATTR_STORAGE_DRIVER]
+        )
+
+        _LOGGER.info("Host system reboot required to apply Docker storage migration")
+        self.sys_resolution.create_issue(
+            IssueType.REBOOT_REQUIRED,
+            ContextType.SYSTEM,
+            suggestions=[SuggestionType.EXECUTE_REBOOT],
+        )
--- a/supervisor/api/homeassistant.py
+++ b/supervisor/api/homeassistant.py
@@ -18,6 +18,7 @@ from ..const import (
    ATTR_BLK_WRITE,
    ATTR_BOOT,
    ATTR_CPU_PERCENT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_IP_ADDRESS,
    ATTR_JOB_ID,
@@ -55,6 +56,7 @@ SCHEMA_OPTIONS = vol.Schema(
        vol.Optional(ATTR_AUDIO_OUTPUT): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_BACKUPS_EXCLUDE_DATABASE): vol.Boolean(),
+        vol.Optional(ATTR_DUPLICATE_LOG_FILE): vol.Boolean(),
    }
 )

@@ -112,6 +114,7 @@ class APIHomeAssistant(CoreSysAttributes):
            ATTR_AUDIO_INPUT: self.sys_homeassistant.audio_input,
            ATTR_AUDIO_OUTPUT: self.sys_homeassistant.audio_output,
            ATTR_BACKUPS_EXCLUDE_DATABASE: self.sys_homeassistant.backups_exclude_database,
+            ATTR_DUPLICATE_LOG_FILE: self.sys_homeassistant.duplicate_log_file,
        }

    @api_process
@@ -151,10 +154,13 @@ class APIHomeAssistant(CoreSysAttributes):
                ATTR_BACKUPS_EXCLUDE_DATABASE
            ]

+        if ATTR_DUPLICATE_LOG_FILE in body:
+            self.sys_homeassistant.duplicate_log_file = body[ATTR_DUPLICATE_LOG_FILE]
+
        await self.sys_homeassistant.save_data()

    @api_process
-    async def stats(self, request: web.Request) -> dict[Any, str]:
+    async def stats(self, request: web.Request) -> dict[str, Any]:
        """Return resource information."""
        stats = await self.sys_homeassistant.core.stats()
        if not stats:
@@ -191,7 +197,7 @@ class APIHomeAssistant(CoreSysAttributes):
        return await update_task

    @api_process
-    async def stop(self, request: web.Request) -> Awaitable[None]:
+    async def stop(self, request: web.Request) -> None:
        """Stop Home Assistant."""
        body = await api_validate(SCHEMA_STOP, request)
        await self._check_offline_migration(force=body[ATTR_FORCE])
--- a/supervisor/api/host.py
+++ b/supervisor/api/host.py
@@ -1,6 +1,7 @@
 """Init file for Supervisor host RESTful API."""

 import asyncio
+from collections.abc import Awaitable
 from contextlib import suppress
 import json
 import logging
@@ -99,7 +100,7 @@ class APIHost(CoreSysAttributes):
            )

    @api_process
-    async def info(self, request):
+    async def info(self, request: web.Request) -> dict[str, Any]:
        """Return host information."""
        return {
            ATTR_AGENT_VERSION: self.sys_dbus.agent.version,
@@ -128,7 +129,7 @@ class APIHost(CoreSysAttributes):
        }

    @api_process
-    async def options(self, request):
+    async def options(self, request: web.Request) -> None:
        """Edit host settings."""
        body = await api_validate(SCHEMA_OPTIONS, request)

@@ -139,7 +140,7 @@ class APIHost(CoreSysAttributes):
            )

    @api_process
-    async def reboot(self, request):
+    async def reboot(self, request: web.Request) -> None:
        """Reboot host."""
        body = await api_validate(SCHEMA_SHUTDOWN, request)
        await self._check_ha_offline_migration(force=body[ATTR_FORCE])
@@ -147,7 +148,7 @@ class APIHost(CoreSysAttributes):
        return await asyncio.shield(self.sys_host.control.reboot())

    @api_process
-    async def shutdown(self, request):
+    async def shutdown(self, request: web.Request) -> None:
        """Poweroff host."""
        body = await api_validate(SCHEMA_SHUTDOWN, request)
        await self._check_ha_offline_migration(force=body[ATTR_FORCE])
@@ -155,12 +156,12 @@ class APIHost(CoreSysAttributes):
        return await asyncio.shield(self.sys_host.control.shutdown())

    @api_process
-    def reload(self, request):
+    def reload(self, request: web.Request) -> Awaitable[None]:
        """Reload host data."""
        return asyncio.shield(self.sys_host.reload())

    @api_process
-    async def services(self, request):
+    async def services(self, request: web.Request) -> dict[str, Any]:
        """Return list of available services."""
        services = []
        for unit in self.sys_host.services:
@@ -175,7 +176,7 @@ class APIHost(CoreSysAttributes):
        return {ATTR_SERVICES: services}

    @api_process
-    async def list_boots(self, _: web.Request):
+    async def list_boots(self, _: web.Request) -> dict[str, Any]:
        """Return a list of boot IDs."""
        boot_ids = await self.sys_host.logs.get_boot_ids()
        return {
@@ -186,7 +187,7 @@ class APIHost(CoreSysAttributes):
        }

    @api_process
-    async def list_identifiers(self, _: web.Request):
+    async def list_identifiers(self, _: web.Request) -> dict[str, list[str]]:
        """Return a list of syslog identifiers."""
        return {ATTR_IDENTIFIERS: await self.sys_host.logs.get_identifiers()}

@@ -206,6 +207,7 @@ class APIHost(CoreSysAttributes):
        identifier: str | None = None,
        follow: bool = False,
        latest: bool = False,
+        no_colors: bool = False,
    ) -> web.StreamResponse:
        """Return systemd-journald logs."""
        log_formatter = LogFormatter.PLAIN
@@ -251,6 +253,9 @@ class APIHost(CoreSysAttributes):
        if "verbose" in request.query or request.headers[ACCEPT] == CONTENT_TYPE_X_LOG:
            log_formatter = LogFormatter.VERBOSE

+        if "no_colors" in request.query:
+            no_colors = True
+
        if "lines" in request.query:
            lines = request.query.get("lines", DEFAULT_LINES)
            try:
@@ -280,7 +285,9 @@ class APIHost(CoreSysAttributes):
                response = web.StreamResponse()
                response.content_type = CONTENT_TYPE_TEXT
                headers_returned = False
-                async for cursor, line in journal_logs_reader(resp, log_formatter):
+                async for cursor, line in journal_logs_reader(
+                    resp, log_formatter, no_colors
+                ):
                    try:
                        if not headers_returned:
                            if cursor:
@@ -318,12 +325,15 @@ class APIHost(CoreSysAttributes):
        identifier: str | None = None,
        follow: bool = False,
        latest: bool = False,
+        no_colors: bool = False,
    ) -> web.StreamResponse:
        """Return systemd-journald logs. Wrapped as standard API handler."""
-        return await self.advanced_logs_handler(request, identifier, follow, latest)
+        return await self.advanced_logs_handler(
+            request, identifier, follow, latest, no_colors
+        )

    @api_process
-    async def disk_usage(self, request: web.Request) -> dict:
+    async def disk_usage(self, request: web.Request) -> dict[str, Any]:
        """Return a breakdown of storage usage for the system."""

        max_depth = request.query.get(ATTR_MAX_DEPTH, 1)
@@ -334,10 +344,14 @@ class APIHost(CoreSysAttributes):

        disk = self.sys_hardware.disk

-        total, used, _ = await self.sys_run_in_executor(
+        total, _, free = await self.sys_run_in_executor(
            disk.disk_usage, self.sys_config.path_supervisor
        )

+        # Calculate used by subtracting free makes sure we include reserved space
+        # in used space reporting.
+        used = total - free
+
        known_paths = await self.sys_run_in_executor(
            disk.get_dir_sizes,
            {
--- a/supervisor/api/ingress.py
+++ b/supervisor/api/ingress.py
@@ -253,18 +253,28 @@ class APIIngress(CoreSysAttributes):
            skip_auto_headers={hdrs.CONTENT_TYPE},
        ) as result:
            headers = _response_header(result)
+
            # Avoid parsing content_type in simple cases for better performance
            if maybe_content_type := result.headers.get(hdrs.CONTENT_TYPE):
                content_type = (maybe_content_type.partition(";"))[0].strip()
            else:
                content_type = result.content_type
+
+            # Empty body responses (304, 204, HEAD, etc.) should not be streamed,
+            # otherwise aiohttp < 3.9.0 may generate an invalid "0\r\n\r\n" chunk
+            # This also avoids setting content_type for empty responses.
+            if must_be_empty_body(request.method, result.status):
+                # If upstream contains content-type, preserve it (e.g. for HEAD requests)
+                if maybe_content_type:
+                    headers[hdrs.CONTENT_TYPE] = content_type
+                return web.Response(
+                    headers=headers,
+                    status=result.status,
+                )
+
            # Simple request
            if (
-                # empty body responses should not be streamed,
-                # otherwise aiohttp < 3.9.0 may generate
-                # an invalid "0\r\n\r\n" chunk instead of an empty response.
-                must_be_empty_body(request.method, result.status)
-                or hdrs.CONTENT_LENGTH in result.headers
+                hdrs.CONTENT_LENGTH in result.headers
                and int(result.headers.get(hdrs.CONTENT_LENGTH, 0)) < 4_194_000
            ):
                # Return Response
--- a/supervisor/api/middleware/security.py
+++ b/supervisor/api/middleware/security.py
@@ -1,12 +1,12 @@
 """Handle security part of this API."""

-from collections.abc import Callable
+from collections.abc import Awaitable, Callable
 import logging
 import re
 from typing import Final
 from urllib.parse import unquote

-from aiohttp.web import Request, Response, middleware
+from aiohttp.web import Request, StreamResponse, middleware
 from aiohttp.web_exceptions import HTTPBadRequest, HTTPForbidden, HTTPUnauthorized
 from awesomeversion import AwesomeVersion

@@ -89,7 +89,7 @@ CORE_ONLY_PATHS: Final = re.compile(
 )

 # Policy role add-on API access
-ADDONS_ROLE_ACCESS: dict[str, re.Pattern] = {
+ADDONS_ROLE_ACCESS: dict[str, re.Pattern[str]] = {
    ROLE_DEFAULT: re.compile(
        r"^(?:"
        r"|/.+/info"
@@ -180,7 +180,9 @@ class SecurityMiddleware(CoreSysAttributes):
        return unquoted

    @middleware
-    async def block_bad_requests(self, request: Request, handler: Callable) -> Response:
+    async def block_bad_requests(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Process request and tblock commonly known exploit attempts."""
        if FILTERS.search(self._recursive_unquote(request.path)):
            _LOGGER.warning(
@@ -198,7 +200,9 @@ class SecurityMiddleware(CoreSysAttributes):
        return await handler(request)

    @middleware
-    async def system_validation(self, request: Request, handler: Callable) -> Response:
+    async def system_validation(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Check if core is ready to response."""
        if self.sys_core.state not in VALID_API_STATES:
            return api_return_error(
@@ -208,7 +212,9 @@ class SecurityMiddleware(CoreSysAttributes):
        return await handler(request)

    @middleware
-    async def token_validation(self, request: Request, handler: Callable) -> Response:
+    async def token_validation(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Check security access of this layer."""
        request_from: CoreSysAttributes | None = None
        supervisor_token = extract_supervisor_token(request)
@@ -279,7 +285,9 @@ class SecurityMiddleware(CoreSysAttributes):
        raise HTTPForbidden()

    @middleware
-    async def core_proxy(self, request: Request, handler: Callable) -> Response:
+    async def core_proxy(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Validate user from Core API proxy."""
        if (
            request[REQUEST_FROM] != self.sys_homeassistant
--- a/supervisor/api/security.py
+++ b/supervisor/api/security.py
@@ -1,24 +1,20 @@
 """Init file for Supervisor Security RESTful API."""

-import asyncio
-import logging
 from typing import Any

 from aiohttp import web
-import attr
 import voluptuous as vol

-from ..const import ATTR_CONTENT_TRUST, ATTR_FORCE_SECURITY, ATTR_PWNED
+from supervisor.exceptions import APIGone
+
+from ..const import ATTR_FORCE_SECURITY, ATTR_PWNED
 from ..coresys import CoreSysAttributes
 from .utils import api_process, api_validate

-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
 # pylint: disable=no-value-for-parameter
 SCHEMA_OPTIONS = vol.Schema(
    {
        vol.Optional(ATTR_PWNED): vol.Boolean(),
-        vol.Optional(ATTR_CONTENT_TRUST): vol.Boolean(),
        vol.Optional(ATTR_FORCE_SECURITY): vol.Boolean(),
    }
 )
@@ -31,7 +27,6 @@ class APISecurity(CoreSysAttributes):
    async def info(self, request: web.Request) -> dict[str, Any]:
        """Return Security information."""
        return {
-            ATTR_CONTENT_TRUST: self.sys_security.content_trust,
            ATTR_PWNED: self.sys_security.pwned,
            ATTR_FORCE_SECURITY: self.sys_security.force,
        }
@@ -43,8 +38,6 @@ class APISecurity(CoreSysAttributes):

        if ATTR_PWNED in body:
            self.sys_security.pwned = body[ATTR_PWNED]
-        if ATTR_CONTENT_TRUST in body:
-            self.sys_security.content_trust = body[ATTR_CONTENT_TRUST]
        if ATTR_FORCE_SECURITY in body:
            self.sys_security.force = body[ATTR_FORCE_SECURITY]

@@ -54,6 +47,9 @@ class APISecurity(CoreSysAttributes):

    @api_process
    async def integrity_check(self, request: web.Request) -> dict[str, Any]:
-        """Run backend integrity check."""
-        result = await asyncio.shield(self.sys_security.integrity_check())
-        return attr.asdict(result)
+        """Run backend integrity check.
+
+        CodeNotary integrity checking has been removed. This endpoint now returns
+        an error indicating the feature is gone.
+        """
+        raise APIGone("Integrity check feature has been removed.")
--- a/supervisor/api/services.py
+++ b/supervisor/api/services.py
@@ -1,5 +1,9 @@
 """Init file for Supervisor network RESTful API."""

+from typing import Any
+
+from aiohttp import web
+
 from ..const import (
    ATTR_AVAILABLE,
    ATTR_PROVIDERS,
@@ -25,7 +29,7 @@ class APIServices(CoreSysAttributes):
        return service

    @api_process
-    async def list_services(self, request):
+    async def list_services(self, request: web.Request) -> dict[str, Any]:
        """Show register services."""
        services = []
        for service in self.sys_services.list_services:
@@ -40,7 +44,7 @@ class APIServices(CoreSysAttributes):
        return {ATTR_SERVICES: services}

    @api_process
-    async def set_service(self, request):
+    async def set_service(self, request: web.Request) -> None:
        """Write data into a service."""
        service = self._extract_service(request)
        body = await api_validate(service.schema, request)
@@ -50,7 +54,7 @@ class APIServices(CoreSysAttributes):
        await service.set_service_data(addon, body)

    @api_process
-    async def get_service(self, request):
+    async def get_service(self, request: web.Request) -> dict[str, Any]:
        """Read data into a service."""
        service = self._extract_service(request)

@@ -62,7 +66,7 @@ class APIServices(CoreSysAttributes):
        return service.get_service_data()

    @api_process
-    async def del_service(self, request):
+    async def del_service(self, request: web.Request) -> None:
        """Delete data into a service."""
        service = self._extract_service(request)
        addon = request[REQUEST_FROM]
--- a/supervisor/api/store.py
+++ b/supervisor/api/store.py
@@ -53,7 +53,7 @@ from ..const import (
    REQUEST_FROM,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError, APIForbidden, APINotFound
+from ..exceptions import APIError, APIForbidden, APINotFound, StoreAddonNotFoundError
 from ..store.addon import AddonStore
 from ..store.repository import Repository
 from ..store.validate import validate_repository
@@ -104,7 +104,7 @@ class APIStore(CoreSysAttributes):
        addon_slug: str = request.match_info["addon"]

        if not (addon := self.sys_addons.get(addon_slug)):
-            raise APINotFound(f"Addon {addon_slug} does not exist")
+            raise StoreAddonNotFoundError(addon=addon_slug)

        if installed and not addon.is_installed:
            raise APIError(f"Addon {addon_slug} is not installed")
@@ -112,7 +112,7 @@ class APIStore(CoreSysAttributes):
        if not installed and addon.is_installed:
            addon = cast(Addon, addon)
            if not addon.addon_store:
-                raise APINotFound(f"Addon {addon_slug} does not exist in the store")
+                raise StoreAddonNotFoundError(addon=addon_slug)
            return addon.addon_store

        return addon
@@ -349,13 +349,13 @@ class APIStore(CoreSysAttributes):
        return self._generate_repository_information(repository)

    @api_process
-    async def add_repository(self, request: web.Request):
+    async def add_repository(self, request: web.Request) -> None:
        """Add repository to the store."""
        body = await api_validate(SCHEMA_ADD_REPOSITORY, request)
        await asyncio.shield(self.sys_store.add_repository(body[ATTR_REPOSITORY]))

    @api_process
-    async def remove_repository(self, request: web.Request):
+    async def remove_repository(self, request: web.Request) -> None:
        """Remove repository from the store."""
        repository: Repository = self._extract_repository(request)
        await asyncio.shield(self.sys_store.remove_repository(repository))
--- a/supervisor/api/supervisor.py
+++ b/supervisor/api/supervisor.py
@@ -16,14 +16,12 @@ from ..const import (
    ATTR_BLK_READ,
    ATTR_BLK_WRITE,
    ATTR_CHANNEL,
-    ATTR_CONTENT_TRUST,
    ATTR_COUNTRY,
    ATTR_CPU_PERCENT,
    ATTR_DEBUG,
    ATTR_DEBUG_BLOCK,
    ATTR_DETECT_BLOCKING_IO,
    ATTR_DIAGNOSTICS,
-    ATTR_FORCE_SECURITY,
    ATTR_HEALTHY,
    ATTR_ICON,
    ATTR_IP_ADDRESS,
@@ -69,8 +67,6 @@ SCHEMA_OPTIONS = vol.Schema(
        vol.Optional(ATTR_DEBUG): vol.Boolean(),
        vol.Optional(ATTR_DEBUG_BLOCK): vol.Boolean(),
        vol.Optional(ATTR_DIAGNOSTICS): vol.Boolean(),
-        vol.Optional(ATTR_CONTENT_TRUST): vol.Boolean(),
-        vol.Optional(ATTR_FORCE_SECURITY): vol.Boolean(),
        vol.Optional(ATTR_AUTO_UPDATE): vol.Boolean(),
        vol.Optional(ATTR_DETECT_BLOCKING_IO): vol.Coerce(DetectBlockingIO),
        vol.Optional(ATTR_COUNTRY): str,
@@ -84,7 +80,7 @@ class APISupervisor(CoreSysAttributes):
    """Handle RESTful API for Supervisor functions."""

    @api_process
-    async def ping(self, request):
+    async def ping(self, request: web.Request) -> bool:
        """Return ok for signal that the API is ready."""
        return True

--- a/supervisor/api/utils.py
+++ b/supervisor/api/utils.py
@@ -1,7 +1,7 @@
 """Init file for Supervisor util for RESTful API."""

 import asyncio
-from collections.abc import Callable
+from collections.abc import Callable, Mapping
 import json
 from typing import Any, cast

@@ -26,7 +26,7 @@ from ..const import (
    RESULT_OK,
 )
 from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import APIError, BackupFileNotFoundError, DockerAPIError, HassioError
+from ..exceptions import APIError, DockerAPIError, HassioError
 from ..jobs import JobSchedulerOptions, SupervisorJob
 from ..utils import check_exception_chain, get_message_from_exception_chain
 from ..utils.json import json_dumps, json_loads as json_loads_util
@@ -63,16 +63,14 @@ def json_loads(data: Any) -> dict[str, Any]:
 def api_process(method):
    """Wrap function with true/false calls to rest api."""

-    async def wrap_api(
-        api: CoreSysAttributes, *args, **kwargs
-    ) -> web.Response | web.StreamResponse:
+    async def wrap_api(*args, **kwargs) -> web.Response | web.StreamResponse:
        """Return API information."""
        try:
-            answer = await method(api, *args, **kwargs)
-        except BackupFileNotFoundError as err:
-            return api_return_error(err, status=404)
+            answer = await method(*args, **kwargs)
        except APIError as err:
-            return api_return_error(err, status=err.status, job_id=err.job_id)
+            return api_return_error(
+                err, status=err.status, job_id=err.job_id, headers=err.headers
+            )
        except HassioError as err:
            return api_return_error(err)

@@ -109,12 +107,10 @@ def api_process_raw(content, *, error_type=None):
    def wrap_method(method):
        """Wrap function with raw output to rest api."""

