The previous logic using 'file | grep PGP' was inverted — both
ASCII-armored and binary GPG keys matched the pattern, causing
ASCII-armored keys to be copied directly instead of being
dearmored. This resulted in APT failing with NO_PUBKEY errors
on Debian 12 (bookworm).
Use 'grep BEGIN PGP' to reliably detect ASCII-armored keys and
dearmor them, otherwise copy binary keys directly.
gpg --dearmor creates files with restrictive permissions (600),
which prevents Debian 13's sqv signature verifier from reading
the keyring files. This causes apt update to fail with
'Permission denied' errors for all repositories using custom
GPG keys (adoptium, pgdg, pdm, etc.).
Set chmod 644 after creating .gpg files in both setup_deb822_repo()
and the MongoDB GPG key import in manage_tool_repository().
The UniFi GPG key at dl.ui.com/unifi/unifi-repo.gpg is already in binary
format. setup_deb822_repo unconditionally ran gpg --dearmor which expects
ASCII-armored input, corrupting binary keys and causing apt to fail with
'Unable to locate package unifi'.
setup_deb822_repo now downloads the key to a temp file first and uses
the file command to detect whether it is already a binary PGP/GPG key.
Binary keys are copied directly; armored keys are dearmored as before.
This also reverts unifi-install.sh back to using setup_deb822_repo for
consistency with all other install scripts.
Add missing libmfx-gen1.2 package to _setup_intel_arc() for both
Ubuntu and Debian. Without this package, QSV hardware acceleration
fails with 'Error creating a MFX session: -9'.
The package was already present in _setup_intel_modern() (Gen9+)
but missing from the Arc GPU path.
Closes#11701
When fetch_and_deploy_gh_release fails to find a matching asset in the
target release (binary/prebuild/singlefile modes), scan up to 15 older
releases for a compatible asset. Prompts the user with a 60s timeout
(default: yes) before using the fallback version.
Addresses issues like SigNoz #11652 where the latest release has no
matching OTel collector binary.
- Add Codeberg API functions: codeberg_api_call, get_latest_codeberg_release, check_for_codeberg_release
- Add fetch_and_deploy_codeberg_release function for Codeberg releases
- Update autocaliweb install and update scripts to use Codeberg
- Update autocaliweb.json documentation and website URLs
Changes to setup_php():
- Add version detection for PHP 8.5+ built-in opcache
- Define BUILTIN_MODULES list for modules included in php-common
(ctype, fileinfo, iconv, tokenizer, phar, posix, etc.)
- Filter out built-in modules before attempting installation
- Verify each package exists via apt-cache before adding to install list
- Skip unavailable packages with informational message instead of error
- Add extended default modules (mysql, sqlite3, pgsql, redis, imagick,
bz2, apcu) to cover ~90% of typical use cases
- Improve error handling with graceful degradation
This prevents installation failures when:
- PHP version has module built into core (e.g., opcache in 8.5+)
- Module is provided by php-common (ctype, fileinfo, etc.)
- Package is renamed or unavailable in specific PHP version
Fixes#11359
Bug fixes:
- dumpUid is only available AFTER the dump task completes, not in the
initial POST /dumps response. Fixed the extraction logic to wait for
task completion first, then extract dumpUid from the task result.
- Removed non-existent API endpoint /dumps/{uid}/import - Meilisearch
only supports dump import via CLI flag --import-dump
Improvements:
- If dump creation fails, backup the data directory before proceeding
instead of just overwriting (allows manual recovery)
- Better error messages with actual API response content
- Proper health check loop during import with process monitoring
- Clear user guidance about what to do after failed migration
Fixes#11349
Meilisearch requires a dump/restore process when upgrading between
incompatible versions (different major.minor). The previous update
logic simply replaced the binary, causing database corruption.
This fix:
- Detects version changes that require migration
- Creates a data dump before upgrading
- Removes old incompatible data after binary update
- Imports the dump to restore data in new format
- Falls back to --import-dump CLI flag for older API versions
- Adds proper error handling and timeouts
Fixes#11349
Set SYSTEMD_OFFLINE=1 for apt/dpkg in binary mode to prevent systemd-tmpfiles
'unsafe path transition' errors in unprivileged containers (Debian 13+/systemd 257+).
