fix: pre-fill timezone with host timezone in advanced settings

Advanced Settings Wizard (28 steps):
- Step 18: FUSE Support (inherits var_fuse)
- Step 19: TUN/TAP Support (inherits var_tun)
- Step 20: Nesting Support (inherits var_nesting)
- Step 21: GPU Passthrough (inherits var_gpu)
- Step 22: Keyctl Support (inherits var_keyctl)
- Step 23: APT Cacher Proxy (inherits var_apt_cacher/var_apt_cacher_ip)
- Step 24: Container Timezone (inherits var_timezone)
- Step 25: Container Protection (inherits var_protection)
- Step 26: Device Node Creation (inherits var_mknod)
- Step 27: Mount Filesystems (inherits var_mount_fs)
- Step 28: Verbose Mode & Confirmation

All var_* from CT scripts now pre-populate wizard fields with '(App default: X)' hints.

Documentation:
- New BUILD_FUNC_ADVANCED_SETTINGS.md with full wizard reference
- Updated BUILD_FUNC_ENVIRONMENT_VARIABLES.md with all feature flags
- Updated README.md with new documentation link

CHANGELOG.md

@@ -10,8 +10,65 @@
 > [!CAUTION]
 Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit the project's popularity for potentially malicious purposes.
 
+## 2025-12-08
+
+### 🚀 Updated Scripts
+
+  - typo: tandoor instead of trandoor [@Neonize](https://github.com/Neonize) ([#9771](https://github.com/community-scripts/ProxmoxVE/pull/9771))
+
+  - #### ✨ New Features
+
+    - feat: Add var_gpu flag for GPU passthrough configuration [@MickLesk](https://github.com/MickLesk) ([#9764](https://github.com/community-scripts/ProxmoxVE/pull/9764))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - fix: always show SSH access dialog in advanced settings [@MickLesk](https://github.com/MickLesk) ([#9765](https://github.com/community-scripts/ProxmoxVE/pull/9765))
+
+## 2025-12-07
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - wanderer: add meilisearch dumpless upgrade for database migration [@MickLesk](https://github.com/MickLesk) ([#9749](https://github.com/community-scripts/ProxmoxVE/pull/9749))
+
+  - #### 💥 Breaking Changes
+
+    - Refactor: Inventree (uses now ubuntu 24.04) [@MickLesk](https://github.com/MickLesk) ([#9752](https://github.com/community-scripts/ProxmoxVE/pull/9752))
+    - Revert Zammad: use Debian 12 and dynamic APT source version [@MickLesk](https://github.com/MickLesk) ([#9750](https://github.com/community-scripts/ProxmoxVE/pull/9750))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - tools.func: handle empty grep results in stop_all_services [@MickLesk](https://github.com/MickLesk) ([#9748](https://github.com/community-scripts/ProxmoxVE/pull/9748))
+    - Remove Debian from GPU passthrough [@MickLesk](https://github.com/MickLesk) ([#9754](https://github.com/community-scripts/ProxmoxVE/pull/9754))
+
+  - #### ✨ New Features
+
+    - core: motd - dynamically read OS version on each login [@MickLesk](https://github.com/MickLesk) ([#9751](https://github.com/community-scripts/ProxmoxVE/pull/9751))
+
+### 🌐 Website
+
+  - FAQ update [@tremor021](https://github.com/tremor021) ([#9742](https://github.com/community-scripts/ProxmoxVE/pull/9742))
+
 ## 2025-12-06
 
+### 🚀 Updated Scripts
+
+  - Update domain-locker-install.sh to enable auto-start after reboot [@alexindigo](https://github.com/alexindigo) ([#9715](https://github.com/community-scripts/ProxmoxVE/pull/9715))
+
+  - #### 🐞 Bug Fixes
+
+    - InfluxDB: Remove InfluxData source list post-installation [@tremor021](https://github.com/tremor021) ([#9723](https://github.com/community-scripts/ProxmoxVE/pull/9723))
+    - InfluxDB: Update InfluxDB repository key URL [@tremor021](https://github.com/tremor021) ([#9720](https://github.com/community-scripts/ProxmoxVE/pull/9720))
+
+  - #### ✨ New Features
+
+    - pin Portainer Update to CE Version only [@sgaert](https://github.com/sgaert) ([#9710](https://github.com/community-scripts/ProxmoxVE/pull/9710))
+
 ## 2025-12-05
 
 ### 🆕 New Scripts

ct/bookstack.sh

@@ -51,7 +51,7 @@ function update_script() {
     msg_info "Configuring BookStack"
     cd /opt/bookstack
     export COMPOSER_ALLOW_SUPERUSER=1
-    $STD composer install --no-dev
+    $STD /usr/local/bin/composer install --no-dev
     $STD php artisan migrate --force
     chown www-data:www-data -R /opt/bookstack /opt/bookstack/bootstrap/cache /opt/bookstack/public/uploads /opt/bookstack/storage
     chmod -R 755 /opt/bookstack /opt/bookstack/bootstrap/cache /opt/bookstack/public/uploads /opt/bookstack/storage

ct/channels.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-0}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables
@@ -38,4 +39,4 @@ description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8089${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8089${CL}"

ct/comfyui.sh

@@ -24,11 +24,11 @@ function update_script() {
   check_container_storage
   check_container_resources
 
-  if [[ ! -f /opt/${APP} ]]; then
+  if [[ ! -d /opt/ComfyUI ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi
-  msg_error "To update use the ${APP} Manager."
+  msg_error "To update use the ComfyUI Manager."
   exit
 }
 

ct/dispatcharr.sh

@@ -87,6 +87,11 @@ function update_script() {
       mv /tmp/start-daphne.sh.backup /opt/dispatcharr/start-daphne.sh
     fi
 
+    if ! grep -q "DJANGO_SECRET_KEY" /opt/dispatcharr/.env; then
+        DJANGO_SECRET=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | cut -c1-50)
+        echo "DJANGO_SECRET_KEY=$DJANGO_SECRET" >> /opt/dispatcharr/.env
+    fi
+
     cd /opt/dispatcharr
     rm -rf .venv
     $STD uv venv

ct/docker.sh

@@ -47,7 +47,7 @@ function update_script() {
     msg_ok "Docker Compose updated"
   fi
 
-  if docker ps -a --format '{{.Names}}' | grep -q '^portainer$'; then
+  if docker ps -a --format '{{.Image}}' | grep -q '^portainer/portainer-ce:latest$'; then
     msg_info "Updating Portainer"
     $STD docker pull portainer/portainer-ce:latest
     $STD docker stop portainer && docker rm portainer

ct/emby.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/ersatztv.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-5}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/fileflows.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/frigate.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-20}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-11}"
 var_unprivileged="${var_unprivileged:-0}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables
@@ -38,4 +39,4 @@ description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5000${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5000${CL}"

ct/immich.sh

@@ -13,6 +13,7 @@ var_ram="${var_ram:-4096}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/inventree.sh

@@ -10,8 +10,8 @@ var_tags="${var_tags:-inventory}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-2048}"
 var_disk="${var_disk:-6}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
+var_os="${var_os:-ubuntu}"
+var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
 
 header_info "$APP"
@@ -28,10 +28,16 @@ function update_script() {
     msg_error "No ${APP} Installation Found!"
     exit
   fi
-  msg_info "Updating $APP"
+
+  if ! grep -qE "^ID=(ubuntu)$" /etc/os-release; then
+    msg_error "Unsupported OS. InvenTree requires Ubuntu (20.04/22.04/24.04)."
+    exit
+  fi
+
+  msg_info "Updating InvenTree"
   $STD apt update
   $STD apt install --only-upgrade inventree -y
-  msg_ok "Updated $APP"
+  msg_ok "Updated InvenTree"
   msg_ok "Updated successfully!"
   exit
 }

ct/jellyfin.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-16}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/ollama.sh

@@ -12,6 +12,7 @@ var_ram="${var_ram:-4096}"
 var_disk="${var_disk:-35}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/openwebui.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-25}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/plex.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables
@@ -23,8 +24,8 @@ function update_script() {
   header_info
   check_container_storage
   check_container_resources
-  if [[ ! -f /etc/apt/sources.list.d/plexmediaserver.list ]] \
-   && [[ ! -f /etc/apt/sources.list.d/plexmediaserver.sources ]]; then
+  if [[ ! -f /etc/apt/sources.list.d/plexmediaserver.list ]] &&
+    [[ ! -f /etc/apt/sources.list.d/plexmediaserver.sources ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi

ct/tandoor.sh

@@ -65,7 +65,7 @@ EOF
     $STD /opt/tandoor/.venv/bin/python manage.py migrate
     $STD /opt/tandoor/.venv/bin/python manage.py collectstatic --no-input
     rm -rf /opt/tandoor.bak
-    msg_ok "Updated Trandoor"
+    msg_ok "Updated Tandoor"
 
     msg_info "Starting Service"
     systemctl start tandoor

ct/tdarr.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-4}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/tunarr.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-5}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/unmanic.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-4}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-0}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/wanderer.sh

@@ -55,7 +55,8 @@ function update_script() {
         systemctl stop wanderer-web
         msg_ok "Stopped service"
 