-        async def wrap_api(
-            api: CoreSysAttributes, *args, **kwargs
-        ) -> web.Response | web.StreamResponse:
+        async def wrap_api(*args, **kwargs) -> web.Response | web.StreamResponse:
            """Return api information."""
            try:
-                msg_data = await method(api, *args, **kwargs)
+                msg_data = await method(*args, **kwargs)
            except APIError as err:
                return api_return_error(
                    err,
@@ -143,6 +139,7 @@ def api_return_error(
    error_type: str | None = None,
    status: int = 400,
    *,
+    headers: Mapping[str, str] | None = None,
    job_id: str | None = None,
 ) -> web.Response:
    """Return an API error message."""
@@ -151,14 +148,19 @@ def api_return_error(
        if check_exception_chain(error, DockerAPIError):
            message = format_message(message)
    if not message:
-        message = "Unknown error, see supervisor"
+        message = "Unknown error, see Supervisor logs (check with 'ha supervisor logs')"

    match error_type:
        case const.CONTENT_TYPE_TEXT:
-            return web.Response(body=message, content_type=error_type, status=status)
+            return web.Response(
+                body=message, content_type=error_type, status=status, headers=headers
+            )
        case const.CONTENT_TYPE_BINARY:
            return web.Response(
-                body=message.encode(), content_type=error_type, status=status
+                body=message.encode(),
+                content_type=error_type,
+                status=status,
+                headers=headers,
            )
        case _:
            result: dict[str, Any] = {
@@ -176,6 +178,7 @@ def api_return_error(
        result,
        status=status,
        dumps=json_dumps,
+        headers=headers,
    )


--- a/supervisor/arch.py
+++ b/supervisor/arch.py
@@ -4,6 +4,7 @@ import logging
 from pathlib import Path
 import platform

+from .const import CpuArch
 from .coresys import CoreSys, CoreSysAttributes
 from .exceptions import ConfigurationFileError, HassioArchNotFound
 from .utils.json import read_json_file
@@ -12,38 +13,40 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)

 ARCH_JSON: Path = Path(__file__).parent.joinpath("data/arch.json")

-MAP_CPU = {
-    "armv7": "armv7",
-    "armv6": "armhf",
-    "armv8": "aarch64",
-    "aarch64": "aarch64",
-    "i686": "i386",
-    "x86_64": "amd64",
+MAP_CPU: dict[str, CpuArch] = {
+    "armv7": CpuArch.ARMV7,
+    "armv6": CpuArch.ARMHF,
+    "armv8": CpuArch.AARCH64,
+    "aarch64": CpuArch.AARCH64,
+    "i686": CpuArch.I386,
+    "x86_64": CpuArch.AMD64,
 }


-class CpuArch(CoreSysAttributes):
+class CpuArchManager(CoreSysAttributes):
    """Manage available architectures."""

    def __init__(self, coresys: CoreSys) -> None:
        """Initialize CPU Architecture handler."""
        self.coresys = coresys
-        self._supported_arch: list[str] = []
-        self._supported_set: set[str] = set()
-        self._default_arch: str
+        self._supported_arch: list[CpuArch] = []
+        self._supported_set: set[CpuArch] = set()
+        self._default_arch: CpuArch

    @property
-    def default(self) -> str:
+    def default(self) -> CpuArch:
        """Return system default arch."""
        return self._default_arch

    @property
-    def supervisor(self) -> str:
+    def supervisor(self) -> CpuArch:
        """Return supervisor arch."""
-        return self.sys_supervisor.arch or self._default_arch
+        if self.sys_supervisor.arch:
+            return CpuArch(self.sys_supervisor.arch)
+        return self._default_arch

    @property
-    def supported(self) -> list[str]:
+    def supported(self) -> list[CpuArch]:
        """Return support arch by CPU/Machine."""
        return self._supported_arch

@@ -65,7 +68,7 @@ class CpuArch(CoreSysAttributes):
            return

        # Use configs from arch.json
-        self._supported_arch.extend(arch_data[self.sys_machine])
+        self._supported_arch.extend(CpuArch(a) for a in arch_data[self.sys_machine])
        self._default_arch = self.supported[0]

        # Make sure native support is in supported list
@@ -78,14 +81,14 @@ class CpuArch(CoreSysAttributes):
        """Return True if there is a supported arch by this platform."""
        return not self._supported_set.isdisjoint(arch_list)

-    def match(self, arch_list: list[str]) -> str:
+    def match(self, arch_list: list[str]) -> CpuArch:
        """Return best match for this CPU/Platform."""
        for self_arch in self.supported:
            if self_arch in arch_list:
                return self_arch
        raise HassioArchNotFound()

-    def detect_cpu(self) -> str:
+    def detect_cpu(self) -> CpuArch:
        """Return the arch type of local CPU."""
        cpu = platform.machine()
        for check, value in MAP_CPU.items():
@@ -96,9 +99,10 @@ class CpuArch(CoreSysAttributes):
                "Unknown CPU architecture %s, falling back to Supervisor architecture.",
                cpu,
            )
-            return self.sys_supervisor.arch
+            return CpuArch(self.sys_supervisor.arch)
        _LOGGER.warning(
            "Unknown CPU architecture %s, assuming CPU architecture equals Supervisor architecture.",
            cpu,
        )
-        return cpu
+        # Return the cpu string as-is, wrapped in CpuArch (may fail if invalid)
+        return CpuArch(cpu)
--- a/supervisor/auth.py
+++ b/supervisor/auth.py
@@ -9,8 +9,10 @@ from .addons.addon import Addon
 from .const import ATTR_PASSWORD, ATTR_TYPE, ATTR_USERNAME, FILE_HASSIO_AUTH
 from .coresys import CoreSys, CoreSysAttributes
 from .exceptions import (
-    AuthError,
+    AuthHomeAssistantAPIValidationError,
+    AuthInvalidNonStringValueError,
    AuthListUsersError,
+    AuthListUsersNoneResponseError,
    AuthPasswordResetError,
    HomeAssistantAPIError,
    HomeAssistantWSError,
@@ -83,10 +85,8 @@ class Auth(FileConfiguration, CoreSysAttributes):
        self, addon: Addon, username: str | None, password: str | None
    ) -> bool:
        """Check username login."""
-        if password is None:
-            raise AuthError("None as password is not supported!", _LOGGER.error)
-        if username is None:
-            raise AuthError("None as username is not supported!", _LOGGER.error)
+        if username is None or password is None:
+            raise AuthInvalidNonStringValueError(_LOGGER.error)

        _LOGGER.info("Auth request from '%s' for '%s'", addon.slug, username)

@@ -137,7 +137,7 @@ class Auth(FileConfiguration, CoreSysAttributes):
        finally:
            self._running.pop(username, None)

-        raise AuthError()
+        raise AuthHomeAssistantAPIValidationError()

    async def change_password(self, username: str, password: str) -> None:
        """Change user password login."""
@@ -155,7 +155,7 @@ class Auth(FileConfiguration, CoreSysAttributes):
        except HomeAssistantAPIError as err:
            _LOGGER.error("Can't request password reset on Home Assistant: %s", err)

-        raise AuthPasswordResetError()
+        raise AuthPasswordResetError(user=username)

    async def list_users(self) -> list[dict[str, Any]]:
        """List users on the Home Assistant instance."""
@@ -166,15 +166,12 @@ class Auth(FileConfiguration, CoreSysAttributes):
                {ATTR_TYPE: "config/auth/list"}
            )
        except HomeAssistantWSError as err:
-            raise AuthListUsersError(
-                f"Can't request listing users on Home Assistant: {err}", _LOGGER.error
-            ) from err
+            _LOGGER.error("Can't request listing users on Home Assistant: %s", err)
+            raise AuthListUsersError() from err

        if users is not None:
            return users
-        raise AuthListUsersError(
-            "Can't request listing users on Home Assistant!", _LOGGER.error
-        )
+        raise AuthListUsersNoneResponseError(_LOGGER.error)

    @staticmethod
    def _rehash(value: str, salt2: str = "") -> str:
--- a/supervisor/backups/backup.py
+++ b/supervisor/backups/backup.py
@@ -60,7 +60,6 @@ from ..utils.dt import parse_datetime, utcnow
 from ..utils.json import json_bytes
 from ..utils.sentinel import DEFAULT
 from .const import BUF_SIZE, LOCATION_CLOUD_BACKUP, BackupType
-from .utils import password_to_key
 from .validate import SCHEMA_BACKUP

 IGNORED_COMPARISON_FIELDS = {ATTR_PROTECTED, ATTR_CRYPTO, ATTR_DOCKER}
@@ -101,7 +100,7 @@ class Backup(JobGroup):
        self._data: dict[str, Any] = data or {ATTR_SLUG: slug}
        self._tmp: TemporaryDirectory | None = None
        self._outer_secure_tarfile: SecureTarFile | None = None
-        self._key: bytes | None = None
+        self._password: str | None = None
        self._locations: dict[str | None, BackupLocation] = {
            location: BackupLocation(
                path=tar_file,
@@ -327,7 +326,7 @@ class Backup(JobGroup):

        # Set password
        if password:
-            self._init_password(password)
+            self._password = password
            self._data[ATTR_PROTECTED] = True
            self._data[ATTR_CRYPTO] = CRYPTO_AES128
            self._locations[self.location].protected = True
@@ -337,14 +336,7 @@ class Backup(JobGroup):

    def set_password(self, password: str | None) -> None:
        """Set the password for an existing backup."""
-        if password:
-            self._init_password(password)
-        else:
-            self._key = None
-
-    def _init_password(self, password: str) -> None:
-        """Create key from password."""
-        self._key = password_to_key(password)
+        self._password = password

    async def validate_backup(self, location: str | None) -> None:
        """Validate backup.
@@ -374,9 +366,9 @@ class Backup(JobGroup):
                    with SecureTarFile(
                        ending,  # Not used
                        gzip=self.compressed,
-                        key=self._key,
                        mode="r",
                        fileobj=test_tar_file,
+                        password=self._password,
                    ):
                        # If we can read the tar file, the password is correct
                        return
@@ -592,7 +584,7 @@ class Backup(JobGroup):
        addon_file = self._outer_secure_tarfile.create_inner_tar(
            f"./{tar_name}",
            gzip=self.compressed,
-            key=self._key,
+            password=self._password,
        )
        # Take backup
        try:
@@ -628,9 +620,6 @@ class Backup(JobGroup):
                if start_task := await self._addon_save(addon):
                    start_tasks.append(start_task)
            except BackupError as err:
-                err = BackupError(
-                    f"Can't backup add-on {addon.slug}: {str(err)}", _LOGGER.error
-                )
                self.sys_jobs.current.capture_error(err)

        return start_tasks
@@ -646,9 +635,9 @@ class Backup(JobGroup):
        addon_file = SecureTarFile(
            Path(self._tmp.name, tar_name),
            "r",
-            key=self._key,
            gzip=self.compressed,
            bufsize=BUF_SIZE,
+            password=self._password,
        )

        # If exists inside backup
@@ -744,7 +733,7 @@ class Backup(JobGroup):
            with outer_secure_tarfile.create_inner_tar(
                f"./{tar_name}",
                gzip=self.compressed,
-                key=self._key,
+                password=self._password,
            ) as tar_file:
                atomic_contents_add(
                    tar_file,
@@ -805,9 +794,9 @@ class Backup(JobGroup):
                with SecureTarFile(
                    tar_name,
                    "r",
-                    key=self._key,
                    gzip=self.compressed,
                    bufsize=BUF_SIZE,
+                    password=self._password,
                ) as tar_file:
                    tar_file.extractall(
                        path=origin_dir, members=tar_file, filter="fully_trusted"
@@ -868,7 +857,7 @@ class Backup(JobGroup):
        homeassistant_file = self._outer_secure_tarfile.create_inner_tar(
            f"./{tar_name}",
            gzip=self.compressed,
-            key=self._key,
+            password=self._password,
        )

        await self.sys_homeassistant.backup(homeassistant_file, exclude_database)
@@ -891,7 +880,11 @@ class Backup(JobGroup):
            self._tmp.name, f"homeassistant.tar{'.gz' if self.compressed else ''}"
        )
        homeassistant_file = SecureTarFile(
-            tar_name, "r", key=self._key, gzip=self.compressed, bufsize=BUF_SIZE
+            tar_name,
+            "r",
+            gzip=self.compressed,
+            bufsize=BUF_SIZE,
+            password=self._password,
        )

        await self.sys_homeassistant.restore(
--- a/supervisor/backups/utils.py
+++ b/supervisor/backups/utils.py
@@ -6,21 +6,6 @@ import re
 RE_DIGITS = re.compile(r"\d+")


-def password_to_key(password: str) -> bytes:
-    """Generate a AES Key from password."""
-    key: bytes = password.encode()
-    for _ in range(100):
-        key = hashlib.sha256(key).digest()
-    return key[:16]
-
-
-def key_to_iv(key: bytes) -> bytes:
-    """Generate an iv from Key."""
-    for _ in range(100):
-        key = hashlib.sha256(key).digest()
-    return key[:16]
-
-
 def create_slug(name: str, date_str: str) -> str:
    """Generate a hash from repository."""
    key = f"{date_str} - {name}".lower().encode()
--- a/supervisor/bootstrap.py
+++ b/supervisor/bootstrap.py
@@ -13,7 +13,7 @@ from colorlog import ColoredFormatter

 from .addons.manager import AddonManager
 from .api import RestAPI
-from .arch import CpuArch
+from .arch import CpuArchManager
 from .auth import Auth
 from .backups.manager import BackupManager
 from .bus import Bus
@@ -71,7 +71,7 @@ async def initialize_coresys() -> CoreSys:
    coresys.jobs = await JobManager(coresys).load_config()
    coresys.core = await Core(coresys).post_init()
    coresys.plugins = await PluginManager(coresys).load_config()
-    coresys.arch = CpuArch(coresys)
+    coresys.arch = CpuArchManager(coresys)
    coresys.auth = await Auth(coresys).load_config()
    coresys.updater = await Updater(coresys).load_config()
    coresys.api = RestAPI(coresys)
@@ -105,7 +105,6 @@ async def initialize_coresys() -> CoreSys:

    if coresys.dev:
        coresys.updater.channel = UpdateChannel.DEV
-        coresys.security.content_trust = False

    # Convert datetime
    logging.Formatter.converter = lambda *args: coresys.now().timetuple()
--- a/supervisor/bus.py
+++ b/supervisor/bus.py
@@ -2,6 +2,7 @@

 from __future__ import annotations

+from asyncio import Task
 from collections.abc import Callable, Coroutine
 import logging
 from typing import Any
@@ -38,11 +39,13 @@ class Bus(CoreSysAttributes):
        self._listeners.setdefault(event, []).append(listener)
        return listener

-    def fire_event(self, event: BusEvent, reference: Any) -> None:
+    def fire_event(self, event: BusEvent, reference: Any) -> list[Task]:
        """Fire an event to the bus."""
        _LOGGER.debug("Fire event '%s' with '%s'", event, reference)
+        tasks: list[Task] = []
        for listener in self._listeners.get(event, []):
-            self.sys_create_task(listener.callback(reference))
+            tasks.append(self.sys_create_task(listener.callback(reference)))
+        return tasks

    def remove_listener(self, listener: EventListener) -> None:
        """Unregister an listener."""
--- a/supervisor/const.py
+++ b/supervisor/const.py
@@ -179,6 +179,7 @@ ATTR_DOCKER = "docker"
 ATTR_DOCKER_API = "docker_api"
 ATTR_DOCUMENTATION = "documentation"
 ATTR_DOMAINS = "domains"
+ATTR_DUPLICATE_LOG_FILE = "duplicate_log_file"
 ATTR_ENABLE = "enable"
 ATTR_ENABLE_IPV6 = "enable_ipv6"
 ATTR_ENABLED = "enabled"
@@ -328,6 +329,7 @@ ATTR_STATE = "state"
 ATTR_STATIC = "static"
 ATTR_STDIN = "stdin"
 ATTR_STORAGE = "storage"
+ATTR_STORAGE_DRIVER = "storage_driver"
 ATTR_SUGGESTIONS = "suggestions"
 ATTR_SUPERVISOR = "supervisor"
 ATTR_SUPERVISOR_INTERNET = "supervisor_internet"
--- a/supervisor/coresys.py
+++ b/supervisor/coresys.py
@@ -9,6 +9,7 @@ from datetime import UTC, datetime, tzinfo
 from functools import partial
 import logging
 import os
+import time
 from types import MappingProxyType
 from typing import TYPE_CHECKING, Any, Self, TypeVar

@@ -28,7 +29,7 @@ from .const import (
 if TYPE_CHECKING:
    from .addons.manager import AddonManager
    from .api import RestAPI
-    from .arch import CpuArch
+    from .arch import CpuArchManager
    from .auth import Auth
    from .backups.manager import BackupManager
    from .bus import Bus
@@ -77,7 +78,7 @@ class CoreSys:
        # Internal objects pointers
        self._docker: DockerAPI | None = None
        self._core: Core | None = None
-        self._arch: CpuArch | None = None
+        self._arch: CpuArchManager | None = None
        self._auth: Auth | None = None
        self._homeassistant: HomeAssistant | None = None
        self._supervisor: Supervisor | None = None
@@ -265,17 +266,17 @@ class CoreSys:
        self._plugins = value

    @property
-    def arch(self) -> CpuArch:
-        """Return CpuArch object."""
+    def arch(self) -> CpuArchManager:
+        """Return CpuArchManager object."""
        if self._arch is None:
-            raise RuntimeError("CpuArch not set!")
+            raise RuntimeError("CpuArchManager not set!")
        return self._arch

    @arch.setter
-    def arch(self, value: CpuArch) -> None:
-        """Set a CpuArch object."""
+    def arch(self, value: CpuArchManager) -> None:
+        """Set a CpuArchManager object."""
        if self._arch:
-            raise RuntimeError("CpuArch already set!")
+            raise RuntimeError("CpuArchManager already set!")
        self._arch = value

    @property
@@ -655,8 +656,14 @@ class CoreSys:
        if kwargs:
            funct = partial(funct, **kwargs)

+        # Convert datetime to event loop time base
+        # If datetime is in the past, delay will be negative and call_at will
+        # schedule the call as soon as possible.
+        delay = when.timestamp() - time.time()
+        loop_time = self.loop.time() + delay
+
        return self.loop.call_at(
-            when.timestamp(), funct, *args, context=self._create_context()
+            loop_time, funct, *args, context=self._create_context()
        )


@@ -726,8 +733,8 @@ class CoreSysAttributes:
        return self.coresys.plugins

    @property
-    def sys_arch(self) -> CpuArch:
-        """Return CpuArch object."""
+    def sys_arch(self) -> CpuArchManager:
+        """Return CpuArchManager object."""
        return self.coresys.arch

    @property
--- a/supervisor/dbus/agent/system.py
+++ b/supervisor/dbus/agent/system.py
@@ -15,3 +15,8 @@ class System(DBusInterface):
    async def schedule_wipe_device(self) -> bool:
        """Schedule a factory reset on next system boot."""
        return await self.connected_dbus.System.call("schedule_wipe_device")
+
+    @dbus_connected
+    async def migrate_docker_storage_driver(self, backend: str) -> None:
+        """Migrate Docker storage driver."""
+        await self.connected_dbus.System.call("migrate_docker_storage_driver", backend)
--- a/supervisor/dbus/const.py
+++ b/supervisor/dbus/const.py
@@ -250,7 +250,7 @@ class ConnectionType(StrEnum):
    WIRELESS = "802-11-wireless"


-class ConnectionStateType(IntEnum):
+class ConnectionState(IntEnum):
    """Connection states.

    https://networkmanager.dev/docs/api/latest/nm-dbus-types.html#NMActiveConnectionState
@@ -306,6 +306,8 @@ class DeviceType(IntEnum):
    VLAN = 11
    TUN = 16
    VETH = 20
+    WIREGUARD = 29
+    LOOPBACK = 32


 class WirelessMethodType(IntEnum):
--- a/supervisor/dbus/manager.py
+++ b/supervisor/dbus/manager.py
@@ -115,7 +115,7 @@ class DBusManager(CoreSysAttributes):

    async def load(self) -> None:
        """Connect interfaces to D-Bus."""
-        if not SOCKET_DBUS.exists():
+        if not await self.sys_run_in_executor(SOCKET_DBUS.exists):
            _LOGGER.error(
                "No D-Bus support on Host. Disabled any kind of host control!"
            )
--- a/supervisor/dbus/network/init.py
+++ b/supervisor/dbus/network/init.py
@@ -134,9 +134,10 @@ class NetworkManager(DBusInterfaceProxy):
    async def check_connectivity(self, *, force: bool = False) -> ConnectivityState:
        """Check the connectivity of the host."""
        if force:
-            return await self.connected_dbus.call("check_connectivity")
-        else:
-            return await self.connected_dbus.get("connectivity")
+            return ConnectivityState(
+                await self.connected_dbus.call("check_connectivity")
+            )
+        return ConnectivityState(await self.connected_dbus.get("connectivity"))

    async def connect(self, bus: MessageBus) -> None:
        """Connect to system's D-Bus."""
--- a/supervisor/dbus/network/configuration.py
+++ b/supervisor/dbus/network/configuration.py
@@ -90,8 +90,8 @@ class Ip4Properties(IpProperties):
 class Ip6Properties(IpProperties):
    """IPv6 properties object for Network Manager."""

-    addr_gen_mode: int
-    ip6_privacy: int
+    addr_gen_mode: int | None
+    ip6_privacy: int | None
    dns: list[bytes] | None


--- a/supervisor/dbus/network/connection.py
+++ b/supervisor/dbus/network/connection.py
@@ -16,8 +16,8 @@ from ..const import (
    DBUS_IFACE_CONNECTION_ACTIVE,
    DBUS_NAME_NM,
    DBUS_OBJECT_BASE,
+    ConnectionState,
    ConnectionStateFlags,
-    ConnectionStateType,
 )
 from ..interface import DBusInterfaceProxy, dbus_property
 from ..utils import dbus_connected
@@ -67,9 +67,9 @@ class NetworkConnection(DBusInterfaceProxy):

    @property
    @dbus_property
-    def state(self) -> ConnectionStateType:
+    def state(self) -> ConnectionState:
        """Return the state of the connection."""
-        return self.properties[DBUS_ATTR_STATE]
+        return ConnectionState(self.properties[DBUS_ATTR_STATE])

    @property
    def state_flags(self) -> set[ConnectionStateFlags]:
--- a/supervisor/dbus/network/interface.py
+++ b/supervisor/dbus/network/interface.py
@@ -1,5 +1,6 @@
 """NetworkInterface object for Network Manager."""

+import logging
 from typing import Any

 from dbus_fast.aio.message_bus import MessageBus
@@ -23,6 +24,8 @@ from .connection import NetworkConnection
 from .setting import NetworkSetting
 from .wireless import NetworkWireless

+_LOGGER: logging.Logger = logging.getLogger(__name__)
+

 class NetworkInterface(DBusInterfaceProxy):
    """NetworkInterface object represents Network Manager Device objects.
@@ -57,7 +60,15 @@ class NetworkInterface(DBusInterfaceProxy):
    @dbus_property
    def type(self) -> DeviceType:
        """Return interface type."""
-        return self.properties[DBUS_ATTR_DEVICE_TYPE]
+        try:
+            return DeviceType(self.properties[DBUS_ATTR_DEVICE_TYPE])
+        except ValueError:
+            _LOGGER.debug(
+                "Unknown device type %s for %s, treating as UNKNOWN",
+                self.properties[DBUS_ATTR_DEVICE_TYPE],
+                self.object_path,
+            )
+            return DeviceType.UNKNOWN

    @property
    @dbus_property
--- a/supervisor/dbus/network/setting/generate.py
+++ b/supervisor/dbus/network/setting/generate.py
@@ -16,7 +16,11 @@ from ....host.const import (
    InterfaceType,
    MulticastDnsMode,
 )
-from ...const import MulticastDnsValue
+from ...const import (
+    InterfaceAddrGenMode as NMInterfaceAddrGenMode,
+    InterfaceIp6Privacy as NMInterfaceIp6Privacy,
+    MulticastDnsValue,
+)
 from .. import NetworkManager
 from . import (
    CONF_ATTR_802_ETHERNET,
@@ -118,24 +122,41 @@ def _get_ipv6_connection_settings(
        ipv6[CONF_ATTR_IPV6_METHOD] = Variant("s", "auto")
        if ipv6setting:
            if ipv6setting.addr_gen_mode == InterfaceAddrGenMode.EUI64:
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 0)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.EUI64.value
+                )
            elif (
                not support_addr_gen_mode_defaults
                or ipv6setting.addr_gen_mode == InterfaceAddrGenMode.STABLE_PRIVACY
            ):
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 1)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.STABLE_PRIVACY.value
+                )
            elif ipv6setting.addr_gen_mode == InterfaceAddrGenMode.DEFAULT_OR_EUI64:
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 2)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.DEFAULT_OR_EUI64.value
+                )
            else:
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 3)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.DEFAULT.value
+                )
+
            if ipv6setting.ip6_privacy == InterfaceIp6Privacy.DISABLED:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", 0)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.DISABLED.value
+                )
            elif ipv6setting.ip6_privacy == InterfaceIp6Privacy.ENABLED_PREFER_PUBLIC:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", 1)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.ENABLED_PREFER_PUBLIC.value
+                )
            elif ipv6setting.ip6_privacy == InterfaceIp6Privacy.ENABLED:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", 2)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.ENABLED.value
+                )
            else:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", -1)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.DEFAULT.value
+                )
    elif ipv6setting.method == InterfaceMethod.DISABLED:
        ipv6[CONF_ATTR_IPV6_METHOD] = Variant("s", "link-local")
    elif ipv6setting.method == InterfaceMethod.STATIC:
--- a/supervisor/dbus/resolved.py
+++ b/supervisor/dbus/resolved.py
@@ -75,7 +75,7 @@ class Resolved(DBusInterfaceProxy):
    @dbus_property
    def current_dns_server(
        self,
-    ) -> list[tuple[int, DNSAddressFamily, bytes]] | None:
+    ) -> tuple[int, DNSAddressFamily, bytes] | None:
        """Return current DNS server."""
        return self.properties[DBUS_ATTR_CURRENT_DNS_SERVER]

@@ -83,7 +83,7 @@ class Resolved(DBusInterfaceProxy):
    @dbus_property
    def current_dns_server_ex(
        self,
-    ) -> list[tuple[int, DNSAddressFamily, bytes, int, str]] | None:
+    ) -> tuple[int, DNSAddressFamily, bytes, int, str] | None:
        """Return current DNS server including port and server name."""
        return self.properties[DBUS_ATTR_CURRENT_DNS_SERVER_EX]

--- a/supervisor/dbus/systemd.py
+++ b/supervisor/dbus/systemd.py
@@ -70,7 +70,7 @@ class SystemdUnit(DBusInterface):
    @dbus_connected
    async def get_active_state(self) -> UnitActiveState:
        """Get active state of the unit."""
-        return await self.connected_dbus.Unit.get("active_state")
+        return UnitActiveState(await self.connected_dbus.Unit.get("active_state"))

    @dbus_connected
    def properties_changed(self) -> DBusSignalWrapper:
--- a/supervisor/dbus/udisks2/data.py
+++ b/supervisor/dbus/udisks2/data.py
@@ -9,7 +9,7 @@ from dbus_fast import Variant
 from .const import EncryptType, EraseMode


-def udisks2_bytes_to_path(path_bytes: bytearray) -> Path:
+def udisks2_bytes_to_path(path_bytes: bytes) -> Path:
    """Convert bytes to path object without null character on end."""
    if path_bytes and path_bytes[-1] == 0:
        return Path(path_bytes[:-1].decode())
@@ -73,7 +73,7 @@ FormatOptionsDataType = TypedDict(
    {
        "label": NotRequired[str],
        "take-ownership": NotRequired[bool],
-        "encrypt.passphrase": NotRequired[bytearray],
+        "encrypt.passphrase": NotRequired[bytes],
        "encrypt.type": NotRequired[str],
        "erase": NotRequired[str],
        "update-partition-type": NotRequired[bool],
--- a/supervisor/docker/addon.py
+++ b/supervisor/docker/addon.py
@@ -2,18 +2,21 @@

 from __future__ import annotations

+from collections.abc import Awaitable
 from contextlib import suppress
 from ipaddress import IPv4Address
 import logging
 import os
 from pathlib import Path
-from typing import TYPE_CHECKING, cast
+from socket import SocketIO
+import tempfile
+from typing import TYPE_CHECKING, Literal, cast

