diff --git a/13/alpine3.21/Dockerfile b/13/alpine3.21/Dockerfile
deleted file mode 100644
index c79dfd0bb7..0000000000
--- a/13/alpine3.21/Dockerfile
+++ /dev/null
@@ -1,224 +0,0 @@
-#
-# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
-#
-# PLEASE DO NOT EDIT IT DIRECTLY.
-#
-
-FROM alpine:3.21
-
-# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
-RUN set -eux; \
-	addgroup -g 70 -S postgres; \
-	adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
-	install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
-RUN set -eux; \
-	\
-	apk add --no-cache --virtual .gosu-deps \
-		ca-certificates \
-		dpkg \
-		gnupg \
-	; \
-	\
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	\
-# verify the signature
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	\
-# clean up fetch dependencies
-	apk del --no-network .gosu-deps; \
-	\
-	chmod +x /usr/local/bin/gosu; \
-# verify that the binary works
-	gosu --version; \
-	gosu nobody true
-RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 13
-ENV PG_VERSION 13.21
-ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4
-
-ENV DOCKER_PG_LLVM_DEPS \
-		llvm19-dev \
-		clang19
-
-RUN set -eux; \
-	\
-	wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
-	echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
-	mkdir -p /usr/src/postgresql; \
-	tar \
-		--extract \
-		--file postgresql.tar.bz2 \
-		--directory /usr/src/postgresql \
-		--strip-components 1 \
-	; \
-	rm postgresql.tar.bz2; \
-	\
-	apk add --no-cache --virtual .build-deps \
-		$DOCKER_PG_LLVM_DEPS \
-		bison \
-		coreutils \
-		dpkg-dev dpkg \
-		flex \
-		g++ \
-		gcc \
-		krb5-dev \
-		libc-dev \
-		libedit-dev \
-		libxml2-dev \
-		libxslt-dev \
-		linux-headers \
-		make \
-		openldap-dev \
-		openssl-dev \
-		perl-dev \
-		perl-ipc-run \
-		perl-utils \
-		python3-dev \
-		tcl-dev \
-		util-linux-dev \
-		zlib-dev \
-# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
-		icu-dev \
-	; \
-	\
-	cd /usr/src/postgresql; \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
-	awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
-	grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
-	mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
-	gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-	\
-# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
-	export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
-# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
-	export CLANG=clang-19; \
-	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
-	./configure \
-		--enable-option-checking=fatal \
-		--build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-#		--enable-nls \
-		--enable-integer-datetimes \
-		--enable-thread-safety \
-		--enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-#		--enable-debug \
-		--disable-rpath \
-		--with-uuid=e2fs \
-		--with-gnu-ld \
-		--with-pgport=5432 \
-		--with-system-tzdata=/usr/share/zoneinfo \
-		--prefix=/usr/local \
-		--with-includes=/usr/local/include \
-		--with-libraries=/usr/local/lib \
-		--with-gssapi \
-		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
-		--with-libxml \
-		--with-libxslt \
-		--with-icu \
-		--with-llvm \
-	; \
-	make -j "$(nproc)" world-bin; \
-	make install-world-bin; \
-	make -C contrib install; \
-	\
-	runDeps="$( \
-		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
-			| tr ',' '\n' \
-			| sort -u \
-			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
-# Remove plperl, plpython and pltcl dependencies by default to save image size
-# To use the pl extensions, those have to be installed in a derived image
-			| grep -v -e perl -e python -e tcl \
-	)"; \
-	apk add --no-cache --virtual .postgresql-rundeps \
-		$runDeps \
-		bash \
-		tzdata \
-		zstd \
-# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
-		icu-data-full \
-# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
-		$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
-	; \
-	apk del --no-network .build-deps; \
-	cd /; \
-	rm -rf \
-		/usr/src/postgresql \
-		/usr/local/share/doc \
-		/usr/local/share/man \
-	; \
-	\
-	postgres --version
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
-	cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
-	sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
-	grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
-RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
-RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
-# calls "Fast Shutdown mode" wherein new connections are disallowed and any
-# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk.
-#
-# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
-# about available PostgreSQL server shutdown signals.
-#
-# See also https://www.postgresql.org/docs/current/server-start.html for further
-# justification of this as the default value, namely that the example (and
-# shipped) systemd service files use the "Fast Shutdown mode" for service
-# termination.
-#
-STOPSIGNAL SIGINT
-#
-# An additional setting that is recommended for all users regardless of this
-# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
-# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL.
-#
-# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/current/server-start.html notes
-# that even 90 seconds may not be long enough in many instances.
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/13/alpine3.22/Dockerfile b/13/alpine3.22/Dockerfile
deleted file mode 100644
index ece37e9796..0000000000
--- a/13/alpine3.22/Dockerfile
+++ /dev/null
@@ -1,224 +0,0 @@
-#
-# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
-#
-# PLEASE DO NOT EDIT IT DIRECTLY.
-#
-
-FROM alpine:3.22
-
-# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
-RUN set -eux; \
-	addgroup -g 70 -S postgres; \
-	adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
-	install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
-RUN set -eux; \
-	\
-	apk add --no-cache --virtual .gosu-deps \
-		ca-certificates \
-		dpkg \
-		gnupg \
-	; \
-	\
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	\
-# verify the signature
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	\
-# clean up fetch dependencies
-	apk del --no-network .gosu-deps; \
-	\
-	chmod +x /usr/local/bin/gosu; \
-# verify that the binary works
-	gosu --version; \
-	gosu nobody true
-RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 13
-ENV PG_VERSION 13.21
-ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4
-
-ENV DOCKER_PG_LLVM_DEPS \
-		llvm19-dev \
-		clang19
-
-RUN set -eux; \
-	\
-	wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
-	echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
-	mkdir -p /usr/src/postgresql; \
-	tar \
-		--extract \
-		--file postgresql.tar.bz2 \
-		--directory /usr/src/postgresql \
-		--strip-components 1 \
-	; \
-	rm postgresql.tar.bz2; \
-	\
-	apk add --no-cache --virtual .build-deps \
-		$DOCKER_PG_LLVM_DEPS \
-		bison \
-		coreutils \
-		dpkg-dev dpkg \
-		flex \
-		g++ \
-		gcc \
-		krb5-dev \
-		libc-dev \
-		libedit-dev \
-		libxml2-dev \
-		libxslt-dev \
-		linux-headers \
-		make \
-		openldap-dev \
-		openssl-dev \
-		perl-dev \
-		perl-ipc-run \
-		perl-utils \
-		python3-dev \
-		tcl-dev \
-		util-linux-dev \
-		zlib-dev \
-# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
-		icu-dev \
-	; \
-	\
-	cd /usr/src/postgresql; \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
-	awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
-	grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
-	mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
-	gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-	\
-# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
-	export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
-# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
-	export CLANG=clang-19; \
-	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
-	./configure \
-		--enable-option-checking=fatal \
-		--build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-#		--enable-nls \
-		--enable-integer-datetimes \
-		--enable-thread-safety \
-		--enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-#		--enable-debug \
-		--disable-rpath \
-		--with-uuid=e2fs \
-		--with-gnu-ld \
-		--with-pgport=5432 \
-		--with-system-tzdata=/usr/share/zoneinfo \
-		--prefix=/usr/local \
-		--with-includes=/usr/local/include \
-		--with-libraries=/usr/local/lib \
-		--with-gssapi \
-		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
-		--with-libxml \
-		--with-libxslt \
-		--with-icu \
-		--with-llvm \
-	; \
-	make -j "$(nproc)" world-bin; \
-	make install-world-bin; \
-	make -C contrib install; \
-	\
-	runDeps="$( \
-		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
-			| tr ',' '\n' \
-			| sort -u \
-			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
-# Remove plperl, plpython and pltcl dependencies by default to save image size
-# To use the pl extensions, those have to be installed in a derived image
-			| grep -v -e perl -e python -e tcl \
-	)"; \
-	apk add --no-cache --virtual .postgresql-rundeps \
-		$runDeps \
-		bash \
-		tzdata \
-		zstd \
-# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
-		icu-data-full \
-# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
-		$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
-	; \
-	apk del --no-network .build-deps; \
-	cd /; \
-	rm -rf \
-		/usr/src/postgresql \
-		/usr/local/share/doc \
-		/usr/local/share/man \
-	; \
-	\
-	postgres --version
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
-	cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
-	sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
-	grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
-RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
-RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
-# calls "Fast Shutdown mode" wherein new connections are disallowed and any
-# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk.
-#
-# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
-# about available PostgreSQL server shutdown signals.
-#
-# See also https://www.postgresql.org/docs/current/server-start.html for further
-# justification of this as the default value, namely that the example (and
-# shipped) systemd service files use the "Fast Shutdown mode" for service
-# termination.
-#
-STOPSIGNAL SIGINT
-#
-# An additional setting that is recommended for all users regardless of this
-# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
-# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL.
-#
-# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/current/server-start.html notes
-# that even 90 seconds may not be long enough in many instances.
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/13/bookworm/Dockerfile b/13/bookworm/Dockerfile
deleted file mode 100644
index 721ad94d09..0000000000
--- a/13/bookworm/Dockerfile
+++ /dev/null
@@ -1,220 +0,0 @@
-#
-# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
-#
-# PLEASE DO NOT EDIT IT DIRECTLY.
-#
-
-FROM debian:bookworm-slim
-
-# explicitly set user/group IDs
-RUN set -eux; \
-	groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
-	useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
-	install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-
-RUN set -ex; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		gnupg \
-# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
-# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
-# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
-		less \
-	; \
-	rm -rf /var/lib/apt/lists/*
-
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
-RUN set -eux; \
-	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends ca-certificates wget; \
-	rm -rf /var/lib/apt/lists/*; \
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-	chmod +x /usr/local/bin/gosu; \
-	gosu --version; \
-	gosu nobody true
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
-	if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
-		grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
-		sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
-		! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
-	fi; \
-	apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
-	echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
-	locale-gen; \
-	locale -a | grep 'en_US.utf8'
-ENV LANG en_US.utf8
-
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		libnss-wrapper \
-		xz-utils \
-		zstd \
-	; \
-	rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub   4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-#       Key fingerprint = B97B 0AFC AA1A 47F0 44F2  44A0 7FCC 7D46 ACCC 4CF8
-# uid                  PostgreSQL Debian Repository
-	key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
-	export GNUPGHOME="$(mktemp -d)"; \
-	mkdir -p /usr/local/share/keyrings/; \
-	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
-	gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME"
-
-ENV PG_MAJOR 13
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-
-ENV PG_VERSION 13.21-1.pgdg120+1
-
-RUN set -ex; \
-	\
-# see note below about "*.pyc" files
-	export PYTHONDONTWRITEBYTECODE=1; \
-	\
-	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
-	case "$dpkgArch" in \
-		amd64 | arm64 | ppc64el) \
-# arches officialy built by upstream
-			echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
-			apt-get update; \
-			;; \
-		*) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
-			echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
-			\
-			savedAptMark="$(apt-mark showmanual)"; \
-			\
-			tempDir="$(mktemp -d)"; \
-			cd "$tempDir"; \
-			\
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
-			apt-get update; \
-			apt-get install -y --no-install-recommends dpkg-dev; \
-			echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-			_update_repo() { \
-				dpkg-scanpackages . > Packages; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-#   Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-#   ...
-#   E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages  Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-				apt-get -o Acquire::GzipIndexes=false update; \
-			}; \
-			_update_repo; \
-			\
-# build .deb files from upstream's source packages (which are verified by apt-get)
-			nproc="$(nproc)"; \
-			export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
-			apt-get build-dep -y postgresql-common-dev; \
-			apt-get source --compile postgresql-common-dev; \
-			_update_repo; \
-# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
-			DEBIAN_FRONTEND=noninteractive \
-			apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
-			apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
-			\
-# we don't remove APT lists here because they get re-downloaded and removed later
-			\
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
-			apt-mark showmanual | xargs apt-mark auto > /dev/null; \
-			apt-mark manual $savedAptMark; \
-			\
-			ls -lAFh; \
-			_update_repo; \
-			grep '^Package: ' Packages; \
-			cd /; \
-			;; \
-	esac; \
-	\
-	apt-get install -y --no-install-recommends postgresql-common; \
-	sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
-	apt-get install -y --no-install-recommends \
-		"postgresql-$PG_MAJOR=$PG_VERSION" \
-	; \
-	\
-	rm -rf /var/lib/apt/lists/*; \
-	\
-	if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
-		apt-get purge -y --auto-remove; \
-		rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
-	fi; \
-	\
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
-	find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
-	\
-	postgres --version
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
-	dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
-	cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
-	ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
-	sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
-	grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
-RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
-RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
-# calls "Fast Shutdown mode" wherein new connections are disallowed and any
-# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk.
-#
-# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
-# about available PostgreSQL server shutdown signals.
-#
-# See also https://www.postgresql.org/docs/current/server-start.html for further
-# justification of this as the default value, namely that the example (and
-# shipped) systemd service files use the "Fast Shutdown mode" for service
-# termination.
-#
-STOPSIGNAL SIGINT
-#
-# An additional setting that is recommended for all users regardless of this
-# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
-# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL.
-#
-# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/current/server-start.html notes
-# that even 90 seconds may not be long enough in many instances.
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/13/bullseye/Dockerfile b/13/bullseye/Dockerfile
deleted file mode 100644
index b914b71ff0..0000000000
--- a/13/bullseye/Dockerfile
+++ /dev/null
@@ -1,220 +0,0 @@
-#
-# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
-#
-# PLEASE DO NOT EDIT IT DIRECTLY.
-#
-
-FROM debian:bullseye-slim
-
-# explicitly set user/group IDs
-RUN set -eux; \
-	groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
-	useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
-	install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-
-RUN set -ex; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		gnupg \
-# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
-# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
-# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
-		less \
-	; \
-	rm -rf /var/lib/apt/lists/*
-
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
-RUN set -eux; \
-	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends ca-certificates wget; \
-	rm -rf /var/lib/apt/lists/*; \
-	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
-	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-	chmod +x /usr/local/bin/gosu; \
-	gosu --version; \
-	gosu nobody true
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
-	if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
-		grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
-		sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
-		! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
-	fi; \
-	apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
-	echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
-	locale-gen; \
-	locale -a | grep 'en_US.utf8'
-ENV LANG en_US.utf8
-
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		libnss-wrapper \
-		xz-utils \
-		zstd \
-	; \
-	rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub   4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-#       Key fingerprint = B97B 0AFC AA1A 47F0 44F2  44A0 7FCC 7D46 ACCC 4CF8
-# uid                  PostgreSQL Debian Repository
-	key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
-	export GNUPGHOME="$(mktemp -d)"; \
-	mkdir -p /usr/local/share/keyrings/; \
-	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
-	gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME"
-
-ENV PG_MAJOR 13
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-
-ENV PG_VERSION 13.21-1.pgdg110+1
-
-RUN set -ex; \
-	\
-# see note below about "*.pyc" files
-	export PYTHONDONTWRITEBYTECODE=1; \
-	\
-	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
-	case "$dpkgArch" in \
-		amd64 | arm64 | ppc64el) \
-# arches officialy built by upstream
-			echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
-			apt-get update; \
-			;; \
-		*) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
-			echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
-			\
-			savedAptMark="$(apt-mark showmanual)"; \
-			\
-			tempDir="$(mktemp -d)"; \
-			cd "$tempDir"; \
-			\
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
-			apt-get update; \
-			apt-get install -y --no-install-recommends dpkg-dev; \
-			echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-			_update_repo() { \
-				dpkg-scanpackages . > Packages; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-#   Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-#   ...
-#   E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages  Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-				apt-get -o Acquire::GzipIndexes=false update; \
-			}; \
-			_update_repo; \
-			\
-# build .deb files from upstream's source packages (which are verified by apt-get)
-			nproc="$(nproc)"; \
-			export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
-			apt-get build-dep -y postgresql-common-dev; \
-			apt-get source --compile postgresql-common-dev; \
-			_update_repo; \
-# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
-			DEBIAN_FRONTEND=noninteractive \
-			apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
-			apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
-			\
-# we don't remove APT lists here because they get re-downloaded and removed later
-			\
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
-			apt-mark showmanual | xargs apt-mark auto > /dev/null; \
-			apt-mark manual $savedAptMark; \
-			\
-			ls -lAFh; \
-			_update_repo; \
-			grep '^Package: ' Packages; \
-			cd /; \
-			;; \
-	esac; \
-	\
-	apt-get install -y --no-install-recommends postgresql-common; \
-	sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
-	apt-get install -y --no-install-recommends \
-		"postgresql-$PG_MAJOR=$PG_VERSION" \
-	; \
-	\
-	rm -rf /var/lib/apt/lists/*; \
-	\
-	if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
-		apt-get purge -y --auto-remove; \
-		rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
-	fi; \
-	\
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
-	find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
-	\
-	postgres --version
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
-	dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
-	cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
-	ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
-	sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
-	grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
-RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
-RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
-# calls "Fast Shutdown mode" wherein new connections are disallowed and any
-# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk.
-#
-# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
-# about available PostgreSQL server shutdown signals.
-#
-# See also https://www.postgresql.org/docs/current/server-start.html for further
-# justification of this as the default value, namely that the example (and
-# shipped) systemd service files use the "Fast Shutdown mode" for service
-# termination.
-#
-STOPSIGNAL SIGINT
-#
-# An additional setting that is recommended for all users regardless of this
-# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
-# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL.
-#
-# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/current/server-start.html notes
-# that even 90 seconds may not be long enough in many instances.
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/14/alpine3.21/docker-entrypoint.sh b/14/alpine3.21/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/14/alpine3.21/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/14/alpine3.22/Dockerfile b/14/alpine3.22/Dockerfile
index 238930ef21..45f005d6cb 100644
--- a/14/alpine3.22/Dockerfile
+++ b/14/alpine3.22/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -53,8 +53,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 14
-ENV PG_VERSION 14.18
-ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e
+ENV PG_VERSION 14.20
+ENV PG_SHA256 7527f10f1640761bc280ad97d105d286d0cf72e54d36d78cf68e5e5f752b646b
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -116,8 +116,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -137,17 +137,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 	; \
 	make -j "$(nproc)" world-bin; \
 	make install-world-bin; \
diff --git a/14/alpine3.22/docker-entrypoint.sh b/14/alpine3.22/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/14/alpine3.22/docker-entrypoint.sh
+++ b/14/alpine3.22/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/14/alpine3.21/Dockerfile b/14/alpine3.23/Dockerfile
similarity index 96%
rename from 14/alpine3.21/Dockerfile
rename to 14/alpine3.23/Dockerfile
index 49eb44c2c7..818ed90b05 100644
--- a/14/alpine3.21/Dockerfile
+++ b/14/alpine3.23/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM alpine:3.21
+FROM alpine:3.23
 