-    		fetch_and_deploy_gh_release "meilisearch" "meilisearch/meilisearch" "binary" "latest" "/opt/wanderer/source/search"
+        fetch_and_deploy_gh_release "meilisearch" "meilisearch/meilisearch" "binary" "latest" "/opt/wanderer/source/search"
+        grep -q -- '--experimental-dumpless-upgrade' /opt/wanderer/start.sh || sed -i 's|meilisearch --master-key|meilisearch --experimental-dumpless-upgrade --master-key|' /opt/wanderer/start.sh
 
         msg_info "Starting service"
         systemctl start wanderer-web

ct/zammad.sh

@@ -11,7 +11,7 @@ var_disk="${var_disk:-8}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-4096}"
 var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
+var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
 
 header_info "$APP"

docs/TECHNICAL_REFERENCE.md

@@ -1,8 +1,8 @@
 # Technical Reference: Configuration System Architecture
 
 > **For Developers and Advanced Users**
-> 
-> *Deep dive into how the defaults and configuration system works*
+>
+> _Deep dive into how the defaults and configuration system works_
 
 ---
 
@@ -123,13 +123,13 @@ VAR_VALUE  := [^\n]*  # Any printable characters except newline
 
 **Constraints**:
 
-| Constraint | Value |
-|-----------|-------|
-| Max file size | 64 KB |
-| Max line length | 1024 bytes |
-| Max variables | 100 |
-| Allowed var names | `var_[a-z_]+` |
-| Value validation | Whitelist + Sanitization |
+| Constraint        | Value                    |
+| ----------------- | ------------------------ |
+| Max file size     | 64 KB                    |
+| Max line length   | 1024 bytes               |
+| Max variables     | 100                      |
+| Allowed var names | `var_[a-z_]+`            |
+| Value validation  | Whitelist + Sanitization |
 
 **Example Valid File**:
 
@@ -206,21 +206,24 @@ var_tags=dns,pihole
 **Purpose**: Safely load variables from .vars files without using `source` or `eval`
 
 **Signature**:
+
 ```bash
 load_vars_file(filepath)
 ```
 
 **Parameters**:
 
-| Param | Type | Required | Example |
-|-------|------|----------|---------|
-| filepath | String | Yes | `/usr/local/community-scripts/default.vars` |
+| Param    | Type   | Required | Example                                     |
+| -------- | ------ | -------- | ------------------------------------------- |
+| filepath | String | Yes      | `/usr/local/community-scripts/default.vars` |
 
 **Returns**:
+
 - `0` on success
 - `1` on error (file missing, parse error, etc.)
 
 **Environment Side Effects**:
+
 - Sets all parsed `var_*` variables as shell variables
 - Does NOT unset variables if file missing (safe)
 - Does NOT affect other variables
@@ -230,25 +233,25 @@ load_vars_file(filepath)
 ```bash
 load_vars_file() {
   local file="$1"
-  
+
   # File must exist
   [ -f "$file" ] || return 0
-  
+
   # Parse line by line (not with source/eval)
   local line key val
   while IFS='=' read -r key val || [ -n "$key" ]; do
     # Skip comments and empty lines
     [[ "$key" =~ ^[[:space:]]*# ]] && continue
     [[ -z "$key" ]] && continue
-    
+
     # Validate key is in whitelist
     _is_whitelisted_key "$key" || continue
-    
+
     # Sanitize and export value
     val="$(_sanitize_value "$val")"
     [ $? -eq 0 ] && export "$key=$val"
   done < "$file"
-  
+
   return 0
 }
 ```
@@ -281,6 +284,7 @@ echo "Allocating ${var_ram} MB RAM"
 **Purpose**: Get the full path for app-specific defaults file
 
 **Signature**:
+
 ```bash
 get_app_defaults_path()
 ```
@@ -288,6 +292,7 @@ get_app_defaults_path()
 **Parameters**: None
 
 **Returns**:
+
 - String: Full path to app defaults file
 
 **Implementation**:
@@ -322,6 +327,7 @@ load_vars_file "$(get_app_defaults_path)"
 **Purpose**: Load and display user global defaults
 
 **Signature**:
+
 ```bash
 default_var_settings()
 ```
@@ -329,6 +335,7 @@ default_var_settings()
 **Parameters**: None
 
 **Returns**:
+
 - `0` on success
 - `1` on error
 
@@ -337,15 +344,15 @@ default_var_settings()
 ```
 1. Find default.vars location
    (usually /usr/local/community-scripts/default.vars)
-   
+
 2. Create if missing
-   
+
 3. Load variables from file
-   
+
 4. Map var_verbose → VERBOSE variable
-   
+
 5. Call base_settings (apply to container config)
-   
+
 6. Call echo_default (display summary)
 ```
 
@@ -354,20 +361,20 @@ default_var_settings()
 ```bash
 default_var_settings() {
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
     var_gateway var_hostname var_ipv6_method var_mac var_mtu
     var_net var_ns var_pw var_ram var_tags var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key
     var_container_storage var_template_storage
   )
-  
+
   # Ensure file exists
   _ensure_default_vars
-  
+
   # Find and load
   local dv="$(_find_default_vars)"
   load_vars_file "$dv"
-  
+
   # Map verbose flag
   if [[ -n "${var_verbose:-}" ]]; then
     case "${var_verbose,,}" in
@@ -375,7 +382,7 @@ default_var_settings() {
       *) VERBOSE="${var_verbose}" ;;
     esac
   fi
-  
+
   # Apply and display
   base_settings "$VERBOSE"
   echo_default
@@ -389,6 +396,7 @@ default_var_settings() {
 **Purpose**: Offer to save current settings as app-specific defaults
 
 **Signature**:
+
 ```bash
 maybe_offer_save_app_defaults()
 ```
@@ -413,10 +421,10 @@ maybe_offer_save_app_defaults()
 ```bash
 maybe_offer_save_app_defaults() {
   local app_vars_path="$(get_app_defaults_path)"
-  
+
   # Build current settings from memory
   local new_tmp="$(_build_current_app_vars_tmp)"
-  
+
   # Check if already exists
   if [ -f "$app_vars_path" ]; then
     # Show diff and ask: Update? Keep? View Diff?
@@ -438,29 +446,31 @@ maybe_offer_save_app_defaults() {
 **Purpose**: Remove dangerous characters/patterns from configuration values
 
 **Signature**:
+
 ```bash
 _sanitize_value(value)
 ```
 
 **Parameters**:
 
-| Param | Type | Required |
-|-------|------|----------|
-| value | String | Yes |
+| Param | Type   | Required |
+| ----- | ------ | -------- |
+| value | String | Yes      |
 
 **Returns**:
+
 - `0` (success) + sanitized value on stdout
 - `1` (failure) + nothing if dangerous
 
 **Dangerous Patterns**:
 
-| Pattern | Threat | Example |
-|---------|--------|---------|
-| `$(...)` | Command substitution | `$(rm -rf /)` |
-| `` ` ` `` | Command substitution | `` `whoami` `` |
-| `;` | Command separator | `value; rm -rf /` |
-| `&` | Background execution | `value & malicious` |
-| `<(` | Process substitution | `<(cat /etc/passwd)` |
+| Pattern   | Threat               | Example              |
+| --------- | -------------------- | -------------------- |
+| `$(...)`  | Command substitution | `$(rm -rf /)`        |
+| `` ` ` `` | Command substitution | `` `whoami` ``       |
+| `;`       | Command separator    | `value; rm -rf /`    |
+| `&`       | Background execution | `value & malicious`  |
+| `<(`      | Process substitution | `<(cat /etc/passwd)` |
 
 **Implementation**:
 
@@ -501,17 +511,19 @@ fi
 **Purpose**: Check if variable name is in allowed whitelist
 
 **Signature**:
+
 ```bash
 _is_whitelisted_key(key)
 ```
 
 **Parameters**:
 
-| Param | Type | Required | Example |
-|-------|------|----------|---------|
-| key | String | Yes | `var_cpu` |
+| Param | Type   | Required | Example   |
+| ----- | ------ | -------- | --------- |
+| key   | String | Yes      | `var_cpu` |
 
 **Returns**:
+
 - `0` if key is whitelisted
 - `1` if key is NOT whitelisted
 
@@ -573,6 +585,7 @@ Step 4: Use BUILT-IN DEFAULTS
 ### Precedence Examples
 
 **Example 1: Environment Variable Wins**
+
 ```bash
 # Shell environment has highest priority
 $ export var_cpu=16
@@ -583,6 +596,7 @@ $ bash pihole-install.sh
 ```
 
 **Example 2: App Defaults Override User Defaults**
+
 ```bash
 # User Defaults: var_cpu=4
 # App Defaults: var_cpu=2
@@ -593,6 +607,7 @@ $ bash pihole-install.sh
 ```
 