+import aiodocker
 from attr import evolve
 from awesomeversion import AwesomeVersion
 import docker
 import docker.errors
-from docker.types import Mount
 import requests

 from ..addons.build import AddonBuild
@@ -32,6 +35,7 @@ from ..coresys import CoreSys
 from ..exceptions import (
    CoreDNSError,
    DBusError,
+    DockerBuildError,
    DockerError,
    DockerJobError,
    DockerNotFound,
@@ -63,8 +67,11 @@ from .const import (
    PATH_SHARE,
    PATH_SSL,
    Capabilities,
+    DockerMount,
+    MountBindOptions,
    MountType,
    PropagationMode,
+    Ulimit,
 )
 from .interface import DockerInterface

@@ -267,7 +274,7 @@ class DockerAddon(DockerInterface):
        }

    @property
-    def network_mode(self) -> str | None:
+    def network_mode(self) -> Literal["host"] | None:
        """Return network mode for add-on."""
        if self.addon.host_network:
            return "host"
@@ -306,28 +313,28 @@ class DockerAddon(DockerInterface):
        return None

    @property
-    def ulimits(self) -> list[docker.types.Ulimit] | None:
+    def ulimits(self) -> list[Ulimit] | None:
        """Generate ulimits for add-on."""
-        limits: list[docker.types.Ulimit] = []
+        limits: list[Ulimit] = []

        # Need schedule functions
        if self.addon.with_realtime:
-            limits.append(docker.types.Ulimit(name="rtprio", soft=90, hard=99))
+            limits.append(Ulimit(name="rtprio", soft=90, hard=99))

            # Set available memory for memlock to 128MB
            mem = 128 * 1024 * 1024
-            limits.append(docker.types.Ulimit(name="memlock", soft=mem, hard=mem))
+            limits.append(Ulimit(name="memlock", soft=mem, hard=mem))

        # Add configurable ulimits from add-on config
        for name, config in self.addon.ulimits.items():
            if isinstance(config, int):
                # Simple format: both soft and hard limits are the same
-                limits.append(docker.types.Ulimit(name=name, soft=config, hard=config))
+                limits.append(Ulimit(name=name, soft=config, hard=config))
            elif isinstance(config, dict):
                # Detailed format: both soft and hard limits are mandatory
                soft = config["soft"]
                hard = config["hard"]
-                limits.append(docker.types.Ulimit(name=name, soft=soft, hard=hard))
+                limits.append(Ulimit(name=name, soft=soft, hard=hard))

        # Return None if no ulimits are present
        if limits:
@@ -346,7 +353,7 @@ class DockerAddon(DockerInterface):
        return None

    @property
-    def mounts(self) -> list[Mount]:
+    def mounts(self) -> list[DockerMount]:
        """Return mounts for container."""
        addon_mapping = self.addon.map_volumes

@@ -356,8 +363,8 @@ class DockerAddon(DockerInterface):

        mounts = [
            MOUNT_DEV,
-            Mount(
-                type=MountType.BIND.value,
+            DockerMount(
+                type=MountType.BIND,
                source=self.addon.path_extern_data.as_posix(),
                target=target_data_path or PATH_PRIVATE_DATA.as_posix(),
                read_only=False,
@@ -367,8 +374,8 @@ class DockerAddon(DockerInterface):
        # setup config mappings
        if MappingType.CONFIG in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_homeassistant.as_posix(),
                    target=addon_mapping[MappingType.CONFIG].path
                    or PATH_HOMEASSISTANT_CONFIG_LEGACY.as_posix(),
@@ -380,8 +387,8 @@ class DockerAddon(DockerInterface):
            # Map addon's public config folder if not using deprecated config option
            if self.addon.addon_config_used:
                mounts.append(
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.addon.path_extern_config.as_posix(),
                        target=addon_mapping[MappingType.ADDON_CONFIG].path
                        or PATH_PUBLIC_CONFIG.as_posix(),
@@ -392,8 +399,8 @@ class DockerAddon(DockerInterface):
            # Map Home Assistant config in new way
            if MappingType.HOMEASSISTANT_CONFIG in addon_mapping:
                mounts.append(
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_homeassistant.as_posix(),
                        target=addon_mapping[MappingType.HOMEASSISTANT_CONFIG].path
                        or PATH_HOMEASSISTANT_CONFIG.as_posix(),
@@ -405,8 +412,8 @@ class DockerAddon(DockerInterface):

        if MappingType.ALL_ADDON_CONFIGS in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_addon_configs.as_posix(),
                    target=addon_mapping[MappingType.ALL_ADDON_CONFIGS].path
                    or PATH_ALL_ADDON_CONFIGS.as_posix(),
@@ -416,8 +423,8 @@ class DockerAddon(DockerInterface):

        if MappingType.SSL in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_ssl.as_posix(),
                    target=addon_mapping[MappingType.SSL].path or PATH_SSL.as_posix(),
                    read_only=addon_mapping[MappingType.SSL].read_only,
@@ -426,8 +433,8 @@ class DockerAddon(DockerInterface):

        if MappingType.ADDONS in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_addons_local.as_posix(),
                    target=addon_mapping[MappingType.ADDONS].path
                    or PATH_LOCAL_ADDONS.as_posix(),
@@ -437,8 +444,8 @@ class DockerAddon(DockerInterface):

        if MappingType.BACKUP in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_backup.as_posix(),
                    target=addon_mapping[MappingType.BACKUP].path
                    or PATH_BACKUP.as_posix(),
@@ -448,25 +455,25 @@ class DockerAddon(DockerInterface):

        if MappingType.SHARE in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_share.as_posix(),
                    target=addon_mapping[MappingType.SHARE].path
                    or PATH_SHARE.as_posix(),
                    read_only=addon_mapping[MappingType.SHARE].read_only,
-                    propagation=PropagationMode.RSLAVE,
+                    bind_options=MountBindOptions(propagation=PropagationMode.RSLAVE),
                )
            )

        if MappingType.MEDIA in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_media.as_posix(),
                    target=addon_mapping[MappingType.MEDIA].path
                    or PATH_MEDIA.as_posix(),
                    read_only=addon_mapping[MappingType.MEDIA].read_only,
-                    propagation=PropagationMode.RSLAVE,
+                    bind_options=MountBindOptions(propagation=PropagationMode.RSLAVE),
                )
            )

@@ -478,8 +485,8 @@ class DockerAddon(DockerInterface):
                if not Path(gpio_path).exists():
                    continue
                mounts.append(
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=gpio_path,
                        target=gpio_path,
                        read_only=False,
@@ -489,8 +496,8 @@ class DockerAddon(DockerInterface):
        # DeviceTree support
        if self.addon.with_devicetree:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source="/sys/firmware/devicetree/base",
                    target="/device-tree",
                    read_only=True,
@@ -504,8 +511,8 @@ class DockerAddon(DockerInterface):
        # Kernel Modules support
        if self.addon.with_kernel_modules:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source="/lib/modules",
                    target="/lib/modules",
                    read_only=True,
@@ -523,20 +530,20 @@ class DockerAddon(DockerInterface):
        # Configuration Audio
        if self.addon.with_audio:
            mounts += [
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.addon.path_extern_pulse.as_posix(),
                    target="/etc/pulse/client.conf",
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_plugins.audio.path_extern_pulse.as_posix(),
                    target="/run/audio",
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_plugins.audio.path_extern_asound.as_posix(),
                    target="/etc/asound.conf",
                    read_only=True,
@@ -546,14 +553,14 @@ class DockerAddon(DockerInterface):
        # System Journal access
        if self.addon.with_journald:
            mounts += [
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=SYSTEMD_JOURNAL_PERSISTENT.as_posix(),
                    target=SYSTEMD_JOURNAL_PERSISTENT.as_posix(),
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=SYSTEMD_JOURNAL_VOLATILE.as_posix(),
                    target=SYSTEMD_JOURNAL_VOLATILE.as_posix(),
                    read_only=True,
@@ -679,13 +686,12 @@ class DockerAddon(DockerInterface):
    async def _build(self, version: AwesomeVersion, image: str | None = None) -> None:
        """Build a Docker container."""
        build_env = await AddonBuild(self.coresys, self.addon).load_config()
-        if not await build_env.is_valid():
-            _LOGGER.error("Invalid build environment, can't build this add-on!")
-            raise DockerError()
+        # Check if the build environment is valid, raises if not
+        await build_env.is_valid()

        _LOGGER.info("Starting build for %s:%s", self.image, version)

-        def build_image():
+        def build_image() -> tuple[str, str]:
            if build_env.squash:
                _LOGGER.warning(
                    "Ignoring squash build option for %s as Docker BuildKit does not support it.",
@@ -702,14 +708,42 @@ class DockerAddon(DockerInterface):
            # Remove dangling builder container if it exists by any chance
            # E.g. because of an abrupt host shutdown/reboot during a build
            with suppress(docker.errors.NotFound):
-                self.sys_docker.containers.get(builder_name).remove(force=True, v=True)
+                self.sys_docker.containers_legacy.get(builder_name).remove(
+                    force=True, v=True
+                )

-            result = self.sys_docker.run_command(
-                ADDON_BUILDER_IMAGE,
-                version=builder_version_tag,
-                name=builder_name,
-                **build_env.get_docker_args(version, addon_image_tag),
-            )
+            # Generate Docker config with registry credentials for base image if needed
+            docker_config_path: Path | None = None
+            docker_config_content = build_env.get_docker_config_json()
+            temp_dir: tempfile.TemporaryDirectory | None = None
+
+            try:
+                if docker_config_content:
+                    # Create temporary directory for docker config
+                    temp_dir = tempfile.TemporaryDirectory(
+                        prefix="hassio_build_", dir=self.sys_config.path_tmp
+                    )
+                    docker_config_path = Path(temp_dir.name) / "config.json"
+                    docker_config_path.write_text(
+                        docker_config_content, encoding="utf-8"
+                    )
+                    _LOGGER.debug(
+                        "Created temporary Docker config for build at %s",
+                        docker_config_path,
+                    )
+
+                result = self.sys_docker.run_command(
+                    ADDON_BUILDER_IMAGE,
+                    version=builder_version_tag,
+                    name=builder_name,
+                    **build_env.get_docker_args(
+                        version, addon_image_tag, docker_config_path
+                    ),
+                )
+            finally:
+                # Clean up temporary directory
+                if temp_dir:
+                    temp_dir.cleanup()

            logs = result.output.decode("utf-8")

@@ -717,21 +751,24 @@ class DockerAddon(DockerInterface):
                error_message = f"Docker build failed for {addon_image_tag} (exit code {result.exit_code}). Build output:\n{logs}"
                raise docker.errors.DockerException(error_message)

-            addon_image = self.sys_docker.images.get(addon_image_tag)
-
-            return addon_image, logs
+            return addon_image_tag, logs

        try:
-            docker_image, log = await self.sys_run_in_executor(build_image)
+            addon_image_tag, log = await self.sys_run_in_executor(build_image)

            _LOGGER.debug("Build %s:%s done: %s", self.image, version, log)

            # Update meta data
-            self._meta = docker_image.attrs
+            self._meta = await self.sys_docker.images.inspect(addon_image_tag)

-        except (docker.errors.DockerException, requests.RequestException) as err:
-            _LOGGER.error("Can't build %s:%s: %s", self.image, version, err)
-            raise DockerError() from err
+        except (
+            docker.errors.DockerException,
+            requests.RequestException,
+            aiodocker.DockerError,
+        ) as err:
+            raise DockerBuildError(
+                f"Can't build {self.image}:{version}: {err!s}", _LOGGER.error
+            ) from err

        _LOGGER.info("Build %s:%s done", self.image, version)

@@ -751,11 +788,8 @@ class DockerAddon(DockerInterface):
    )
    async def import_image(self, tar_file: Path) -> None:
        """Import a tar file as image."""
-        docker_image = await self.sys_run_in_executor(
-            self.sys_docker.import_image, tar_file
-        )
-        if docker_image:
-            self._meta = docker_image.attrs
+        if docker_image := await self.sys_docker.import_image(tar_file):
+            self._meta = docker_image
            _LOGGER.info("Importing image %s and version %s", tar_file, self.version)

            with suppress(DockerError):
@@ -769,17 +803,21 @@ class DockerAddon(DockerInterface):
        version: AwesomeVersion | None = None,
    ) -> None:
        """Check if old version exists and cleanup other versions of image not in use."""
-        await self.sys_run_in_executor(
-            self.sys_docker.cleanup_old_images,
-            (image := image or self.image),
-            version or self.version,
+        if not (use_image := image or self.image):
+            raise DockerError("Cannot determine image from metadata!", _LOGGER.error)
+        if not (use_version := version or self.version):
+            raise DockerError("Cannot determine version from metadata!", _LOGGER.error)
+
+        await self.sys_docker.cleanup_old_images(
+            use_image,
+            use_version,
            {old_image} if old_image else None,
            keep_images={
                f"{addon.image}:{addon.version}"
                for addon in self.sys_addons.installed
                if addon.slug != self.addon.slug
                and addon.image
-                and addon.image in {old_image, image}
+                and addon.image in {old_image, use_image}
            },
        )

@@ -788,12 +826,9 @@ class DockerAddon(DockerInterface):
        on_condition=DockerJobError,
        concurrency=JobConcurrency.GROUP_REJECT,
    )
-    async def write_stdin(self, data: bytes) -> None:
+    def write_stdin(self, data: bytes) -> Awaitable[None]:
        """Write to add-on stdin."""
-        if not await self.is_running():
-            raise DockerError()
-
-        await self.sys_run_in_executor(self._write_stdin, data)
+        return self.sys_run_in_executor(self._write_stdin, data)

    def _write_stdin(self, data: bytes) -> None:
        """Write to add-on stdin.
@@ -802,8 +837,11 @@ class DockerAddon(DockerInterface):
        """
        try:
            # Load needed docker objects
-            container = self.sys_docker.containers.get(self.name)
-            socket = container.attach_socket(params={"stdin": 1, "stream": 1})
+            container = self.sys_docker.containers_legacy.get(self.name)
+            # attach_socket returns SocketIO for local Docker connections (Unix socket)
+            socket = cast(
+                SocketIO, container.attach_socket(params={"stdin": 1, "stream": 1})
+            )
        except (docker.errors.DockerException, requests.RequestException) as err:
            _LOGGER.error("Can't attach to %s stdin: %s", self.name, err)
            raise DockerError() from err
@@ -846,16 +884,6 @@ class DockerAddon(DockerInterface):
        ):
            self.sys_resolution.dismiss_issue(self.addon.device_access_missing_issue)

-    async def _validate_trust(self, image_id: str) -> None:
-        """Validate trust of content."""
-        if not self.addon.signed:
-            return
-
-        checksum = image_id.partition(":")[2]
-        return await self.sys_security.verify_content(
-            cast(str, self.addon.codenotary), checksum
-        )
-
    @Job(
        name="docker_addon_hardware_events",
        conditions=[JobCondition.OS_AGENT],
@@ -872,7 +900,7 @@ class DockerAddon(DockerInterface):

        try:
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
        except docker.errors.NotFound:
            if self._hw_listener:
--- a/supervisor/docker/audio.py
+++ b/supervisor/docker/audio.py
@@ -2,9 +2,6 @@

 import logging

-import docker
-from docker.types import Mount
-
 from ..const import DOCKER_CPU_RUNTIME_ALLOCATION
 from ..coresys import CoreSysAttributes
 from ..exceptions import DockerJobError
@@ -19,7 +16,9 @@ from .const import (
    MOUNT_UDEV,
    PATH_PRIVATE_DATA,
    Capabilities,
+    DockerMount,
    MountType,
+    Ulimit,
 )
 from .interface import DockerInterface

@@ -42,12 +41,12 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
        return AUDIO_DOCKER_NAME

    @property
-    def mounts(self) -> list[Mount]:
+    def mounts(self) -> list[DockerMount]:
        """Return mounts for container."""
        mounts = [
            MOUNT_DEV,
-            Mount(
-                type=MountType.BIND.value,
+            DockerMount(
+                type=MountType.BIND,
                source=self.sys_config.path_extern_audio.as_posix(),
                target=PATH_PRIVATE_DATA.as_posix(),
                read_only=False,
@@ -75,10 +74,10 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
        return [Capabilities.SYS_NICE, Capabilities.SYS_RESOURCE]

    @property
-    def ulimits(self) -> list[docker.types.Ulimit]:
+    def ulimits(self) -> list[Ulimit]:
        """Generate ulimits for audio."""
        # Pulseaudio by default tries to use real-time scheduling with priority of 5.
-        return [docker.types.Ulimit(name="rtprio", soft=10, hard=10)]
+        return [Ulimit(name="rtprio", soft=10, hard=10)]

    @property
    def cpu_rt_runtime(self) -> int | None:
--- a/supervisor/docker/const.py
+++ b/supervisor/docker/const.py
@@ -3,18 +3,24 @@
 from __future__ import annotations

 from contextlib import suppress
+from dataclasses import dataclass
 from enum import Enum, StrEnum
 from functools import total_ordering
 from pathlib import PurePath
 import re
-from typing import cast
-
-from docker.types import Mount
+from typing import Any, cast

 from ..const import MACHINE_ID

 RE_RETRYING_DOWNLOAD_STATUS = re.compile(r"Retrying in \d+ seconds?")

+# Docker Hub registry identifier (official default)
+# Docker's default registry is docker.io
+DOCKER_HUB = "docker.io"
+
+# Legacy Docker Hub identifier for backward compatibility
+DOCKER_HUB_LEGACY = "hub.docker.com"
+

 class Capabilities(StrEnum):
    """Linux Capabilities."""
@@ -126,33 +132,94 @@ class PullImageLayerStage(Enum):
        return None


+@dataclass(slots=True, frozen=True)
+class MountBindOptions:
+    """Bind options for docker mount."""
+
+    propagation: PropagationMode | None = None
+    read_only_non_recursive: bool | None = None
+
+    def to_dict(self) -> dict[str, Any]:
+        """To dictionary representation."""
+        out: dict[str, Any] = {}
+        if self.propagation:
+            out["Propagation"] = self.propagation.value
+        if self.read_only_non_recursive is not None:
+            out["ReadOnlyNonRecursive"] = self.read_only_non_recursive
+        return out
+
+
+@dataclass(slots=True, frozen=True)
+class DockerMount:
+    """A docker mount."""
+
+    type: MountType
+    source: str
+    target: str
+    read_only: bool
+    bind_options: MountBindOptions | None = None
+
+    def to_dict(self) -> dict[str, Any]:
+        """To dictionary representation."""
+        out: dict[str, Any] = {
+            "Type": self.type.value,
+            "Source": self.source,
+            "Target": self.target,
+            "ReadOnly": self.read_only,
+        }
+        if self.bind_options:
+            out["BindOptions"] = self.bind_options.to_dict()
+        return out
+
+
+@dataclass(slots=True, frozen=True)
+class Ulimit:
+    """A linux user limit."""
+
+    name: str
+    soft: int
+    hard: int
+
+    def to_dict(self) -> dict[str, str | int]:
+        """To dictionary representation."""
+        return {
+            "Name": self.name,
+            "Soft": self.soft,
+            "Hard": self.hard,
+        }
+
+
+ENV_DUPLICATE_LOG_FILE = "HA_DUPLICATE_LOG_FILE"
 ENV_TIME = "TZ"
 ENV_TOKEN = "SUPERVISOR_TOKEN"
 ENV_TOKEN_OLD = "HASSIO_TOKEN"

 LABEL_MANAGED = "supervisor_managed"

-MOUNT_DBUS = Mount(
-    type=MountType.BIND.value, source="/run/dbus", target="/run/dbus", read_only=True
+MOUNT_DBUS = DockerMount(
+    type=MountType.BIND, source="/run/dbus", target="/run/dbus", read_only=True
 )
-MOUNT_DEV = Mount(
-    type=MountType.BIND.value, source="/dev", target="/dev", read_only=True
+MOUNT_DEV = DockerMount(
+    type=MountType.BIND,
+    source="/dev",
+    target="/dev",
+    read_only=True,
+    bind_options=MountBindOptions(read_only_non_recursive=True),
 )
-MOUNT_DEV.setdefault("BindOptions", {})["ReadOnlyNonRecursive"] = True
-MOUNT_DOCKER = Mount(
-    type=MountType.BIND.value,
+MOUNT_DOCKER = DockerMount(
+    type=MountType.BIND,
    source="/run/docker.sock",
    target="/run/docker.sock",
    read_only=True,
 )
-MOUNT_MACHINE_ID = Mount(
-    type=MountType.BIND.value,
+MOUNT_MACHINE_ID = DockerMount(
+    type=MountType.BIND,
    source=MACHINE_ID.as_posix(),
    target=MACHINE_ID.as_posix(),
    read_only=True,
 )
-MOUNT_UDEV = Mount(
-    type=MountType.BIND.value, source="/run/udev", target="/run/udev", read_only=True
+MOUNT_UDEV = DockerMount(
+    type=MountType.BIND, source="/run/udev", target="/run/udev", read_only=True
 )

 PATH_PRIVATE_DATA = PurePath("/data")
--- a/supervisor/docker/dns.py
+++ b/supervisor/docker/dns.py
@@ -2,13 +2,11 @@

 import logging

-from docker.types import Mount
-
 from ..coresys import CoreSysAttributes
 from ..exceptions import DockerJobError
 from ..jobs.const import JobConcurrency
 from ..jobs.decorator import Job
-from .const import ENV_TIME, MOUNT_DBUS, MountType
+from .const import ENV_TIME, MOUNT_DBUS, DockerMount, MountType
 from .interface import DockerInterface

 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -47,8 +45,8 @@ class DockerDNS(DockerInterface, CoreSysAttributes):
            security_opt=self.security_opt,
            environment={ENV_TIME: self.sys_timezone},
            mounts=[
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_dns.as_posix(),
                    target="/config",
                    read_only=False,
--- a/supervisor/docker/homeassistant.py
+++ b/supervisor/docker/homeassistant.py
@@ -1,12 +1,10 @@
 """Init file for Supervisor Docker object."""