 # 70 is the standard uid/gid for "postgres" in Alpine
 # https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -53,8 +53,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 14
-ENV PG_VERSION 14.18
-ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e
+ENV PG_VERSION 14.20
+ENV PG_SHA256 7527f10f1640761bc280ad97d105d286d0cf72e54d36d78cf68e5e5f752b646b
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -116,8 +116,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -137,17 +137,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 	; \
 	make -j "$(nproc)" world-bin; \
 	make install-world-bin; \
diff --git a/13/alpine3.21/docker-ensure-initdb.sh b/14/alpine3.23/docker-ensure-initdb.sh
similarity index 100%
rename from 13/alpine3.21/docker-ensure-initdb.sh
rename to 14/alpine3.23/docker-ensure-initdb.sh
diff --git a/13/bullseye/docker-entrypoint.sh b/14/alpine3.23/docker-entrypoint.sh
similarity index 94%
rename from 13/bullseye/docker-entrypoint.sh
rename to 14/alpine3.23/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/13/bullseye/docker-entrypoint.sh
+++ b/14/alpine3.23/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/14/bookworm/Dockerfile b/14/bookworm/Dockerfile
index e9a0e21b1c..be874fb6bb 100644
--- a/14/bookworm/Dockerfile
+++ b/14/bookworm/Dockerfile
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 14
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 14.18-1.pgdg120+1
+ENV PG_VERSION 14.20-1.pgdg12+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/14/bookworm/docker-entrypoint.sh b/14/bookworm/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/14/bookworm/docker-entrypoint.sh
+++ b/14/bookworm/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/14/bullseye/docker-entrypoint.sh b/14/bullseye/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/14/bullseye/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/14/bullseye/Dockerfile b/14/trixie/Dockerfile
similarity index 98%
rename from 14/bullseye/Dockerfile
rename to 14/trixie/Dockerfile
index ff863ef774..7825c51e61 100644
--- a/14/bullseye/Dockerfile
+++ b/14/trixie/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
 # explicitly set user/group IDs
 RUN set -eux; \
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 14
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 14.18-1.pgdg110+1
+ENV PG_VERSION 14.20-1.pgdg13+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt trixie-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/13/alpine3.22/docker-ensure-initdb.sh b/14/trixie/docker-ensure-initdb.sh
similarity index 100%
rename from 13/alpine3.22/docker-ensure-initdb.sh
rename to 14/trixie/docker-ensure-initdb.sh
diff --git a/13/alpine3.21/docker-entrypoint.sh b/14/trixie/docker-entrypoint.sh
similarity index 94%
rename from 13/alpine3.21/docker-entrypoint.sh
rename to 14/trixie/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/13/alpine3.21/docker-entrypoint.sh
+++ b/14/trixie/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/15/alpine3.21/docker-entrypoint.sh b/15/alpine3.21/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/15/alpine3.21/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/15/alpine3.22/Dockerfile b/15/alpine3.22/Dockerfile
index 201065d8a3..d37be5769c 100644
--- a/15/alpine3.22/Dockerfile
+++ b/15/alpine3.22/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -53,8 +53,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 15
-ENV PG_VERSION 15.13
-ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d
+ENV PG_VERSION 15.15
+ENV PG_SHA256 5753aaeb8b09cbf61016f78aa69bf5cbdf01b43263f010cbf168c82896213aaa
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -118,8 +118,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -139,17 +139,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/15/alpine3.22/docker-entrypoint.sh b/15/alpine3.22/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/15/alpine3.22/docker-entrypoint.sh
+++ b/15/alpine3.22/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/15/alpine3.21/Dockerfile b/15/alpine3.23/Dockerfile
similarity index 96%
rename from 15/alpine3.21/Dockerfile
rename to 15/alpine3.23/Dockerfile
index 91ab89c023..ba3e564b0e 100644
--- a/15/alpine3.21/Dockerfile
+++ b/15/alpine3.23/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM alpine:3.21
+FROM alpine:3.23
 