 **Example 3: All Defaults Missing (Built-ins Used)**
+
 ```bash
 # No environment variables set
 # No app defaults file
@@ -611,21 +626,21 @@ $ bash pihole-install.sh
 base_settings() {
   # Priority 1: Environment variables (already set if export used)
   CT_TYPE=${var_unprivileged:-"1"}          # Use existing or default
-  
+
   # Priority 2: Load app defaults (may override above)
   if [ -f "$(get_app_defaults_path)" ]; then
     load_vars_file "$(get_app_defaults_path)"
   fi
-  
+
   # Priority 3: Load user defaults
   if [ -f "/usr/local/community-scripts/default.vars" ]; then
     load_vars_file "/usr/local/community-scripts/default.vars"
   fi
-  
+
   # Priority 4: Apply built-in defaults (lowest)
   CORE_COUNT=${var_cpu:-"${APP_CPU_DEFAULT:-2}"}
   RAM_SIZE=${var_ram:-"${APP_RAM_DEFAULT:-1024}"}
-  
+
   # Result: var_cpu has been set through precedence chain
 }
 ```
@@ -734,14 +749,14 @@ CONTAINER CREATION STARTED
 
 ### Threat Model
 
-| Threat | Mitigation |
-|--------|-----------|
-| **Arbitrary Code Execution** | No `source` or `eval`; manual parsing only |
-| **Variable Injection** | Whitelist of allowed variable names |
-| **Command Substitution** | `_sanitize_value()` blocks `$()`, backticks, etc. |
-| **Path Traversal** | Files locked to `/usr/local/community-scripts/` |
-| **Permission Escalation** | Files created with restricted permissions |
-| **Information Disclosure** | Sensitive variables not logged |
+| Threat                       | Mitigation                                        |
+| ---------------------------- | ------------------------------------------------- |
+| **Arbitrary Code Execution** | No `source` or `eval`; manual parsing only        |
+| **Variable Injection**       | Whitelist of allowed variable names               |
+| **Command Substitution**     | `_sanitize_value()` blocks `$()`, backticks, etc. |
+| **Path Traversal**           | Files locked to `/usr/local/community-scripts/`   |
+| **Permission Escalation**    | Files created with restricted permissions         |
+| **Information Disclosure**   | Sensitive variables not logged                    |
 
 ### Security Controls
 
@@ -798,6 +813,7 @@ fi
 ### Module: `build.func`
 
 **Load Order** (in actual scripts):
+
 1. `#!/usr/bin/env bash` - Shebang
 2. `source /dev/stdin <<<$(curl ... api.func)` - API functions
 3. `source /dev/stdin <<<$(curl ... build.func)` - Build functions
@@ -832,17 +848,17 @@ fi
 