-from collections.abc import Awaitable
 from ipaddress import IPv4Address
 import logging
 import re

-from awesomeversion import AwesomeVersion, AwesomeVersionCompareException
-from docker.types import Mount
+from awesomeversion import AwesomeVersion

 from ..const import LABEL_MACHINE
 from ..exceptions import DockerJobError
@@ -15,6 +13,7 @@ from ..homeassistant.const import LANDINGPAGE
 from ..jobs.const import JobConcurrency
 from ..jobs.decorator import Job
 from .const import (
+    ENV_DUPLICATE_LOG_FILE,
    ENV_TIME,
    ENV_TOKEN,
    ENV_TOKEN_OLD,
@@ -26,6 +25,8 @@ from .const import (
    PATH_PUBLIC_CONFIG,
    PATH_SHARE,
    PATH_SSL,
+    DockerMount,
+    MountBindOptions,
    MountType,
    PropagationMode,
 )
@@ -91,15 +92,15 @@ class DockerHomeAssistant(DockerInterface):
        )

    @property
-    def mounts(self) -> list[Mount]:
+    def mounts(self) -> list[DockerMount]:
        """Return mounts for container."""
        mounts = [
            MOUNT_DEV,
            MOUNT_DBUS,
            MOUNT_UDEV,
            # HA config folder
-            Mount(
-                type=MountType.BIND.value,
+            DockerMount(
+                type=MountType.BIND,
                source=self.sys_config.path_extern_homeassistant.as_posix(),
                target=PATH_PUBLIC_CONFIG.as_posix(),
                read_only=False,
@@ -111,41 +112,45 @@ class DockerHomeAssistant(DockerInterface):
            mounts.extend(
                [
                    # All other folders
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_ssl.as_posix(),
                        target=PATH_SSL.as_posix(),
                        read_only=True,
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_share.as_posix(),
                        target=PATH_SHARE.as_posix(),
                        read_only=False,
-                        propagation=PropagationMode.RSLAVE.value,
+                        bind_options=MountBindOptions(
+                            propagation=PropagationMode.RSLAVE
+                        ),
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_media.as_posix(),
                        target=PATH_MEDIA.as_posix(),
                        read_only=False,
-                        propagation=PropagationMode.RSLAVE.value,
+                        bind_options=MountBindOptions(
+                            propagation=PropagationMode.RSLAVE
+                        ),
                    ),
                    # Configuration audio
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_homeassistant.path_extern_pulse.as_posix(),
                        target="/etc/pulse/client.conf",
                        read_only=True,
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_plugins.audio.path_extern_pulse.as_posix(),
                        target="/run/audio",
                        read_only=True,
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_plugins.audio.path_extern_asound.as_posix(),
                        target="/etc/asound.conf",
                        read_only=True,
@@ -175,6 +180,8 @@ class DockerHomeAssistant(DockerInterface):
        }
        if restore_job_id:
            environment[ENV_RESTORE_JOB_ID] = restore_job_id
+        if self.sys_homeassistant.duplicate_log_file:
+            environment[ENV_DUPLICATE_LOG_FILE] = "1"
        await self._run(
            tag=(self.sys_homeassistant.version),
            name=self.name,
@@ -214,20 +221,20 @@ class DockerHomeAssistant(DockerInterface):
            init=True,
            entrypoint=[],
            mounts=[
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_homeassistant.as_posix(),
                    target="/config",
                    read_only=False,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_ssl.as_posix(),
                    target="/ssl",
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_share.as_posix(),
                    target="/share",
                    read_only=False,
@@ -236,21 +243,10 @@ class DockerHomeAssistant(DockerInterface):
            environment={ENV_TIME: self.sys_timezone},
        )

-    def is_initialize(self) -> Awaitable[bool]:
+    async def is_initialize(self) -> bool:
        """Return True if Docker container exists."""
-        return self.sys_run_in_executor(
-            self.sys_docker.container_is_initialized,
-            self.name,
-            self.image,
-            self.sys_homeassistant.version,
+        if not self.sys_homeassistant.version:
+            return False
+        return await self.sys_docker.container_is_initialized(
+            self.name, self.image, self.sys_homeassistant.version
        )
-
-    async def _validate_trust(self, image_id: str) -> None:
-        """Validate trust of content."""
-        try:
-            if self.version in {None, LANDINGPAGE} or self.version < _VERIFY_TRUST:
-                return
-        except AwesomeVersionCompareException:
-            return
-
-        await super()._validate_trust(image_id)
--- a/supervisor/docker/interface.py
+++ b/supervisor/docker/interface.py
@@ -6,17 +6,17 @@ from abc import ABC, abstractmethod
 from collections import defaultdict
 from collections.abc import Awaitable
 from contextlib import suppress
+from http import HTTPStatus
 import logging
-import re
 from time import time
 from typing import Any, cast
 from uuid import uuid4

+import aiodocker
 from awesomeversion import AwesomeVersion
 from awesomeversion.strategy import AwesomeVersionStrategy
 import docker
 from docker.models.containers import Container
-from docker.models.images import Image
 import requests

 from ..bus import EventListener
@@ -31,15 +31,13 @@ from ..const import (
 )
 from ..coresys import CoreSys
 from ..exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
    DockerAPIError,
    DockerError,
+    DockerHubRateLimitExceeded,
    DockerJobError,
    DockerLogOutOfOrder,
    DockerNotFound,
    DockerRequestError,
-    DockerTrustError,
 )
 from ..jobs import SupervisorJob
 from ..jobs.const import JOB_GROUP_DOCKER_INTERFACE, JobConcurrency
@@ -47,17 +45,20 @@ from ..jobs.decorator import Job
 from ..jobs.job_group import JobGroup
 from ..resolution.const import ContextType, IssueType, SuggestionType
 from ..utils.sentry import async_capture_exception
-from .const import ContainerState, PullImageLayerStage, RestartPolicy
+from .const import (
+    DOCKER_HUB,
+    DOCKER_HUB_LEGACY,
+    ContainerState,
+    PullImageLayerStage,
+    RestartPolicy,
+)
 from .manager import CommandReturn, PullLogEntry
 from .monitor import DockerContainerStateEvent
 from .stats import DockerStats

 _LOGGER: logging.Logger = logging.getLogger(__name__)

-IMAGE_WITH_HOST = re.compile(r"^((?:[a-z0-9]+(?:-[a-z0-9]+)*\.)+[a-z]{2,})\/.+")
-DOCKER_HUB = "hub.docker.com"
-
-MAP_ARCH: dict[CpuArch | str, str] = {
+MAP_ARCH: dict[CpuArch, str] = {
    CpuArch.ARMV7: "linux/arm/v7",
    CpuArch.ARMHF: "linux/arm/v6",
    CpuArch.AARCH64: "linux/arm64",
@@ -181,25 +182,17 @@ class DockerInterface(JobGroup, ABC):
        return self.meta_config.get("Healthcheck")

    def _get_credentials(self, image: str) -> dict:
-        """Return a dictionay with credentials for docker login."""
-        registry = None
+        """Return a dictionary with credentials for docker login."""
        credentials = {}
-        matcher = IMAGE_WITH_HOST.match(image)
-
-        # Custom registry
-        if matcher:
-            if matcher.group(1) in self.sys_docker.config.registries:
-                registry = matcher.group(1)
-                credentials[ATTR_REGISTRY] = registry
-
-        # If no match assume "dockerhub" as registry
-        elif DOCKER_HUB in self.sys_docker.config.registries:
-            registry = DOCKER_HUB
+        registry = self.sys_docker.config.get_registry_for_image(image)

        if registry:
            stored = self.sys_docker.config.registries[registry]
            credentials[ATTR_USERNAME] = stored[ATTR_USERNAME]
            credentials[ATTR_PASSWORD] = stored[ATTR_PASSWORD]
+            # Don't include registry for Docker Hub (both official and legacy)
+            if registry not in (DOCKER_HUB, DOCKER_HUB_LEGACY):
+                credentials[ATTR_REGISTRY] = registry

            _LOGGER.debug(
                "Logging in to %s as %s",
@@ -209,18 +202,7 @@ class DockerInterface(JobGroup, ABC):

        return credentials

-    async def _docker_login(self, image: str) -> None:
-        """Try to log in to the registry if there are credentials available."""
-        if not self.sys_docker.config.registries:
-            return
-
-        credentials = self._get_credentials(image)
-        if not credentials:
-            return
-
-        await self.sys_run_in_executor(self.sys_docker.docker.login, **credentials)
-
-    def _process_pull_image_log(
+    def _process_pull_image_log(  # noqa: C901
        self, install_job_id: str, reference: PullLogEntry
    ) -> None:
        """Process events fired from a docker while pulling an image, filtered to a given job id."""
@@ -251,28 +233,16 @@ class DockerInterface(JobGroup, ABC):
                job = j
                break

-        # This likely only occurs if the logs came in out of sync and we got progress before the Pulling FS Layer one
+        # There should no longer be any real risk of logs out of order anymore.
+        # However tests with very small images have shown that sometimes Docker
+        # skips stages in log. So keeping this one as a safety check on null job
        if not job:
            raise DockerLogOutOfOrder(
                f"Received pull image log with status {reference.status} for image id {reference.id} and parent job {install_job_id} but could not find a matching job, skipping",
                _LOGGER.debug,
            )

-        # Hopefully these come in order but if they sometimes get out of sync, avoid accidentally going backwards
-        # If it happens a lot though we may need to reconsider the value of this feature
-        if job.done:
-            raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for job {job.uuid} but job was done, skipping",
-                _LOGGER.debug,
-            )
-
-        if job.stage and stage < PullImageLayerStage.from_status(job.stage):
-            raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for job {job.uuid} but job was already on stage {job.stage}, skipping",
-                _LOGGER.debug,
-            )
-
-        # For progress calcuation we assume downloading and extracting are each 50% of the time and others stages negligible
+        # For progress calculation we assume downloading is 70% of time, extracting is 30% and others stages negligible
        progress = job.progress
        match stage:
            case PullImageLayerStage.DOWNLOADING | PullImageLayerStage.EXTRACTING:
@@ -281,22 +251,26 @@ class DockerInterface(JobGroup, ABC):
                    and reference.progress_detail.current
                    and reference.progress_detail.total
                ):
-                    progress = 50 * (
+                    progress = (
                        reference.progress_detail.current
                        / reference.progress_detail.total
                    )
-                    if stage == PullImageLayerStage.EXTRACTING:
-                        progress += 50
+                    if stage == PullImageLayerStage.DOWNLOADING:
+                        progress = 70 * progress
+                    else:
+                        progress = 70 + 30 * progress
            case (
                PullImageLayerStage.VERIFYING_CHECKSUM
                | PullImageLayerStage.DOWNLOAD_COMPLETE
            ):
-                progress = 50
+                progress = 70
            case PullImageLayerStage.PULL_COMPLETE:
                progress = 100
            case PullImageLayerStage.RETRYING_DOWNLOAD:
                progress = 0

+        # No real risk of getting things out of order in current implementation
+        # but keeping this one in case another change to these trips us up.
        if stage != PullImageLayerStage.RETRYING_DOWNLOAD and progress < job.progress:
            raise DockerLogOutOfOrder(
                f"Received pull image log with status {reference.status} for job {job.uuid} that implied progress was {progress} but current progress is {job.progress}, skipping",
@@ -311,6 +285,8 @@ class DockerInterface(JobGroup, ABC):
        if (
            stage in {PullImageLayerStage.DOWNLOADING, PullImageLayerStage.EXTRACTING}
            and reference.progress_detail
+            and reference.progress_detail.current is not None
+            and reference.progress_detail.total is not None
        ):
            job.update(
                progress=progress,
@@ -321,13 +297,17 @@ class DockerInterface(JobGroup, ABC):
                },
            )
        else:
+            # If we reach DOWNLOAD_COMPLETE without ever having set extra (small layers that skip
+            # the downloading phase), set a minimal extra so aggregate progress calculation can proceed
+            extra = job.extra
+            if stage == PullImageLayerStage.DOWNLOAD_COMPLETE and not job.extra:
+                extra = {"current": 1, "total": 1}
+
            job.update(
                progress=progress,
                stage=stage.status,
                done=stage == PullImageLayerStage.PULL_COMPLETE,
-                extra=None
-                if stage == PullImageLayerStage.RETRYING_DOWNLOAD
-                else job.extra,
+                extra=None if stage == PullImageLayerStage.RETRYING_DOWNLOAD else extra,
            )

        # Once we have received a progress update for every child job, start to set status of the main one
@@ -354,7 +334,7 @@ class DockerInterface(JobGroup, ABC):
        progress = 0.0
        stage = PullImageLayerStage.PULL_COMPLETE
        for job in layer_jobs:
-            if not job.extra:
+            if not job.extra or not job.extra.get("total"):
                return
            progress += job.progress * (job.extra["total"] / total)
            job_stage = PullImageLayerStage.from_status(cast(str, job.stage))
@@ -393,14 +373,13 @@ class DockerInterface(JobGroup, ABC):
        if not image:
            raise ValueError("Cannot pull without an image!")

-        image_arch = str(arch) if arch else self.sys_arch.supervisor
+        image_arch = arch or self.sys_arch.supervisor
        listener: EventListener | None = None

        _LOGGER.info("Downloading docker image %s with tag %s.", image, version)
        try:
-            if self.sys_docker.config.registries:
-                # Try login if we have defined credentials
-                await self._docker_login(image)
+            # Get credentials for private registries to pass to aiodocker
+            credentials = self._get_credentials(image) or None

            curr_job_id = self.sys_jobs.current.uuid

@@ -416,106 +395,96 @@ class DockerInterface(JobGroup, ABC):
                BusEvent.DOCKER_IMAGE_PULL_UPDATE, process_pull_image_log
            )

-            # Pull new image
-            docker_image = await self.sys_run_in_executor(
-                self.sys_docker.pull_image,
+            # Pull new image, passing credentials to aiodocker
+            docker_image = await self.sys_docker.pull_image(
                self.sys_jobs.current.uuid,
                image,
                str(version),
                platform=MAP_ARCH[image_arch],
+                auth=credentials,
            )

-            # Validate content
-            try:
-                await self._validate_trust(cast(str, docker_image.id))
-            except CodeNotaryError:
-                with suppress(docker.errors.DockerException):
-                    await self.sys_run_in_executor(
-                        self.sys_docker.images.remove,
-                        image=f"{image}:{version!s}",
-                        force=True,
-                    )
-                raise
-
            # Tag latest
            if latest:
                _LOGGER.info(
                    "Tagging image %s with version %s as latest", image, version
                )
-                await self.sys_run_in_executor(docker_image.tag, image, tag="latest")
+                await self.sys_docker.images.tag(
+                    docker_image["Id"], image, tag="latest"
+                )
        except docker.errors.APIError as err:
-            if err.status_code == 429:
+            if err.status_code == HTTPStatus.TOO_MANY_REQUESTS:
                self.sys_resolution.create_issue(
                    IssueType.DOCKER_RATELIMIT,
                    ContextType.SYSTEM,
                    suggestions=[SuggestionType.REGISTRY_LOGIN],
                )
-                _LOGGER.info(
-                    "Your IP address has made too many requests to Docker Hub which activated a rate limit. "
-                    "For more details see https://www.home-assistant.io/more-info/dockerhub-rate-limit"
-                )
+                raise DockerHubRateLimitExceeded(_LOGGER.error) from err
+            await async_capture_exception(err)
            raise DockerError(
                f"Can't install {image}:{version!s}: {err}", _LOGGER.error
            ) from err
-        except (docker.errors.DockerException, requests.RequestException) as err:
+        except aiodocker.DockerError as err:
+            if err.status == HTTPStatus.TOO_MANY_REQUESTS:
+                self.sys_resolution.create_issue(
+                    IssueType.DOCKER_RATELIMIT,
+                    ContextType.SYSTEM,
+                    suggestions=[SuggestionType.REGISTRY_LOGIN],
+                )
+                raise DockerHubRateLimitExceeded(_LOGGER.error) from err
+            await async_capture_exception(err)
+            raise DockerError(
+                f"Can't install {image}:{version!s}: {err}", _LOGGER.error
+            ) from err
+        except (
+            docker.errors.DockerException,
+            requests.RequestException,
+        ) as err:
            await async_capture_exception(err)
            raise DockerError(
                f"Unknown error with {image}:{version!s} -> {err!s}", _LOGGER.error
            ) from err
-        except CodeNotaryUntrusted as err:
-            raise DockerTrustError(
-                f"Pulled image {image}:{version!s} failed on content-trust verification!",
-                _LOGGER.critical,
-            ) from err
-        except CodeNotaryError as err:
-            raise DockerTrustError(
-                f"Error happened on Content-Trust check for {image}:{version!s}: {err!s}",
-                _LOGGER.error,
-            ) from err
        finally:
            if listener:
                self.sys_bus.remove_listener(listener)

-        self._meta = docker_image.attrs
+        self._meta = docker_image

    async def exists(self) -> bool:
        """Return True if Docker image exists in local repository."""
-        with suppress(docker.errors.DockerException, requests.RequestException):
-            await self.sys_run_in_executor(
-                self.sys_docker.images.get, f"{self.image}:{self.version!s}"
-            )
+        with suppress(aiodocker.DockerError, requests.RequestException):
+            await self.sys_docker.images.inspect(f"{self.image}:{self.version!s}")
            return True
        return False

-    async def is_running(self) -> bool:
-        """Return True if Docker is running."""
+    async def _get_container(self) -> Container | None:
+        """Get docker container, returns None if not found."""
        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+            return await self.sys_run_in_executor(
+                self.sys_docker.containers_legacy.get, self.name
            )
        except docker.errors.NotFound:
-            return False
+            return None
        except docker.errors.DockerException as err:
-            raise DockerAPIError() from err
+            raise DockerAPIError(
+                f"Docker API error occurred while getting container information: {err!s}"
+            ) from err
        except requests.RequestException as err:
-            raise DockerRequestError() from err
+            raise DockerRequestError(
+                f"Error communicating with Docker to get container information: {err!s}"
+            ) from err

-        return docker_container.status == "running"
+    async def is_running(self) -> bool:
+        """Return True if Docker is running."""
+        if docker_container := await self._get_container():
+            return docker_container.status == "running"
+        return False

    async def current_state(self) -> ContainerState:
        """Return current state of container."""
-        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
-            )
-        except docker.errors.NotFound:
-            return ContainerState.UNKNOWN
-        except docker.errors.DockerException as err:
-            raise DockerAPIError() from err
-        except requests.RequestException as err:
-            raise DockerRequestError() from err
-
-        return _container_state_from_model(docker_container)
+        if docker_container := await self._get_container():
+            return _container_state_from_model(docker_container)
+        return ContainerState.UNKNOWN

    @Job(name="docker_interface_attach", concurrency=JobConcurrency.GROUP_QUEUE)
    async def attach(
@@ -524,7 +493,7 @@ class DockerInterface(JobGroup, ABC):
        """Attach to running Docker container."""
        with suppress(docker.errors.DockerException, requests.RequestException):
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
            self._meta = docker_container.attrs
            self.sys_docker.monitor.watch_container(docker_container)
@@ -542,15 +511,17 @@ class DockerInterface(JobGroup, ABC):
                    ),
                )

-        with suppress(docker.errors.DockerException, requests.RequestException):
+        with suppress(aiodocker.DockerError, requests.RequestException):
            if not self._meta and self.image:
-                self._meta = self.sys_docker.images.get(
+                self._meta = await self.sys_docker.images.inspect(
                    f"{self.image}:{version!s}"
-                ).attrs
+                )

        # Successful?
        if not self._meta:
-            raise DockerError()
+            raise DockerError(
+                f"Could not get metadata on container or image for {self.name}"
+            )
        _LOGGER.info("Attaching to %s with version %s", self.image, self.version)

    @Job(
@@ -562,8 +533,11 @@ class DockerInterface(JobGroup, ABC):
        """Run Docker image."""
        raise NotImplementedError()

-    async def _run(self, **kwargs) -> None:
-        """Run Docker image with retry inf necessary."""
+    async def _run(self, *, name: str, **kwargs) -> None:
+        """Run Docker image with retry if necessary."""
+        if not (image := self.image):
+            raise ValueError(f"Cannot determine image to use to run {self.name}!")
+
        if await self.is_running():
            return

@@ -572,16 +546,14 @@ class DockerInterface(JobGroup, ABC):

        # Create & Run container
        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.run, self.image, **kwargs
-            )
+            container_metadata = await self.sys_docker.run(image, name=name, **kwargs)
        except DockerNotFound as err:
            # If image is missing, capture the exception as this shouldn't happen
            await async_capture_exception(err)
            raise

        # Store metadata
-        self._meta = docker_container.attrs
+        self._meta = container_metadata

    @Job(
        name="docker_interface_stop",
@@ -614,14 +586,17 @@ class DockerInterface(JobGroup, ABC):
    )
    async def remove(self, *, remove_image: bool = True) -> None:
        """Remove Docker images."""
+        if not self.image or not self.version:
+            raise DockerError(
+                "Cannot determine image and/or version from metadata!", _LOGGER.error
+            )
+
        # Cleanup container
        with suppress(DockerError):
            await self.stop()

        if remove_image:
-            await self.sys_run_in_executor(
-                self.sys_docker.remove_image, self.image, self.version
-            )
+            await self.sys_docker.remove_image(self.image, self.version)

        self._meta = None

@@ -637,29 +612,25 @@ class DockerInterface(JobGroup, ABC):
        expected_cpu_arch: CpuArch | None = None,
    ) -> None:
        """Check we have expected image with correct arch."""
-        expected_image_cpu_arch = (
-            str(expected_cpu_arch) if expected_cpu_arch else self.sys_arch.supervisor
-        )
+        arch = expected_cpu_arch or self.sys_arch.supervisor
        image_name = f"{expected_image}:{version!s}"
        if self.image == expected_image:
            try:
-                image: Image = await self.sys_run_in_executor(
-                    self.sys_docker.images.get, image_name
-                )
-            except (docker.errors.DockerException, requests.RequestException) as err:
+                image = await self.sys_docker.images.inspect(image_name)
+            except (aiodocker.DockerError, requests.RequestException) as err:
                raise DockerError(
                    f"Could not get {image_name} for check due to: {err!s}",
                    _LOGGER.error,
                ) from err

-            image_arch = f"{image.attrs['Os']}/{image.attrs['Architecture']}"
-            if "Variant" in image.attrs:
-                image_arch = f"{image_arch}/{image.attrs['Variant']}"
+            image_arch = f"{image['Os']}/{image['Architecture']}"
+            if "Variant" in image:
+                image_arch = f"{image_arch}/{image['Variant']}"

            # If we have an image and its the right arch, all set
            # It seems that newer Docker version return a variant for arm64 images.
            # Make sure we match linux/arm64 and linux/arm64/v8.
-            expected_image_arch = MAP_ARCH[expected_image_cpu_arch]
+            expected_image_arch = MAP_ARCH[arch]
            if image_arch.startswith(expected_image_arch):
                return
            _LOGGER.info(
@@ -672,7 +643,7 @@ class DockerInterface(JobGroup, ABC):
        # We're missing the image we need. Stop and clean up what we have then pull the right one
        with suppress(DockerError):
            await self.remove()
-        await self.install(version, expected_image, arch=expected_image_cpu_arch)
+        await self.install(version, expected_image, arch=arch)

    @Job(
        name="docker_interface_update",
@@ -716,11 +687,13 @@ class DockerInterface(JobGroup, ABC):
        version: AwesomeVersion | None = None,
    ) -> None:
        """Check if old version exists and cleanup."""
-        await self.sys_run_in_executor(
-            self.sys_docker.cleanup_old_images,
-            image or self.image,
-            version or self.version,
-            {old_image} if old_image else None,
+        if not (use_image := image or self.image):
+            raise DockerError("Cannot determine image from metadata!", _LOGGER.error)
+        if not (use_version := version or self.version):
+            raise DockerError("Cannot determine version from metadata!", _LOGGER.error)
+
+        await self.sys_docker.cleanup_old_images(
+            use_image, use_version, {old_image} if old_image else None
        )

    @Job(
@@ -752,14 +725,8 @@ class DockerInterface(JobGroup, ABC):

    async def is_failed(self) -> bool:
        """Return True if Docker is failing state."""
-        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
-            )
-        except docker.errors.NotFound:
+        if not (docker_container := await self._get_container()):
            return False
-        except (docker.errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err

        # container is not running
        if docker_container.status != "exited":
@@ -772,10 +739,10 @@ class DockerInterface(JobGroup, ABC):
        """Return latest version of local image."""
        available_version: list[AwesomeVersion] = []
        try:
-            for image in await self.sys_run_in_executor(
-                self.sys_docker.images.list, self.image
+            for image in await self.sys_docker.images.list(
+                filters=f'{{"reference": ["{self.image}"]}}'
            ):
-                for tag in image.tags:
+                for tag in image["RepoTags"]:
                    version = AwesomeVersion(tag.partition(":")[2])
                    if version.strategy == AwesomeVersionStrategy.UNKNOWN:
                        continue
@@ -784,7 +751,7 @@ class DockerInterface(JobGroup, ABC):
            if not available_version:
                raise ValueError()

-        except (docker.errors.DockerException, ValueError) as err:
+        except (aiodocker.DockerError, ValueError) as err:
            raise DockerNotFound(
                f"No version found for {self.image}", _LOGGER.info
            ) from err
@@ -809,24 +776,3 @@ class DockerInterface(JobGroup, ABC):
        return self.sys_run_in_executor(
            self.sys_docker.container_run_inside, self.name, command
        )
-
-    async def _validate_trust(self, image_id: str) -> None:
-        """Validate trust of content."""
-        checksum = image_id.partition(":")[2]
-        return await self.sys_security.verify_own_content(checksum)
-
-    @Job(
-        name="docker_interface_check_trust",
-        on_condition=DockerJobError,
-        concurrency=JobConcurrency.GROUP_REJECT,
-    )
-    async def check_trust(self) -> None:
-        """Check trust of exists Docker image."""
-        try:
-            image = await self.sys_run_in_executor(
-                self.sys_docker.images.get, f"{self.image}:{self.version!s}"
-            )
-        except (docker.errors.DockerException, requests.RequestException):
-            return
-
-        await self._validate_trust(cast(str, image.id))
--- a/supervisor/docker/manager.py
+++ b/supervisor/docker/manager.py
--- a/supervisor/docker/monitor.py
+++ b/supervisor/docker/monitor.py
@@ -89,7 +89,7 @@ class DockerMonitor(CoreSysAttributes, Thread):
                        DockerContainerStateEvent(
                            name=attributes["name"],
                            state=container_state,
-                            id=event["id"],
+                            id=event["Actor"]["ID"],
                            time=event["time"],
                        ),
                    )
--- a/supervisor/docker/network.py
+++ b/supervisor/docker/network.py
@@ -7,6 +7,7 @@ import logging
 from typing import Self, cast

 import docker
+from docker.models.networks import Network
 import requests

 from ..const import (
@@ -59,7 +60,7 @@ class DockerNetwork:
    def __init__(self, docker_client: docker.DockerClient):
        """Initialize internal Supervisor network."""
        self.docker: docker.DockerClient = docker_client
-        self._network: docker.models.networks.Network
+        self._network: Network

    async def post_init(
        self, enable_ipv6: bool | None = None, mtu: int | None = None
@@ -76,7 +77,7 @@ class DockerNetwork:
        return DOCKER_NETWORK

    @property
-    def network(self) -> docker.models.networks.Network:
+    def network(self) -> Network:
        """Return docker network."""
        return self._network

@@ -117,7 +118,7 @@ class DockerNetwork:

    def _get_network(
        self, enable_ipv6: bool | None = None, mtu: int | None = None
-    ) -> docker.models.networks.Network:
+    ) -> Network:
        """Get supervisor network."""
        try:
            if network := self.docker.networks.get(DOCKER_NETWORK):
@@ -218,7 +219,8 @@ class DockerNetwork:

    def attach_container(
        self,
-        container: docker.models.containers.Container,
+        container_id: str,
+        name: str,
        alias: list[str] | None = None,
        ipv4: IPv4Address | None = None,
    ) -> None:
@@ -231,15 +233,15 @@ class DockerNetwork:
            self.network.reload()

        # Check stale Network
-        if container.name and container.name in (
+        if name in (
            val.get("Name") for val in self.network.attrs.get("Containers", {}).values()
        ):
-            self.stale_cleanup(container.name)
+            self.stale_cleanup(name)

        # Attach Network
        try:
            self.network.connect(
-                container, aliases=alias, ipv4_address=str(ipv4) if ipv4 else None
+                container_id, aliases=alias, ipv4_address=str(ipv4) if ipv4 else None
            )
        except (
            docker.errors.NotFound,
@@ -248,7 +250,7 @@ class DockerNetwork:
            requests.RequestException,
        ) as err:
            raise DockerError(
-                f"Can't connect {container.name} to Supervisor network: {err}",
+                f"Can't connect {name} to Supervisor network: {err}",
                _LOGGER.error,
            ) from err

@@ -272,19 +274,20 @@ class DockerNetwork:
        ) as err:
            raise DockerError(f"Can't find {name}: {err}", _LOGGER.error) from err

-        if container.id not in self.containers:
-            self.attach_container(container, alias, ipv4)
+        if not (container_id := container.id):
+            raise DockerError(f"Received invalid metadata from docker for {name}")

-    def detach_default_bridge(
-        self, container: docker.models.containers.Container
-    ) -> None:
+        if container_id not in self.containers:
+            self.attach_container(container_id, name, alias, ipv4)
+
+    def detach_default_bridge(self, container_id: str, name: str) -> None:
        """Detach default Docker bridge.