 # 70 is the standard uid/gid for "postgres" in Alpine
 # https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -53,8 +53,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 15
-ENV PG_VERSION 15.13
-ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d
+ENV PG_VERSION 15.15
+ENV PG_SHA256 5753aaeb8b09cbf61016f78aa69bf5cbdf01b43263f010cbf168c82896213aaa
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -118,8 +118,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -139,17 +139,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/13/bookworm/docker-ensure-initdb.sh b/15/alpine3.23/docker-ensure-initdb.sh
similarity index 100%
rename from 13/bookworm/docker-ensure-initdb.sh
rename to 15/alpine3.23/docker-ensure-initdb.sh
diff --git a/13/bookworm/docker-entrypoint.sh b/15/alpine3.23/docker-entrypoint.sh
similarity index 94%
rename from 13/bookworm/docker-entrypoint.sh
rename to 15/alpine3.23/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/13/bookworm/docker-entrypoint.sh
+++ b/15/alpine3.23/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/15/bookworm/Dockerfile b/15/bookworm/Dockerfile
index d58f9ab6a4..16b8d24c99 100644
--- a/15/bookworm/Dockerfile
+++ b/15/bookworm/Dockerfile
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 15
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 15.13-1.pgdg120+1
+ENV PG_VERSION 15.15-1.pgdg12+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/15/bookworm/docker-entrypoint.sh b/15/bookworm/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/15/bookworm/docker-entrypoint.sh
+++ b/15/bookworm/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/15/bullseye/docker-entrypoint.sh b/15/bullseye/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/15/bullseye/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/15/bullseye/Dockerfile b/15/trixie/Dockerfile
similarity index 98%
rename from 15/bullseye/Dockerfile
rename to 15/trixie/Dockerfile
index ec325d7c88..2c7f3beb62 100644
--- a/15/bullseye/Dockerfile
+++ b/15/trixie/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
 # explicitly set user/group IDs
 RUN set -eux; \
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 15
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 15.13-1.pgdg110+1
+ENV PG_VERSION 15.15-1.pgdg13+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt trixie-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/13/bullseye/docker-ensure-initdb.sh b/15/trixie/docker-ensure-initdb.sh
similarity index 100%
rename from 13/bullseye/docker-ensure-initdb.sh
rename to 15/trixie/docker-ensure-initdb.sh
diff --git a/13/alpine3.22/docker-entrypoint.sh b/15/trixie/docker-entrypoint.sh
similarity index 94%
rename from 13/alpine3.22/docker-entrypoint.sh
rename to 15/trixie/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/13/alpine3.22/docker-entrypoint.sh
+++ b/15/trixie/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/16/alpine3.21/docker-entrypoint.sh b/16/alpine3.21/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/16/alpine3.21/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/16/alpine3.22/Dockerfile b/16/alpine3.22/Dockerfile
index 902de7538f..5fadb2017e 100644
--- a/16/alpine3.22/Dockerfile
+++ b/16/alpine3.22/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -53,8 +53,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 16
-ENV PG_VERSION 16.9
-ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005
+ENV PG_VERSION 16.11
+ENV PG_SHA256 6deb08c23d03d77d8f8bd1c14049eeef64aef8968fd8891df2dfc0b42f178eac
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -118,8 +118,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -138,17 +138,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/16/alpine3.22/docker-entrypoint.sh b/16/alpine3.22/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/16/alpine3.22/docker-entrypoint.sh
+++ b/16/alpine3.22/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/16/alpine3.21/Dockerfile b/16/alpine3.23/Dockerfile
similarity index 96%
rename from 16/alpine3.21/Dockerfile
rename to 16/alpine3.23/Dockerfile
index 1bf2cab5a5..d58865524c 100644
--- a/16/alpine3.21/Dockerfile
+++ b/16/alpine3.23/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM alpine:3.21
+FROM alpine:3.23
 
 # 70 is the standard uid/gid for "postgres" in Alpine
 # https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -53,8 +53,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 16
-ENV PG_VERSION 16.9
-ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005
+ENV PG_VERSION 16.11
+ENV PG_SHA256 6deb08c23d03d77d8f8bd1c14049eeef64aef8968fd8891df2dfc0b42f178eac
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -118,8 +118,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -138,17 +138,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/14/alpine3.21/docker-ensure-initdb.sh b/16/alpine3.23/docker-ensure-initdb.sh
similarity index 100%
rename from 14/alpine3.21/docker-ensure-initdb.sh
rename to 16/alpine3.23/docker-ensure-initdb.sh
diff --git a/16/alpine3.23/docker-entrypoint.sh b/16/alpine3.23/docker-entrypoint.sh
new file mode 100755
index 0000000000..c3432be675
--- /dev/null
+++ b/16/alpine3.23/docker-entrypoint.sh
@@ -0,0 +1,382 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	mkdir -p "$PGDATA"
+	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+	chmod 00700 "$PGDATA" || :
+
+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+	mkdir -p /var/run/postgresql || :
+	chmod 03775 /var/run/postgresql || :
+
+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		mkdir -p "$POSTGRES_INITDB_WALDIR"
+		if [ "$user" = '0' ]; then
+			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+		fi
+		chmod 700 "$POSTGRES_INITDB_WALDIR"
+	fi
+
+	# allow the container to be started with `--user`
+	if [ "$user" = '0' ]; then
+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+	fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+	fi
+
+	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	# unset/cleanup "nss_wrapper" bits
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOE'
+			Error: Database is uninitialized and superuser password is not specified.
+			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+			       connections without a password. This is *not* recommended.
+
+			       See PostgreSQL documentation about "trust":
+			       https://www.postgresql.org/docs/current/auth-trust.html
+		EOE
+		exit 1
+	fi
+	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		cat >&2 <<-'EOWARN'
+			********************************************************************************
+			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+			         anyone with access to the Postgres port to access your database without
+			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+			         documentation about "trust":
+			         https://www.postgresql.org/docs/current/auth-trust.html
+			         In Docker's default configuration, this is effectively any other
+			         container on the same system.
+
+			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+			         "docker run".
+			********************************************************************************
+		EOWARN
+	fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+	if [ -n "${OLD_DATABASES[0]:-}" ]; then
+		cat >&2 <<-EOE
+			Error: in 18+, these Docker images are configured to store database data in a
+			       format which is compatible with "pg_ctlcluster" (specifically, using
+			       major-version-specific directory names).  This better reflects how
+			       PostgreSQL itself works, and how upgrades are to be performed.
+
+			       See also https://github.com/docker-library/postgres/pull/1259
+
+			       Counter to that, there appears to be PostgreSQL data in:
+			         ${OLD_DATABASES[*]}
+
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
+
+			       See https://github.com/docker-library/postgres/issues/37 for a (long)
+			       discussion around this process, and suggestions for how to do so.
+		EOE
+		exit 1
+	fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+	# psql here for backwards compatibility "${psql[@]}"
+	psql=( docker_process_sql )
+
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+	if [ -n "$POSTGRES_DB" ]; then
+		query_runner+=( --dbname "$POSTGRES_DB" )
+	fi
+
+	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+	local dbAlreadyExists
+	dbAlreadyExists="$(
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+			SELECT 1 FROM pg_database WHERE datname = :'db' ;
+		EOSQL
+	)"
+	if [ -z "$dbAlreadyExists" ]; then
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+			CREATE DATABASE :"db" ;
+		EOSQL
+		printf '\n'
+	fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+
+	file_env 'POSTGRES_USER' 'postgres'
+	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_INITDB_ARGS'
+	: "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+	declare -g DATABASE_ALREADY_EXISTS
+	: "${DATABASE_ALREADY_EXISTS:=}"
+	declare -ag OLD_DATABASES=()
+	# look specifically for PG_VERSION, as it is expected in the DB dir
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+		# https://github.com/docker-library/postgres/pull/1259
+		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+			if [ -s "$d/PG_VERSION" ]; then
+				OLD_DATABASES+=( "$d" )
+			fi
+		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
+	fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+	# default authentication method is md5 on versions before 14
+	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+	local auth
+	# check the default/configured encryption and use that as the auth method
+	auth="$(postgres -C password_encryption "$@")"
+	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+	{
+		printf '\n'
+		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+			printf '# warning trust is enabled for all connections\n'
+			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+		fi
+		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${PGUSER:-$POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			# postgres --help | grep 'then exit'
+			# leaving out -C on purpose since it always fails and is unhelpful:
+			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+			-'?'|--help|--describe-config|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+			docker_error_old_databases
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi
diff --git a/16/bookworm/Dockerfile b/16/bookworm/Dockerfile
index 7421ccaf0a..670bec87fd 100644
--- a/16/bookworm/Dockerfile
+++ b/16/bookworm/Dockerfile
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 16
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 16.9-1.pgdg120+1
+ENV PG_VERSION 16.11-1.pgdg12+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/16/bookworm/docker-entrypoint.sh b/16/bookworm/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/16/bookworm/docker-entrypoint.sh
+++ b/16/bookworm/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/16/bullseye/docker-entrypoint.sh b/16/bullseye/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/16/bullseye/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/16/bullseye/Dockerfile b/16/trixie/Dockerfile
similarity index 98%
rename from 16/bullseye/Dockerfile
rename to 16/trixie/Dockerfile
index a3ac0c55ab..af747b281b 100644
--- a/16/bullseye/Dockerfile
+++ b/16/trixie/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
 # explicitly set user/group IDs
 RUN set -eux; \
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 16
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 16.9-1.pgdg110+1
+ENV PG_VERSION 16.11-1.pgdg13+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt trixie-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/14/bullseye/docker-ensure-initdb.sh b/16/trixie/docker-ensure-initdb.sh
similarity index 100%
rename from 14/bullseye/docker-ensure-initdb.sh
rename to 16/trixie/docker-ensure-initdb.sh
diff --git a/16/trixie/docker-entrypoint.sh b/16/trixie/docker-entrypoint.sh
new file mode 100755
index 0000000000..c3432be675
--- /dev/null
+++ b/16/trixie/docker-entrypoint.sh
@@ -0,0 +1,382 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	mkdir -p "$PGDATA"
+	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+	chmod 00700 "$PGDATA" || :
+
+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+	mkdir -p /var/run/postgresql || :
+	chmod 03775 /var/run/postgresql || :
+
+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		mkdir -p "$POSTGRES_INITDB_WALDIR"
+		if [ "$user" = '0' ]; then
+			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+		fi
+		chmod 700 "$POSTGRES_INITDB_WALDIR"
+	fi
+
+	# allow the container to be started with `--user`
+	if [ "$user" = '0' ]; then
+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+	fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+	fi
+
+	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	# unset/cleanup "nss_wrapper" bits
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOE'
+			Error: Database is uninitialized and superuser password is not specified.
+			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+			       connections without a password. This is *not* recommended.
+
+			       See PostgreSQL documentation about "trust":
+			       https://www.postgresql.org/docs/current/auth-trust.html
+		EOE
+		exit 1
+	fi
+	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		cat >&2 <<-'EOWARN'
+			********************************************************************************
+			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+			         anyone with access to the Postgres port to access your database without
+			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+			         documentation about "trust":
+			         https://www.postgresql.org/docs/current/auth-trust.html
+			         In Docker's default configuration, this is effectively any other
+			         container on the same system.
+
+			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+			         "docker run".
+			********************************************************************************
+		EOWARN
+	fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+	if [ -n "${OLD_DATABASES[0]:-}" ]; then
+		cat >&2 <<-EOE
+			Error: in 18+, these Docker images are configured to store database data in a
+			       format which is compatible with "pg_ctlcluster" (specifically, using
+			       major-version-specific directory names).  This better reflects how
+			       PostgreSQL itself works, and how upgrades are to be performed.
+
+			       See also https://github.com/docker-library/postgres/pull/1259
+
+			       Counter to that, there appears to be PostgreSQL data in:
+			         ${OLD_DATABASES[*]}
+
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
+
+			       See https://github.com/docker-library/postgres/issues/37 for a (long)
+			       discussion around this process, and suggestions for how to do so.
+		EOE
+		exit 1
+	fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+	# psql here for backwards compatibility "${psql[@]}"
+	psql=( docker_process_sql )
+
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+	if [ -n "$POSTGRES_DB" ]; then
+		query_runner+=( --dbname "$POSTGRES_DB" )
+	fi
+
+	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+	local dbAlreadyExists
+	dbAlreadyExists="$(
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+			SELECT 1 FROM pg_database WHERE datname = :'db' ;
+		EOSQL
+	)"
+	if [ -z "$dbAlreadyExists" ]; then
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+			CREATE DATABASE :"db" ;
+		EOSQL
+		printf '\n'
+	fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+
+	file_env 'POSTGRES_USER' 'postgres'
+	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_INITDB_ARGS'
+	: "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+	declare -g DATABASE_ALREADY_EXISTS
+	: "${DATABASE_ALREADY_EXISTS:=}"
+	declare -ag OLD_DATABASES=()
+	# look specifically for PG_VERSION, as it is expected in the DB dir
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+		# https://github.com/docker-library/postgres/pull/1259
+		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+			if [ -s "$d/PG_VERSION" ]; then
+				OLD_DATABASES+=( "$d" )
+			fi
+		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
+	fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+	# default authentication method is md5 on versions before 14
+	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+	local auth
+	# check the default/configured encryption and use that as the auth method
+	auth="$(postgres -C password_encryption "$@")"
+	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+	{
+		printf '\n'
+		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+			printf '# warning trust is enabled for all connections\n'
+			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+		fi
+		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${PGUSER:-$POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			# postgres --help | grep 'then exit'
+			# leaving out -C on purpose since it always fails and is unhelpful:
+			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+			-'?'|--help|--describe-config|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+			docker_error_old_databases
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi
diff --git a/17/alpine3.21/docker-ensure-initdb.sh b/17/alpine3.21/docker-ensure-initdb.sh
deleted file mode 100755
index e9b15ef77d..0000000000
--- a/17/alpine3.21/docker-ensure-initdb.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-#
-# This script is intended for three main use cases:
-#
-#  1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
-#
-#  2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
-#       (no-op if database is already initialized)
-#
-#  3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
-#       (error if database is already initialized)
-#
-
-source /usr/local/bin/docker-entrypoint.sh
-
-# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
-if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
-	set -- postgres "$@"
-fi
-
-# see also "_main" in "docker-entrypoint.sh"
-
-docker_setup_env
-# setup data directories and permissions (when run as root)
-docker_create_db_directories
-if [ "$(id -u)" = '0' ]; then
-	# then restart script as postgres user
-	exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-# only run initialization on an empty data directory
-if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-	docker_verify_minimum_env
-	docker_error_old_databases
-
-	# check dir permissions to reduce likelihood of half-initialized database
-	ls /docker-entrypoint-initdb.d/ > /dev/null
-
-	docker_init_database_dir
-	pg_setup_hba_conf "$@"
-
-	# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-	# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-	export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-	docker_temp_server_start "$@"
-
-	docker_setup_db
-	docker_process_init_files /docker-entrypoint-initdb.d/*
-
-	docker_temp_server_stop
-	unset PGPASSWORD
-else
-	self="$(basename "$0")"
-	case "$self" in
-		docker-ensure-initdb.sh)
-			echo >&2 "$self: note: database already initialized in '$PGDATA'!"
-			exit 0
-			;;
-
-		docker-enforce-initdb.sh)
-			echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
-			exit 1
-			;;
-
-		*)
-			echo >&2 "$self: error: unknown file name: $self"
-			exit 99
-			;;
-	esac
-fi
diff --git a/17/alpine3.21/docker-entrypoint.sh b/17/alpine3.21/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/17/alpine3.21/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/17/alpine3.22/Dockerfile b/17/alpine3.22/Dockerfile
index 5c303bd7d0..c5b5b15bc6 100644
--- a/17/alpine3.22/Dockerfile
+++ b/17/alpine3.22/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -52,8 +52,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 17
-ENV PG_VERSION 17.5
-ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8
+ENV PG_VERSION 17.7
+ENV PG_SHA256 ef9e343302eccd33112f1b2f0247be493cb5768313adeb558b02de8797a2e9b5
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -117,8 +117,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -136,17 +136,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/17/alpine3.22/docker-entrypoint.sh b/17/alpine3.22/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/17/alpine3.22/docker-entrypoint.sh
+++ b/17/alpine3.22/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/17/alpine3.21/Dockerfile b/17/alpine3.23/Dockerfile
similarity index 96%
rename from 17/alpine3.21/Dockerfile
rename to 17/alpine3.23/Dockerfile
index c3c81bd437..b5ace65f2a 100644
--- a/17/alpine3.21/Dockerfile
+++ b/17/alpine3.23/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM alpine:3.21
+FROM alpine:3.23
 