 # Section 6: Installation Flow
 - install_script()         # Main entry point
-- advanced_settings()      # 19-step wizard
+- advanced_settings()      # 20-step wizard
 ```
 
 ### Regex Patterns Used
 
-| Pattern | Purpose | Example Match |
-|---------|---------|---|
-| `^[0-9]+([.][0-9]+)?$` | Integer validation | `4`, `192.168` |
-| `^var_[a-z_]+$` | Variable name | `var_cpu`, `var_ssh` |
-| `*'$('*` | Command substitution | `$(whoami)` |
-| `*\`*` | Backtick substitution | `` `cat /etc/passwd` `` |
+| Pattern                | Purpose               | Example Match           |
+| ---------------------- | --------------------- | ----------------------- |
+| `^[0-9]+([.][0-9]+)?$` | Integer validation    | `4`, `192.168`          |
+| `^var_[a-z_]+$`        | Variable name         | `var_cpu`, `var_ssh`    |
+| `*'$('*`               | Command substitution  | `$(whoami)`             |
+| `*\`\*`                | Backtick substitution | `` `cat /etc/passwd` `` |
 
 ---
 
@@ -869,12 +885,12 @@ fi
 
 ### Function Mapping
 
-| Old | New | Location |
-|-----|-----|----------|
-| `read_config()` | `load_vars_file()` | build.func |
-| `write_config()` | `_build_current_app_vars_tmp()` | build.func |
-| None | `maybe_offer_save_app_defaults()` | build.func |
-| None | `get_app_defaults_path()` | build.func |
+| Old              | New                               | Location   |
+| ---------------- | --------------------------------- | ---------- |
+| `read_config()`  | `load_vars_file()`                | build.func |
+| `write_config()` | `_build_current_app_vars_tmp()`   | build.func |
+| None             | `maybe_offer_save_app_defaults()` | build.func |
+| None             | `get_app_defaults_path()`         | build.func |
 
 ---
 

docs/misc/build.func/BUILD_FUNC_ADVANCED_SETTINGS.md

@@ -0,0 +1,164 @@
+# Advanced Settings Wizard Reference
+
+## Overview
+
+The Advanced Settings wizard provides a 28-step interactive configuration for LXC container creation. It allows users to customize every aspect of the container while inheriting sensible defaults from the CT script.
+
+## Key Features
+
+- **Inherit App Defaults**: All `var_*` values from CT scripts pre-populate wizard fields
+- **Back Navigation**: Press Cancel/Back to return to previous step
+- **App Default Hints**: Each dialog shows `(App default: X)` to indicate script defaults
+- **Full Customization**: Every configurable option is accessible
+
+## Wizard Steps
+
+| Step | Title                    | Variable(s)                       | Description                                           |
+| ---- | ------------------------ | --------------------------------- | ----------------------------------------------------- |
+| 1    | Container Type           | `var_unprivileged`                | Privileged (0) or Unprivileged (1) container          |
+| 2    | Root Password            | `var_pw`                          | Set password or use automatic login                   |
+| 3    | Container ID             | `var_ctid`                        | Unique container ID (auto-suggested)                  |
+| 4    | Hostname                 | `var_hostname`                    | Container hostname                                    |
+| 5    | Disk Size                | `var_disk`                        | Disk size in GB                                       |
+| 6    | CPU Cores                | `var_cpu`                         | Number of CPU cores                                   |
+| 7    | RAM Size                 | `var_ram`                         | RAM size in MiB                                       |
+| 8    | Network Bridge           | `var_brg`                         | Network bridge (vmbr0, etc.)                          |
+| 9    | IPv4 Configuration       | `var_net`, `var_gateway`          | DHCP or static IP with gateway                        |
+| 10   | IPv6 Configuration       | `var_ipv6_method`                 | Auto, DHCP, Static, or None                           |
+| 11   | MTU Size                 | `var_mtu`                         | Network MTU (default: 1500)                           |
+| 12   | DNS Search Domain        | `var_searchdomain`                | DNS search domain                                     |
+| 13   | DNS Server               | `var_ns`                          | Custom DNS server IP                                  |
+| 14   | MAC Address              | `var_mac`                         | Custom MAC address (auto-generated if empty)          |
+| 15   | VLAN Tag                 | `var_vlan`                        | VLAN tag ID                                           |
+| 16   | Tags                     | `var_tags`                        | Container tags (comma/semicolon separated)            |
+| 17   | SSH Settings             | `var_ssh`                         | SSH key selection and root access                     |
+| 18   | FUSE Support             | `var_fuse`                        | Enable FUSE for rclone, mergerfs, AppImage            |
+| 19   | TUN/TAP Support          | `var_tun`                         | Enable for VPN apps (WireGuard, OpenVPN, Tailscale)   |
+| 20   | Nesting Support          | `var_nesting`                     | Enable for Docker, LXC in LXC, Podman                 |
+| 21   | GPU Passthrough          | `var_gpu`                         | Auto-detect and pass through Intel/AMD/NVIDIA GPUs    |
+| 22   | Keyctl Support           | `var_keyctl`                      | Enable for Docker, systemd-networkd                   |
+| 23   | APT Cacher Proxy         | `var_apt_cacher`, `var_apt_cacher_ip` | Use apt-cacher-ng for faster downloads            |
+| 24   | Container Timezone       | `var_timezone`                    | Set timezone (e.g., Europe/Berlin)                    |
+| 25   | Container Protection     | `var_protection`                  | Prevent accidental deletion                           |
+| 26   | Device Node Creation     | `var_mknod`                       | Allow mknod (experimental, kernel 5.3+)               |
+| 27   | Mount Filesystems        | `var_mount_fs`                    | Allow specific mounts: nfs, cifs, fuse, etc.          |
+| 28   | Verbose Mode & Confirm   | `var_verbose`                     | Enable verbose output + final confirmation            |
+
+## Default Value Inheritance
+
+The wizard inherits defaults from multiple sources:
+
+```text
+CT Script (var_*) → default.vars → app.vars → User Input
+```
+
+### Example: VPN Container (alpine-wireguard.sh)
+
+```bash
+# CT script sets:
+var_tun="${var_tun:-1}"  # TUN enabled by default
+
+# In Advanced Settings Step 19:
+# Dialog shows: "(App default: 1)" and pre-selects "Yes"
+```
+
+### Example: Media Server (jellyfin.sh)
+
+```bash
+# CT script sets:
+var_gpu="${var_gpu:-yes}"  # GPU enabled by default
+
+# In Advanced Settings Step 21:
+# Dialog shows: "(App default: yes)" and pre-selects "Yes"
+```
+
+## Feature Matrix
+
+| Feature           | Variable         | When to Enable                                      |
+| ----------------- | ---------------- | --------------------------------------------------- |
+| FUSE              | `var_fuse`       | rclone, mergerfs, AppImage, SSHFS                   |
+| TUN/TAP           | `var_tun`        | WireGuard, OpenVPN, Tailscale, VPN containers       |
+| Nesting           | `var_nesting`    | Docker, Podman, LXC-in-LXC, systemd-nspawn          |
+| GPU Passthrough   | `var_gpu`        | Plex, Jellyfin, Emby, Frigate, Ollama, ComfyUI      |
+| Keyctl            | `var_keyctl`     | Docker (unprivileged), systemd-networkd             |
+| Protection        | `var_protection` | Production containers, prevent accidental deletion  |
+| Mknod             | `var_mknod`      | Device node creation (experimental)                 |
+| Mount FS          | `var_mount_fs`   | NFS mounts, CIFS shares, custom filesystems         |
+| APT Cacher        | `var_apt_cacher` | Speed up downloads with local apt-cacher-ng         |
+
+## Confirmation Summary
+
+Step 28 displays a comprehensive summary before creation:
+
+```text
+Container Type: Unprivileged
+Container ID: 100
+Hostname: jellyfin
+
+Resources:
+  Disk: 8 GB
+  CPU: 2 cores
+  RAM: 2048 MiB
+
+Network:
+  Bridge: vmbr0
+  IPv4: dhcp
+  IPv6: auto
+
+Features:
+  FUSE: no | TUN: no
+  Nesting: Enabled | Keyctl: Disabled
+  GPU: yes | Protection: No
+
+Advanced:
+  Timezone: Europe/Berlin
+  APT Cacher: no
+  Verbose: no
+```
+
+## Usage Examples
+
+### Skip to Advanced Settings
+
+```bash
+# Run script, select "Advanced" from menu
+bash -c "$(curl -fsSL https://...jellyfin.sh)"
+# Then select option 3 "Advanced"
+```
+
+### Pre-set Defaults via Environment
+
+```bash
+# Set defaults before running
+export var_cpu=4
+export var_ram=4096
+export var_gpu=yes
+bash -c "$(curl -fsSL https://...jellyfin.sh)"
+# Advanced settings will inherit these values
+```
+
+### Non-Interactive with All Options
+
+```bash
+# Set all variables for fully automated deployment
+export var_unprivileged=1
+export var_cpu=2
+export var_ram=2048
+export var_disk=8
+export var_net=dhcp
+export var_fuse=no
+export var_tun=no
+export var_gpu=yes
+export var_nesting=1
+export var_protection=no
+export var_verbose=no
+bash -c "$(curl -fsSL https://...jellyfin.sh)"
+```
+
+## Notes
+
+- **Cancel at Step 1**: Exits the script entirely
+- **Cancel at Steps 2-28**: Goes back to previous step
+- **Empty fields**: Use default value
+- **Keyctl**: Automatically enabled for unprivileged containers
+- **Nesting**: Enabled by default (required for many apps)

docs/misc/build.func/BUILD_FUNC_ENVIRONMENT_VARIABLES.md

@@ -8,103 +8,142 @@ This document provides a comprehensive reference of all environment variables us
 
 ### Core Container Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `APP` | Application name (e.g., "plex", "nextcloud") | - | Environment | Throughout |
-| `NSAPP` | Namespace application name | `$APP` | Environment | Throughout |
-| `CTID` | Container ID | - | Environment | Container creation |
-| `CT_TYPE` | Container type ("install" or "update") | "install" | Environment | Entry point |
-| `CT_NAME` | Container name | `$APP` | Environment | Container creation |
+| Variable  | Description                                  | Default   | Set In      | Used In            |
+| --------- | -------------------------------------------- | --------- | ----------- | ------------------ |
+| `APP`     | Application name (e.g., "plex", "nextcloud") | -         | Environment | Throughout         |
+| `NSAPP`   | Namespace application name                   | `$APP`    | Environment | Throughout         |
+| `CTID`    | Container ID                                 | -         | Environment | Container creation |
+| `CT_TYPE` | Container type ("install" or "update")       | "install" | Environment | Entry point        |
+| `CT_NAME` | Container name                               | `$APP`    | Environment | Container creation |
 
 ### Operating System Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_os` | Operating system selection | "debian" | base_settings() | OS selection |
-| `var_version` | OS version | "12" | base_settings() | Template selection |
-| `var_template` | Template name | Auto-generated | base_settings() | Template download |
+| Variable       | Description                | Default        | Set In          | Used In            |
+| -------------- | -------------------------- | -------------- | --------------- | ------------------ |
+| `var_os`       | Operating system selection | "debian"       | base_settings() | OS selection       |
+| `var_version`  | OS version                 | "12"           | base_settings() | Template selection |
+| `var_template` | Template name              | Auto-generated | base_settings() | Template download  |
 
 ### Resource Configuration Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_cpu` | CPU cores | "2" | base_settings() | Container creation |
-| `var_ram` | RAM in MB | "2048" | base_settings() | Container creation |
-| `var_disk` | Disk size in GB | "8" | base_settings() | Container creation |
-| `DISK_SIZE` | Disk size (alternative) | `$var_disk` | Environment | Container creation |
-| `CORE_COUNT` | CPU cores (alternative) | `$var_cpu` | Environment | Container creation |
-| `RAM_SIZE` | RAM size (alternative) | `$var_ram` | Environment | Container creation |
+| Variable     | Description             | Default     | Set In          | Used In            |
+| ------------ | ----------------------- | ----------- | --------------- | ------------------ |
+| `var_cpu`    | CPU cores               | "2"         | base_settings() | Container creation |
+| `var_ram`    | RAM in MB               | "2048"      | base_settings() | Container creation |
+| `var_disk`   | Disk size in GB         | "8"         | base_settings() | Container creation |
+| `DISK_SIZE`  | Disk size (alternative) | `$var_disk` | Environment     | Container creation |
+| `CORE_COUNT` | CPU cores (alternative) | `$var_cpu`  | Environment     | Container creation |
+| `RAM_SIZE`   | RAM size (alternative)  | `$var_ram`  | Environment     | Container creation |
 