        Need run inside executor.
        """
        try:
            default_network = self.docker.networks.get(DOCKER_NETWORK_DRIVER)
-            default_network.disconnect(container)
+            default_network.disconnect(container_id)
        except docker.errors.NotFound:
            pass
        except (
@@ -293,7 +296,7 @@ class DockerNetwork:
            requests.RequestException,
        ) as err:
            raise DockerError(
-                f"Can't disconnect {container.name} from default network: {err}",
+                f"Can't disconnect {name} from default network: {err}",
                _LOGGER.warning,
            ) from err

--- a/supervisor/docker/supervisor.py
+++ b/supervisor/docker/supervisor.py
@@ -1,10 +1,12 @@
 """Init file for Supervisor Docker object."""

+import asyncio
 from collections.abc import Awaitable
 from ipaddress import IPv4Address
 import logging
 import os

+import aiodocker
 from awesomeversion.awesomeversion import AwesomeVersion
 import docker
 import requests
@@ -52,7 +54,7 @@ class DockerSupervisor(DockerInterface):
        """Attach to running docker container."""
        try:
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
        except (docker.errors.DockerException, requests.RequestException) as err:
            raise DockerError() from err
@@ -72,7 +74,8 @@ class DockerSupervisor(DockerInterface):
        _LOGGER.info("Connecting Supervisor to hassio-network")
        await self.sys_run_in_executor(
            self.sys_docker.network.attach_container,
-            docker_container,
+            docker_container.id,
+            self.name,
            alias=["supervisor"],
            ipv4=self.sys_docker.network.supervisor,
        )
@@ -88,7 +91,7 @@ class DockerSupervisor(DockerInterface):
        Need run inside executor.
        """
        try:
-            docker_container = self.sys_docker.containers.get(self.name)
+            docker_container = self.sys_docker.containers_legacy.get(self.name)
        except (docker.errors.DockerException, requests.RequestException) as err:
            raise DockerError(
                f"Could not get Supervisor container for retag: {err}", _LOGGER.error
@@ -112,19 +115,18 @@ class DockerSupervisor(DockerInterface):
        name="docker_supervisor_update_start_tag",
        concurrency=JobConcurrency.GROUP_QUEUE,
    )
-    def update_start_tag(self, image: str, version: AwesomeVersion) -> Awaitable[None]:
+    async def update_start_tag(self, image: str, version: AwesomeVersion) -> None:
        """Update start tag to new version."""
-        return self.sys_run_in_executor(self._update_start_tag, image, version)
-
-    def _update_start_tag(self, image: str, version: AwesomeVersion) -> None:
-        """Update start tag to new version.
-
-        Need run inside executor.
-        """
        try:
-            docker_container = self.sys_docker.containers.get(self.name)
-            docker_image = self.sys_docker.images.get(f"{image}:{version!s}")
-        except (docker.errors.DockerException, requests.RequestException) as err:
+            docker_container = await self.sys_run_in_executor(
+                self.sys_docker.containers_legacy.get, self.name
+            )
+            docker_image = await self.sys_docker.images.inspect(f"{image}:{version!s}")
+        except (
+            aiodocker.DockerError,
+            docker.errors.DockerException,
+            requests.RequestException,
+        ) as err:
            raise DockerError(
                f"Can't get image or container to fix start tag: {err}", _LOGGER.error
            ) from err
@@ -144,8 +146,14 @@ class DockerSupervisor(DockerInterface):
                # If version tag
                if start_tag != "latest":
                    continue
-                docker_image.tag(start_image, start_tag)
-                docker_image.tag(start_image, version.string)
+                await asyncio.gather(
+                    self.sys_docker.images.tag(
+                        docker_image["Id"], start_image, tag=start_tag
+                    ),
+                    self.sys_docker.images.tag(
+                        docker_image["Id"], start_image, tag=version.string
+                    ),
+                )

-        except (docker.errors.DockerException, requests.RequestException) as err:
+        except (aiodocker.DockerError, requests.RequestException) as err:
            raise DockerError(f"Can't fix start tag: {err}", _LOGGER.error) from err
--- a/supervisor/docker/utils.py
+++ b/supervisor/docker/utils.py
@@ -0,0 +1,57 @@
+"""Docker utilities."""
+
+from __future__ import annotations
+
+import re
+
+# Docker image reference domain regex
+# Based on Docker's reference implementation:
+# vendor/github.com/distribution/reference/normalize.go
+#
+# A domain is detected if the part before the first / contains:
+# - "localhost" (with optional port)
+# - Contains "." (like registry.example.com or 127.0.0.1)
+# - Contains ":" (like myregistry:5000)
+# - IPv6 addresses in brackets (like [::1]:5000)
+#
+# Note: Docker also treats uppercase letters as registry indicators since
+# namespaces must be lowercase, but this regex handles lowercase matching
+# and the get_registry_from_image() function validates the registry rules.
+IMAGE_REGISTRY_REGEX = re.compile(
+    r"^(?P<registry>"
+    r"localhost(?::[0-9]+)?|"  # localhost with optional port
+    r"(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])"  # domain component
+    r"(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))*"  # more components
+    r"(?::[0-9]+)?|"  # optional port
+    r"\[[a-fA-F0-9:]+\](?::[0-9]+)?"  # IPv6 with optional port
+    r")/"  # must be followed by /
+)
+
+
+def get_registry_from_image(image_ref: str) -> str | None:
+    """Extract registry from Docker image reference.
+
+    Returns the registry if the image reference contains one,
+    or None if the image uses Docker Hub (docker.io).
+
+    Based on Docker's reference implementation:
+    vendor/github.com/distribution/reference/normalize.go
+
+    Examples:
+        get_registry_from_image("nginx")                        -> None (docker.io)
+        get_registry_from_image("library/nginx")                -> None (docker.io)
+        get_registry_from_image("myregistry.com/nginx")         -> "myregistry.com"
+        get_registry_from_image("localhost/myimage")            -> "localhost"
+        get_registry_from_image("localhost:5000/myimage")       -> "localhost:5000"
+        get_registry_from_image("registry.io:5000/org/app:v1")  -> "registry.io:5000"
+        get_registry_from_image("[::1]:5000/myimage")           -> "[::1]:5000"
+
+    """
+    match = IMAGE_REGISTRY_REGEX.match(image_ref)
+    if match:
+        registry = match.group("registry")
+        # Must contain '.' or ':' or be 'localhost' to be a real registry
+        # This prevents treating "myuser/myimage" as having registry "myuser"
+        if "." in registry or ":" in registry or registry == "localhost":
+            return registry
+    return None  # No registry = Docker Hub (docker.io)
--- a/supervisor/exceptions.py
+++ b/supervisor/exceptions.py
@@ -1,25 +1,25 @@
 """Core Exceptions."""

-from collections.abc import Callable
+from collections.abc import Callable, Mapping
 from typing import Any

+MESSAGE_CHECK_SUPERVISOR_LOGS = (
+    "Check supervisor logs for details (check with '{logs_command}')"
+)
+EXTRA_FIELDS_LOGS_COMMAND = {"logs_command": "ha supervisor logs"}
+

 class HassioError(Exception):
    """Root exception."""

    error_key: str | None = None
    message_template: str | None = None
+    extra_fields: dict[str, Any] | None = None

    def __init__(
-        self,
-        message: str | None = None,
-        logger: Callable[..., None] | None = None,
-        *,
-        extra_fields: dict[str, Any] | None = None,
+        self, message: str | None = None, logger: Callable[..., None] | None = None
    ) -> None:
        """Raise & log."""
-        self.extra_fields = extra_fields or {}
-
        if not message and self.message_template:
            message = (
                self.message_template.format(**self.extra_fields)
@@ -41,6 +41,94 @@ class HassioNotSupportedError(HassioError):
    """Function is not supported."""


+# API
+
+
+class APIError(HassioError, RuntimeError):
+    """API errors."""
+
+    status = 400
+    headers: Mapping[str, str] | None = None
+
+    def __init__(
+        self,
+        message: str | None = None,
+        logger: Callable[..., None] | None = None,
+        *,
+        headers: Mapping[str, str] | None = None,
+        job_id: str | None = None,
+    ) -> None:
+        """Raise & log, optionally with job."""
+        super().__init__(message, logger)
+        self.headers = headers
+        self.job_id = job_id
+
+
+class APIUnauthorized(APIError):
+    """API unauthorized error."""
+
+    status = 401
+
+
+class APIForbidden(APIError):
+    """API forbidden error."""
+
+    status = 403
+
+
+class APINotFound(APIError):
+    """API not found error."""
+
+    status = 404
+
+
+class APIGone(APIError):
+    """API is no longer available."""
+
+    status = 410
+
+
+class APITooManyRequests(APIError):
+    """API too many requests error."""
+
+    status = 429
+
+
+class APIInternalServerError(APIError):
+    """API internal server error."""
+
+    status = 500
+
+
+class APIAddonNotInstalled(APIError):
+    """Not installed addon requested at addons API."""
+
+
+class APIDBMigrationInProgress(APIError):
+    """Service is unavailable due to an offline DB migration is in progress."""
+
+    status = 503
+
+
+class APIUnknownSupervisorError(APIError):
+    """Unknown error occurred within supervisor. Adds supervisor check logs rider to message template."""
+
+    status = 500
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        job_id: str | None = None,
+    ) -> None:
+        """Initialize exception."""
+        self.message_template = (
+            f"{self.message_template}. {MESSAGE_CHECK_SUPERVISOR_LOGS}"
+        )
+        self.extra_fields = (self.extra_fields or {}) | EXTRA_FIELDS_LOGS_COMMAND
+        super().__init__(None, logger, job_id=job_id)
+
+
 # JobManager


@@ -122,6 +210,13 @@ class SupervisorAppArmorError(SupervisorError):
    """Supervisor AppArmor error."""


+class SupervisorUnknownError(SupervisorError, APIUnknownSupervisorError):
+    """Raise when an unknown error occurs interacting with Supervisor or its container."""
+
+    error_key = "supervisor_unknown_error"
+    message_template = "An unknown error occurred with Supervisor"
+
+
 class SupervisorJobError(SupervisorError, JobException):
    """Raise on job errors."""

@@ -250,6 +345,54 @@ class AddonConfigurationError(AddonsError):
    """Error with add-on configuration."""


+class AddonConfigurationInvalidError(AddonConfigurationError, APIError):
+    """Raise if invalid configuration provided for addon."""
+
+    error_key = "addon_configuration_invalid_error"
+    message_template = "Add-on {addon} has invalid options: {validation_error}"
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        addon: str,
+        validation_error: str,
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "validation_error": validation_error}
+        super().__init__(None, logger)
+
+
+class AddonBootConfigCannotChangeError(AddonsError, APIError):
+    """Raise if user attempts to change addon boot config when it can't be changed."""
+
+    error_key = "addon_boot_config_cannot_change_error"
+    message_template = (
+        "Addon {addon} boot option is set to {boot_config} so it cannot be changed"
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str, boot_config: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "boot_config": boot_config}
+        super().__init__(None, logger)
+
+
+class AddonNotRunningError(AddonsError, APIError):
+    """Raise when an addon is not running."""
+
+    error_key = "addon_not_running_error"
+    message_template = "Add-on {addon} is not running"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(None, logger)
+
+
 class AddonNotSupportedError(HassioNotSupportedError):
    """Addon doesn't support a function."""

@@ -268,11 +411,8 @@ class AddonNotSupportedArchitectureError(AddonNotSupportedError):
        architectures: list[str],
    ) -> None:
        """Initialize exception."""
-        super().__init__(
-            None,
-            logger,
-            extra_fields={"slug": slug, "architectures": ", ".join(architectures)},
-        )
+        self.extra_fields = {"slug": slug, "architectures": ", ".join(architectures)}
+        super().__init__(None, logger)


 class AddonNotSupportedMachineTypeError(AddonNotSupportedError):
@@ -289,11 +429,8 @@ class AddonNotSupportedMachineTypeError(AddonNotSupportedError):
        machine_types: list[str],
    ) -> None:
        """Initialize exception."""
-        super().__init__(
-            None,
-            logger,
-            extra_fields={"slug": slug, "machine_types": ", ".join(machine_types)},
-        )
+        self.extra_fields = {"slug": slug, "machine_types": ", ".join(machine_types)}
+        super().__init__(None, logger)


 class AddonNotSupportedHomeAssistantVersionError(AddonNotSupportedError):
@@ -310,11 +447,96 @@ class AddonNotSupportedHomeAssistantVersionError(AddonNotSupportedError):
        version: str,
    ) -> None:
        """Initialize exception."""
-        super().__init__(
-            None,
-            logger,
-            extra_fields={"slug": slug, "version": version},
-        )
+        self.extra_fields = {"slug": slug, "version": version}
+        super().__init__(None, logger)
+
+
+class AddonNotSupportedWriteStdinError(AddonNotSupportedError, APIError):
+    """Addon does not support writing to stdin."""
+
+    error_key = "addon_not_supported_write_stdin_error"
+    message_template = "Add-on {addon} does not support writing to stdin"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(None, logger)
+
+
+class AddonBuildDockerfileMissingError(AddonNotSupportedError, APIError):
+    """Raise when addon build invalid because dockerfile is missing."""
+
+    error_key = "addon_build_dockerfile_missing_error"
+    message_template = (
+        "Cannot build addon '{addon}' because dockerfile is missing. A repair "
+        "using '{repair_command}' will fix this if the cause is data "
+        "corruption. Otherwise please report this to the addon developer."
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "repair_command": "ha supervisor repair"}
+        super().__init__(None, logger)
+
+
+class AddonBuildArchitectureNotSupportedError(AddonNotSupportedError, APIError):
+    """Raise when addon cannot be built on system because it doesn't support its architecture."""
+
+    error_key = "addon_build_architecture_not_supported_error"
+    message_template = (
+        "Cannot build addon '{addon}' because its supported architectures "
+        "({addon_arches}) do not match the system supported architectures ({system_arches})"
+    )
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        addon: str,
+        addon_arch_list: list[str],
+        system_arch_list: list[str],
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {
+            "addon": addon,
+            "addon_arches": ", ".join(addon_arch_list),
+            "system_arches": ", ".join(system_arch_list),
+        }
+        super().__init__(None, logger)
+
+
+class AddonUnknownError(AddonsError, APIUnknownSupervisorError):
+    """Raise when unknown error occurs taking an action for an addon."""
+
+    error_key = "addon_unknown_error"
+    message_template = "An unknown error occurred with addon {addon}"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(logger)
+
+
+class AddonBuildFailedUnknownError(AddonsError, APIUnknownSupervisorError):
+    """Raise when the build failed for an addon due to an unknown error."""
+
+    error_key = "addon_build_failed_unknown_error"
+    message_template = (
+        "An unknown error occurred while trying to build the image for addon {addon}"
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(logger)


 class AddonsJobError(AddonsError, JobException):
@@ -346,13 +568,64 @@ class AuthError(HassioError):
    """Auth errors."""


-class AuthPasswordResetError(HassioError):
+class AuthPasswordResetError(AuthError, APIError):
    """Auth error if password reset failed."""

+    error_key = "auth_password_reset_error"
+    message_template = "Username '{user}' does not exist. Check list of users using '{auth_list_command}'."

-class AuthListUsersError(HassioError):
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        user: str,
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"user": user, "auth_list_command": "ha auth list"}
+        super().__init__(None, logger)
+
+
+class AuthListUsersError(AuthError, APIUnknownSupervisorError):
    """Auth error if listing users failed."""

+    error_key = "auth_list_users_error"
+    message_template = "Can't request listing users on Home Assistant"
+
+
+class AuthListUsersNoneResponseError(AuthError, APIInternalServerError):
+    """Auth error if listing users returned invalid None response."""
+
+    error_key = "auth_list_users_none_response_error"
+    message_template = "Home Assistant returned invalid response of `{none}` instead of a list of users. Check Home Assistant logs for details (check with `{logs_command}`)"
+    extra_fields = {"none": "None", "logs_command": "ha core logs"}
+
+    def __init__(self, logger: Callable[..., None] | None = None) -> None:
+        """Initialize exception."""
+        super().__init__(None, logger)
+
+
+class AuthInvalidNonStringValueError(AuthError, APIUnauthorized):
+    """Auth error if something besides a string provided as username or password."""
+
+    error_key = "auth_invalid_non_string_value_error"
+    message_template = "Username and password must be strings"
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        headers: Mapping[str, str] | None = None,
+    ) -> None:
+        """Initialize exception."""
+        super().__init__(None, logger, headers=headers)
+
+
+class AuthHomeAssistantAPIValidationError(AuthError, APIUnknownSupervisorError):
+    """Error encountered trying to validate auth details via Home Assistant API."""
+
+    error_key = "auth_home_assistant_api_validation_error"
+    message_template = "Unable to validate authentication details with Home Assistant"
+

 # Host

@@ -385,54 +658,6 @@ class HostLogError(HostError):
    """Internal error with host log."""


-# API
-
-
-class APIError(HassioError, RuntimeError):
-    """API errors."""
-
-    status = 400
-
-    def __init__(
-        self,
-        message: str | None = None,
-        logger: Callable[..., None] | None = None,
-        *,
-        job_id: str | None = None,
-        error: HassioError | None = None,
-    ) -> None:
-        """Raise & log, optionally with job."""
-        # Allow these to be set from another error here since APIErrors essentially wrap others to add a status
-        self.error_key = error.error_key if error else None
-        self.message_template = error.message_template if error else None
-        super().__init__(
-            message, logger, extra_fields=error.extra_fields if error else None
-        )
-        self.job_id = job_id
-
-
-class APIForbidden(APIError):
-    """API forbidden error."""
-
-    status = 403
-
-
-class APINotFound(APIError):
-    """API not found error."""
-
-    status = 404
-
-
-class APIAddonNotInstalled(APIError):
-    """Not installed addon requested at addons API."""
-
-
-class APIDBMigrationInProgress(APIError):
-    """Service is unavailable due to an offline DB migration is in progress."""
-
-    status = 503
-
-
 # Service / Discovery


@@ -577,21 +802,6 @@ class PwnedConnectivityError(PwnedError):
    """Connectivity errors while checking pwned passwords."""


-# util/codenotary
-
-
-class CodeNotaryError(HassioError):
-    """Error general with CodeNotary."""
-
-
-class CodeNotaryUntrusted(CodeNotaryError):
-    """Error on untrusted content."""
-
-
-class CodeNotaryBackendError(CodeNotaryError):
-    """CodeNotary backend error happening."""
-
-
 # util/whoami


@@ -625,6 +835,10 @@ class DockerError(HassioError):
    """Docker API/Transport errors."""


+class DockerBuildError(DockerError):
+    """Docker error during build."""
+
+
 class DockerAPIError(DockerError):
    """Docker API error."""

@@ -648,9 +862,29 @@ class DockerLogOutOfOrder(DockerError):
 class DockerNoSpaceOnDevice(DockerError):
    """Raise if a docker pull fails due to available space."""

+    error_key = "docker_no_space_on_device"
+    message_template = "No space left on disk"
+
    def __init__(self, logger: Callable[..., None] | None = None) -> None:
        """Raise & log."""
-        super().__init__("No space left on disk", logger=logger)
+        super().__init__(None, logger=logger)
+
+
+class DockerHubRateLimitExceeded(DockerError, APITooManyRequests):
+    """Raise for docker hub rate limit exceeded error."""
+
+    error_key = "dockerhub_rate_limit_exceeded"
+    message_template = (
+        "Your IP address has made too many requests to Docker Hub which activated a rate limit. "
+        "For more details see {dockerhub_rate_limit_url}"
+    )
+    extra_fields = {
+        "dockerhub_rate_limit_url": "https://www.home-assistant.io/more-info/dockerhub-rate-limit"
+    }
+
+    def __init__(self, logger: Callable[..., None] | None = None) -> None:
+        """Raise & log."""
+        super().__init__(None, logger=logger)


 class DockerJobError(DockerError, JobException):
@@ -721,6 +955,20 @@ class StoreNotFound(StoreError):
    """Raise if slug is not known."""


+class StoreAddonNotFoundError(StoreError, APINotFound):
+    """Raise if a requested addon is not in the store."""
+
+    error_key = "store_addon_not_found_error"
+    message_template = "Addon {addon} does not exist in the store"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(None, logger)
+
+
 class StoreJobError(StoreError, JobException):
    """Raise on job error with git."""

@@ -756,7 +1004,7 @@ class BackupJobError(BackupError, JobException):
    """Raise on Backup job error."""


-class BackupFileNotFoundError(BackupError):
+class BackupFileNotFoundError(BackupError, APINotFound):
    """Raise if the backup file hasn't been found."""


@@ -768,6 +1016,55 @@ class BackupFileExistError(BackupError):
    """Raise if the backup file already exists."""