 # 70 is the standard uid/gid for "postgres" in Alpine
 # https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -52,8 +52,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 17
-ENV PG_VERSION 17.5
-ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8
+ENV PG_VERSION 17.7
+ENV PG_SHA256 ef9e343302eccd33112f1b2f0247be493cb5768313adeb558b02de8797a2e9b5
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -117,8 +117,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -136,17 +136,17 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/15/alpine3.21/docker-ensure-initdb.sh b/17/alpine3.23/docker-ensure-initdb.sh
similarity index 100%
rename from 15/alpine3.21/docker-ensure-initdb.sh
rename to 17/alpine3.23/docker-ensure-initdb.sh
diff --git a/17/alpine3.23/docker-entrypoint.sh b/17/alpine3.23/docker-entrypoint.sh
new file mode 100755
index 0000000000..c3432be675
--- /dev/null
+++ b/17/alpine3.23/docker-entrypoint.sh
@@ -0,0 +1,382 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	mkdir -p "$PGDATA"
+	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+	chmod 00700 "$PGDATA" || :
+
+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+	mkdir -p /var/run/postgresql || :
+	chmod 03775 /var/run/postgresql || :
+
+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		mkdir -p "$POSTGRES_INITDB_WALDIR"
+		if [ "$user" = '0' ]; then
+			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+		fi
+		chmod 700 "$POSTGRES_INITDB_WALDIR"
+	fi
+
+	# allow the container to be started with `--user`
+	if [ "$user" = '0' ]; then
+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+	fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+	fi
+
+	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	# unset/cleanup "nss_wrapper" bits
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOE'
+			Error: Database is uninitialized and superuser password is not specified.
+			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+			       connections without a password. This is *not* recommended.
+
+			       See PostgreSQL documentation about "trust":
+			       https://www.postgresql.org/docs/current/auth-trust.html
+		EOE
+		exit 1
+	fi
+	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		cat >&2 <<-'EOWARN'
+			********************************************************************************
+			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+			         anyone with access to the Postgres port to access your database without
+			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+			         documentation about "trust":
+			         https://www.postgresql.org/docs/current/auth-trust.html
+			         In Docker's default configuration, this is effectively any other
+			         container on the same system.
+
+			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+			         "docker run".
+			********************************************************************************
+		EOWARN
+	fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+	if [ -n "${OLD_DATABASES[0]:-}" ]; then
+		cat >&2 <<-EOE
+			Error: in 18+, these Docker images are configured to store database data in a
+			       format which is compatible with "pg_ctlcluster" (specifically, using
+			       major-version-specific directory names).  This better reflects how
+			       PostgreSQL itself works, and how upgrades are to be performed.
+
+			       See also https://github.com/docker-library/postgres/pull/1259
+
+			       Counter to that, there appears to be PostgreSQL data in:
+			         ${OLD_DATABASES[*]}
+
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
+
+			       See https://github.com/docker-library/postgres/issues/37 for a (long)
+			       discussion around this process, and suggestions for how to do so.
+		EOE
+		exit 1
+	fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+	# psql here for backwards compatibility "${psql[@]}"
+	psql=( docker_process_sql )
+
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+	if [ -n "$POSTGRES_DB" ]; then
+		query_runner+=( --dbname "$POSTGRES_DB" )
+	fi
+
+	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+	local dbAlreadyExists
+	dbAlreadyExists="$(
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+			SELECT 1 FROM pg_database WHERE datname = :'db' ;
+		EOSQL
+	)"
+	if [ -z "$dbAlreadyExists" ]; then
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+			CREATE DATABASE :"db" ;
+		EOSQL
+		printf '\n'
+	fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+
+	file_env 'POSTGRES_USER' 'postgres'
+	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_INITDB_ARGS'
+	: "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+	declare -g DATABASE_ALREADY_EXISTS
+	: "${DATABASE_ALREADY_EXISTS:=}"
+	declare -ag OLD_DATABASES=()
+	# look specifically for PG_VERSION, as it is expected in the DB dir
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+		# https://github.com/docker-library/postgres/pull/1259
+		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+			if [ -s "$d/PG_VERSION" ]; then
+				OLD_DATABASES+=( "$d" )
+			fi
+		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
+	fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+	# default authentication method is md5 on versions before 14
+	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+	local auth
+	# check the default/configured encryption and use that as the auth method
+	auth="$(postgres -C password_encryption "$@")"
+	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+	{
+		printf '\n'
+		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+			printf '# warning trust is enabled for all connections\n'
+			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+		fi
+		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${PGUSER:-$POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			# postgres --help | grep 'then exit'
+			# leaving out -C on purpose since it always fails and is unhelpful:
+			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+			-'?'|--help|--describe-config|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+			docker_error_old_databases
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi
diff --git a/17/bookworm/Dockerfile b/17/bookworm/Dockerfile
index 25c2142f1f..9deef94095 100644
--- a/17/bookworm/Dockerfile
+++ b/17/bookworm/Dockerfile
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 17
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 17.5-1.pgdg120+1
+ENV PG_VERSION 17.7-3.pgdg12+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/17/bookworm/docker-entrypoint.sh b/17/bookworm/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/17/bookworm/docker-entrypoint.sh
+++ b/17/bookworm/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/17/bullseye/docker-ensure-initdb.sh b/17/bullseye/docker-ensure-initdb.sh
deleted file mode 100755
index e9b15ef77d..0000000000
--- a/17/bullseye/docker-ensure-initdb.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-#
-# This script is intended for three main use cases:
-#
-#  1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
-#
-#  2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
-#       (no-op if database is already initialized)
-#
-#  3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
-#       (error if database is already initialized)
-#
-
-source /usr/local/bin/docker-entrypoint.sh
-
-# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
-if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
-	set -- postgres "$@"
-fi
-
-# see also "_main" in "docker-entrypoint.sh"
-
-docker_setup_env
-# setup data directories and permissions (when run as root)
-docker_create_db_directories
-if [ "$(id -u)" = '0' ]; then
-	# then restart script as postgres user
-	exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-# only run initialization on an empty data directory
-if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-	docker_verify_minimum_env
-	docker_error_old_databases
-
-	# check dir permissions to reduce likelihood of half-initialized database
-	ls /docker-entrypoint-initdb.d/ > /dev/null
-
-	docker_init_database_dir
-	pg_setup_hba_conf "$@"
-
-	# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-	# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-	export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-	docker_temp_server_start "$@"
-
-	docker_setup_db
-	docker_process_init_files /docker-entrypoint-initdb.d/*
-
-	docker_temp_server_stop
-	unset PGPASSWORD
-else
-	self="$(basename "$0")"
-	case "$self" in
-		docker-ensure-initdb.sh)
-			echo >&2 "$self: note: database already initialized in '$PGDATA'!"
-			exit 0
-			;;
-
-		docker-enforce-initdb.sh)
-			echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
-			exit 1
-			;;
-
-		*)
-			echo >&2 "$self: error: unknown file name: $self"
-			exit 99
-			;;
-	esac
-fi
diff --git a/17/bullseye/docker-entrypoint.sh b/17/bullseye/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/17/bullseye/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/17/bullseye/Dockerfile b/17/trixie/Dockerfile
similarity index 98%
rename from 17/bullseye/Dockerfile
rename to 17/trixie/Dockerfile
index fc554d1fae..fa272a4fd3 100644
--- a/17/bullseye/Dockerfile
+++ b/17/trixie/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
 # explicitly set user/group IDs
 RUN set -eux; \
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 17
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 17.5-1.pgdg110+1
+ENV PG_VERSION 17.7-3.pgdg13+1
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt trixie-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
diff --git a/15/bullseye/docker-ensure-initdb.sh b/17/trixie/docker-ensure-initdb.sh
similarity index 100%
rename from 15/bullseye/docker-ensure-initdb.sh
rename to 17/trixie/docker-ensure-initdb.sh
diff --git a/17/trixie/docker-entrypoint.sh b/17/trixie/docker-entrypoint.sh
new file mode 100755
index 0000000000..c3432be675
--- /dev/null
+++ b/17/trixie/docker-entrypoint.sh
@@ -0,0 +1,382 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	mkdir -p "$PGDATA"
+	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+	chmod 00700 "$PGDATA" || :
+
+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+	mkdir -p /var/run/postgresql || :
+	chmod 03775 /var/run/postgresql || :
+
+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		mkdir -p "$POSTGRES_INITDB_WALDIR"
+		if [ "$user" = '0' ]; then
+			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+		fi
+		chmod 700 "$POSTGRES_INITDB_WALDIR"
+	fi
+
+	# allow the container to be started with `--user`
+	if [ "$user" = '0' ]; then
+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+	fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+	fi
+
+	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	# unset/cleanup "nss_wrapper" bits
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOE'
+			Error: Database is uninitialized and superuser password is not specified.
+			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+			       connections without a password. This is *not* recommended.
+
+			       See PostgreSQL documentation about "trust":
+			       https://www.postgresql.org/docs/current/auth-trust.html
+		EOE
+		exit 1
+	fi
+	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		cat >&2 <<-'EOWARN'
+			********************************************************************************
+			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+			         anyone with access to the Postgres port to access your database without
+			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+			         documentation about "trust":
+			         https://www.postgresql.org/docs/current/auth-trust.html
+			         In Docker's default configuration, this is effectively any other
+			         container on the same system.
+
+			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+			         "docker run".
+			********************************************************************************
+		EOWARN
+	fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+	if [ -n "${OLD_DATABASES[0]:-}" ]; then
+		cat >&2 <<-EOE
+			Error: in 18+, these Docker images are configured to store database data in a
+			       format which is compatible with "pg_ctlcluster" (specifically, using
+			       major-version-specific directory names).  This better reflects how
+			       PostgreSQL itself works, and how upgrades are to be performed.
+
+			       See also https://github.com/docker-library/postgres/pull/1259
+
+			       Counter to that, there appears to be PostgreSQL data in:
+			         ${OLD_DATABASES[*]}
+
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
+
+			       See https://github.com/docker-library/postgres/issues/37 for a (long)
+			       discussion around this process, and suggestions for how to do so.
+		EOE
+		exit 1
+	fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+	# psql here for backwards compatibility "${psql[@]}"
+	psql=( docker_process_sql )
+
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+	if [ -n "$POSTGRES_DB" ]; then
+		query_runner+=( --dbname "$POSTGRES_DB" )
+	fi
+
+	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+	local dbAlreadyExists
+	dbAlreadyExists="$(
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+			SELECT 1 FROM pg_database WHERE datname = :'db' ;
+		EOSQL
+	)"
+	if [ -z "$dbAlreadyExists" ]; then
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+			CREATE DATABASE :"db" ;
+		EOSQL
+		printf '\n'
+	fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+
+	file_env 'POSTGRES_USER' 'postgres'
+	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_INITDB_ARGS'
+	: "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+	declare -g DATABASE_ALREADY_EXISTS
+	: "${DATABASE_ALREADY_EXISTS:=}"
+	declare -ag OLD_DATABASES=()
+	# look specifically for PG_VERSION, as it is expected in the DB dir
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+		# https://github.com/docker-library/postgres/pull/1259
+		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+			if [ -s "$d/PG_VERSION" ]; then
+				OLD_DATABASES+=( "$d" )
+			fi
+		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
+	fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+	# default authentication method is md5 on versions before 14
+	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+	local auth
+	# check the default/configured encryption and use that as the auth method
+	auth="$(postgres -C password_encryption "$@")"
+	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+	{
+		printf '\n'
+		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+			printf '# warning trust is enabled for all connections\n'
+			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+		fi
+		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${PGUSER:-$POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			# postgres --help | grep 'then exit'
+			# leaving out -C on purpose since it always fails and is unhelpful:
+			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+			-'?'|--help|--describe-config|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+			docker_error_old_databases
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi
diff --git a/18/alpine3.21/docker-ensure-initdb.sh b/18/alpine3.21/docker-ensure-initdb.sh
deleted file mode 100755
index e9b15ef77d..0000000000
--- a/18/alpine3.21/docker-ensure-initdb.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-#
-# This script is intended for three main use cases:
-#
-#  1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
-#
-#  2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
-#       (no-op if database is already initialized)
-#
-#  3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
-#       (error if database is already initialized)
-#
-
-source /usr/local/bin/docker-entrypoint.sh
-
-# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
-if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
-	set -- postgres "$@"
-fi
-
-# see also "_main" in "docker-entrypoint.sh"
-
-docker_setup_env
-# setup data directories and permissions (when run as root)
-docker_create_db_directories
-if [ "$(id -u)" = '0' ]; then
-	# then restart script as postgres user
-	exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-# only run initialization on an empty data directory
-if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-	docker_verify_minimum_env
-	docker_error_old_databases
-
-	# check dir permissions to reduce likelihood of half-initialized database
-	ls /docker-entrypoint-initdb.d/ > /dev/null
-
-	docker_init_database_dir
-	pg_setup_hba_conf "$@"
-
-	# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-	# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-	export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-	docker_temp_server_start "$@"
-
-	docker_setup_db
-	docker_process_init_files /docker-entrypoint-initdb.d/*
-
-	docker_temp_server_stop
-	unset PGPASSWORD
-else
-	self="$(basename "$0")"
-	case "$self" in
-		docker-ensure-initdb.sh)
-			echo >&2 "$self: note: database already initialized in '$PGDATA'!"
-			exit 0
-			;;
-
-		docker-enforce-initdb.sh)
-			echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
-			exit 1
-			;;
-
-		*)
-			echo >&2 "$self: error: unknown file name: $self"
-			exit 99
-			;;
-	esac
-fi
diff --git a/18/alpine3.21/docker-entrypoint.sh b/18/alpine3.21/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/18/alpine3.21/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/18/alpine3.22/Dockerfile b/18/alpine3.22/Dockerfile
index 248d5cb987..dbfd50a247 100644
--- a/18/alpine3.22/Dockerfile
+++ b/18/alpine3.22/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -52,8 +52,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 18
-ENV PG_VERSION 18beta1
-ENV PG_SHA256 0b7c83df6195398aa67dbf5c002e7fa4082be393aae99aa69926d483f98eb885
+ENV PG_VERSION 18.1
+ENV PG_SHA256 ff86675c336c46e98ac991ebb306d1b67621ece1d06787beaade312c2c915d54
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -102,6 +102,9 @@ RUN set -eux; \
 		lz4-dev \
 # https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
 		zstd-dev \
+# https://salsa.debian.org/postgresql/postgresql-common/-/commit/89c384273f4c4092483598c292b1b1b188816cce
+# https://www.postgresql.org/docs/18/install-make.html#CONFIGURE-OPTION-WITH-LIBURING
+		liburing-dev \
 	; \
 	\
 	cd /usr/src/postgresql; \
@@ -117,8 +120,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -136,17 +139,18 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
+		--with-liburing \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/18/alpine3.22/docker-entrypoint.sh b/18/alpine3.22/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/18/alpine3.22/docker-entrypoint.sh
+++ b/18/alpine3.22/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/18/alpine3.21/Dockerfile b/18/alpine3.23/Dockerfile
similarity index 93%
rename from 18/alpine3.21/Dockerfile
rename to 18/alpine3.23/Dockerfile
index e9eff8d01f..47a31f6a20 100644
--- a/18/alpine3.21/Dockerfile
+++ b/18/alpine3.23/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM alpine:3.21
+FROM alpine:3.23
 
