Word/Excel/PowerPoint to PDF conversion uses LibreOffice WASM which
requires SharedArrayBuffer. SharedArrayBuffer only works when the server
sends Cross-Origin-Opener-Policy: same-origin and
Cross-Origin-Embedder-Policy: require-corp headers.
The previous http-server setup did not send these headers, causing WASM
initialization to time out for office-format conversions.
Fix: replace http-server with nginx and configure COOP/COEP headers in the
nginx site config, matching the upstream Docker image's nginx.conf.
Also adds a one-time migration path in update_script for existing installs
running the old http-server service.
Helmet's useDefaults adds upgrade-insecure-requests to the CSP,
which forces browsers to upgrade all HTTP requests to HTTPS.
Since most LXC users access Immich directly via HTTP, this breaks
the web UI completely (CORS errors, spinning logo).
Patch helmet.json after deploy to explicitly null out the directive,
keeping CSP benefits while allowing HTTP access.
Fixes#13597
* Rename gokapi binary and update service
Change the installed binary name from pre-v2.2.4 `gokapi-linux_amd64` to v2.2.4+ `gokapi` and update service configuration accordingly. Add a migration step to remove any legacy `gokapi-linux_amd64` binary file, update binary reference in existing `gokapi.service`, and reload systemd before starting the service.
* Update comment for binary name migration
---------
Co-authored-by: Tobias <96661824+CrazyWolf13@users.noreply.github.com>
* fix(immich): use start.sh in service, ensure DB_HOSTNAME in .env
* Bump Immich to v2.6.2 and adjust chown handling
Update Immich release references from v2.6.1 to v2.6.2 in ct/immich.sh and install/immich-install.sh. Replace broad recursive chown -R on the install dir with a safer approach that avoids recursing into the upload directory (which may be a mounted volume with restricted permissions): set ownership on the install dir itself, chown each top-level entry except 'upload', and attempt to chown the upload path while ignoring errors. Also adjust ordering for /var/log/immich chown to avoid permission issues when enabling services.
* fix(nginxproxymanager): build OpenResty from source via GitHub releases
Replace the unreliable openresty.org apt repository with building
OpenResty from source. Uses fetch_and_deploy_gh_release to download
from github.com/openresty/openresty/releases, then compiles locally.
The apt mirror frequently has sync issues (mismatched file sizes/hashes)
causing 'apt update' to fail with exit code 100.
Changes:
- Use fetch_and_deploy_gh_release for OpenResty source download
- Compile with configure/make/make install
- Add build dependencies (libpcre3-dev, libssl-dev, zlib1g-dev)
- Create systemd service unit for source-built OpenResty
- Update script: remove old apt repo, migrate to source build
* Fix installation command syntax for dependencies
* bump from ved testing
* fix(kometa): fix config.yml sed patterns, add Quickstart integration
- Fix sed commands for plex token and tmdb apikey (empty values in template, not hash placeholders)
- Use section-aware sed to avoid replacing wrong token/apikey fields
- Add Kometa Quickstart web UI on port 7171
* Enhance kometa-install.sh for virtualenv and services
Updated the installation script to include a virtual environment setup and modified service enabling commands.
* Update install/kometa-install.sh
Co-authored-by: Tobias <96661824+CrazyWolf13@users.noreply.github.com>
---------
Co-authored-by: Slaviša Arežina <58952836+tremor021@users.noreply.github.com>
Co-authored-by: Tobias <96661824+CrazyWolf13@users.noreply.github.com>