+class AddonBackupMetadataInvalidError(BackupError, APIError):
+    """Raise if invalid metadata file provided for addon in backup."""
+
+    error_key = "addon_backup_metadata_invalid_error"
+    message_template = (
+        "Metadata file for add-on {addon} in backup is invalid: {validation_error}"
+    )
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        addon: str,
+        validation_error: str,
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "validation_error": validation_error}
+        super().__init__(None, logger)
+
+
+class AddonPrePostBackupCommandReturnedError(BackupError, APIError):
+    """Raise when addon's pre/post backup command returns an error."""
+
+    error_key = "addon_pre_post_backup_command_returned_error"
+    message_template = (
+        "Pre-/Post backup command for add-on {addon} returned error code: "
+        "{exit_code}. Please report this to the addon developer. Enable debug "
+        "logging to capture complete command output using {debug_logging_command}"
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str, exit_code: int
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {
+            "addon": addon,
+            "exit_code": exit_code,
+            "debug_logging_command": "ha supervisor options --logging debug",
+        }
+        super().__init__(None, logger)
+
+
+class BackupRestoreUnknownError(BackupError, APIUnknownSupervisorError):
+    """Raise when an unknown error occurs during backup or restore."""
+
+    error_key = "backup_restore_unknown_error"
+    message_template = "An unknown error occurred during backup/restore"
+
+
 # Security


--- a/supervisor/homeassistant/core.py
+++ b/supervisor/homeassistant/core.py
@@ -48,7 +48,7 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)

 SECONDS_BETWEEN_API_CHECKS: Final[int] = 5
 # Core Stage 1 and some wiggle room
-STARTUP_API_RESPONSE_TIMEOUT: Final[timedelta] = timedelta(minutes=3)
+STARTUP_API_RESPONSE_TIMEOUT: Final[timedelta] = timedelta(minutes=10)
 # All stages plus event start timeout and some wiggle rooom
 STARTUP_API_CHECK_RUNNING_TIMEOUT: Final[timedelta] = timedelta(minutes=15)
 # While database migration is running, the timeout will be extended
@@ -428,13 +428,6 @@ class HomeAssistantCore(JobGroup):
        """
        return self.instance.logs()

-    def check_trust(self) -> Awaitable[None]:
-        """Calculate HomeAssistant docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
    async def stats(self) -> DockerStats:
        """Return stats of Home Assistant."""
        try:
--- a/supervisor/homeassistant/module.py
+++ b/supervisor/homeassistant/module.py
@@ -23,6 +23,7 @@ from ..const import (
    ATTR_AUDIO_OUTPUT,
    ATTR_BACKUPS_EXCLUDE_DATABASE,
    ATTR_BOOT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_MESSAGE,
    ATTR_PORT,
@@ -299,6 +300,16 @@ class HomeAssistant(FileConfiguration, CoreSysAttributes):
        """Set whether backups should exclude database by default."""
        self._data[ATTR_BACKUPS_EXCLUDE_DATABASE] = value

+    @property
+    def duplicate_log_file(self) -> bool:
+        """Return True if Home Assistant should duplicate logs to file."""
+        return self._data[ATTR_DUPLICATE_LOG_FILE]
+
+    @duplicate_log_file.setter
+    def duplicate_log_file(self, value: bool) -> None:
+        """Set whether Home Assistant should duplicate logs to file."""
+        self._data[ATTR_DUPLICATE_LOG_FILE] = value
+
    async def load(self) -> None:
        """Prepare Home Assistant object."""
        await asyncio.wait(
--- a/supervisor/homeassistant/validate.py
+++ b/supervisor/homeassistant/validate.py
@@ -10,6 +10,7 @@ from ..const import (
    ATTR_AUDIO_OUTPUT,
    ATTR_BACKUPS_EXCLUDE_DATABASE,
    ATTR_BOOT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_PORT,
    ATTR_REFRESH_TOKEN,
@@ -36,6 +37,7 @@ SCHEMA_HASS_CONFIG = vol.Schema(
        vol.Optional(ATTR_AUDIO_OUTPUT, default=None): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT, default=None): vol.Maybe(str),
        vol.Optional(ATTR_BACKUPS_EXCLUDE_DATABASE, default=False): vol.Boolean(),
+        vol.Optional(ATTR_DUPLICATE_LOG_FILE, default=False): vol.Boolean(),
        vol.Optional(ATTR_OVERRIDE_IMAGE, default=False): vol.Boolean(),
    },
    extra=vol.REMOVE_EXTRA,
--- a/supervisor/host/configuration.py
+++ b/supervisor/host/configuration.py
@@ -6,8 +6,8 @@ import logging
 import socket

 from ..dbus.const import (
+    ConnectionState,
    ConnectionStateFlags,
-    ConnectionStateType,
    DeviceType,
    InterfaceAddrGenMode as NMInterfaceAddrGenMode,
    InterfaceIp6Privacy as NMInterfaceIp6Privacy,
@@ -267,25 +267,47 @@ class Interface:
        return InterfaceMethod.DISABLED

    @staticmethod
-    def _map_nm_addr_gen_mode(addr_gen_mode: int) -> InterfaceAddrGenMode:
-        """Map IPv6 interface addr_gen_mode."""
+    def _map_nm_addr_gen_mode(addr_gen_mode: int | None) -> InterfaceAddrGenMode:
+        """Map IPv6 interface addr_gen_mode.
+
+        NetworkManager omits the addr_gen_mode property when set to DEFAULT, so we
+        treat None as DEFAULT here.
+        """
        mapping = {
            NMInterfaceAddrGenMode.EUI64.value: InterfaceAddrGenMode.EUI64,
            NMInterfaceAddrGenMode.STABLE_PRIVACY.value: InterfaceAddrGenMode.STABLE_PRIVACY,
            NMInterfaceAddrGenMode.DEFAULT_OR_EUI64.value: InterfaceAddrGenMode.DEFAULT_OR_EUI64,
+            NMInterfaceAddrGenMode.DEFAULT.value: InterfaceAddrGenMode.DEFAULT,
+            None: InterfaceAddrGenMode.DEFAULT,
        }

+        if addr_gen_mode not in mapping:
+            _LOGGER.warning(
+                "Unknown addr_gen_mode value from NetworkManager: %s", addr_gen_mode
+            )
+
        return mapping.get(addr_gen_mode, InterfaceAddrGenMode.DEFAULT)

    @staticmethod
-    def _map_nm_ip6_privacy(ip6_privacy: int) -> InterfaceIp6Privacy:
-        """Map IPv6 interface ip6_privacy."""
+    def _map_nm_ip6_privacy(ip6_privacy: int | None) -> InterfaceIp6Privacy:
+        """Map IPv6 interface ip6_privacy.
+
+        NetworkManager omits the ip6_privacy property when set to DEFAULT, so we
+        treat None as DEFAULT here.
+        """
        mapping = {
            NMInterfaceIp6Privacy.DISABLED.value: InterfaceIp6Privacy.DISABLED,
            NMInterfaceIp6Privacy.ENABLED_PREFER_PUBLIC.value: InterfaceIp6Privacy.ENABLED_PREFER_PUBLIC,
            NMInterfaceIp6Privacy.ENABLED.value: InterfaceIp6Privacy.ENABLED,
+            NMInterfaceIp6Privacy.DEFAULT.value: InterfaceIp6Privacy.DEFAULT,
+            None: InterfaceIp6Privacy.DEFAULT,
        }

+        if ip6_privacy not in mapping:
+            _LOGGER.warning(
+                "Unknown ip6_privacy value from NetworkManager: %s", ip6_privacy
+            )
+
        return mapping.get(ip6_privacy, InterfaceIp6Privacy.DEFAULT)

    @staticmethod
@@ -295,8 +317,8 @@ class Interface:
            return False

        return connection.state in (
-            ConnectionStateType.ACTIVATED,
-            ConnectionStateType.ACTIVATING,
+            ConnectionState.ACTIVATED,
+            ConnectionState.ACTIVATING,
        )

    @staticmethod
--- a/supervisor/host/network.py
+++ b/supervisor/host/network.py
@@ -16,7 +16,7 @@ from ..dbus.const import (
    DBUS_IFACE_DNS,
    DBUS_IFACE_NM,
    DBUS_SIGNAL_NM_CONNECTION_ACTIVE_CHANGED,
-    ConnectionStateType,
+    ConnectionState,
    ConnectivityState,
    DeviceType,
    WirelessMethodType,
@@ -338,16 +338,16 @@ class NetworkManager(CoreSysAttributes):
                # the state change before this point. Get the state currently to
                # avoid any race condition.
                await con.update()
-                state: ConnectionStateType = con.state
+                state: ConnectionState = con.state

-                while state != ConnectionStateType.ACTIVATED:
-                    if state == ConnectionStateType.DEACTIVATED:
+                while state != ConnectionState.ACTIVATED:
+                    if state == ConnectionState.DEACTIVATED:
                        raise HostNetworkError(
                            "Activating connection failed, check connection settings."
                        )

                    msg = await signal.wait_for_signal()
-                    state = msg[0]
+                    state = ConnectionState(msg[0])
                    _LOGGER.debug("Active connection state changed to %s", state)

        # update_only means not done by user so don't force a check afterwards
--- a/supervisor/jobs/init.py
+++ b/supervisor/jobs/init.py
@@ -9,7 +9,7 @@ from contextvars import Context, ContextVar, Token
 from dataclasses import dataclass
 from datetime import datetime
 import logging
-from typing import Any, Self
+from typing import Any, Self, cast
 from uuid import uuid4

 from attr.validators import gt, lt
@@ -98,15 +98,21 @@ class SupervisorJobError:
    """Representation of an error occurring during a supervisor job."""

    type_: type[HassioError] = HassioError
-    message: str = "Unknown error, see supervisor logs"
+    message: str = (
+        "Unknown error, see Supervisor logs (check with 'ha supervisor logs')"
+    )
    stage: str | None = None
+    error_key: str | None = None
+    extra_fields: dict[str, Any] | None = None

-    def as_dict(self) -> dict[str, str | None]:
+    def as_dict(self) -> dict[str, Any]:
        """Return dictionary representation."""
        return {
            "type": self.type_.__name__,
            "message": self.message,
            "stage": self.stage,
+            "error_key": self.error_key,
+            "extra_fields": self.extra_fields,
        }


@@ -156,7 +162,9 @@ class SupervisorJob:
    def capture_error(self, err: HassioError | None = None) -> None:
        """Capture an error or record that an unknown error has occurred."""
        if err:
-            new_error = SupervisorJobError(type(err), str(err), self.stage)
+            new_error = SupervisorJobError(
+                type(err), str(err), self.stage, err.error_key, err.extra_fields
+            )
        else:
            new_error = SupervisorJobError(stage=self.stage)
        self.errors += [new_error]
@@ -194,7 +202,7 @@ class SupervisorJob:
        self,
        progress: float | None = None,
        stage: str | None = None,
-        extra: dict[str, Any] | None = DEFAULT,  # type: ignore
+        extra: dict[str, Any] | None | type[DEFAULT] = DEFAULT,
        done: bool | None = None,
    ) -> None:
        """Update multiple fields with one on change event."""
@@ -205,8 +213,8 @@ class SupervisorJob:
            self.progress = progress
        if stage is not None:
            self.stage = stage
-        if extra != DEFAULT:
-            self.extra = extra
+        if extra is not DEFAULT:
+            self.extra = cast(dict[str, Any] | None, extra)

        # Done has special event. use that to trigger on change if included
        # If not then just use any other field to trigger
@@ -304,19 +312,21 @@ class JobManager(FileConfiguration, CoreSysAttributes):
        reference: str | None = None,
        initial_stage: str | None = None,
        internal: bool = False,
-        parent_id: str | None = DEFAULT,  # type: ignore
+        parent_id: str | None | type[DEFAULT] = DEFAULT,
        child_job_syncs: list[ChildJobSyncFilter] | None = None,
    ) -> SupervisorJob:
        """Create a new job."""
-        job = SupervisorJob(
-            name,
-            reference=reference,
-            stage=initial_stage,
-            on_change=self._on_job_change,
-            internal=internal,
-            child_job_syncs=child_job_syncs,
-            **({} if parent_id == DEFAULT else {"parent_id": parent_id}),  # type: ignore
-        )
+        kwargs: dict[str, Any] = {
+            "reference": reference,
+            "stage": initial_stage,
+            "on_change": self._on_job_change,
+            "internal": internal,
+            "child_job_syncs": child_job_syncs,
+        }
+        if parent_id is not DEFAULT:
+            kwargs["parent_id"] = parent_id
+
+        job = SupervisorJob(name, **kwargs)

        # Shouldn't happen but inability to find a parent for progress reporting
        # shouldn't raise and break the active job
@@ -327,6 +337,17 @@ class JobManager(FileConfiguration, CoreSysAttributes):
                if not curr_parent.child_job_syncs:
                    continue

+                # HACK: If parent trigger the same child job, we just skip this second
+                # sync. Maybe it would be better to have this reflected in the job stage
+                # and reset progress to 0 instead? There is no support for such stage
+                # information on Core update entities today though.
+                if curr_parent.done is True or curr_parent.progress >= 100:
+                    _LOGGER.debug(
+                        "Skipping parent job sync for done parent job %s",
+                        curr_parent.name,
+                    )
+                    continue
+
                # Break after first match at each parent as it doesn't make sense
                # to match twice. But it could match multiple parents
                for sync in curr_parent.child_job_syncs:
--- a/supervisor/jobs/const.py
+++ b/supervisor/jobs/const.py
@@ -34,6 +34,7 @@ class JobCondition(StrEnum):
    PLUGINS_UPDATED = "plugins_updated"
    RUNNING = "running"
    SUPERVISOR_UPDATED = "supervisor_updated"
+    ARCHITECTURE_SUPPORTED = "architecture_supported"


 class JobConcurrency(StrEnum):
--- a/supervisor/jobs/decorator.py
+++ b/supervisor/jobs/decorator.py
@@ -441,6 +441,14 @@ class Job(CoreSysAttributes):
            raise JobConditionException(
                f"'{method_name}' blocked from execution, supervisor needs to be updated first"
            )
+        if (
+            JobCondition.ARCHITECTURE_SUPPORTED in used_conditions
+            and UnsupportedReason.SYSTEM_ARCHITECTURE
+            in coresys.sys_resolution.unsupported
+        ):
+            raise JobConditionException(
+                f"'{method_name}' blocked from execution, unsupported system architecture"
+            )

        if JobCondition.PLUGINS_UPDATED in used_conditions and (
            out_of_date := [
--- a/supervisor/misc/filter.py
+++ b/supervisor/misc/filter.py
@@ -64,6 +64,19 @@ def filter_data(coresys: CoreSys, event: Event, hint: Hint) -> Event | None:

    # Not full startup - missing information
    if coresys.core.state in (CoreState.INITIALIZE, CoreState.SETUP):
+        # During SETUP, we have basic system info available for better debugging
+        if coresys.core.state == CoreState.SETUP:
+            event.setdefault("contexts", {}).update(
+                {
+                    "versions": {
+                        "docker": coresys.docker.info.version,
+                        "supervisor": coresys.supervisor.version,
+                    },
+                    "host": {
+                        "machine": coresys.machine,
+                    },
+                }
+            )
        return event

    # List installed addons
--- a/supervisor/misc/tasks.py
+++ b/supervisor/misc/tasks.py
@@ -1,5 +1,6 @@
 """A collection of tasks."""

+from contextlib import suppress
 from datetime import datetime, timedelta
 import logging
 from typing import cast
@@ -13,6 +14,7 @@ from ..exceptions import (
    BackupFileNotFoundError,
    HomeAssistantError,
    ObserverError,
+    SupervisorUpdateError,
 )
 from ..homeassistant.const import LANDINGPAGE, WSType
 from ..jobs.const import JobConcurrency
@@ -161,6 +163,7 @@ class Tasks(CoreSysAttributes):
            JobCondition.INTERNET_HOST,
            JobCondition.OS_SUPPORTED,
            JobCondition.RUNNING,
+            JobCondition.ARCHITECTURE_SUPPORTED,
        ],
        concurrency=JobConcurrency.REJECT,
    )
@@ -173,7 +176,11 @@ class Tasks(CoreSysAttributes):
            "Found new Supervisor version %s, updating",
            self.sys_supervisor.latest_version,
        )
-        await self.sys_supervisor.update()
+
+        # Errors are logged by the exceptions, we can't really do something
+        # if an update fails here.
+        with suppress(SupervisorUpdateError):
+            await self.sys_supervisor.update()

    async def _watchdog_homeassistant_api(self):
        """Create scheduler task for monitoring running state of API.
--- a/supervisor/mounts/mount.py
+++ b/supervisor/mounts/mount.py
@@ -135,7 +135,7 @@ class Mount(CoreSysAttributes, ABC):
    @property
    def state(self) -> UnitActiveState | None:
        """Get state of mount."""
-        return self._state
+        return UnitActiveState(self._state) if self._state is not None else None

    @cached_property
    def local_where(self) -> Path:
--- a/supervisor/plugins/base.py
+++ b/supervisor/plugins/base.py
@@ -76,13 +76,6 @@ class PluginBase(ABC, FileConfiguration, CoreSysAttributes):
        """Return True if a task is in progress."""
        return self.instance.in_progress

-    def check_trust(self) -> Awaitable[None]:
-        """Calculate plugin docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
    def logs(self) -> Awaitable[bytes]:
        """Get docker plugin logs.

--- a/supervisor/plugins/const.py
+++ b/supervisor/plugins/const.py
@@ -23,4 +23,5 @@ PLUGIN_UPDATE_CONDITIONS = [
    JobCondition.HEALTHY,
    JobCondition.INTERNET_HOST,
    JobCondition.SUPERVISOR_UPDATED,
+    JobCondition.ARCHITECTURE_SUPPORTED,
 ]
--- a/supervisor/resolution/checks/network_interface_ipv4.py
+++ b/supervisor/resolution/checks/network_interface_ipv4.py
@@ -2,7 +2,7 @@

 from ...const import CoreState
 from ...coresys import CoreSys
-from ...dbus.const import ConnectionStateFlags, ConnectionStateType
+from ...dbus.const import ConnectionState, ConnectionStateFlags
 from ...dbus.network.interface import NetworkInterface
 from ...exceptions import NetworkInterfaceNotFound
 from ..const import ContextType, IssueType
@@ -47,7 +47,7 @@ class CheckNetworkInterfaceIPV4(CheckBase):

        return not (
            interface.connection.state
-            in [ConnectionStateType.ACTIVATED, ConnectionStateType.ACTIVATING]
+            in [ConnectionState.ACTIVATED, ConnectionState.ACTIVATING]
            and ConnectionStateFlags.IP4_READY in interface.connection.state_flags
        )

--- a/supervisor/resolution/checks/supervisor_trust.py
+++ b/supervisor/resolution/checks/supervisor_trust.py
@@ -1,59 +0,0 @@
-"""Helpers to check supervisor trust."""
-
-import logging
-
-from ...const import CoreState
-from ...coresys import CoreSys
-from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
-from ..const import ContextType, IssueType, UnhealthyReason
-from .base import CheckBase
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-
-def setup(coresys: CoreSys) -> CheckBase:
-    """Check setup function."""
-    return CheckSupervisorTrust(coresys)
-
-
-class CheckSupervisorTrust(CheckBase):
-    """CheckSystemTrust class for check."""
-
-    async def run_check(self) -> None:
-        """Run check if not affected by issue."""
-        if not self.sys_security.content_trust:
-            _LOGGER.warning(
-                "Skipping %s, content_trust is globally disabled", self.slug
-            )
-            return
-
-        try:
-            await self.sys_supervisor.check_trust()
-        except CodeNotaryUntrusted:
-            self.sys_resolution.add_unhealthy_reason(UnhealthyReason.UNTRUSTED)
-            self.sys_resolution.create_issue(IssueType.TRUST, ContextType.SUPERVISOR)
-        except CodeNotaryError:
-            pass
-
-    async def approve_check(self, reference: str | None = None) -> bool:
-        """Approve check if it is affected by issue."""
-        try:
-            await self.sys_supervisor.check_trust()
-        except CodeNotaryError:
-            return True
-        return False
-
-    @property
-    def issue(self) -> IssueType:
-        """Return a IssueType enum."""
-        return IssueType.TRUST
-
-    @property
-    def context(self) -> ContextType:
-        """Return a ContextType enum."""
-        return ContextType.SUPERVISOR
-
-    @property
-    def states(self) -> list[CoreState]:
-        """Return a list of valid states when this check can run."""
-        return [CoreState.RUNNING, CoreState.STARTUP]
--- a/supervisor/resolution/const.py
+++ b/supervisor/resolution/const.py
@@ -39,7 +39,6 @@ class UnsupportedReason(StrEnum):
    APPARMOR = "apparmor"
    CGROUP_VERSION = "cgroup_version"
    CONNECTIVITY_CHECK = "connectivity_check"
-    CONTENT_TRUST = "content_trust"
    DBUS = "dbus"
    DNS_SERVER = "dns_server"
    DOCKER_CONFIGURATION = "docker_configuration"
@@ -54,12 +53,12 @@ class UnsupportedReason(StrEnum):
    PRIVILEGED = "privileged"
    RESTART_POLICY = "restart_policy"
    SOFTWARE = "software"
-    SOURCE_MODS = "source_mods"
    SUPERVISOR_VERSION = "supervisor_version"
    SYSTEMD = "systemd"
    SYSTEMD_JOURNAL = "systemd_journal"
    SYSTEMD_RESOLVED = "systemd_resolved"
    VIRTUALIZATION_IMAGE = "virtualization_image"
+    SYSTEM_ARCHITECTURE = "system_architecture"


 class UnhealthyReason(StrEnum):
@@ -103,7 +102,6 @@ class IssueType(StrEnum):
    PWNED = "pwned"
    REBOOT_REQUIRED = "reboot_required"
    SECURITY = "security"
-    TRUST = "trust"
    UPDATE_FAILED = "update_failed"
    UPDATE_ROLLBACK = "update_rollback"

@@ -115,7 +113,6 @@ class SuggestionType(StrEnum):
    CLEAR_FULL_BACKUP = "clear_full_backup"
    CREATE_FULL_BACKUP = "create_full_backup"
    DISABLE_BOOT = "disable_boot"
-    EXECUTE_INTEGRITY = "execute_integrity"
    EXECUTE_REBOOT = "execute_reboot"
    EXECUTE_REBUILD = "execute_rebuild"
    EXECUTE_RELOAD = "execute_reload"
--- a/supervisor/resolution/evaluate.py
+++ b/supervisor/resolution/evaluate.py
@@ -13,7 +13,6 @@ from .validate import get_valid_modules
 _LOGGER: logging.Logger = logging.getLogger(__name__)

 UNHEALTHY = [
-    UnsupportedReason.DOCKER_VERSION,
    UnsupportedReason.LXC,
    UnsupportedReason.PRIVILEGED,
 ]
--- a/supervisor/resolution/evaluations/container.py
+++ b/supervisor/resolution/evaluations/container.py
@@ -74,7 +74,9 @@ class EvaluateContainer(EvaluateBase):
        self._images.clear()

        try:
-            containers = await self.sys_run_in_executor(self.sys_docker.containers.list)
+            containers = await self.sys_run_in_executor(
+                self.sys_docker.containers_legacy.list
+            )
        except (DockerException, RequestException) as err:
            _LOGGER.error("Corrupt docker overlayfs detect: %s", err)
            self.sys_resolution.create_issue(
--- a/supervisor/resolution/evaluations/operating_system.py
+++ b/supervisor/resolution/evaluations/operating_system.py
@@ -5,8 +5,6 @@ from ...coresys import CoreSys
 from ..const import UnsupportedReason
 from .base import EvaluateBase

-SUPPORTED_OS = ["Debian GNU/Linux 12 (bookworm)"]
-

 def setup(coresys: CoreSys) -> EvaluateBase:
    """Initialize evaluation-setup function."""
@@ -33,6 +31,4 @@ class EvaluateOperatingSystem(EvaluateBase):

    async def evaluate(self) -> bool:
        """Run evaluation."""
-        if self.sys_os.available:
-            return False
-        return self.sys_host.info.operating_system not in SUPPORTED_OS
+        return not self.sys_os.available
--- a/supervisor/resolution/evaluations/source_mods.py
+++ b/supervisor/resolution/evaluations/source_mods.py
@@ -1,72 +0,0 @@
-"""Evaluation class for Content Trust."""
-
-import errno
-import logging
-from pathlib import Path
-
-from ...const import CoreState
-from ...coresys import CoreSys
-from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
-from ...utils.codenotary import calc_checksum_path_sourcecode
-from ..const import ContextType, IssueType, UnhealthyReason, UnsupportedReason
-from .base import EvaluateBase
-
-_SUPERVISOR_SOURCE = Path("/usr/src/supervisor/supervisor")
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-
-def setup(coresys: CoreSys) -> EvaluateBase:
-    """Initialize evaluation-setup function."""
-    return EvaluateSourceMods(coresys)
-
-
-class EvaluateSourceMods(EvaluateBase):
-    """Evaluate supervisor source modifications."""
-
-    @property
-    def reason(self) -> UnsupportedReason:
-        """Return a UnsupportedReason enum."""
-        return UnsupportedReason.SOURCE_MODS
-
-    @property
-    def on_failure(self) -> str:
-        """Return a string that is printed when self.evaluate is True."""
-        return "System detect unauthorized source code modifications."
-
-    @property
-    def states(self) -> list[CoreState]:
-        """Return a list of valid states when this evaluation can run."""
-        return [CoreState.RUNNING]
-
-    async def evaluate(self) -> bool:
-        """Run evaluation."""
-        if not self.sys_security.content_trust:
-            _LOGGER.warning("Disabled content-trust, skipping evaluation")
-            return False
-
-        # Calculate sume of the sourcecode
-        try:
-            checksum = await self.sys_run_in_executor(
-                calc_checksum_path_sourcecode, _SUPERVISOR_SOURCE
-            )
-        except OSError as err:
-            if err.errno == errno.EBADMSG:
-                self.sys_resolution.add_unhealthy_reason(
-                    UnhealthyReason.OSERROR_BAD_MESSAGE
-                )
-
-            self.sys_resolution.create_issue(
-                IssueType.CORRUPT_FILESYSTEM, ContextType.SYSTEM
-            )
-            _LOGGER.error("Can't calculate checksum of source code: %s", err)
-            return False
-
-        # Validate checksum
-        try:
-            await self.sys_security.verify_own_content(checksum)
-        except CodeNotaryUntrusted:
-            return True
-        except CodeNotaryError:
-            pass
-
-        return False
--- a/supervisor/resolution/evaluations/system_architecture.py
+++ b/supervisor/resolution/evaluations/system_architecture.py
@@ -1,4 +1,4 @@
-"""Evaluation class for Content Trust."""
+"""Evaluation class for system architecture support."""

 from ...const import CoreState
 from ...coresys import CoreSys
@@ -8,27 +8,31 @@ from .base import EvaluateBase

 def setup(coresys: CoreSys) -> EvaluateBase:
    """Initialize evaluation-setup function."""
-    return EvaluateContentTrust(coresys)
+    return EvaluateSystemArchitecture(coresys)


-class EvaluateContentTrust(EvaluateBase):
-    """Evaluate system content trust level."""
+class EvaluateSystemArchitecture(EvaluateBase):
+    """Evaluate if the current Supervisor architecture is supported."""