 # 70 is the standard uid/gid for "postgres" in Alpine
 # https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
@@ -17,7 +17,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -52,8 +52,8 @@ ENV LANG en_US.utf8
 RUN mkdir /docker-entrypoint-initdb.d
 
 ENV PG_MAJOR 18
-ENV PG_VERSION 18beta1
-ENV PG_SHA256 0b7c83df6195398aa67dbf5c002e7fa4082be393aae99aa69926d483f98eb885
+ENV PG_VERSION 18.1
+ENV PG_SHA256 ff86675c336c46e98ac991ebb306d1b67621ece1d06787beaade312c2c915d54
 
 ENV DOCKER_PG_LLVM_DEPS \
 		llvm19-dev \
@@ -102,6 +102,9 @@ RUN set -eux; \
 		lz4-dev \
 # https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
 		zstd-dev \
+# https://salsa.debian.org/postgresql/postgresql-common/-/commit/89c384273f4c4092483598c292b1b1b188816cce
+# https://www.postgresql.org/docs/18/install-make.html#CONFIGURE-OPTION-WITH-LIBURING
+		liburing-dev \
 	; \
 	\
 	cd /usr/src/postgresql; \
@@ -117,8 +120,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-19; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -136,17 +139,18 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
+		--with-liburing \
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
 		--with-lz4 \
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 		--with-zstd \
 	; \
 	make -j "$(nproc)" world-bin; \
diff --git a/16/alpine3.21/docker-ensure-initdb.sh b/18/alpine3.23/docker-ensure-initdb.sh
similarity index 100%
rename from 16/alpine3.21/docker-ensure-initdb.sh
rename to 18/alpine3.23/docker-ensure-initdb.sh
diff --git a/18/alpine3.23/docker-entrypoint.sh b/18/alpine3.23/docker-entrypoint.sh
new file mode 100755
index 0000000000..c3432be675
--- /dev/null
+++ b/18/alpine3.23/docker-entrypoint.sh
@@ -0,0 +1,382 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	mkdir -p "$PGDATA"
+	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+	chmod 00700 "$PGDATA" || :
+
+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+	mkdir -p /var/run/postgresql || :
+	chmod 03775 /var/run/postgresql || :
+
+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		mkdir -p "$POSTGRES_INITDB_WALDIR"
+		if [ "$user" = '0' ]; then
+			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+		fi
+		chmod 700 "$POSTGRES_INITDB_WALDIR"
+	fi
+
+	# allow the container to be started with `--user`
+	if [ "$user" = '0' ]; then
+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+	fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+	fi
+
+	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	# unset/cleanup "nss_wrapper" bits
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOE'
+			Error: Database is uninitialized and superuser password is not specified.
+			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+			       connections without a password. This is *not* recommended.
+
+			       See PostgreSQL documentation about "trust":
+			       https://www.postgresql.org/docs/current/auth-trust.html
+		EOE
+		exit 1
+	fi
+	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		cat >&2 <<-'EOWARN'
+			********************************************************************************
+			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+			         anyone with access to the Postgres port to access your database without
+			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+			         documentation about "trust":
+			         https://www.postgresql.org/docs/current/auth-trust.html
+			         In Docker's default configuration, this is effectively any other
+			         container on the same system.
+
+			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+			         "docker run".
+			********************************************************************************
+		EOWARN
+	fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+	if [ -n "${OLD_DATABASES[0]:-}" ]; then
+		cat >&2 <<-EOE
+			Error: in 18+, these Docker images are configured to store database data in a
+			       format which is compatible with "pg_ctlcluster" (specifically, using
+			       major-version-specific directory names).  This better reflects how
+			       PostgreSQL itself works, and how upgrades are to be performed.
+
+			       See also https://github.com/docker-library/postgres/pull/1259
+
+			       Counter to that, there appears to be PostgreSQL data in:
+			         ${OLD_DATABASES[*]}
+
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
+
+			       See https://github.com/docker-library/postgres/issues/37 for a (long)
+			       discussion around this process, and suggestions for how to do so.
+		EOE
+		exit 1
+	fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+	# psql here for backwards compatibility "${psql[@]}"
+	psql=( docker_process_sql )
+
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+	if [ -n "$POSTGRES_DB" ]; then
+		query_runner+=( --dbname "$POSTGRES_DB" )
+	fi
+
+	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+	local dbAlreadyExists
+	dbAlreadyExists="$(
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+			SELECT 1 FROM pg_database WHERE datname = :'db' ;
+		EOSQL
+	)"
+	if [ -z "$dbAlreadyExists" ]; then
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+			CREATE DATABASE :"db" ;
+		EOSQL
+		printf '\n'
+	fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+
+	file_env 'POSTGRES_USER' 'postgres'
+	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_INITDB_ARGS'
+	: "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+	declare -g DATABASE_ALREADY_EXISTS
+	: "${DATABASE_ALREADY_EXISTS:=}"
+	declare -ag OLD_DATABASES=()
+	# look specifically for PG_VERSION, as it is expected in the DB dir
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+		# https://github.com/docker-library/postgres/pull/1259
+		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+			if [ -s "$d/PG_VERSION" ]; then
+				OLD_DATABASES+=( "$d" )
+			fi
+		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
+	fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+	# default authentication method is md5 on versions before 14
+	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+	local auth
+	# check the default/configured encryption and use that as the auth method
+	auth="$(postgres -C password_encryption "$@")"
+	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+	{
+		printf '\n'
+		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+			printf '# warning trust is enabled for all connections\n'
+			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+		fi
+		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${PGUSER:-$POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			# postgres --help | grep 'then exit'
+			# leaving out -C on purpose since it always fails and is unhelpful:
+			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+			-'?'|--help|--describe-config|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+			docker_error_old_databases
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi
diff --git a/18/bookworm/Dockerfile b/18/bookworm/Dockerfile
index 0cf4c0fb08..915a039861 100644
--- a/18/bookworm/Dockerfile
+++ b/18/bookworm/Dockerfile
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 18
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 18~beta1-1.pgdg120+1
+ENV PG_VERSION 18.1-1.pgdg12+2
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
@@ -189,7 +189,6 @@ RUN install --verbose --directory --owner postgres --group postgres --mode 3777
 # NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
 #
 ENV PGDATA /var/lib/postgresql/18/docker
-RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
 VOLUME /var/lib/postgresql
 # ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
 