- nvidia-utils is a virtual package and requires version suffix (e.g. nvidia-utils-580)
- Use nvidia_major_version to install correct versioned packages
- Show helpful warning message instead of crashing on failure
Fixes installation failures on Ubuntu 24.04 with NVIDIA 580.x drivers
* fix(core): add IPv6 fallback support to get_current_ip functions
Fixes IP detection in IPv6-only environments by adding fallback:
- Try IPv4 first (existing behavior)
- Fall back to IPv6 via interface lookup (eth0 scope global)
- Fall back to IPv6 routing with Google/Cloudflare DNS targets
Closes #issue-ipv6-only-environment
* fix(build): use SSH_AUTHORIZED_KEY from user defaults when no SSH_KEYS_FILE exists
When using 'User Defaults' with var_ssh_authorized_key set in default.vars,
the SSH key was not being installed because install_ssh_keys_into_ct() only
checked for SSH_KEYS_FILE (which is only created in Advanced Settings).
Now the function also checks SSH_AUTHORIZED_KEY and creates a temporary
SSH_KEYS_FILE if needed.
Fixes#11062
- Changed setup_mariadb() to use Debian/Ubuntu distribution packages by default
- Official MariaDB repository only used when specific version is requested
- Added cleanup logic for old/orphaned repository files with apt update
- Added version comparison to prevent downgrades (keeps higher version installed)
- Added automatic fallback to distro packages if repo installation fails
- Extracted _setup_mariadb_runtime_dir() helper function
- Updated all related documentation
This change improves reliability by avoiding MariaDB mirror issues
(HTTPS->HTTP redirects, geographic availability problems) for standard
installations while still allowing specific versions when needed.
Switches to using the ondrej/php PPA for Ubuntu and retains the Sury repository for Debian when setting up PHP. This ensures compatibility with the respective distributions' recommended PHP sources.
Replaces all apt commands with apt-get for consistency and adds noninteractive environment variables to prevent interactive dialogs during NVIDIA GPU driver installation. Also adds --force-confold to preserve existing config files and ensures smoother automated installs.
- Check if beignet-opencl-icd package is available before installation
- Package was removed in Debian 12+ and Ubuntu 22.04+
- VA-API hardware acceleration still works without OpenCL
- Prevents installation failure on systems with Intel HD 2000-5999 GPUs
- libigdgmm12: Fetch from intel/compute-runtime (not gmmlib which has no releases)
- intel-igc-core-2: Correct pattern with -2 suffix
- intel-igc-opencl-2: Correct pattern with -2 suffix
- libze-intel-gpu1: Correct package name (was intel-level-zero-gpu)
- Remove libigdgmm12 from apt install (already fetched from GitHub)
- Only fetch GitHub packages for Trixie/Sid (Bookworm uses repos)
Verified all patterns against actual GitHub release assets.
- Fix ((gpu_count++)) returning exit code 1 when count=0
- Fix ((failed_modules++)) same issue in setup_nodejs
- Add || true to all arithmetic increments starting from 0
- Export ENABLE_GPU from build.func to container
- Check ENABLE_GPU instead of var_gpu in setup_hwaccel
The bash arithmetic expansion ((0)) and ((x++)) when x=0
returns exit code 1, which causes immediate script abort
when set -e is active.
Refactored various shell functions to add more robust error handling by redirecting stderr to /dev/null and using '|| true' to prevent script failures. Enhanced npm cache cleanup to remove both _cacache and _logs directories, and improved reliability of version and keyring extraction commands. These changes increase script resilience and prevent unnecessary errors from halting execution.
* fix(jellyfin): use setup_hwaccel for robust hardware acceleration
Replaces manual hardware acceleration setup with the centralized
setup_hwaccel function from tools.func.
This fixes the installation failure in privileged containers where
/dev/dri does not exist (e.g., when no GPU is passed through).