    @property
    def reason(self) -> UnsupportedReason:
        """Return a UnsupportedReason enum."""
-        return UnsupportedReason.CONTENT_TRUST
+        return UnsupportedReason.SYSTEM_ARCHITECTURE

    @property
    def on_failure(self) -> str:
        """Return a string that is printed when self.evaluate is True."""
-        return "System run with disabled trusted content security."
+        return "System architecture is no longer supported. Move to a supported system architecture."

    @property
    def states(self) -> list[CoreState]:
        """Return a list of valid states when this evaluation can run."""
-        return [CoreState.INITIALIZE, CoreState.SETUP, CoreState.RUNNING]
+        return [CoreState.INITIALIZE]

-    async def evaluate(self) -> bool:
+    async def evaluate(self):
        """Run evaluation."""
-        return not self.sys_security.content_trust
+        return self.sys_host.info.sys_arch.supervisor in {
+            "i386",
+            "armhf",
+            "armv7",
+        }
--- a/supervisor/resolution/fixups/system_execute_integrity.py
+++ b/supervisor/resolution/fixups/system_execute_integrity.py
@@ -1,67 +0,0 @@
-"""Helpers to check and fix issues with free space."""
-
-from datetime import timedelta
-import logging
-
-from ...coresys import CoreSys
-from ...exceptions import ResolutionFixupError, ResolutionFixupJobError
-from ...jobs.const import JobCondition, JobThrottle
-from ...jobs.decorator import Job
-from ...security.const import ContentTrustResult
-from ..const import ContextType, IssueType, SuggestionType
-from .base import FixupBase
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-
-def setup(coresys: CoreSys) -> FixupBase:
-    """Check setup function."""
-    return FixupSystemExecuteIntegrity(coresys)
-
-
-class FixupSystemExecuteIntegrity(FixupBase):
-    """Storage class for fixup."""
-
-    @Job(
-        name="fixup_system_execute_integrity_process",
-        conditions=[JobCondition.INTERNET_SYSTEM],
-        on_condition=ResolutionFixupJobError,
-        throttle_period=timedelta(hours=8),
-        throttle=JobThrottle.THROTTLE,
-    )
-    async def process_fixup(self, reference: str | None = None) -> None:
-        """Initialize the fixup class."""
-        result = await self.sys_security.integrity_check()
-
-        if ContentTrustResult.FAILED in (result.core, result.supervisor):
-            raise ResolutionFixupError()
-
-        for plugin in result.plugins:
-            if plugin != ContentTrustResult.FAILED:
-                continue
-            raise ResolutionFixupError()
-
-        for addon in result.addons:
-            if addon != ContentTrustResult.FAILED:
-                continue
-            raise ResolutionFixupError()
-
-    @property
-    def suggestion(self) -> SuggestionType:
-        """Return a SuggestionType enum."""
-        return SuggestionType.EXECUTE_INTEGRITY
-
-    @property
-    def context(self) -> ContextType:
-        """Return a ContextType enum."""
-        return ContextType.SYSTEM
-
-    @property
-    def issues(self) -> list[IssueType]:
-        """Return a IssueType enum list."""
-        return [IssueType.TRUST]
-
-    @property
-    def auto(self) -> bool:
-        """Return if a fixup can be apply as auto fix."""
-        return True
--- a/supervisor/security/const.py
+++ b/supervisor/security/const.py
@@ -1,24 +0,0 @@
-"""Security constants."""
-
-from enum import StrEnum
-
-import attr
-
-
-class ContentTrustResult(StrEnum):
-    """Content trust result enum."""
-
-    PASS = "pass"
-    ERROR = "error"
-    FAILED = "failed"
-    UNTESTED = "untested"
-
-
-@attr.s
-class IntegrityResult:
-    """Result of a full integrity check."""
-
-    supervisor: ContentTrustResult = attr.ib(default=ContentTrustResult.UNTESTED)
-    core: ContentTrustResult = attr.ib(default=ContentTrustResult.UNTESTED)
-    plugins: dict[str, ContentTrustResult] = attr.ib(default={})
-    addons: dict[str, ContentTrustResult] = attr.ib(default={})
--- a/supervisor/security/module.py
+++ b/supervisor/security/module.py
@@ -4,27 +4,12 @@ from __future__ import annotations

 import logging

-from ..const import (
-    ATTR_CONTENT_TRUST,
-    ATTR_FORCE_SECURITY,
-    ATTR_PWNED,
-    FILE_HASSIO_SECURITY,
-)
+from ..const import ATTR_FORCE_SECURITY, ATTR_PWNED, FILE_HASSIO_SECURITY
 from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
-    PwnedError,
-    SecurityJobError,
-)
-from ..jobs.const import JobConcurrency
-from ..jobs.decorator import Job, JobCondition
-from ..resolution.const import ContextType, IssueType, SuggestionType
-from ..utils.codenotary import cas_validate
+from ..exceptions import PwnedError
 from ..utils.common import FileConfiguration
 from ..utils.pwned import check_pwned_password
 from ..validate import SCHEMA_SECURITY_CONFIG
-from .const import ContentTrustResult, IntegrityResult

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -37,16 +22,6 @@ class Security(FileConfiguration, CoreSysAttributes):
        super().__init__(FILE_HASSIO_SECURITY, SCHEMA_SECURITY_CONFIG)
        self.coresys = coresys

-    @property
-    def content_trust(self) -> bool:
-        """Return if content trust is enabled/disabled."""
-        return self._data[ATTR_CONTENT_TRUST]
-
-    @content_trust.setter
-    def content_trust(self, value: bool) -> None:
-        """Set content trust is enabled/disabled."""
-        self._data[ATTR_CONTENT_TRUST] = value
-
    @property
    def force(self) -> bool:
        """Return if force security is enabled/disabled."""
@@ -67,30 +42,6 @@ class Security(FileConfiguration, CoreSysAttributes):
        """Set pwned is enabled/disabled."""
        self._data[ATTR_PWNED] = value

-    async def verify_content(self, signer: str, checksum: str) -> None:
-        """Verify content on CAS."""
-        if not self.content_trust:
-            _LOGGER.warning("Disabled content-trust, skip validation")
-            return
-
-        try:
-            await cas_validate(signer, checksum)
-        except CodeNotaryUntrusted:
-            raise
-        except CodeNotaryError:
-            if self.force:
-                raise
-            self.sys_resolution.create_issue(
-                IssueType.TRUST,
-                ContextType.SYSTEM,
-                suggestions=[SuggestionType.EXECUTE_INTEGRITY],
-            )
-            return
-
-    async def verify_own_content(self, checksum: str) -> None:
-        """Verify content from HA org."""
-        return await self.verify_content("notary@home-assistant.io", checksum)
-
    async def verify_secret(self, pwned_hash: str) -> None:
        """Verify pwned state of a secret."""
        if not self.pwned:
@@ -103,73 +54,3 @@ class Security(FileConfiguration, CoreSysAttributes):
            if self.force:
                raise
            return
-
-    @Job(
-        name="security_manager_integrity_check",
-        conditions=[JobCondition.INTERNET_SYSTEM],
-        on_condition=SecurityJobError,
-        concurrency=JobConcurrency.REJECT,
-    )
-    async def integrity_check(self) -> IntegrityResult:
-        """Run a full system integrity check of the platform.
-
-        We only allow to install trusted content.
-        This is a out of the band manual check.
-        """
-        result: IntegrityResult = IntegrityResult()
-        if not self.content_trust:
-            _LOGGER.warning(
-                "Skipping integrity check, content_trust is globally disabled"
-            )
-            return result
-
-        # Supervisor
-        try:
-            await self.sys_supervisor.check_trust()
-            result.supervisor = ContentTrustResult.PASS
-        except CodeNotaryUntrusted:
-            result.supervisor = ContentTrustResult.ERROR
-            self.sys_resolution.create_issue(IssueType.TRUST, ContextType.SUPERVISOR)
-        except CodeNotaryError:
-            result.supervisor = ContentTrustResult.FAILED
-
-        # Core
-        try:
-            await self.sys_homeassistant.core.check_trust()
-            result.core = ContentTrustResult.PASS
-        except CodeNotaryUntrusted:
-            result.core = ContentTrustResult.ERROR
-            self.sys_resolution.create_issue(IssueType.TRUST, ContextType.CORE)
-        except CodeNotaryError:
-            result.core = ContentTrustResult.FAILED
-
-        # Plugins
-        for plugin in self.sys_plugins.all_plugins:
-            try:
-                await plugin.check_trust()
-                result.plugins[plugin.slug] = ContentTrustResult.PASS
-            except CodeNotaryUntrusted:
-                result.plugins[plugin.slug] = ContentTrustResult.ERROR
-                self.sys_resolution.create_issue(
-                    IssueType.TRUST, ContextType.PLUGIN, reference=plugin.slug
-                )
-            except CodeNotaryError:
-                result.plugins[plugin.slug] = ContentTrustResult.FAILED
-
-        # Add-ons
-        for addon in self.sys_addons.installed:
-            if not addon.signed:
-                result.addons[addon.slug] = ContentTrustResult.UNTESTED
-                continue
-            try:
-                await addon.check_trust()
-                result.addons[addon.slug] = ContentTrustResult.PASS
-            except CodeNotaryUntrusted:
-                result.addons[addon.slug] = ContentTrustResult.ERROR
-                self.sys_resolution.create_issue(
-                    IssueType.TRUST, ContextType.ADDON, reference=addon.slug
-                )
-            except CodeNotaryError:
-                result.addons[addon.slug] = ContentTrustResult.FAILED
-
-        return result
--- a/supervisor/store/git.py
+++ b/supervisor/store/git.py
@@ -183,19 +183,22 @@ class GitRepo(CoreSysAttributes):
                raise StoreGitError() from err

            try:
-                branch = self.repo.active_branch.name
+                repo = self.repo

-                # Download data
-                await self.sys_run_in_executor(
-                    ft.partial(
-                        self.repo.remotes.origin.fetch,
-                        **{"update-shallow": True, "depth": 1},  # type: ignore
+                def _fetch_and_check() -> tuple[str, bool]:
+                    """Fetch from origin and check if changed."""
+                    # This property access is I/O bound
+                    branch = repo.active_branch.name
+                    repo.remotes.origin.fetch(
+                        **{"update-shallow": True, "depth": 1}  # type: ignore[arg-type]
                    )
-                )
+                    changed = repo.commit(branch) != repo.commit(f"origin/{branch}")
+                    return branch, changed

-                if changed := self.repo.commit(branch) != self.repo.commit(
-                    f"origin/{branch}"
-                ):
+                # Download data and check for changes
+                branch, changed = await self.sys_run_in_executor(_fetch_and_check)
+
+                if changed:
                    # Jump on top of that
                    await self.sys_run_in_executor(
                        ft.partial(self.repo.git.reset, f"origin/{branch}", hard=True)
@@ -224,6 +227,7 @@ class GitRepo(CoreSysAttributes):
                git.CommandError,
                ValueError,
                AssertionError,
+                AttributeError,
                UnicodeDecodeError,
            ) as err:
                _LOGGER.error("Can't update %s repo: %s.", self.url, err)
--- a/supervisor/supervisor.py
+++ b/supervisor/supervisor.py
@@ -25,19 +25,16 @@ from .coresys import CoreSys, CoreSysAttributes
 from .docker.stats import DockerStats
 from .docker.supervisor import DockerSupervisor
 from .exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
    DockerError,
    HostAppArmorError,
    SupervisorAppArmorError,
-    SupervisorError,
    SupervisorJobError,
+    SupervisorUnknownError,
    SupervisorUpdateError,
 )
 from .jobs.const import JobCondition, JobThrottle
 from .jobs.decorator import Job
 from .resolution.const import ContextType, IssueType, UnhealthyReason
-from .utils.codenotary import calc_checksum
 from .utils.sentry import async_capture_exception

 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -150,20 +147,6 @@ class Supervisor(CoreSysAttributes):
                _LOGGER.error,
            ) from err

-        # Validate
-        try:
-            await self.sys_security.verify_own_content(calc_checksum(data))
-        except CodeNotaryUntrusted as err:
-            raise SupervisorAppArmorError(
-                "Content-Trust is broken for the AppArmor profile fetch!",
-                _LOGGER.critical,
-            ) from err
-        except CodeNotaryError as err:
-            raise SupervisorAppArmorError(
-                f"CodeNotary error while processing AppArmor fetch: {err!s}",
-                _LOGGER.error,
-            ) from err
-
        # Load
        temp_dir: TemporaryDirectory | None = None

@@ -273,19 +256,12 @@ class Supervisor(CoreSysAttributes):
        """
        return self.instance.logs()

-    def check_trust(self) -> Awaitable[None]:
-        """Calculate Supervisor docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
    async def stats(self) -> DockerStats:
        """Return stats of Supervisor."""
        try:
            return await self.instance.stats()
        except DockerError as err:
-            raise SupervisorError() from err
+            raise SupervisorUnknownError() from err

    async def repair(self):
        """Repair local Supervisor data."""
--- a/supervisor/updater.py
+++ b/supervisor/updater.py
@@ -31,14 +31,8 @@ from .const import (
    UpdateChannel,
 )
 from .coresys import CoreSys, CoreSysAttributes
-from .exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
-    UpdaterError,
-    UpdaterJobError,
-)
+from .exceptions import UpdaterError, UpdaterJobError
 from .jobs.decorator import Job, JobCondition
-from .utils.codenotary import calc_checksum
 from .utils.common import FileConfiguration
 from .validate import SCHEMA_UPDATER_CONFIG

@@ -248,9 +242,10 @@ class Updater(FileConfiguration, CoreSysAttributes):
    @Job(
        name="updater_fetch_data",
        conditions=[
+            JobCondition.ARCHITECTURE_SUPPORTED,
            JobCondition.INTERNET_SYSTEM,
-            JobCondition.OS_SUPPORTED,
            JobCondition.HOME_ASSISTANT_CORE_SUPPORTED,
+            JobCondition.OS_SUPPORTED,
        ],
        on_condition=UpdaterJobError,
        throttle_period=timedelta(seconds=30),
@@ -289,19 +284,6 @@ class Updater(FileConfiguration, CoreSysAttributes):
            self.sys_bus.remove_listener(self._connectivity_listener)
            self._connectivity_listener = None

-        # Validate
-        try:
-            await self.sys_security.verify_own_content(calc_checksum(data))
-        except CodeNotaryUntrusted as err:
-            raise UpdaterError(
-                "Content-Trust is broken for the version file fetch!", _LOGGER.critical
-            ) from err
-        except CodeNotaryError as err:
-            raise UpdaterError(
-                f"CodeNotary error while processing version fetch: {err!s}",
-                _LOGGER.error,
-            ) from err
-
        # Parse data
        try:
            data = json.loads(data)
--- a/supervisor/utils/codenotary.py
+++ b/supervisor/utils/codenotary.py
@@ -1,109 +0,0 @@
-"""Small wrapper for CodeNotary."""
-
-from __future__ import annotations
-
-import asyncio
-import hashlib
-import json
-import logging
-from pathlib import Path
-import shlex
-from typing import Final
-
-from dirhash import dirhash
-
-from ..exceptions import CodeNotaryBackendError, CodeNotaryError, CodeNotaryUntrusted
-from . import clean_env
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-_CAS_CMD: str = (
-    "cas authenticate --signerID {signer} --silent --output json --hash {sum}"
-)
-_CACHE: set[tuple[str, str]] = set()
-
-
-_ATTR_ERROR: Final = "error"
-_ATTR_STATUS: Final = "status"
-_FALLBACK_ERROR: Final = "Unknown CodeNotary backend issue"
-
-
-def calc_checksum(data: str | bytes) -> str:
-    """Generate checksum for CodeNotary."""
-    if isinstance(data, str):
-        return hashlib.sha256(data.encode()).hexdigest()
-    return hashlib.sha256(data).hexdigest()
-
-
-def calc_checksum_path_sourcecode(folder: Path) -> str:
-    """Calculate checksum for a path source code.
-
-    Need catch OSError.
-    """
-    return dirhash(folder.as_posix(), "sha256", match=["*.py"])
-
-
-# pylint: disable=unreachable
-async def cas_validate(
-    signer: str,
-    checksum: str,
-) -> None:
-    """Validate data against CodeNotary."""
-    return
-    if (checksum, signer) in _CACHE:
-        return
-
-    # Generate command for request
-    command = shlex.split(_CAS_CMD.format(signer=signer, sum=checksum))
-
-    # Request notary authorization
-    _LOGGER.debug("Send cas command: %s", command)
-    try:
-        proc = await asyncio.create_subprocess_exec(
-            *command,
-            stdin=asyncio.subprocess.DEVNULL,
-            stdout=asyncio.subprocess.PIPE,
-            stderr=asyncio.subprocess.PIPE,
-            env=clean_env(),
-        )
-
-        async with asyncio.timeout(15):
-            data, error = await proc.communicate()
-    except TimeoutError:
-        raise CodeNotaryBackendError(
-            "Timeout while processing CodeNotary", _LOGGER.warning
-        ) from None
-    except OSError as err:
-        raise CodeNotaryError(
-            f"CodeNotary fatal error: {err!s}", _LOGGER.critical
-        ) from err
-
-    # Check if Notarized
-    if proc.returncode != 0 and not data:
-        if error:
-            try:
-                error = error.decode("utf-8")
-            except UnicodeDecodeError as err:
-                raise CodeNotaryBackendError(_FALLBACK_ERROR, _LOGGER.warning) from err
-            if "not notarized" in error:
-                raise CodeNotaryUntrusted()
-        else:
-            error = _FALLBACK_ERROR
-        raise CodeNotaryBackendError(error, _LOGGER.warning)
-
-    # Parse data
-    try:
-        data_json = json.loads(data)
-        _LOGGER.debug("CodeNotary response with: %s", data_json)
-    except (json.JSONDecodeError, UnicodeDecodeError) as err:
-        raise CodeNotaryError(
-            f"Can't parse CodeNotary output: {data!s} - {err!s}", _LOGGER.error
-        ) from err
-
-    if _ATTR_ERROR in data_json:
-        raise CodeNotaryBackendError(data_json[_ATTR_ERROR], _LOGGER.warning)
-
-    if data_json[_ATTR_STATUS] == 0:
-        _CACHE.add((checksum, signer))
-    else:
-        raise CodeNotaryUntrusted()
--- a/supervisor/utils/dbus.py
+++ b/supervisor/utils/dbus.py
@@ -7,13 +7,7 @@ from collections.abc import Awaitable, Callable
 import logging
 from typing import Any, Protocol, cast

-from dbus_fast import (
-    ErrorType,
-    InvalidIntrospectionError,
-    Message,
-    MessageType,
-    Variant,
-)
+from dbus_fast import ErrorType, InvalidIntrospectionError, Message, MessageType
 from dbus_fast.aio.message_bus import MessageBus
 from dbus_fast.aio.proxy_object import ProxyInterface, ProxyObject
 from dbus_fast.errors import DBusError as DBusFastDBusError
@@ -265,7 +259,7 @@ class DBus:
        """

        async def sync_property_change(
-            prop_interface: str, changed: dict[str, Variant], invalidated: list[str]
+            prop_interface: str, changed: dict[str, Any], invalidated: list[str]
        ) -> None:
            """Sync property changes to cache."""
            if interface != prop_interface:
--- a/supervisor/utils/systemd_journal.py
+++ b/supervisor/utils/systemd_journal.py
@@ -5,12 +5,20 @@ from collections.abc import AsyncGenerator
 from datetime import UTC, datetime
 from functools import wraps
 import json
+import re

 from aiohttp import ClientResponse

 from supervisor.exceptions import MalformedBinaryEntryError
 from supervisor.host.const import LogFormatter

+_RE_ANSI_CSI_COLORS_PATTERN = re.compile(r"\x1B\[[0-9;]*m")
+
+
+def _strip_ansi_colors(message: str) -> str:
+    """Remove ANSI color codes from a message string."""
+    return _RE_ANSI_CSI_COLORS_PATTERN.sub("", message)
+

 def formatter(required_fields: list[str]):
    """Decorate journal entry formatters with list of required fields.
@@ -31,9 +39,9 @@ def formatter(required_fields: list[str]):


@formatter(["MESSAGE"])
-def journal_plain_formatter(entries: dict[str, str]) -> str:
+def journal_plain_formatter(entries: dict[str, str], no_colors: bool = False) -> str:
    """Format parsed journal entries as a plain message."""
-    return entries["MESSAGE"]
+    return _strip_ansi_colors(entries["MESSAGE"]) if no_colors else entries["MESSAGE"]


@formatter(
@@ -45,7 +53,7 @@ def journal_plain_formatter(entries: dict[str, str]) -> str:
        "MESSAGE",
    ]
 )
-def journal_verbose_formatter(entries: dict[str, str]) -> str:
+def journal_verbose_formatter(entries: dict[str, str], no_colors: bool = False) -> str:
    """Format parsed journal entries to a journalctl-like format."""
    ts = datetime.fromtimestamp(
        int(entries["__REALTIME_TIMESTAMP"]) / 1e6, UTC
@@ -58,14 +66,24 @@ def journal_verbose_formatter(entries: dict[str, str]) -> str:
        else entries.get("SYSLOG_IDENTIFIER", "_UNKNOWN_")
    )

-    return f"{ts} {entries.get('_HOSTNAME', '')} {identifier}: {entries.get('MESSAGE', '')}"
+    message = (
+        _strip_ansi_colors(entries.get("MESSAGE", ""))
+        if no_colors
+        else entries.get("MESSAGE", "")
+    )
+
+    return f"{ts} {entries.get('_HOSTNAME', '')} {identifier}: {message}"


 async def journal_logs_reader(
-    journal_logs: ClientResponse, log_formatter: LogFormatter = LogFormatter.PLAIN
+    journal_logs: ClientResponse,
+    log_formatter: LogFormatter = LogFormatter.PLAIN,
+    no_colors: bool = False,
 ) -> AsyncGenerator[tuple[str | None, str]]:
    """Read logs from systemd journal line by line, formatted using the given formatter.