diff --git a/18/bookworm/docker-entrypoint.sh b/18/bookworm/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/18/bookworm/docker-entrypoint.sh
+++ b/18/bookworm/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/18/bullseye/docker-ensure-initdb.sh b/18/bullseye/docker-ensure-initdb.sh
deleted file mode 100755
index e9b15ef77d..0000000000
--- a/18/bullseye/docker-ensure-initdb.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-#
-# This script is intended for three main use cases:
-#
-#  1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
-#
-#  2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
-#       (no-op if database is already initialized)
-#
-#  3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
-#       (error if database is already initialized)
-#
-
-source /usr/local/bin/docker-entrypoint.sh
-
-# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
-if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
-	set -- postgres "$@"
-fi
-
-# see also "_main" in "docker-entrypoint.sh"
-
-docker_setup_env
-# setup data directories and permissions (when run as root)
-docker_create_db_directories
-if [ "$(id -u)" = '0' ]; then
-	# then restart script as postgres user
-	exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-# only run initialization on an empty data directory
-if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-	docker_verify_minimum_env
-	docker_error_old_databases
-
-	# check dir permissions to reduce likelihood of half-initialized database
-	ls /docker-entrypoint-initdb.d/ > /dev/null
-
-	docker_init_database_dir
-	pg_setup_hba_conf "$@"
-
-	# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-	# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-	export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-	docker_temp_server_start "$@"
-
-	docker_setup_db
-	docker_process_init_files /docker-entrypoint-initdb.d/*
-
-	docker_temp_server_stop
-	unset PGPASSWORD
-else
-	self="$(basename "$0")"
-	case "$self" in
-		docker-ensure-initdb.sh)
-			echo >&2 "$self: note: database already initialized in '$PGDATA'!"
-			exit 0
-			;;
-
-		docker-enforce-initdb.sh)
-			echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
-			exit 1
-			;;
-
-		*)
-			echo >&2 "$self: error: unknown file name: $self"
-			exit 99
-			;;
-	esac
-fi
diff --git a/18/bullseye/docker-entrypoint.sh b/18/bullseye/docker-entrypoint.sh
deleted file mode 100755
index 5a62870b50..0000000000
--- a/18/bullseye/docker-entrypoint.sh
+++ /dev/null
@@ -1,391 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
-	local var="$1"
-	local fileVar="${var}_FILE"
-	local def="${2:-}"
-	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
-		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
-		exit 1
-	fi
-	local val="$def"
-	if [ "${!var:-}" ]; then
-		val="${!var}"
-	elif [ "${!fileVar:-}" ]; then
-		val="$(< "${!fileVar}")"
-	fi
-	export "$var"="$val"
-	unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
-	# https://unix.stackexchange.com/a/215279
-	[ "${#FUNCNAME[@]}" -ge 2 ] \
-		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
-		&& [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
-	local user; user="$(id -u)"
-
-	mkdir -p "$PGDATA"
-	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
-	chmod 00700 "$PGDATA" || :
-
-	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
-	mkdir -p /var/run/postgresql || :
-	chmod 03775 /var/run/postgresql || :
-
-	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		mkdir -p "$POSTGRES_INITDB_WALDIR"
-		if [ "$user" = '0' ]; then
-			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
-		fi
-		chmod 700 "$POSTGRES_INITDB_WALDIR"
-	fi
-
-	# allow the container to be started with `--user`
-	if [ "$user" = '0' ]; then
-		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
-		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
-	fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
-	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
-	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
-	local uid; uid="$(id -u)"
-	if ! getent passwd "$uid" &> /dev/null; then
-		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
-		local wrapper
-		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
-			if [ -s "$wrapper" ]; then
-				NSS_WRAPPER_PASSWD="$(mktemp)"
-				NSS_WRAPPER_GROUP="$(mktemp)"
-				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-				local gid; gid="$(id -g)"
-				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
-				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
-				break
-			fi
-		done
-	fi
-
-	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
-		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
-	fi
-
-	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
-	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
-	# unset/cleanup "nss_wrapper" bits
-	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
-		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
-		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
-	fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
-	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		# The - option suppresses leading tabs but *not* spaces. :)
-		cat >&2 <<-'EOE'
-			Error: Database is uninitialized and superuser password is not specified.
-			       You must specify POSTGRES_PASSWORD to a non-empty value for the
-			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
-			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
-			       connections without a password. This is *not* recommended.
-
-			       See PostgreSQL documentation about "trust":
-			       https://www.postgresql.org/docs/current/auth-trust.html
-		EOE
-		exit 1
-	fi
-	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-		cat >&2 <<-'EOWARN'
-			********************************************************************************
-			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
-			         anyone with access to the Postgres port to access your database without
-			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
-			         documentation about "trust":
-			         https://www.postgresql.org/docs/current/auth-trust.html
-			         In Docker's default configuration, this is effectively any other
-			         container on the same system.
-
-			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
-			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
-			         "docker run".
-			********************************************************************************
-		EOWARN
-	fi
-}
-# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
-docker_error_old_databases() {
-	if [ -n "${OLD_DATABASES[0]:-}" ]; then
-		cat >&2 <<-EOE
-			Error: in 18+, these Docker images are configured to store database data in a
-			       format which is compatible with "pg_ctlcluster" (specifically, using
-			       major-version-specific directory names).  This better reflects how
-			       PostgreSQL itself works, and how upgrades are to be performed.
-
-			       See also https://github.com/docker-library/postgres/pull/1259
-
-			       Counter to that, there appears to be PostgreSQL data in:
-			         ${OLD_DATABASES[*]}
-
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
-
-			       See https://github.com/docker-library/postgres/issues/37 for a (long)
-			       discussion around this process, and suggestions for how to do so.
-		EOE
-		exit 1
-	fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-#    ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
-	# psql here for backwards compatibility "${psql[@]}"
-	psql=( docker_process_sql )
-
-	printf '\n'
-	local f
-	for f; do
-		case "$f" in
-			*.sh)
-				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
-				# https://github.com/docker-library/postgres/pull/452
-				if [ -x "$f" ]; then
-					printf '%s: running %s\n' "$0" "$f"
-					"$f"
-				else
-					printf '%s: sourcing %s\n' "$0" "$f"
-					. "$f"
-				fi
-				;;
-			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
-			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
-			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
-			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
-		esac
-		printf '\n'
-	done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-#    ie: docker_process_sql -f my-file.sql
-#    ie: docker_process_sql <my-file.sql
-docker_process_sql() {
-	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
-	if [ -n "$POSTGRES_DB" ]; then
-		query_runner+=( --dbname "$POSTGRES_DB" )
-	fi
-
-	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
-	local dbAlreadyExists
-	dbAlreadyExists="$(
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
-			SELECT 1 FROM pg_database WHERE datname = :'db' ;
-		EOSQL
-	)"
-	if [ -z "$dbAlreadyExists" ]; then
-		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
-			CREATE DATABASE :"db" ;
-		EOSQL
-		printf '\n'
-	fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
-	file_env 'POSTGRES_PASSWORD'
-
-	file_env 'POSTGRES_USER' 'postgres'
-	file_env 'POSTGRES_DB' "$POSTGRES_USER"
-	file_env 'POSTGRES_INITDB_ARGS'
-	: "${POSTGRES_HOST_AUTH_METHOD:=}"
-
-	declare -g DATABASE_ALREADY_EXISTS
-	: "${DATABASE_ALREADY_EXISTS:=}"
-	declare -ag OLD_DATABASES=()
-	# look specifically for PG_VERSION, as it is expected in the DB dir
-	if [ -s "$PGDATA/PG_VERSION" ]; then
-		DATABASE_ALREADY_EXISTS='true'
-	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
-		# https://github.com/docker-library/postgres/pull/1259
-		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
-			if [ -s "$d/PG_VERSION" ]; then
-				OLD_DATABASES+=( "$d" )
-			fi
-		done
-	fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
-	# default authentication method is md5 on versions before 14
-	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-	local auth
-	# check the default/configured encryption and use that as the auth method
-	auth="$(postgres -C password_encryption "$@")"
-	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
-	{
-		printf '\n'
-		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
-			printf '# warning trust is enabled for all connections\n'
-			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
-		fi
-		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
-	} >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
-	if [ "$1" = 'postgres' ]; then
-		shift
-	fi
-
-	# internal start of server in order to allow setup using psql client
-	# does not listen on external TCP/IP and waits until start finishes
-	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
-	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
-	# any process supervisor.
-	NOTIFY_SOCKET= \
-	PGUSER="${PGUSER:-$POSTGRES_USER}" \
-	pg_ctl -D "$PGDATA" \
-		-o "$(printf '%q ' "$@")" \
-		-w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
-	PGUSER="${PGUSER:-postgres}" \
-	pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
-	local arg
-	for arg; do
-		case "$arg" in
-			# postgres --help | grep 'then exit'
-			# leaving out -C on purpose since it always fails and is unhelpful:
-			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
-			-'?'|--help|--describe-config|-V|--version)
-				return 0
-				;;
-		esac
-	done
-	return 1
-}
-
-_main() {
-	# if first arg looks like a flag, assume we want to run postgres server
-	if [ "${1:0:1}" = '-' ]; then
-		set -- postgres "$@"
-	fi
-
-	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
-		docker_setup_env
-		# setup data directories and permissions (when run as root)
-		docker_create_db_directories
-		if [ "$(id -u)" = '0' ]; then
-			# then restart script as postgres user
-			exec gosu postgres "$BASH_SOURCE" "$@"
-		fi
-
-		# only run initialization on an empty data directory
-		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-			docker_verify_minimum_env
-			docker_error_old_databases
-
-			# check dir permissions to reduce likelihood of half-initialized database
-			ls /docker-entrypoint-initdb.d/ > /dev/null
-
-			docker_init_database_dir
-			pg_setup_hba_conf "$@"
-
-			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
-			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
-			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
-			docker_temp_server_start "$@"
-
-			docker_setup_db
-			docker_process_init_files /docker-entrypoint-initdb.d/*
-
-			docker_temp_server_stop
-			unset PGPASSWORD
-
-			cat <<-'EOM'
-
-				PostgreSQL init process complete; ready for start up.
-
-			EOM
-		else
-			cat <<-'EOM'
-
-				PostgreSQL Database directory appears to contain a database; Skipping initialization
-
-			EOM
-		fi
-	fi
-
-	exec "$@"
-}
-
-if ! _is_sourced; then
-	_main "$@"
-fi
diff --git a/18/bullseye/Dockerfile b/18/trixie/Dockerfile
similarity index 97%
rename from 18/bullseye/Dockerfile
rename to 18/trixie/Dockerfile
index 2a4b74b9ff..1a6ac87ce9 100644
--- a/18/bullseye/Dockerfile
+++ b/18/trixie/Dockerfile
@@ -4,7 +4,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
 
