diff --git a/.github/workflows/recording-update.yml b/.github/workflows/recording-update.yml
new file mode 100644
index 000000000000..e946e5d7f2d5
--- /dev/null
+++ b/.github/workflows/recording-update.yml
@@ -0,0 +1,36 @@
+name: recording-update
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '00 12 * * *'
+
+jobs:
+ run_update:
+ name: update spreed
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Run spreed-update
+ run: |
+ # Spreed
+ spreed_version="$(
+ git ls-remote https://github.com/nextcloud/spreed v*.*.* \
+ | cut -d/ -f3 \
+ | sort -V \
+ | grep -E "^v[0-9]+\.[0-9]+\.[0-9]+$" \
+ | tail -1
+ )"
+ sed -i "s|git clone --recursive https://github.com/nextcloud/spreed --branch .* /src; \\\|git clone --recursive https://github.com/nextcloud/spreed --branch $spreed_version /src; \\\|" ./Containers/recording/Dockerfile
+ curl -L "https://raw.githubusercontent.com/nextcloud/spreed/$spreed_version/recording/server.conf.in" -o Containers/recording/recording.conf
+
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: recording-update automated change
+ signoff: true
+ title: recording update
+ body: Automated recording container update
+ labels: dependencies, 3. to review
+ milestone: next
+ branch: recording-container-update
diff --git a/Containers/apache/Caddyfile b/Containers/apache/Caddyfile
index 6006fee4b43b..444afb83a488 100644
--- a/Containers/apache/Caddyfile
+++ b/Containers/apache/Caddyfile
@@ -47,6 +47,10 @@ uri strip_prefix /standalone-signaling reverse_proxy {$TALK_HOST}:8081 } + route /recording/* { + uri strip_prefix /recording + reverse_proxy {$TALK_HOST}:1234 + } # Others import /mnt/data/caddy-imports/*
diff --git a/Containers/recording/Dockerfile b/Containers/recording/Dockerfile
new file mode 100644
index 000000000000..9c705b6c0387
--- /dev/null
+++ b/Containers/recording/Dockerfile
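Review bot: The `Run spreed-update` step never checks that the upstream lookup or the download succeeded, so a failed `git ls-remote` or an HTTP error from raw.githubusercontent.com can still end up in an automated pull request. An empty `$spreed_version` lets the `sed` write `--branch  /src` into the recording Dockerfile, and `curl -L` without `-f` saves the error body as `Containers/recording/recording.conf`. Add `[ -n "$spreed_version" ] || exit 1` after the assignment and use `curl -fsSL` for the download. Both `actions/checkout@v3` and `peter-evans/create-pull-request@v5` are referenced by mutable tag and the workflow declares no `permissions:` block; pinning each action to a full commit SHA and granting only `contents: write` and `pull-requests: write` would limit what a retagged action can do with the job token.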
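Review bot: The new `/recording/*` route proxies to `{$TALK_HOST}:1234`, but the recording server added by this commit is a separate image (`Containers/recording`) and nothing visible here makes the Talk container listen on 1234, so the upstream host looks wrong unless both services share a hostname. The route also publishes the recording server's HTTP endpoint on the public site, leaving the shared secret in the recording config as the only access control visible in this diff; if only the Nextcloud backend needs to reach it, an internal-only address would keep it off the internet-facing proxy. If the route stays, point it at the recording container through its own variable, e.g. `reverse_proxy {$RECORDING_HOST}:1234` (`RECORDING_HOST` is a placeholder name, not defined on this page). The enclosing site block starts and ends outside the hunk.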
@@ -0,0 +1,41 @@
+FROM python:3.11.3-alpine3.18
+
+COPY --chmod=775 start.sh /usr/bin/start.sh
+COPY --chmod=664 recording.conf /etc/recording.conf
+
+RUN set -ex; \
+ apk add --no-cache \
+ ca-certificates \
+ tzdata \
+ bash \
+ ffmpeg \
+ libpulse \
+ bind-tools \
+ netcat-openbsd \
+ git \
+ wget \
+ shadow; \
+ # xvfb firefox chromium chromium-chromedriver?
+ # apk add --no-cache geckodriver --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing; \
+ useradd --system recordning; \
+ git clone --recursive https://github.com/nextcloud/spreed --branch v16.0.3 /src; \
+ mv -v /src/recording/pyproject.toml /src/recording/src/pyproject.toml; \
+ python3 -m pip install /src/recording/src; \
+ rm -rf /src; \
+ apk del --no-cache \
+ git \
+ wget \
+ shadow; \
+ \
+# Give root a random password
+ echo "root:$(openssl rand -base64 12)" | chpasswd; \
+ \
+ chown recordning:recordning -R \
+ /tmp;
+
+USER recordning
+ENTRYPOINT ["start.sh"]
+CMD ["python", "-m", "nextcloud.talk.recording", "--config", "/etc/recording.conf"]
+
+HEALTHCHECK CMD nc -z localhost 1234 || exit 1
+LABEL com.centurylinklabs.watchtower.monitor-only="true"
diff --git a/Containers/recording/recording.conf b/Containers/recording/recording.conf
new file mode 100644
index 000000000000..5495333cc969
--- /dev/null
+++ b/Containers/recording/recording.conf
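Review bot: `/etc/recording.conf` is copied in as root with mode 664, yet the image switches to `USER recordning` and `start.sh` (added later in this commit) rewrites that file at startup, so the redirect should fail with permission denied unless ownership is changed somewhere not shown. Because `start.sh` does not run with `set -e`, the server would then start from the baked-in template instead of the generated config that carries `RECORDING_SECRET` and `SIGNALING_SECRET`. Extend the existing chown to cover the file: `chown recordning:recordning -R /tmp /etc/recording.conf;`. Separately, `git clone ... --branch v16.0.3` followed by `python3 -m pip install /src/recording/src` trusts a movable tag and unpinned transitive dependencies, so what gets installed can change without this Dockerfile changing; a comment above the clone recording the expected commit for the tag would at least make drift reviewable.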
@@ -0,0 +1,111 @@
+[logs]
+# Log level based on numeric values of Python logging levels:
+# - Critical: 50
+# - Error: 40
+# - Warning: 30
+# - Info: 20
+# - Debug: 10
+# - Not set: 0
+#level = 20
+
+[http]
+# IP and port to listen on for HTTP requests.
+listen = 0.0.0.0:1234
+
+[backend]
+# Allow any hostname as backend endpoint. This is extremely insecure and should
+# only be used during development.
+#allowall = false
+
+# Common shared secret for requests from and to the backend servers if
+# "allowall" is enabled. This must be the same value as configured in the
+# Nextcloud admin ui.
+#secret = the-shared-secret
+
+# Comma-separated list of backend ids allowed to connect.
+#backends = backend-id, another-backend
+
+# If set to "true", certificate validation of backend endpoints will be skipped.
+# This should only be enabled during development, e.g. to work with self-signed
+# certificates.
+# Overridable by backend.
+#skipverify = false
+
+# Maximum allowed size in bytes for messages sent by the backend.
+# Overridable by backend.
+#maxmessagesize = 1024
+
+# Width for recorded videos.
+# Overridable by backend.
+#videowidth = 1920
+
+# Height for recorded videos.
+# Overridable by backend.
+#videoheight = 1080
+
+# Temporary directory used to store recordings until uploaded. It must be
+# writable by the user running the recording server.
+# Overridable by backend.
+#directory = /tmp
+
+# Backend configurations as defined in the "[backend]" section above. The
+# section names must match the ids used in "backends" above.
+#[backend-id]
+# URL of the Nextcloud instance
+#url = https://cloud.domain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+#[another-backend]
+# URL of the Nextcloud instance
+#url = https://cloud.otherdomain.invalid
+
+# Shared secret for requests from and to the backend servers. This must be the
+# same value as configured in the Nextcloud admin ui.
+#secret = the-shared-secret
+
+[signaling]
+# Common shared secret for authenticating as an internal client of signaling
+# servers if a specific secret is not set for a signaling server. This must be
+# the same value as configured in the signaling server configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+# Comma-separated list of signaling servers with specific internal secrets.
+#signalings = signaling-id, another-signaling
+
+# Signaling server configurations as defined in the "[signaling]" section above.
+# The section names must match the ids used in "signalings" above.
+#[signaling-id]
+# URL of the signaling server
+#url = https://signaling.domain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+#[another-signaling]
+# URL of the signaling server
+#url = https://signaling.otherdomain.invalid
+
+# Shared secret for authenticating as an internal client of signaling servers.
+# This must be the same value as configured in the signaling server
+# configuration file.
+#internalsecret = the-shared-secret-for-internal-clients
+
+[ffmpeg]
+# The options given to FFmpeg to encode the audio output. The options given here
+# fully override the default options for the audio output.
+#outputaudio = -c:a libopus
+
+# The options given to FFmpeg to encode the video output. The options given here
+# fully override the default options for the video output.
+#outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+
+# The extension of the file for audio only recordings.
+#extensionaudio = .ogg
+
+# The extension of the file for audio and video recordings.
+#extensionvideo = .webm
diff --git a/Containers/recording/start.sh b/Containers/recording/start.sh
new file mode 100644
index 000000000000..052f8f43dc82
--- /dev/null
+++ b/Containers/recording/start.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Variables
+if [ -z "$NC_DOMAIN" ]; then
+ echo "You need to provide the NC_DOMAIN."
+ exit 1
+elif [ -z "$SIGNALING_SECRET" ]; then
+ echo "You need to provide the SIGNALING_SECRET."
+ exit 1
+elif [ -z "$RECORDING_SECRET" ]; then
+ echo "You need to provide the RECORDING_SECRET."
+ exit 1
+fi
+
+set -x
+IPv4_ADDRESS_TALK="$(dig nextcloud-aio-talk A +short)"
+set +x
+
+# TODO: Check if using IP of signaling container is enough or if nc_domain/standalone-signaling is enough
+cat << RECORDING_CONF > "/etc/recording.conf"
+[logs]
+level = 20
+
+[http]
+listen = 0.0.0.0:1234
+
+[backend]
+allowall = false
+secret = ${RECORDING_SECRET}
+url = https://${NC_DOMAIN}
+skipverify = false
+maxmessagesize = 1024
+videowidth = 1920
+videoheight = 1080
+directory = /tmp
+
+[signaling]
+internalsecret = ${SIGNALING_SECRET}
+url = http://${IPv4_ADDRESS_TALK}:8081
+
+[ffmpeg]
+outputaudio = -c:a libopus
+outputvideo = -c:v libvpx -deadline:v realtime -crf 10 -b:v 1M
+extensionaudio = .ogg
+extensionvideo = .webm
+RECORDING_CONF
+
+exec "$@"
diff --git a/Containers/talk/Dockerfile b/Containers/talk/Dockerfile
index bc6ab53db8a6..1d5f38993aa1 100644
--- a/Containers/talk/Dockerfile
+++ b/Containers/talk/Dockerfile
@@ -63,7 +63,7 @@ ENV TALK_PORT=3478 USER talk ENTRYPOINT ["start.sh"] -CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"] +CMD ["supervisord", "-c", "/supervisord.conf"] HEALTHCHECK CMD (nc -z localhost 8081 && nc -z localhost 8188 && nc -z localhost 4222 && nc -z localhost "$TALK_PORT" && nc -z "$NC_DOMAIN" "$TALK_PORT") || exit 1 LABEL com.centurylinklabs.watchtower.monitor-only="true"
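Review bot: In `Containers/recording/start.sh`, `IPv4_ADDRESS_TALK` is used without checking that `dig nextcloud-aio-talk A +short` returned an address, so a failed lookup yields `url = http://:8081` in the `[signaling]` section and `exec "$@"` still starts the server. Add `[ -n "$IPv4_ADDRESS_TALK" ] || { echo "Could not resolve nextcloud-aio-talk."; exit 1; }` after the lookup, and put `set -e` before the heredoc so a failed write of `/etc/recording.conf` stops the container instead of launching it with whatever config was there before. The `internalsecret` is then sent to the signaling server over plain `http://` on the container network, which the script's own TODO already questions; a comment stating that this network is assumed to be trusted would document the decision.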