+    Optionally strip ANSI color codes from the entries' messages.
+
    Returns a generator of (cursor, formatted_entry) tuples.
    """
    match log_formatter:
@@ -84,7 +102,10 @@ async def journal_logs_reader(
            # at EOF (likely race between at_eof and EOF check in readuntil)
            if line == b"\n" or not line:
                if entries:
-                    yield entries.get("__CURSOR"), formatter_(entries)
+                    yield (
+                        entries.get("__CURSOR"),
+                        formatter_(entries, no_colors=no_colors),
+                    )
                entries = {}
                continue

--- a/supervisor/validate.py
+++ b/supervisor/validate.py
@@ -12,7 +12,6 @@ from .const import (
    ATTR_AUTO_UPDATE,
    ATTR_CHANNEL,
    ATTR_CLI,
-    ATTR_CONTENT_TRUST,
    ATTR_COUNTRY,
    ATTR_DEBUG,
    ATTR_DEBUG_BLOCK,
@@ -229,7 +228,6 @@ SCHEMA_INGRESS_CONFIG = vol.Schema(
 # pylint: disable=no-value-for-parameter
 SCHEMA_SECURITY_CONFIG = vol.Schema(
    {
-        vol.Optional(ATTR_CONTENT_TRUST, default=True): vol.Boolean(),
        vol.Optional(ATTR_PWNED, default=True): vol.Boolean(),
        vol.Optional(ATTR_FORCE_SECURITY, default=False): vol.Boolean(),
    },
--- a/tests/addons/test_addon.py
+++ b/tests/addons/test_addon.py
@@ -3,24 +3,34 @@
 import asyncio
 from datetime import timedelta
 import errno
+from http import HTTPStatus
 from pathlib import Path
-from unittest.mock import MagicMock, PropertyMock, patch
+from typing import Any
+from unittest.mock import MagicMock, PropertyMock, call, patch

+import aiodocker
 from awesomeversion import AwesomeVersion
-from docker.errors import DockerException, ImageNotFound, NotFound
+from docker.errors import APIError, DockerException, NotFound
 import pytest
 from securetar import SecureTarFile

 from supervisor.addons.addon import Addon
 from supervisor.addons.const import AddonBackupMode
 from supervisor.addons.model import AddonModel
+from supervisor.config import CoreConfig
 from supervisor.const import AddonBoot, AddonState, BusEvent
 from supervisor.coresys import CoreSys
 from supervisor.docker.addon import DockerAddon
 from supervisor.docker.const import ContainerState
-from supervisor.docker.manager import CommandReturn
+from supervisor.docker.manager import CommandReturn, DockerAPI
 from supervisor.docker.monitor import DockerContainerStateEvent
-from supervisor.exceptions import AddonsError, AddonsJobError, AudioUpdateError
+from supervisor.exceptions import (
+    AddonPrePostBackupCommandReturnedError,
+    AddonsJobError,
+    AddonUnknownError,
+    AudioUpdateError,
+    HassioError,
+)
 from supervisor.hardware.helper import HwHelper
 from supervisor.ingress import Ingress
 from supervisor.store.repository import Repository
@@ -217,7 +227,7 @@ async def test_listener_attached_on_install(
    container_collection.get.side_effect = DockerException()
    with (
        patch(
-            "supervisor.docker.manager.DockerAPI.containers",
+            "supervisor.docker.manager.DockerAPI.containers_legacy",
            new=PropertyMock(return_value=container_collection),
        ),
        patch("pathlib.Path.is_dir", return_value=True),
@@ -499,31 +509,26 @@ async def test_backup_with_pre_post_command(


@pytest.mark.parametrize(
-    "get_error,exception_on_exec",
+    ("container_get_side_effect", "exec_run_side_effect", "exc_type_raised"),
    [
-        (NotFound("missing"), False),
-        (DockerException(), False),
-        (None, True),
-        (None, False),
+        (NotFound("missing"), [(1, None)], AddonUnknownError),
+        (DockerException(), [(1, None)], AddonUnknownError),
+        (None, DockerException(), AddonUnknownError),
+        (None, [(1, None)], AddonPrePostBackupCommandReturnedError),
    ],
 )
+@pytest.mark.usefixtures("tmp_supervisor_data", "path_extern")
 async def test_backup_with_pre_command_error(
    coresys: CoreSys,
    install_addon_ssh: Addon,
    container: MagicMock,
-    get_error: DockerException | None,
-    exception_on_exec: bool,
-    tmp_supervisor_data,
-    path_extern,
+    container_get_side_effect: DockerException | None,
+    exec_run_side_effect: DockerException | list[tuple[int, Any]],
+    exc_type_raised: type[HassioError],
 ) -> None:
    """Test backing up an addon with error running pre command."""
-    if get_error:
-        coresys.docker.containers.get.side_effect = get_error
-
-    if exception_on_exec:
-        container.exec_run.side_effect = DockerException()
-    else:
-        container.exec_run.return_value = (1, None)
+    coresys.docker.containers_legacy.get.side_effect = container_get_side_effect
+    container.exec_run.side_effect = exec_run_side_effect

    install_addon_ssh.path_data.mkdir()
    await install_addon_ssh.load()
@@ -532,7 +537,7 @@ async def test_backup_with_pre_command_error(
    with (
        patch.object(DockerAddon, "is_running", return_value=True),
        patch.object(Addon, "backup_pre", new=PropertyMock(return_value="backup_pre")),
-        pytest.raises(AddonsError),
+        pytest.raises(exc_type_raised),
    ):
        assert await install_addon_ssh.backup(tarfile) is None

@@ -861,16 +866,14 @@ async def test_addon_loads_wrong_image(

    container.remove.assert_called_with(force=True, v=True)
    # one for removing the addon, one for removing the addon builder
-    assert coresys.docker.images.remove.call_count == 2
+    assert coresys.docker.images.delete.call_count == 2

-    assert coresys.docker.images.remove.call_args_list[0].kwargs == {
-        "image": "local/aarch64-addon-ssh:latest",
-        "force": True,
-    }
-    assert coresys.docker.images.remove.call_args_list[1].kwargs == {
-        "image": "local/aarch64-addon-ssh:9.2.1",
-        "force": True,
-    }
+    assert coresys.docker.images.delete.call_args_list[0] == call(
+        "local/aarch64-addon-ssh:latest", force=True
+    )
+    assert coresys.docker.images.delete.call_args_list[1] == call(
+        "local/aarch64-addon-ssh:9.2.1", force=True
+    )
    mock_run_command.assert_called_once()
    assert mock_run_command.call_args.args[0] == "docker.io/library/docker"
    assert mock_run_command.call_args.kwargs["version"] == "1.0.0-cli"
@@ -894,7 +897,9 @@ async def test_addon_loads_missing_image(
    mock_amd64_arch_supported,
 ):
    """Test addon corrects a missing image on load."""
-    coresys.docker.images.get.side_effect = ImageNotFound("missing")
+    coresys.docker.images.inspect.side_effect = aiodocker.DockerError(
+        HTTPStatus.NOT_FOUND, {"message": "missing"}
+    )

    with (
        patch("pathlib.Path.is_file", return_value=True),
@@ -926,41 +931,51 @@ async def test_addon_loads_missing_image(
    assert install_addon_ssh.image == "local/amd64-addon-ssh"


+@pytest.mark.parametrize(
+    "pull_image_exc",
+    [APIError("error"), aiodocker.DockerError(400, {"message": "error"})],
+)
+@pytest.mark.usefixtures("container", "mock_amd64_arch_supported")
 async def test_addon_load_succeeds_with_docker_errors(
    coresys: CoreSys,
    install_addon_ssh: Addon,
-    container: MagicMock,
    caplog: pytest.LogCaptureFixture,
-    mock_amd64_arch_supported,
+    pull_image_exc: Exception,
 ):
    """Docker errors while building/pulling an image during load should not raise and fail setup."""
    # Build env invalid failure
-    coresys.docker.images.get.side_effect = ImageNotFound("missing")
+    coresys.docker.images.inspect.side_effect = aiodocker.DockerError(
+        HTTPStatus.NOT_FOUND, {"message": "missing"}
+    )
    caplog.clear()
    await install_addon_ssh.load()
-    assert "Invalid build environment" in caplog.text
+    assert "Cannot build addon 'local_ssh' because dockerfile is missing" in caplog.text

    # Image build failure
-    coresys.docker.images.build.side_effect = DockerException()
    caplog.clear()
    with (
        patch("pathlib.Path.is_file", return_value=True),
        patch.object(
-            type(coresys.config),
-            "local_to_extern_path",
-            return_value="/addon/path/on/host",
+            CoreConfig, "local_to_extern_path", return_value="/addon/path/on/host"
+        ),
+        patch.object(
+            DockerAPI,
+            "run_command",
+            return_value=MagicMock(exit_code=1, output=b"error"),
        ),
    ):
        await install_addon_ssh.load()
-    assert "Can't build local/amd64-addon-ssh:9.2.1" in caplog.text
+    assert (
+        "Can't build local/amd64-addon-ssh:9.2.1: Docker build failed for local/amd64-addon-ssh:9.2.1 (exit code 1). Build output:\nerror"
+        in caplog.text
+    )

    # Image pull failure
    install_addon_ssh.data["image"] = "test/amd64-addon-ssh"
-    coresys.docker.images.build.reset_mock(side_effect=True)
-    coresys.docker.pull_image.side_effect = DockerException()
    caplog.clear()
-    await install_addon_ssh.load()
-    assert "Unknown error with test/amd64-addon-ssh:9.2.1" in caplog.text
+    with patch.object(DockerAPI, "pull_image", side_effect=pull_image_exc):
+        await install_addon_ssh.load()
+    assert "Can't install test/amd64-addon-ssh:9.2.1:" in caplog.text


 async def test_addon_manual_only_boot(coresys: CoreSys, install_addon_example: Addon):
--- a/tests/addons/test_build.py
+++ b/tests/addons/test_build.py
@@ -1,12 +1,18 @@
 """Test addon build."""

+import base64
+import json
+from pathlib import Path
 from unittest.mock import PropertyMock, patch

 from awesomeversion import AwesomeVersion
+import pytest

 from supervisor.addons.addon import Addon
 from supervisor.addons.build import AddonBuild
 from supervisor.coresys import CoreSys
+from supervisor.docker.const import DOCKER_HUB
+from supervisor.exceptions import AddonBuildDockerfileMissingError

 from tests.common import is_in_list

@@ -29,7 +35,7 @@ async def test_platform_set(coresys: CoreSys, install_addon_ssh: Addon):
        ),
    ):
        args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
        )

    assert is_in_list(["--platform", "linux/amd64"], args["command"])
@@ -53,7 +59,7 @@ async def test_dockerfile_evaluation(coresys: CoreSys, install_addon_ssh: Addon)
        ),
    ):
        args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
        )

    assert is_in_list(["--file", "Dockerfile"], args["command"])
@@ -81,7 +87,7 @@ async def test_dockerfile_evaluation_arch(coresys: CoreSys, install_addon_ssh: A
        ),
    ):
        args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
        )

    assert is_in_list(["--file", "Dockerfile.aarch64"], args["command"])
@@ -102,11 +108,11 @@ async def test_build_valid(coresys: CoreSys, install_addon_ssh: Addon):
            type(coresys.arch), "default", new=PropertyMock(return_value="aarch64")
        ),
    ):
-        assert await build.is_valid()
+        assert (await build.is_valid()) is None


 async def test_build_invalid(coresys: CoreSys, install_addon_ssh: Addon):
-    """Test platform set in docker args."""
+    """Test build not supported because Dockerfile missing for specified architecture."""
    build = await AddonBuild(coresys, install_addon_ssh).load_config()
    with (
        patch.object(
@@ -115,5 +121,161 @@ async def test_build_invalid(coresys: CoreSys, install_addon_ssh: Addon):
        patch.object(
            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
        ),
+        pytest.raises(AddonBuildDockerfileMissingError),
    ):
-        assert not await build.is_valid()
+        await build.is_valid()
+
+
+async def test_docker_config_no_registries(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker config generation when no registries configured."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # No registries configured by default
+    assert build.get_docker_config_json() is None
+
+
+async def test_docker_config_no_matching_registry(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker config generation when registry doesn't match base image."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure a registry that doesn't match the base image
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        "some.other.registry": {"username": "user", "password": "pass"}
+    }
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+    ):
+        # Base image is ghcr.io/home-assistant/... which doesn't match
+        assert build.get_docker_config_json() is None
+
+
+async def test_docker_config_matching_registry(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker config generation when registry matches base image."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure ghcr.io registry which matches the default base image
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        "ghcr.io": {"username": "testuser", "password": "testpass"}
+    }
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+    ):
+        config_json = build.get_docker_config_json()
+        assert config_json is not None
+
+        config = json.loads(config_json)
+        assert "auths" in config
+        assert "ghcr.io" in config["auths"]
+
+        # Verify base64-encoded credentials
+        expected_auth = base64.b64encode(b"testuser:testpass").decode()
+        assert config["auths"]["ghcr.io"]["auth"] == expected_auth
+
+
+async def test_docker_config_docker_hub(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker config generation for Docker Hub registry."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure Docker Hub registry
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        DOCKER_HUB: {"username": "hubuser", "password": "hubpass"}
+    }
+
+    # Mock base_image to return a Docker Hub image (no registry prefix)
+    with patch.object(
+        type(build),
+        "base_image",
+        new=PropertyMock(return_value="library/alpine:latest"),
+    ):
+        config_json = build.get_docker_config_json()
+        assert config_json is not None
+
+        config = json.loads(config_json)
+        # Docker Hub uses special URL as key
+        assert "https://index.docker.io/v1/" in config["auths"]
+
+        expected_auth = base64.b64encode(b"hubuser:hubpass").decode()
+        assert config["auths"]["https://index.docker.io/v1/"]["auth"] == expected_auth
+
+
+async def test_docker_args_with_config_path(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker args include config volume when path provided."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+        patch.object(
+            type(coresys.config),
+            "local_to_extern_path",
+            side_effect=lambda p: f"/extern{p}",
+        ),
+    ):
+        config_path = Path("/data/supervisor/tmp/config.json")
+        args = await coresys.run_in_executor(
+            build.get_docker_args,
+            AwesomeVersion("latest"),
+            "test-image:latest",
+            config_path,
+        )
+
+    # Check that config is mounted
+    assert "/extern/data/supervisor/tmp/config.json" in args["volumes"]
+    assert (
+        args["volumes"]["/extern/data/supervisor/tmp/config.json"]["bind"]
+        == "/root/.docker/config.json"
+    )
+    assert args["volumes"]["/extern/data/supervisor/tmp/config.json"]["mode"] == "ro"
+
+
+async def test_docker_args_without_config_path(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker args don't include config volume when no path provided."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+        patch.object(
+            type(coresys.config),
+            "local_to_extern_path",
+            return_value="/addon/path/on/host",
+        ),
+    ):
+        args = await coresys.run_in_executor(
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
+        )
+
+    # Only docker socket and addon path should be mounted
+    assert len(args["volumes"]) == 2
+    # Verify no docker config mount
+    for bind in args["volumes"].values():
+        assert bind["bind"] != "/root/.docker/config.json"
--- a/tests/addons/test_manager.py
+++ b/tests/addons/test_manager.py
@@ -4,13 +4,13 @@ import asyncio
 from collections.abc import AsyncGenerator, Generator
 from copy import deepcopy
 from pathlib import Path
-from unittest.mock import AsyncMock, MagicMock, Mock, PropertyMock, patch
+from unittest.mock import AsyncMock, MagicMock, Mock, PropertyMock, call, patch

 from awesomeversion import AwesomeVersion
 import pytest

 from supervisor.addons.addon import Addon
-from supervisor.arch import CpuArch
+from supervisor.arch import CpuArchManager
 from supervisor.config import CoreConfig
 from supervisor.const import AddonBoot, AddonStartup, AddonState, BusEvent
 from supervisor.coresys import CoreSys
@@ -54,7 +54,9 @@ async def fixture_mock_arch_disk() -> AsyncGenerator[None]:
    """Mock supported arch and disk space."""
    with (
        patch("shutil.disk_usage", return_value=(42, 42, 2 * (1024.0**3))),
-        patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])),
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+        ),
    ):
        yield

@@ -514,19 +516,13 @@ async def test_shared_image_kept_on_uninstall(
    latest = f"{install_addon_example.image}:latest"

    await coresys.addons.uninstall("local_example2")
-    coresys.docker.images.remove.assert_not_called()
+    coresys.docker.images.delete.assert_not_called()
    assert not coresys.addons.get("local_example2", local_only=True)

    await coresys.addons.uninstall("local_example")
-    assert coresys.docker.images.remove.call_count == 2
-    assert coresys.docker.images.remove.call_args_list[0].kwargs == {
-        "image": latest,
-        "force": True,
-    }
-    assert coresys.docker.images.remove.call_args_list[1].kwargs == {
-        "image": image,
-        "force": True,
-    }
+    assert coresys.docker.images.delete.call_count == 2
+    assert coresys.docker.images.delete.call_args_list[0] == call(latest, force=True)
+    assert coresys.docker.images.delete.call_args_list[1] == call(image, force=True)
    assert not coresys.addons.get("local_example", local_only=True)


@@ -554,19 +550,17 @@ async def test_shared_image_kept_on_update(
    assert example_2.version == "1.2.0"
    assert install_addon_example_image.version == "1.2.0"

-    image_new = MagicMock()
-    image_new.id = "image_new"
-    image_old = MagicMock()
-    image_old.id = "image_old"
-    docker.images.get.side_effect = [image_new, image_old]
+    image_new = {"Id": "image_new", "RepoTags": ["image_new:latest"]}
+    image_old = {"Id": "image_old", "RepoTags": ["image_old:latest"]}
+    docker.images.inspect.side_effect = [image_new, image_old]
    docker.images.list.return_value = [image_new, image_old]

    with patch.object(DockerAPI, "pull_image", return_value=image_new):
        await coresys.addons.update("local_example2")
-        docker.images.remove.assert_not_called()
+        docker.images.delete.assert_not_called()
        assert example_2.version == "1.3.0"

-        docker.images.get.side_effect = [image_new]
+        docker.images.inspect.side_effect = [image_new]
        await coresys.addons.update("local_example_image")
-        docker.images.remove.assert_called_once_with("image_old", force=True)
+        docker.images.delete.assert_called_once_with("image_old", force=True)
        assert install_addon_example_image.version == "1.3.0"
--- a/tests/api/init.py
+++ b/tests/api/init.py
@@ -1,95 +1 @@
 """Test for API calls."""
-
-from unittest.mock import AsyncMock, MagicMock
-
-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-from supervisor.host.const import LogFormat
-
-DEFAULT_LOG_RANGE = "entries=:-99:100"
-DEFAULT_LOG_RANGE_FOLLOW = "entries=:-99:18446744073709551615"
-
-
-async def common_test_api_advanced_logs(
-    path_prefix: str,
-    syslog_identifier: str,
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available: None,
-):
-    """Template for tests of endpoints using advanced logs."""
-    resp = await api_client.get(f"{path_prefix}/logs")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier},
-        range_header=DEFAULT_LOG_RANGE,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/follow")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier, "follow": ""},
-        range_header=DEFAULT_LOG_RANGE_FOLLOW,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    mock_response = MagicMock()
-    mock_response.text = AsyncMock(
-        return_value='{"CONTAINER_LOG_EPOCH": "12345"}\n{"CONTAINER_LOG_EPOCH": "12345"}\n'
-    )
-    journald_logs.return_value.__aenter__.return_value = mock_response
-
-    resp = await api_client.get(f"{path_prefix}/logs/latest")
-    assert resp.status == 200
-
-    assert journald_logs.call_count == 2
-
-    # Check the first call for getting epoch
-    epoch_call = journald_logs.call_args_list[0]
-    assert epoch_call[1]["params"] == {"CONTAINER_NAME": syslog_identifier}
-    assert epoch_call[1]["range_header"] == "entries=:-1:2"
-
-    # Check the second call for getting logs with the epoch
-    logs_call = journald_logs.call_args_list[1]
-    assert logs_call[1]["params"]["SYSLOG_IDENTIFIER"] == syslog_identifier
-    assert logs_call[1]["params"]["CONTAINER_LOG_EPOCH"] == "12345"
-    assert logs_call[1]["range_header"] == "entries=:0:18446744073709551615"
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/boots/0")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier, "_BOOT_ID": "ccc"},
-        range_header=DEFAULT_LOG_RANGE,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/boots/0/follow")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={
-            "SYSLOG_IDENTIFIER": syslog_identifier,
-            "_BOOT_ID": "ccc",
-            "follow": "",
-        },
-        range_header=DEFAULT_LOG_RANGE_FOLLOW,
-        accept=LogFormat.JOURNAL,
-    )
--- a/tests/api/conftest.py
+++ b/tests/api/conftest.py
@@ -0,0 +1,149 @@
+"""Fixtures for API tests."""
+
+from collections.abc import Awaitable, Callable
+from unittest.mock import ANY, AsyncMock, MagicMock
+
+from aiohttp.test_utils import TestClient
+import pytest
+
+from supervisor.coresys import CoreSys
+from supervisor.host.const import LogFormat, LogFormatter
+
+DEFAULT_LOG_RANGE = "entries=:-99:100"
+DEFAULT_LOG_RANGE_FOLLOW = "entries=:-99:18446744073709551615"
+
+
+async def _common_test_api_advanced_logs(
+    path_prefix: str,
+    syslog_identifier: str,
+    api_client: TestClient,
+    journald_logs: MagicMock,
+    coresys: CoreSys,
+    os_available: None,
+    journal_logs_reader: MagicMock,
+):
+    """Template for tests of endpoints using advanced logs."""
+    resp = await api_client.get(f"{path_prefix}/logs")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, False)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs?no_colors")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, True)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/follow")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier, "follow": ""},
+        range_header=DEFAULT_LOG_RANGE_FOLLOW,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, False)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    mock_response = MagicMock()
+    mock_response.text = AsyncMock(
+        return_value='{"CONTAINER_LOG_EPOCH": "12345"}\n{"CONTAINER_LOG_EPOCH": "12345"}\n'
+    )
+    journald_logs.return_value.__aenter__.return_value = mock_response
+
+    resp = await api_client.get(f"{path_prefix}/logs/latest")
+    assert resp.status == 200
+
+    assert journald_logs.call_count == 2
+
+    # Check the first call for getting epoch
+    epoch_call = journald_logs.call_args_list[0]
+    assert epoch_call[1]["params"] == {"CONTAINER_NAME": syslog_identifier}
+    assert epoch_call[1]["range_header"] == "entries=:-1:2"
+
+    # Check the second call for getting logs with the epoch
+    logs_call = journald_logs.call_args_list[1]
+    assert logs_call[1]["params"]["SYSLOG_IDENTIFIER"] == syslog_identifier
+    assert logs_call[1]["params"]["CONTAINER_LOG_EPOCH"] == "12345"
+    assert logs_call[1]["range_header"] == "entries=:0:18446744073709551615"
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, True)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/boots/0")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier, "_BOOT_ID": "ccc"},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+
+    journald_logs.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/boots/0/follow")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={
+            "SYSLOG_IDENTIFIER": syslog_identifier,
+            "_BOOT_ID": "ccc",
+            "follow": "",
+        },
+        range_header=DEFAULT_LOG_RANGE_FOLLOW,
+        accept=LogFormat.JOURNAL,
+    )
+
+
+@pytest.fixture
+async def advanced_logs_tester(
+    api_client: TestClient,
+    journald_logs: MagicMock,
+    coresys: CoreSys,
+    os_available,
+    journal_logs_reader: MagicMock,
+) -> Callable[[str, str], Awaitable[None]]:
+    """Fixture that returns a function to test advanced logs endpoints.
+
+    This allows tests to avoid explicitly passing all the required fixtures.
+
+    Usage:
+        async def test_my_logs(advanced_logs_tester):
+            await advanced_logs_tester("/path/prefix", "syslog_identifier")
+    """
+
+    async def test_logs(path_prefix: str, syslog_identifier: str):
+        await _common_test_api_advanced_logs(
+            path_prefix,
+            syslog_identifier,
+            api_client,
+            journald_logs,
+            coresys,
+            os_available,
+            journal_logs_reader,
+        )
+
+    return test_logs
--- a/Show More
+++ b/Show More