 ### Network Configuration Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_net` | Network interface | "vmbr0" | base_settings() | Network config |
-| `var_bridge` | Bridge interface | "vmbr0" | base_settings() | Network config |
-| `var_gateway` | Gateway IP | "192.168.1.1" | base_settings() | Network config |
-| `var_ip` | Container IP address | - | User input | Network config |
-| `var_ipv6` | IPv6 address | - | User input | Network config |
-| `var_vlan` | VLAN ID | - | User input | Network config |
-| `var_mtu` | MTU size | "1500" | base_settings() | Network config |
-| `var_mac` | MAC address | Auto-generated | base_settings() | Network config |
-| `NET` | Network interface (alternative) | `$var_net` | Environment | Network config |
-| `BRG` | Bridge interface (alternative) | `$var_bridge` | Environment | Network config |
-| `GATE` | Gateway IP (alternative) | `$var_gateway` | Environment | Network config |
-| `IPV6_METHOD` | IPv6 configuration method | "none" | Environment | Network config |
-| `VLAN` | VLAN ID (alternative) | `$var_vlan` | Environment | Network config |
-| `MTU` | MTU size (alternative) | `$var_mtu` | Environment | Network config |
-| `MAC` | MAC address (alternative) | `$var_mac` | Environment | Network config |
+| Variable      | Description                     | Default        | Set In          | Used In        |
+| ------------- | ------------------------------- | -------------- | --------------- | -------------- |
+| `var_net`     | Network interface               | "vmbr0"        | base_settings() | Network config |
+| `var_bridge`  | Bridge interface                | "vmbr0"        | base_settings() | Network config |
+| `var_gateway` | Gateway IP                      | "192.168.1.1"  | base_settings() | Network config |
+| `var_ip`      | Container IP address            | -              | User input      | Network config |
+| `var_ipv6`    | IPv6 address                    | -              | User input      | Network config |
+| `var_vlan`    | VLAN ID                         | -              | User input      | Network config |
+| `var_mtu`     | MTU size                        | "1500"         | base_settings() | Network config |
+| `var_mac`     | MAC address                     | Auto-generated | base_settings() | Network config |
+| `NET`         | Network interface (alternative) | `$var_net`     | Environment     | Network config |
+| `BRG`         | Bridge interface (alternative)  | `$var_bridge`  | Environment     | Network config |
+| `GATE`        | Gateway IP (alternative)        | `$var_gateway` | Environment     | Network config |
+| `IPV6_METHOD` | IPv6 configuration method       | "none"         | Environment     | Network config |
+| `VLAN`        | VLAN ID (alternative)           | `$var_vlan`    | Environment     | Network config |
+| `MTU`         | MTU size (alternative)          | `$var_mtu`     | Environment     | Network config |
+| `MAC`         | MAC address (alternative)       | `$var_mac`     | Environment     | Network config |
 
 ### Storage Configuration Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_template_storage` | Storage for templates | - | select_storage() | Template storage |
-| `var_container_storage` | Storage for container disks | - | select_storage() | Container storage |
-| `TEMPLATE_STORAGE` | Template storage (alternative) | `$var_template_storage` | Environment | Template storage |
-| `CONTAINER_STORAGE` | Container storage (alternative) | `$var_container_storage` | Environment | Container storage |
+| Variable                | Description                     | Default                  | Set In           | Used In           |
+| ----------------------- | ------------------------------- | ------------------------ | ---------------- | ----------------- |
+| `var_template_storage`  | Storage for templates           | -                        | select_storage() | Template storage  |
+| `var_container_storage` | Storage for container disks     | -                        | select_storage() | Container storage |
+| `TEMPLATE_STORAGE`      | Template storage (alternative)  | `$var_template_storage`  | Environment      | Template storage  |
+| `CONTAINER_STORAGE`     | Container storage (alternative) | `$var_container_storage` | Environment      | Container storage |
 
 ### Feature Flags
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `ENABLE_FUSE` | Enable FUSE support | "true" | base_settings() | Container features |
-| `ENABLE_TUN` | Enable TUN/TAP support | "true" | base_settings() | Container features |
-| `ENABLE_KEYCTL` | Enable keyctl support | "true" | base_settings() | Container features |
-| `ENABLE_MOUNT` | Enable mount support | "true" | base_settings() | Container features |
-| `ENABLE_NESTING` | Enable nesting support | "false" | base_settings() | Container features |
-| `ENABLE_PRIVILEGED` | Enable privileged mode | "false" | base_settings() | Container features |
-| `ENABLE_UNPRIVILEGED` | Enable unprivileged mode | "true" | base_settings() | Container features |
-| `VERBOSE` | Enable verbose output | "false" | Environment | Logging |
-| `SSH` | Enable SSH key provisioning | "true" | base_settings() | SSH setup |
+| Variable         | Description                    | Default | Set In                          | Used In            |
+| ---------------- | ------------------------------ | ------- | ------------------------------- | ------------------ |
+| `var_fuse`       | Enable FUSE support            | "no"    | CT script / Advanced Settings   | Container features |
+| `var_tun`        | Enable TUN/TAP support         | "no"    | CT script / Advanced Settings   | Container features |
+| `var_nesting`    | Enable nesting support         | "1"     | CT script / Advanced Settings   | Container features |
+| `var_keyctl`     | Enable keyctl support          | "0"     | CT script / Advanced Settings   | Container features |
+| `var_mknod`      | Allow device node creation     | "0"     | CT script / Advanced Settings   | Container features |
+| `var_mount_fs`   | Allowed filesystem mounts      | ""      | CT script / Advanced Settings   | Container features |
+| `var_protection` | Enable container protection    | "no"    | CT script / Advanced Settings   | Container creation |
+| `var_timezone`   | Container timezone             | ""      | CT script / Advanced Settings   | Container creation |
+| `var_verbose`    | Enable verbose output          | "no"    | Environment / Advanced Settings | Logging            |
+| `var_ssh`        | Enable SSH key provisioning    | "no"    | CT script / Advanced Settings   | SSH setup          |
+| `ENABLE_FUSE`    | FUSE flag (internal)           | "no"    | Advanced Settings               | Container creation |
+| `ENABLE_TUN`     | TUN/TAP flag (internal)        | "no"    | Advanced Settings               | Container creation |
+| `ENABLE_NESTING` | Nesting flag (internal)        | "1"     | Advanced Settings               | Container creation |
+| `ENABLE_KEYCTL`  | Keyctl flag (internal)         | "0"     | Advanced Settings               | Container creation |
+| `ENABLE_MKNOD`   | Mknod flag (internal)          | "0"     | Advanced Settings               | Container creation |
+| `PROTECT_CT`     | Protection flag (internal)     | "no"    | Advanced Settings               | Container creation |
+| `CT_TIMEZONE`    | Timezone setting (internal)    | ""      | Advanced Settings               | Container creation |
+| `VERBOSE`        | Verbose mode flag              | "no"    | Environment                     | Logging            |
+| `SSH`            | SSH access flag                | "no"    | Advanced Settings               | SSH setup          |
+
+### APT Cacher Configuration
+
+| Variable           | Description              | Default | Set In                        | Used In             |
+| ------------------ | ------------------------ | ------- | ----------------------------- | ------------------- |
+| `var_apt_cacher`   | Enable APT cacher proxy  | "no"    | CT script / Advanced Settings | Package management  |
+| `var_apt_cacher_ip`| APT cacher server IP     | ""      | CT script / Advanced Settings | Package management  |
+| `APT_CACHER`       | APT cacher flag          | "no"    | Advanced Settings             | Container creation  |
+| `APT_CACHER_IP`    | APT cacher IP (internal) | ""      | Advanced Settings             | Container creation  |
 
 ### GPU Passthrough Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `GPU_APPS` | List of apps that support GPU | - | Environment | GPU detection |
-| `var_gpu` | GPU selection | - | User input | GPU passthrough |
-| `var_gpu_type` | GPU type (intel/amd/nvidia) | - | detect_gpu_devices() | GPU passthrough |
-| `var_gpu_devices` | GPU device list | - | detect_gpu_devices() | GPU passthrough |
+| Variable     | Description                     | Default | Set In                                      | Used In            |
+| ------------ | ------------------------------- | ------- | ------------------------------------------- | ------------------ |
+| `var_gpu`    | Enable GPU passthrough          | "no"    | CT script / Environment / Advanced Settings | GPU passthrough    |
+| `ENABLE_GPU` | GPU passthrough flag (internal) | "no"    | Advanced Settings                           | Container creation |
+
+**Note**: GPU passthrough is controlled via `var_gpu`. Apps that benefit from GPU acceleration (media servers, AI/ML, transcoding) have `var_gpu=yes` as default in their CT scripts.
+
+**Apps with GPU enabled by default**:
+
+- Media: jellyfin, plex, emby, channels, ersatztv, tunarr, immich
+- Transcoding: tdarr, unmanic, fileflows
+- AI/ML: ollama, openwebui
+- NVR: frigate
+
+**Usage Examples**:
+
+```bash
+# Disable GPU for a specific installation
+var_gpu=no bash -c "$(curl -fsSL https://...jellyfin.sh)"
+
+# Enable GPU for apps without default GPU support
+var_gpu=yes bash -c "$(curl -fsSL https://...debian.sh)"
+
+# Set in default.vars for all apps
+echo "var_gpu=yes" >> /usr/local/community-scripts/default.vars
+```
 
 ### API and Diagnostics Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `DIAGNOSTICS` | Enable diagnostics mode | "false" | Environment | Diagnostics |
-| `METHOD` | Installation method | "install" | Environment | Installation flow |
-| `RANDOM_UUID` | Random UUID for tracking | - | Environment | Logging |
-| `API_TOKEN` | Proxmox API token | - | Environment | API calls |
-| `API_USER` | Proxmox API user | - | Environment | API calls |
+| Variable      | Description              | Default   | Set In      | Used In           |
+| ------------- | ------------------------ | --------- | ----------- | ----------------- |
+| `DIAGNOSTICS` | Enable diagnostics mode  | "false"   | Environment | Diagnostics       |
+| `METHOD`      | Installation method      | "install" | Environment | Installation flow |
+| `RANDOM_UUID` | Random UUID for tracking | -         | Environment | Logging           |
+| `API_TOKEN`   | Proxmox API token        | -         | Environment | API calls         |
+| `API_USER`    | Proxmox API user         | -         | Environment | API calls         |
 
 ### Settings Persistence Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `SAVE_DEFAULTS` | Save settings as defaults | "false" | User input | Settings persistence |
-| `SAVE_APP_DEFAULTS` | Save app-specific defaults | "false" | User input | Settings persistence |
-| `DEFAULT_VARS_FILE` | Path to default.vars | "/usr/local/community-scripts/default.vars" | Environment | Settings persistence |
-| `APP_DEFAULTS_FILE` | Path to app.vars | "/usr/local/community-scripts/defaults/$APP.vars" | Environment | Settings persistence |
+| Variable            | Description                | Default                                           | Set In      | Used In              |
+| ------------------- | -------------------------- | ------------------------------------------------- | ----------- | -------------------- |
+| `SAVE_DEFAULTS`     | Save settings as defaults  | "false"                                           | User input  | Settings persistence |
+| `SAVE_APP_DEFAULTS` | Save app-specific defaults | "false"                                           | User input  | Settings persistence |
+| `DEFAULT_VARS_FILE` | Path to default.vars       | "/usr/local/community-scripts/default.vars"       | Environment | Settings persistence |
+| `APP_DEFAULTS_FILE` | Path to app.vars           | "/usr/local/community-scripts/defaults/$APP.vars" | Environment | Settings persistence |
 
 ## Variable Precedence Chain
 
@@ -152,6 +191,7 @@ export SSH="true"
 ## Environment Variable Usage Patterns
 
 ### 1. Container Creation
+
 ```bash
 # Basic container creation
 export APP="nextcloud"
@@ -170,6 +210,7 @@ export var_container_storage="local"
 ```
 
 ### 2. GPU Passthrough
+
 ```bash
 # Enable GPU passthrough
 export GPU_APPS="plex,jellyfin,emby"
@@ -178,6 +219,7 @@ export ENABLE_PRIVILEGED="true"
 ```
 
 ### 3. Advanced Network Configuration
+
 ```bash
 # VLAN and IPv6 configuration
 export var_vlan="100"
@@ -187,6 +229,7 @@ export var_mtu="9000"
 ```
 
 ### 4. Storage Configuration
+
 ```bash
 # Custom storage locations
 export var_template_storage="nfs-storage"
@@ -206,6 +249,7 @@ The script validates variables at several points:
 ## Common Variable Combinations
 