The setup_hwaccel function includes:
- Proper error handling for missing /dev/dri
- GPU vendor detection (Intel, AMD, NVIDIA)
- Graceful fallback when no GPU is available
Fixes: Installation fails with 'chgrp: cannot access /dev/dri'
when creating privileged containers without GPU passthrough.
* refactor(hwaccel): standardize hardware acceleration across all install scripts
Migrated all install scripts to use the centralized setup_hwaccel function:
- plex-install.sh
- emby-install.sh
- ersatztv-install.sh
- frigate-install.sh
- tdarr-install.sh
- unmanic-install.sh
- channels-install.sh
- ollama-install.sh
- immich-install.sh (added error handling)
Enhanced setup_hwaccel function in tools.func:
- Added -d /dev/dri check before setting permissions
- Added error handling (2>/dev/null || true) for all /dev/dri operations
- Added adduser error handling for video/render groups
- No longer fails if no GPU is detected (graceful skip)
- Added intel-media-va-driver for newer Intel GPUs
- Improved AMD APU support with firmware packages
- Better NVIDIA handling (warning instead of failure)
This fixes installation failures in privileged containers without GPU
passthrough, where /dev/dri does not exist.
Supports: Ubuntu, Debian 12 (Bookworm), Debian 13 (Trixie)
GPU Support: Intel, AMD, NVIDIA (manual driver)
* refactor(hwaccel): complete migration for all GPU apps
Migrated remaining GPU apps to setup_hwaccel:
- fileflows-install.sh
- openwebui-install.sh (added setup_hwaccel - was missing)
- tunarr-install.sh
Also fixed tools/pve/hw-acceleration.sh:
- Added error handling for /dev/dri operations
- Added chmod 660 /dev/dri/* that was missing
- Added error suppression for adduser commands
All 13 GPU apps (var_gpu=yes) now use centralized setup_hwaccel:
jellyfin, plex, emby, ersatztv, frigate, tdarr, unmanic,
channels, ollama, immich, fileflows, openwebui, tunarr
* feat(hwaccel): complete Intel non-free driver support and GID sync
Enhanced setup_hwaccel function:
- Auto-detect Intel GPU generation (Gen 9+ for non-free drivers)
- Debian 12 (Bookworm): Add non-free repo + intel-media-va-driver-non-free
- Debian 13 (Trixie): Add non-free repo + libvpl2 + mesa-opencl-icd
- Ubuntu: Use ubuntu repos with intel-media-va-driver
- Fallback to open drivers if non-free fails
- GID sync for video/render groups (moved from install scripts)
OpenWebUI: Added Intel oneAPI support when installing Ollama
- Intel Level Zero GPU support
- Intel oneAPI Base Toolkit
- Same setup as standalone Ollama install
Cleanup:
- Removed duplicate GID sync from tdarr-install.sh
- Removed duplicate GID sync from unmanic-install.sh
* fix(ersatztv): remove duplicate HW acceleration code
Removed manual Intel HW acceleration setup that remained after
setup_hwaccel migration. The non-free driver prompt is no longer
needed as setup_hwaccel auto-detects Intel GPU generation.
Add error suppression and || true to awk commands that parse rustc version.
Prevents 'Operation not permitted' errors in containers with restricted syscalls.
* Switch container exec from bash to sh in fix_gpu_gids
Replaces bash with sh for container execution in fix_gpu_gids and updates device matching logic to use a POSIX-compliant case statement. This improves compatibility with containers that may not have bash installed.
* fix(apt): auto-recover from interrupted dpkg operations
When a previous installation is interrupted (e.g., by script error or
user cancellation), dpkg can be left in an inconsistent state requiring
'dpkg --configure -a' to fix.
This change:
- Adds dpkg --configure -a check to ensure_apt_working()
- Adds dpkg --configure -a to retry logic in install_packages_with_retry()
- Adds dpkg --configure -a to retry logic in upgrade_packages_with_retry()
Fixes: Omada Controller update failing after interrupted installation
Reported-in: #9663