-FROM debian:bullseye-slim
+FROM debian:trixie-slim
 
 # explicitly set user/group IDs
 RUN set -eux; \
@@ -28,7 +28,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -89,7 +89,7 @@ RUN set -ex; \
 ENV PG_MAJOR 18
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
-ENV PG_VERSION 18~beta1-1.pgdg110+1
+ENV PG_VERSION 18.1-1.pgdg13+2
 
 RUN set -ex; \
 	\
@@ -97,7 +97,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt trixie-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		amd64 | arm64 | ppc64el) \
 # arches officialy built by upstream
@@ -189,7 +189,6 @@ RUN install --verbose --directory --owner postgres --group postgres --mode 3777
 # NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
 #
 ENV PGDATA /var/lib/postgresql/18/docker
-RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
 VOLUME /var/lib/postgresql
 # ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
 
diff --git a/16/bullseye/docker-ensure-initdb.sh b/18/trixie/docker-ensure-initdb.sh
similarity index 100%
rename from 16/bullseye/docker-ensure-initdb.sh
rename to 18/trixie/docker-ensure-initdb.sh
diff --git a/18/trixie/docker-entrypoint.sh b/18/trixie/docker-entrypoint.sh
new file mode 100755
index 0000000000..c3432be675
--- /dev/null
+++ b/18/trixie/docker-entrypoint.sh
@@ -0,0 +1,382 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+	# https://unix.stackexchange.com/a/215279
+	[ "${#FUNCNAME[@]}" -ge 2 ] \
+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+		&& [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+	local user; user="$(id -u)"
+
+	mkdir -p "$PGDATA"
+	# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+	chmod 00700 "$PGDATA" || :
+
+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+	mkdir -p /var/run/postgresql || :
+	chmod 03775 /var/run/postgresql || :
+
+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		mkdir -p "$POSTGRES_INITDB_WALDIR"
+		if [ "$user" = '0' ]; then
+			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+		fi
+		chmod 700 "$POSTGRES_INITDB_WALDIR"
+	fi
+
+	# allow the container to be started with `--user`
+	if [ "$user" = '0' ]; then
+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+	fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+	local uid; uid="$(id -u)"
+	if ! getent passwd "$uid" &> /dev/null; then
+		# see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+		local wrapper
+		for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+			if [ -s "$wrapper" ]; then
+				NSS_WRAPPER_PASSWD="$(mktemp)"
+				NSS_WRAPPER_GROUP="$(mktemp)"
+				export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+				local gid; gid="$(id -g)"
+				printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+				printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+				break
+			fi
+		done
+	fi
+
+	if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+	fi
+
+	# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+	# unset/cleanup "nss_wrapper" bits
+	if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+	fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOE'
+			Error: Database is uninitialized and superuser password is not specified.
+			       You must specify POSTGRES_PASSWORD to a non-empty value for the
+			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+			       connections without a password. This is *not* recommended.
+
+			       See PostgreSQL documentation about "trust":
+			       https://www.postgresql.org/docs/current/auth-trust.html
+		EOE
+		exit 1
+	fi
+	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+		cat >&2 <<-'EOWARN'
+			********************************************************************************
+			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+			         anyone with access to the Postgres port to access your database without
+			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+			         documentation about "trust":
+			         https://www.postgresql.org/docs/current/auth-trust.html
+			         In Docker's default configuration, this is effectively any other
+			         container on the same system.
+
+			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+			         "docker run".
+			********************************************************************************
+		EOWARN
+	fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+	if [ -n "${OLD_DATABASES[0]:-}" ]; then
+		cat >&2 <<-EOE
+			Error: in 18+, these Docker images are configured to store database data in a
+			       format which is compatible with "pg_ctlcluster" (specifically, using
+			       major-version-specific directory names).  This better reflects how
+			       PostgreSQL itself works, and how upgrades are to be performed.
+
+			       See also https://github.com/docker-library/postgres/pull/1259
+
+			       Counter to that, there appears to be PostgreSQL data in:
+			         ${OLD_DATABASES[*]}
+
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
+
+			       See https://github.com/docker-library/postgres/issues/37 for a (long)
+			       discussion around this process, and suggestions for how to do so.
+		EOE
+		exit 1
+	fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+#    ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+	# psql here for backwards compatibility "${psql[@]}"
+	psql=( docker_process_sql )
+
+	printf '\n'
+	local f
+	for f; do
+		case "$f" in
+			*.sh)
+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+				# https://github.com/docker-library/postgres/pull/452
+				if [ -x "$f" ]; then
+					printf '%s: running %s\n' "$0" "$f"
+					"$f"
+				else
+					printf '%s: sourcing %s\n' "$0" "$f"
+					. "$f"
+				fi
+				;;
+			*.sql)     printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+			*.sql.gz)  printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.xz)  printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+			*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+			*)         printf '%s: ignoring %s\n' "$0" "$f" ;;
+		esac
+		printf '\n'
+	done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+#    ie: docker_process_sql -f my-file.sql
+#    ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+	if [ -n "$POSTGRES_DB" ]; then
+		query_runner+=( --dbname "$POSTGRES_DB" )
+	fi
+
+	PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+	local dbAlreadyExists
+	dbAlreadyExists="$(
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+			SELECT 1 FROM pg_database WHERE datname = :'db' ;
+		EOSQL
+	)"
+	if [ -z "$dbAlreadyExists" ]; then
+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+			CREATE DATABASE :"db" ;
+		EOSQL
+		printf '\n'
+	fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+	file_env 'POSTGRES_PASSWORD'
+
+	file_env 'POSTGRES_USER' 'postgres'
+	file_env 'POSTGRES_DB' "$POSTGRES_USER"
+	file_env 'POSTGRES_INITDB_ARGS'
+	: "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+	declare -g DATABASE_ALREADY_EXISTS
+	: "${DATABASE_ALREADY_EXISTS:=}"
+	declare -ag OLD_DATABASES=()
+	# look specifically for PG_VERSION, as it is expected in the DB dir
+	if [ -s "$PGDATA/PG_VERSION" ]; then
+		DATABASE_ALREADY_EXISTS='true'
+	elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+		# https://github.com/docker-library/postgres/pull/1259
+		for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+			if [ -s "$d/PG_VERSION" ]; then
+				OLD_DATABASES+=( "$d" )
+			fi
+		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
+	fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+	# default authentication method is md5 on versions before 14
+	# https://www.postgresql.org/about/news/postgresql-14-released-2318/
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+	local auth
+	# check the default/configured encryption and use that as the auth method
+	auth="$(postgres -C password_encryption "$@")"
+	: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+	{
+		printf '\n'
+		if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+			printf '# warning trust is enabled for all connections\n'
+			printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+		fi
+		printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+	} >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+	if [ "$1" = 'postgres' ]; then
+		shift
+	fi
+
+	# internal start of server in order to allow setup using psql client
+	# does not listen on external TCP/IP and waits until start finishes
+	set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+	# unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+	# any process supervisor.
+	NOTIFY_SOCKET= \
+	PGUSER="${PGUSER:-$POSTGRES_USER}" \
+	pg_ctl -D "$PGDATA" \
+		-o "$(printf '%q ' "$@")" \
+		-w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+	PGUSER="${PGUSER:-postgres}" \
+	pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+	local arg
+	for arg; do
+		case "$arg" in
+			# postgres --help | grep 'then exit'
+			# leaving out -C on purpose since it always fails and is unhelpful:
+			# postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+			-'?'|--help|--describe-config|-V|--version)
+				return 0
+				;;
+		esac
+	done
+	return 1
+}
+
+_main() {
+	# if first arg looks like a flag, assume we want to run postgres server
+	if [ "${1:0:1}" = '-' ]; then
+		set -- postgres "$@"
+	fi
+
+	if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+		docker_setup_env
+		# setup data directories and permissions (when run as root)
+		docker_create_db_directories
+		if [ "$(id -u)" = '0' ]; then
+			# then restart script as postgres user
+			exec gosu postgres "$BASH_SOURCE" "$@"
+		fi
+
+		# only run initialization on an empty data directory
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			docker_verify_minimum_env
+			docker_error_old_databases
+
+			# check dir permissions to reduce likelihood of half-initialized database
+			ls /docker-entrypoint-initdb.d/ > /dev/null
+
+			docker_init_database_dir
+			pg_setup_hba_conf "$@"
+
+			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+			docker_temp_server_start "$@"
+
+			docker_setup_db
+			docker_process_init_files /docker-entrypoint-initdb.d/*
+
+			docker_temp_server_stop
+			unset PGPASSWORD
+
+			cat <<-'EOM'
+
+				PostgreSQL init process complete; ready for start up.
+
+			EOM
+		else
+			cat <<-'EOM'
+
+				PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+			EOM
+		fi
+	fi
+
+	exec "$@"
+}
+
+if ! _is_sourced; then
+	_main "$@"
+fi
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index e64ad2fc2f..ad6e1632d6 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -15,7 +15,7 @@ RUN set -eux; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	\
 	apk add --no-cache --virtual .gosu-deps \
@@ -42,7 +42,7 @@ RUN set -eux; \
 # verify that the binary works
 	gosu --version; \
 	gosu nobody true
-{{ if env.version | IN("13", "14", "15", "16") then ( -}}
+{{ if env.version | IN("14", "15", "16") then ( -}}
 RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 {{ ) else "" end -}}
 