 ### Development Container
+
 ```bash
 export APP="dev-container"
 export CTID="200"
@@ -220,6 +264,7 @@ export ENABLE_PRIVILEGED="true"
 ```
 
 ### Media Server with GPU
+
 ```bash
 export APP="plex"
 export CTID="300"
@@ -235,6 +280,7 @@ export ENABLE_PRIVILEGED="true"
 ```
 
 ### Lightweight Service
+
 ```bash
 export APP="nginx"
 export CTID="400"

docs/misc/build.func/BUILD_FUNC_FUNCTIONS_REFERENCE.md

@@ -9,30 +9,35 @@ This document provides a comprehensive reference of all functions in `build.func
 ### Initialization Functions
 
 #### `start()`
+
 **Purpose**: Main entry point when build.func is sourced or executed
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Detects execution context (Proxmox host vs container)
 - Captures hard environment variables
 - Sets CT_TYPE based on context
 - Routes to appropriate workflow (install_script or update_script)
-**Dependencies**: None
-**Environment Variables Used**: `CT_TYPE`, `APP`, `CTID`
+  **Dependencies**: None
+  **Environment Variables Used**: `CT_TYPE`, `APP`, `CTID`
 
 #### `variables()`
+
 **Purpose**: Load and resolve all configuration variables using precedence chain
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Loads app-specific .vars file
 - Loads global default.vars file
 - Applies variable precedence chain
 - Sets all configuration variables
-**Dependencies**: `base_settings()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `base_settings()`
+  **Environment Variables Used**: All configuration variables
 
 #### `base_settings()`
+
 **Purpose**: Set built-in default values for all configuration variables
 **Parameters**: None
 **Returns**: None
@@ -43,28 +48,33 @@ This document provides a comprehensive reference of all functions in `build.func
 ### UI and Menu Functions
 
 #### `install_script()`
+
 **Purpose**: Main installation workflow coordinator
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Displays installation mode selection menu
 - Coordinates the entire installation process
 - Handles user interaction and validation
-**Dependencies**: `variables()`, `build_container()`, `default_var_settings()`
-**Environment Variables Used**: `APP`, `CTID`, `var_hostname`
+  **Dependencies**: `variables()`, `build_container()`, `default_var_settings()`
+  **Environment Variables Used**: `APP`, `CTID`, `var_hostname`
 
 #### `advanced_settings()`
+
 **Purpose**: Provide advanced configuration options via whiptail menus
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Displays whiptail menus for configuration
 - Updates configuration variables based on user input
 - Validates user selections
-**Dependencies**: `select_storage()`, `detect_gpu_devices()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `select_storage()`, `detect_gpu_devices()`
+  **Environment Variables Used**: All configuration variables
 
 #### `settings_menu()`
+
 **Purpose**: Display and handle settings configuration menu
 **Parameters**: None
 **Returns**: None
@@ -75,58 +85,68 @@ This document provides a comprehensive reference of all functions in `build.func
 ### Storage Functions
 
 #### `select_storage()`
+
 **Purpose**: Handle storage selection for templates and containers
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Resolves storage preselection
 - Prompts user for storage selection if needed
 - Validates storage availability
 - Sets var_template_storage and var_container_storage
-**Dependencies**: `resolve_storage_preselect()`, `choose_and_set_storage_for_file()`
-**Environment Variables Used**: `var_template_storage`, `var_container_storage`, `TEMPLATE_STORAGE`, `CONTAINER_STORAGE`
+  **Dependencies**: `resolve_storage_preselect()`, `choose_and_set_storage_for_file()`
+  **Environment Variables Used**: `var_template_storage`, `var_container_storage`, `TEMPLATE_STORAGE`, `CONTAINER_STORAGE`
 
 #### `resolve_storage_preselect()`
+
 **Purpose**: Resolve preselected storage options
 **Parameters**:
+
 - `storage_type`: Type of storage (template or container)
-**Returns**: Storage name if valid, empty if invalid
-**Side Effects**: Validates storage availability
-**Dependencies**: None
-**Environment Variables Used**: `var_template_storage`, `var_container_storage`
+  **Returns**: Storage name if valid, empty if invalid
+  **Side Effects**: Validates storage availability
+  **Dependencies**: None
+  **Environment Variables Used**: `var_template_storage`, `var_container_storage`
 
 #### `choose_and_set_storage_for_file()`
+
 **Purpose**: Interactive storage selection via whiptail
 **Parameters**:
+
 - `storage_type`: Type of storage (template or container)
 - `content_type`: Content type (vztmpl or rootdir)
-**Returns**: None
-**Side Effects**:
+  **Returns**: None
+  **Side Effects**:
 - Displays whiptail menu
 - Updates storage variables
 - Validates selection
-**Dependencies**: None
-**Environment Variables Used**: `var_template_storage`, `var_container_storage`
+  **Dependencies**: None
+  **Environment Variables Used**: `var_template_storage`, `var_container_storage`
 
 ### Container Creation Functions
 
 #### `build_container()`
+
 **Purpose**: Validate settings and prepare container creation
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Validates all configuration
 - Checks for conflicts
 - Prepares container configuration
 - Calls create_lxc_container()
-**Dependencies**: `create_lxc_container()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `create_lxc_container()`
+  **Environment Variables Used**: All configuration variables
 
 #### `create_lxc_container()`
+
 **Purpose**: Create the actual LXC container
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Creates LXC container with basic configuration
 - Configures network settings
 - Sets up storage and mount points
@@ -134,108 +154,176 @@ This document provides a comprehensive reference of all functions in `build.func
 - Sets resource limits
 - Configures startup options
 - Starts container
-**Dependencies**: `configure_gpu_passthrough()`, `fix_gpu_gids()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `configure_gpu_passthrough()`, `fix_gpu_gids()`
+  **Environment Variables Used**: All configuration variables
 
 ### GPU and Hardware Functions
 
 #### `detect_gpu_devices()`
+
 **Purpose**: Detect available GPU hardware on the system
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Scans for Intel, AMD, and NVIDIA GPUs
 - Updates var_gpu_type and var_gpu_devices
 - Determines GPU capabilities
-**Dependencies**: None
-**Environment Variables Used**: `var_gpu_type`, `var_gpu_devices`, `GPU_APPS`
+  **Dependencies**: None
+  **Environment Variables Used**: `var_gpu_type`, `var_gpu_devices`, `GPU_APPS`
 
 #### `configure_gpu_passthrough()`
+
 **Purpose**: Configure GPU passthrough for the container
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Adds GPU device entries to container config
 - Configures proper device permissions
 - Sets up device mapping
 - Updates /etc/pve/lxc/<ctid>.conf
-**Dependencies**: `detect_gpu_devices()`
-**Environment Variables Used**: `var_gpu`, `var_gpu_type`, `var_gpu_devices`, `CTID`
+  **Dependencies**: `detect_gpu_devices()`
+  **Environment Variables Used**: `var_gpu`, `var_gpu_type`, `var_gpu_devices`, `CTID`
 
 #### `fix_gpu_gids()`
+
 **Purpose**: Fix GPU group IDs after container creation
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Updates GPU group IDs in container
 - Ensures proper GPU access permissions
 - Configures video and render groups
-**Dependencies**: `configure_gpu_passthrough()`
-**Environment Variables Used**: `CTID`, `var_gpu_type`
+  **Dependencies**: `configure_gpu_passthrough()`
+  **Environment Variables Used**: `CTID`, `var_gpu_type`
+
+### SSH Configuration Functions
+
+#### `configure_ssh_settings()`
+
+**Purpose**: Interactive SSH key and access configuration wizard
+**Parameters**:
+
+- `step_info` (optional): Step indicator string (e.g., "Step 17/19") for consistent dialog headers
+  **Returns**: None
+  **Side Effects**:
+- Creates temporary file for SSH keys
+- Discovers and presents available SSH keys from host
+- Allows manual key entry or folder/glob scanning
+- Sets `SSH` variable to "yes" or "no" based on user selection
+- Sets `SSH_AUTHORIZED_KEY` if manual key provided
+- Populates `SSH_KEYS_FILE` with selected keys
+  **Dependencies**: `ssh_discover_default_files()`, `ssh_build_choices_from_files()`
+  **Environment Variables Used**: `SSH`, `SSH_AUTHORIZED_KEY`, `SSH_KEYS_FILE`
+
+**SSH Key Source Options**:
+
+1. `found` - Select from auto-detected host keys
+2. `manual` - Paste a single public key
+3. `folder` - Scan custom folder or glob pattern
+4. `none` - No SSH keys
+
+**Note**: The "Enable root SSH access?" dialog is always shown, regardless of whether SSH keys or password are configured. This ensures users can always enable SSH access even with automatic login.
+
+#### `ssh_discover_default_files()`
+
+**Purpose**: Discover SSH public key files on the host system
+**Parameters**: None
+**Returns**: Array of discovered key file paths
+**Side Effects**: Scans common SSH key locations
+**Dependencies**: None
+**Environment Variables Used**: `var_ssh_import_glob`
+
+#### `ssh_build_choices_from_files()`
+
+**Purpose**: Build whiptail checklist choices from SSH key files
+**Parameters**:
+
+- Array of file paths to process
+  **Returns**: None
+  **Side Effects**:
+- Sets `CHOICES` array for whiptail checklist
+- Sets `COUNT` variable with number of keys found
+- Creates `MAPFILE` for key tag to content mapping
+  **Dependencies**: None
+  **Environment Variables Used**: `CHOICES`, `COUNT`, `MAPFILE`
 
 ### Settings Persistence Functions
 
 #### `default_var_settings()`
+
 **Purpose**: Offer to save current settings as defaults
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Prompts user to save settings
 - Saves to default.vars file
 - Saves to app-specific .vars file
-**Dependencies**: `maybe_offer_save_app_defaults()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `maybe_offer_save_app_defaults()`
+  **Environment Variables Used**: All configuration variables
 
 #### `maybe_offer_save_app_defaults()`
+
 **Purpose**: Offer to save app-specific defaults
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Prompts user to save app-specific settings
 - Saves to app.vars file
 - Updates app-specific configuration
-**Dependencies**: None
-**Environment Variables Used**: `APP`, `SAVE_APP_DEFAULTS`
+  **Dependencies**: None
+  **Environment Variables Used**: `APP`, `SAVE_APP_DEFAULTS`
 
 ### Utility Functions
 
 #### `validate_settings()`
+
 **Purpose**: Validate all configuration settings
 **Parameters**: None
 **Returns**: 0 if valid, 1 if invalid
 **Side Effects**:
+
 - Checks for configuration conflicts
 - Validates resource limits
 - Validates network configuration
 - Validates storage configuration
-**Dependencies**: None
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: None
+  **Environment Variables Used**: All configuration variables
 
 #### `check_conflicts()`
+
 **Purpose**: Check for configuration conflicts
 **Parameters**: None
 **Returns**: 0 if no conflicts, 1 if conflicts found
 **Side Effects**:
+
 - Checks for conflicting settings
 - Validates resource allocation
 - Checks network configuration
-**Dependencies**: None
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: None
+  **Environment Variables Used**: All configuration variables
 
 #### `cleanup_on_error()`
+
 **Purpose**: Clean up resources on error
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Removes partially created containers
 - Cleans up temporary files
 - Resets configuration
-**Dependencies**: None
-**Environment Variables Used**: `CTID`
+  **Dependencies**: None
+  **Environment Variables Used**: `CTID`
 
 ## Function Call Flow
 
 ### Main Installation Flow
+
 ```
 start()
 ├── variables()
@@ -259,6 +347,7 @@ start()
 ```
 
 ### Error Handling Flow
+
 ```
 Error Detection
 ├── validate_settings()
@@ -271,24 +360,29 @@ Error Detection
 ## Function Dependencies
 
 ### Core Dependencies
+
 - `start()` → `install_script()` → `build_container()` → `create_lxc_container()`
 - `variables()` → `base_settings()`
 - `advanced_settings()` → `select_storage()` → `detect_gpu_devices()`
 
 ### Storage Dependencies
+
 - `select_storage()` → `resolve_storage_preselect()`
 - `select_storage()` → `choose_and_set_storage_for_file()`
 
 ### GPU Dependencies
+
 - `configure_gpu_passthrough()` → `detect_gpu_devices()`
 - `fix_gpu_gids()` → `configure_gpu_passthrough()`
 
 ### Settings Dependencies
+
 - `default_var_settings()` → `maybe_offer_save_app_defaults()`
 
 ## Function Usage Examples
 
 ### Basic Container Creation
+
 ```bash
 # Set required variables
 export APP="plex"
@@ -304,6 +398,7 @@ start()  # Entry point
 ```
 
 ### Advanced Configuration
+
 ```bash
 # Set advanced variables
 export var_os="debian"
@@ -319,6 +414,7 @@ advanced_settings()  # Interactive configuration
 ```
 
 ### GPU Passthrough
+
 ```bash
 # Enable GPU passthrough
 export GPU_APPS="plex"
@@ -331,6 +427,7 @@ fix_gpu_gids()  # Fix permissions
 ```
 