@@ -103,13 +103,16 @@ RUN set -eux; \
 		zlib-dev \
 # https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
 		icu-dev \
-{{ if .major >= 14 then ( -}}
 # https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
 		lz4-dev \
-{{ ) else "" end -}}
 {{ if .major >= 15 then ( -}}
 # https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
 		zstd-dev \
+{{ ) else "" end -}}
+{{ if .major >= 18 then ( -}}
+# https://salsa.debian.org/postgresql/postgresql-common/-/commit/89c384273f4c4092483598c292b1b1b188816cce
+# https://www.postgresql.org/docs/18/install-make.html#CONFIGURE-OPTION-WITH-LIBURING
+		liburing-dev \
 {{ ) else "" end -}}
 	; \
 	\
@@ -126,8 +129,8 @@ RUN set -eux; \
 # https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
 	export CLANG=clang-{{ llvmver }}; \
 	\
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+# configure options mostly copying Debian:
+# https://salsa.debian.org/postgresql/postgresql-common/-/blob/6e26b5107295170cc8731a3acbf13228ea15941e/server/postgresql.mk#L32
 	./configure \
 		--enable-option-checking=fatal \
 		--build="$gnuArch" \
@@ -154,19 +157,20 @@ RUN set -eux; \
 		--with-includes=/usr/local/include \
 		--with-libraries=/usr/local/lib \
 		--with-gssapi \
+		--with-icu \
 		--with-ldap \
-		--with-tcl \
-		--with-perl \
-		--with-python \
-#		--with-pam \
-		--with-openssl \
+{{ if .major >= 18 then ( -}}
+		--with-liburing \
+{{ ) else "" end -}}
 		--with-libxml \
 		--with-libxslt \
-		--with-icu \
 		--with-llvm \
-{{ if .major >= 14 then ( -}}
 		--with-lz4 \
-{{ ) else "" end -}}
+		--with-openssl \
+#		--with-pam \
+		--with-perl \
+		--with-python \
+		--with-tcl \
 {{ if .major >= 15 then ( -}}
 		--with-zstd \
 {{ ) else "" end -}}
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 81a6a0a0c5..dc3924575e 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -22,7 +22,7 @@ RUN set -ex; \
 
 # grab gosu for easy step-down from root
 # https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.17
+ENV GOSU_VERSION 1.19
 RUN set -eux; \
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
@@ -91,7 +91,7 @@ RUN set -ex; \
 	export PYTHONDONTWRITEBYTECODE=1; \
 	\
 	dpkgArch="$(dpkg --print-architecture)"; \
-	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ {{ env.variant }}-pgdg main $PG_MAJOR"; \
+	aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt {{ env.variant }}-pgdg main $PG_MAJOR"; \
 	case "$dpkgArch" in \
 		{{ .[env.variant].arches | join(" | ") }}) \
 # arches officialy built by upstream
@@ -129,10 +129,6 @@ RUN set -ex; \
 			apt-get build-dep -y postgresql-common-dev; \
 			apt-get source --compile postgresql-common-dev; \
 			_update_repo; \
-{{ if .major == 13 then ( -}}
-# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
-			DEBIAN_FRONTEND=noninteractive \
-{{ ) else "" end -}}
 			apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
 			apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
 			\
@@ -190,7 +186,6 @@ RUN install --verbose --directory --owner postgres --group postgres --mode 3777
 # NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
 #
 ENV PGDATA /var/lib/postgresql/{{ .major | tostring }}/docker
-RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
 VOLUME /var/lib/postgresql
 # ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
 {{ ) else ( -}}
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 5a62870b50..c3432be675 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -103,24 +103,6 @@ docker_init_database_dir() {
 # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
 # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
 docker_verify_minimum_env() {
-	case "${PG_MAJOR:-}" in
-		13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
-			# check password first so we can output the warning before postgres
-			# messes it up
-			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
-				cat >&2 <<-'EOWARN'
-
-					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
-					  This will not work if used via PGPASSWORD with "psql".
-
-					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
-					  https://github.com/docker-library/postgres/issues/507
-
-				EOWARN
-			fi
-			;;
-	esac
 	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
 		# The - option suppresses leading tabs but *not* spaces. :)
 		cat >&2 <<-'EOE'
@@ -168,8 +150,14 @@ docker_error_old_databases() {
 			       Counter to that, there appears to be PostgreSQL data in:
 			         ${OLD_DATABASES[*]}
 
-			       This is usually the result of upgrading the Docker image without upgrading
-			       the underlying database using "pg_upgrade" (which requires both versions).
+			       This is usually the result of upgrading the Docker image without
+			       upgrading the underlying database using "pg_upgrade" (which requires both
+			       versions).
+
+			       The suggested container configuration for 18+ is to place a single mount
+			       at /var/lib/postgresql which will then place PostgreSQL data in a
+			       subdirectory, allowing usage of "pg_upgrade --link" without mount point
+			       boundary issues.
 
 			       See https://github.com/docker-library/postgres/issues/37 for a (long)
 			       discussion around this process, and suggestions for how to do so.
@@ -264,6 +252,9 @@ docker_setup_env() {
 				OLD_DATABASES+=( "$d" )
 			fi
 		done
+		if [ "${#OLD_DATABASES[@]}" -eq 0 ] && [ "$PG_MAJOR" -ge 18 ] && mountpoint -q /var/lib/postgresql/data; then
+			OLD_DATABASES+=( '/var/lib/postgresql/data (unused mount/volume)' )
+		fi
 	fi
 }
 
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
index 234a5266a1..2c7ac7a666 100755
--- a/generate-stackbrew-library.sh
+++ b/generate-stackbrew-library.sh
@@ -2,7 +2,7 @@
 set -Eeuo pipefail
 
 declare -A aliases=(
-	[17]='latest'
+	[18]='latest'
 )
 
 self="$(basename "$BASH_SOURCE")"
diff --git a/versions.json b/versions.json
index 96e2558966..4d14db0c45 100644
--- a/versions.json
+++ b/versions.json
@@ -1,176 +1,147 @@
 {
-  "13": {
-    "alpine": "3.22",
-    "bookworm": {
-      "arches": [
-        "amd64",
-        "arm64",
-        "ppc64el"
-      ],
-      "version": "13.21-1.pgdg120+1"
-    },
-    "bullseye": {
+  "18": {
+    "alpine": "3.23",
+    "debian": "trixie",
+    "trixie": {
+      "version": "18.1-1.pgdg13+2",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "13.21-1.pgdg110+1"
+      ]
     },
-    "debian": "bookworm",
-    "major": 13,
-    "sha256": "dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4",
     "variants": [
+      "trixie",
       "bookworm",
-      "bullseye",
-      "alpine3.22",
-      "alpine3.21"
+      "alpine3.23",
+      "alpine3.22"
     ],
-    "version": "13.21"
-  },
-  "14": {
-    "alpine": "3.22",
     "bookworm": {
+      "version": "18.1-1.pgdg12+2",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "14.18-1.pgdg120+1"
+      ]
     },
-    "bullseye": {
+    "version": "18.1",
+    "sha256": "ff86675c336c46e98ac991ebb306d1b67621ece1d06787beaade312c2c915d54",
+    "major": 18
+  },
+  "17": {
+    "alpine": "3.23",
+    "debian": "trixie",
+    "trixie": {
+      "version": "17.7-3.pgdg13+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "14.18-1.pgdg110+1"
+      ]
     },
-    "debian": "bookworm",
-    "major": 14,
-    "sha256": "83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e",
     "variants": [
+      "trixie",
       "bookworm",
-      "bullseye",
-      "alpine3.22",
-      "alpine3.21"
+      "alpine3.23",
+      "alpine3.22"
     ],
-    "version": "14.18"
-  },
-  "15": {
-    "alpine": "3.22",
     "bookworm": {
+      "version": "17.7-3.pgdg12+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "15.13-1.pgdg120+1"
+      ]
     },
-    "bullseye": {
+    "version": "17.7",
+    "sha256": "ef9e343302eccd33112f1b2f0247be493cb5768313adeb558b02de8797a2e9b5",
+    "major": 17
+  },
+  "16": {
+    "alpine": "3.23",
+    "debian": "trixie",
+    "trixie": {
+      "version": "16.11-1.pgdg13+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "15.13-1.pgdg110+1"
+      ]
     },
-    "debian": "bookworm",
-    "major": 15,
-    "sha256": "4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d",
     "variants": [
+      "trixie",
       "bookworm",
-      "bullseye",
-      "alpine3.22",
-      "alpine3.21"
+      "alpine3.23",
+      "alpine3.22"
     ],
-    "version": "15.13"
-  },
-  "16": {
-    "alpine": "3.22",
     "bookworm": {
+      "version": "16.11-1.pgdg12+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "16.9-1.pgdg120+1"
+      ]
     },
-    "bullseye": {
+    "version": "16.11",
+    "sha256": "6deb08c23d03d77d8f8bd1c14049eeef64aef8968fd8891df2dfc0b42f178eac",
+    "major": 16
+  },
+  "15": {
+    "alpine": "3.23",
+    "debian": "trixie",
+    "trixie": {
+      "version": "15.15-1.pgdg13+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "16.9-1.pgdg110+1"
+      ]
     },
-    "debian": "bookworm",
-    "major": 16,
-    "sha256": "07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005",
     "variants": [
+      "trixie",
       "bookworm",
-      "bullseye",
-      "alpine3.22",
-      "alpine3.21"
+      "alpine3.23",
+      "alpine3.22"
     ],
-    "version": "16.9"
-  },
-  "17": {
-    "alpine": "3.22",
     "bookworm": {
+      "version": "15.15-1.pgdg12+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "17.5-1.pgdg120+1"
+      ]
     },
-    "bullseye": {
+    "version": "15.15",
+    "sha256": "5753aaeb8b09cbf61016f78aa69bf5cbdf01b43263f010cbf168c82896213aaa",
+    "major": 15
+  },
+  "14": {
+    "alpine": "3.23",
+    "debian": "trixie",
+    "trixie": {
+      "version": "14.20-1.pgdg13+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "17.5-1.pgdg110+1"
+      ]
     },
-    "debian": "bookworm",
-    "major": 17,
-    "sha256": "fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8",
     "variants": [
+      "trixie",
       "bookworm",
-      "bullseye",
-      "alpine3.22",
-      "alpine3.21"
+      "alpine3.23",
+      "alpine3.22"
     ],
-    "version": "17.5"
-  },
-  "18": {
-    "alpine": "3.22",
     "bookworm": {
+      "version": "14.20-1.pgdg12+1",
       "arches": [
         "amd64",
         "arm64",
         "ppc64el"
-      ],
-      "version": "18~beta1-1.pgdg120+1"
+      ]
     },
-    "bullseye": {
-      "arches": [
-        "amd64",
-        "arm64",
-        "ppc64el"
-      ],
-      "version": "18~beta1-1.pgdg110+1"
-    },
-    "debian": "bookworm",
-    "major": 18,
-    "sha256": "0b7c83df6195398aa67dbf5c002e7fa4082be393aae99aa69926d483f98eb885",
-    "variants": [
-      "bookworm",
-      "bullseye",
-      "alpine3.22",
-      "alpine3.21"
-    ],
-    "version": "18beta1"
+    "version": "14.20",
+    "sha256": "7527f10f1640761bc280ad97d105d286d0cf72e54d36d78cf68e5e5f752b646b",
+    "major": 14
   }
 }
diff --git a/versions.sh b/versions.sh
index f466ac57a9..f9b78f5f79 100755
--- a/versions.sh
+++ b/versions.sh
@@ -3,12 +3,12 @@ set -Eeuo pipefail
 
 # we will support at most two entries in each of these lists, and both should be in descending order
 supportedDebianSuites=(
+	trixie
 	bookworm
-	bullseye
 )
 supportedAlpineVersions=(
+	3.23
 	3.22
-	3.21
 )
 defaultDebianSuite="${supportedDebianSuites[0]}"
 declare -A debianSuites=(
@@ -151,4 +151,4 @@ for version in "${versions[@]}"; do
 	')"
 done
 
-jq <<<"$json" -S . > versions.json
+jq <<<"$json" 'to_entries | sort_by(.key | split(".") | map(tonumber? // .)) | reverse | from_entries' > versions.json