 ### Settings Persistence
+
 ```bash
 # Save settings as defaults
 export SAVE_DEFAULTS="true"
@@ -344,15 +441,18 @@ maybe_offer_save_app_defaults()  # Save app defaults
 ## Function Error Handling
 
 ### Validation Functions
+
 - `validate_settings()`: Returns 0 for valid, 1 for invalid
 - `check_conflicts()`: Returns 0 for no conflicts, 1 for conflicts
 
 ### Error Recovery
+
 - `cleanup_on_error()`: Cleans up on any error
 - Error codes are propagated up the call stack
 - Critical errors cause script termination
 
 ### Error Types
+
 1. **Configuration Errors**: Invalid settings or conflicts
 2. **Resource Errors**: Insufficient resources or conflicts
 3. **Network Errors**: Invalid network configuration

docs/misc/build.func/README.md

@@ -6,6 +6,16 @@ This directory contains comprehensive documentation for the `build.func` script,
 
 ## Documentation Files
 
+### 🎛️ [BUILD_FUNC_ADVANCED_SETTINGS.md](./BUILD_FUNC_ADVANCED_SETTINGS.md)
+Complete reference for the 28-step Advanced Settings wizard, including all configurable options and their inheritance behavior.
+
+**Contents:**
+- All 28 wizard steps explained
+- Default value inheritance
+- Feature matrix (when to enable each feature)
+- Confirmation summary format
+- Usage examples
+
 ### 📊 [BUILD_FUNC_FLOWCHART.md](./BUILD_FUNC_FLOWCHART.md)
 Visual ASCII flowchart showing the main execution flow, decision trees, and key decision points in the build.func script.
 

frontend/public/json/inventree.json

@@ -22,8 +22,8 @@
         "cpu": 2,
         "ram": 2048,
         "hdd": 6,
-        "os": "debian",
-        "version": "13"
+        "os": "ubuntu",
+        "version": "24.04"
       }
     }
   ],

frontend/public/json/versions.json

@@ -1,19 +1,189 @@
 [
+  {
+    "name": "openobserve/openobserve",
+    "version": "v0.30.0-rc1",
+    "date": "2025-12-08T11:46:24Z"
+  },
+  {
+    "name": "ventoy/Ventoy",
+    "version": "v1.1.08",
+    "date": "2025-12-08T10:13:51Z"
+  },
+  {
+    "name": "zitadel/zitadel",
+    "version": "v4.7.1",
+    "date": "2025-12-08T10:05:21Z"
+  },
+  {
+    "name": "meilisearch/meilisearch",
+    "version": "latest",
+    "date": "2025-12-08T09:36:54Z"
+  },
+  {
+    "name": "WGDashboard/WGDashboard",
+    "version": "v4.3.0.2",
+    "date": "2025-12-08T09:01:37Z"
+  },
+  {
+    "name": "mattermost/mattermost",
+    "version": "v10.11.8",
+    "date": "2025-11-21T17:06:07Z"
+  },
+  {
+    "name": "nzbgetcom/nzbget",
+    "version": "v25.4",
+    "date": "2025-10-09T10:27:01Z"
+  },
+  {
+    "name": "morpheus65535/bazarr",
+    "version": "v1.5.3",
+    "date": "2025-09-20T12:12:33Z"
+  },
+  {
+    "name": "Jackett/Jackett",
+    "version": "v0.24.420",
+    "date": "2025-12-08T05:55:34Z"
+  },
+  {
+    "name": "firefly-iii/firefly-iii",
+    "version": "v6.4.9",
+    "date": "2025-11-28T20:36:20Z"
+  },
+  {
+    "name": "documenso/documenso",
+    "version": "v2.2.0",
+    "date": "2025-12-08T03:33:34Z"
+  },
+  {
+    "name": "chrisbenincasa/tunarr",
+    "version": "v0.23.0-alpha.31",
+    "date": "2025-12-08T02:39:59Z"
+  },
+  {
+    "name": "jeedom/core",
+    "version": "4.5",
+    "date": "2025-12-08T00:27:05Z"
+  },
+  {
+    "name": "steveiliop56/tinyauth",
+    "version": "v4.1.0",
+    "date": "2025-11-23T12:13:34Z"
+  },
+  {
+    "name": "maxdorninger/MediaManager",
+    "version": "v1.10.0",
+    "date": "2025-12-07T23:41:51Z"
+  },
+  {
+    "name": "Part-DB/Part-DB-server",
+    "version": "v2.3.0",
+    "date": "2025-12-07T21:58:43Z"
+  },
+  {
+    "name": "traccar/traccar",
+    "version": "v6.11.1",
+    "date": "2025-12-07T19:19:08Z"
+  },
+  {
+    "name": "keycloak/keycloak",
+    "version": "26.4.7",
+    "date": "2025-12-01T08:14:11Z"
+  },
+  {
+    "name": "seerr-team/seerr",
+    "version": "preview-test-fix-subscriptions",
+    "date": "2025-12-07T14:31:55Z"
+  },
+  {
+    "name": "bluenviron/mediamtx",
+    "version": "v1.15.5",
+    "date": "2025-12-07T12:24:21Z"
+  },
+  {
+    "name": "BerriAI/litellm",
+    "version": "v1.80.8.rc.1",
+    "date": "2025-12-07T01:36:40Z"
+  },
+  {
+    "name": "umami-software/umami",
+    "version": "v2.20.1",
+    "date": "2025-12-07T01:14:23Z"
+  },
+  {
+    "name": "sysadminsmedia/homebox",
+    "version": "v0.22.0-rc.2",
+    "date": "2025-12-06T21:24:28Z"
+  },
+  {
+    "name": "Koenkk/zigbee2mqtt",
+    "version": "2.7.1",
+    "date": "2025-12-06T20:30:34Z"
+  },
+  {
+    "name": "blakeblackshear/frigate",
+    "version": "v0.14.1",
+    "date": "2024-08-29T22:32:51Z"
+  },
+  {
+    "name": "navidrome/navidrome",
+    "version": "v0.59.0",
+    "date": "2025-12-06T18:08:42Z"
+  },
+  {
+    "name": "Brandawg93/PeaNUT",
+    "version": "v5.19.2",
+    "date": "2025-12-06T14:56:53Z"
+  },
+  {
+    "name": "openhab/openhab-core",
+    "version": "4.3.9",
+    "date": "2025-12-06T14:31:36Z"
+  },
+  {
+    "name": "fuma-nama/fumadocs",
+    "version": "fumadocs-openapi@10.1.1",
+    "date": "2025-12-06T11:27:58Z"
+  },
+  {
+    "name": "YunoHost/yunohost",
+    "version": "debian/13.0.2",
+    "date": "2025-12-06T10:46:12Z"
+  },
+  {
+    "name": "toniebox-reverse-engineering/teddycloud",
+    "version": "tc_v0.6.5",
+    "date": "2025-12-06T10:32:07Z"
+  },
+  {
+    "name": "inspircd/inspircd",
+    "version": "v4.9.0",
+    "date": "2025-12-06T08:58:40Z"
+  },
+  {
+    "name": "chrisvel/tududi",
+    "version": "v0.87",
+    "date": "2025-12-06T07:36:26Z"
+  },
+  {
+    "name": "tobychui/zoraxy",
+    "version": "v3.3.0",
+    "date": "2025-12-06T06:18:23Z"
+  },
+  {
+    "name": "theonedev/onedev",
+    "version": "v13.1.3",
+    "date": "2025-12-06T04:40:09Z"
+  },
+  {
+    "name": "ollama/ollama",
+    "version": "v0.13.2-rc1",
+    "date": "2025-12-04T23:19:06Z"
+  },
   {
     "name": "Stirling-Tools/Stirling-PDF",
     "version": "v2.1.1",
     "date": "2025-12-05T23:48:08Z"
   },
-  {
-    "name": "BerriAI/litellm",
-    "version": "v1.80.7.dev.4",
-    "date": "2025-12-05T23:26:08Z"
-  },
-  {
-    "name": "chrisbenincasa/tunarr",
-    "version": "v0.23.0-alpha.30",
-    "date": "2025-12-05T21:23:38Z"
-  },
   {
     "name": "home-assistant/core",
     "version": "2025.12.1",
@@ -29,11 +199,6 @@
     "version": "v1.45.2",
     "date": "2025-12-05T19:17:09Z"
   },
-  {
-    "name": "umami-software/umami",
-    "version": "v2.20.0",
-    "date": "2025-12-05T18:06:01Z"
-  },
   {
     "name": "booklore-app/booklore",
     "version": "v1.13.2",
@@ -49,11 +214,6 @@
     "version": "flowise@3.0.12",
     "date": "2025-12-05T15:02:01Z"
   },
-  {
-    "name": "Brandawg93/PeaNUT",
-    "version": "v5.19.1",
-    "date": "2025-12-05T14:41:43Z"
-  },
   {
     "name": "emqx/emqx",
     "version": "e6.1.0-streams.1",
@@ -79,36 +239,11 @@
     "version": "2025.12.05",
     "date": "2025-12-05T09:45:02Z"
   },
-  {
-    "name": "Jackett/Jackett",
-    "version": "v0.24.404",
-    "date": "2025-12-05T05:55:24Z"
-  },
   {
     "name": "esphome/esphome",
     "version": "2025.11.4",
     "date": "2025-12-05T03:54:58Z"
   },
-  {
-    "name": "documenso/documenso",
-    "version": "v2.2.4",
-    "date": "2025-12-05T01:23:23Z"
-  },
-  {
-    "name": "jeedom/core",
-    "version": "4.5",
-    "date": "2025-12-05T00:27:08Z"
-  },
-  {
-    "name": "steveiliop56/tinyauth",
-    "version": "v4.1.0",
-    "date": "2025-11-23T12:13:34Z"
-  },
-  {
-    "name": "ollama/ollama",
-    "version": "v0.13.1-rc2",
-    "date": "2025-12-02T17:28:41Z"
-  },
   {
     "name": "transmission/transmission",
     "version": "4.0.1-beta.1",
@@ -134,16 +269,6 @@
     "version": "v0.107.70",
     "date": "2025-12-03T16:12:15Z"
   },
-  {
-    "name": "keycloak/keycloak",
-    "version": "26.4.7",
-    "date": "2025-12-01T08:14:11Z"
-  },
-  {
-    "name": "chrisvel/tududi",
-    "version": "v0.86.1",
-    "date": "2025-11-14T05:05:44Z"
-  },
   {
     "name": "wazuh/wazuh",
     "version": "coverity-w49-4.14.2",
@@ -159,11 +284,6 @@
     "version": "v0.34.2",
     "date": "2025-12-04T13:08:18Z"
   },
-  {
-    "name": "fuma-nama/fumadocs",
-    "version": "fumadocs-mdx@14.1.0",
-    "date": "2025-12-04T09:47:35Z"
-  },
   {
     "name": "glpi-project/glpi",
     "version": "11.0.4",
@@ -174,11 +294,6 @@
     "version": "v1.6.6",
     "date": "2025-11-24T15:30:21Z"
   },
-  {
-    "name": "morpheus65535/bazarr",
-    "version": "v1.5.3",
-    "date": "2025-09-20T12:12:33Z"
-  },
   {
     "name": "kyantech/Palmr",
     "version": "v3.3.1-beta",
@@ -224,11 +339,6 @@
     "version": "v25.11.5",
     "date": "2025-12-03T14:51:03Z"
   },
-  {
-    "name": "meilisearch/meilisearch",
-    "version": "latest",
-    "date": "2025-12-03T14:19:01Z"
-  },
   {
     "name": "Graylog2/graylog2-server",
     "version": "6.2.10",
@@ -244,16 +354,6 @@
     "version": "v0.104.0",
     "date": "2025-12-03T06:48:38Z"
   },
-  {
-    "name": "mattermost/mattermost",
-    "version": "v10.11.8",
-    "date": "2025-11-21T17:06:07Z"
-  },
-  {
-    "name": "openobserve/openobserve",
-    "version": "v0.20.2",
-    "date": "2025-12-03T02:20:57Z"
-  },
   {
     "name": "hyperion-project/hyperion.ng",
     "version": "2.1.1",
@@ -267,7 +367,7 @@
   {
     "name": "mealie-recipes/mealie",
     "version": "v3.6.1",
-    "date": "2025-12-02T23:08:41Z"
+    "date": "2025-12-02T22:54:10Z"
   },
   {
     "name": "apache/tomcat",
@@ -314,16 +414,6 @@
     "version": "jenkins-2.540",
     "date": "2025-12-02T16:56:49Z"
   },
-  {
-    "name": "nzbgetcom/nzbget",
-    "version": "v25.4",
-    "date": "2025-10-09T10:27:01Z"
-  },
-  {
-    "name": "tobychui/zoraxy",
-    "version": "v3.3.0-rc3",
-    "date": "2025-12-02T13:45:13Z"
-  },
   {
     "name": "docker/compose",
     "version": "v5.0.0",
@@ -369,11 +459,6 @@
     "version": "v0.16.0",
     "date": "2025-12-01T21:35:19Z"
   },
-  {
-    "name": "Koenkk/zigbee2mqtt",
-    "version": "2.7.0",
-    "date": "2025-12-01T20:26:49Z"
-  },
   {
     "name": "slskd/slskd",
     "version": "0.24.1",
@@ -409,11 +494,6 @@
     "version": "251130-b3068414c",
     "date": "2025-12-01T05:07:31Z"
   },
-  {
-    "name": "firefly-iii/firefly-iii",
-    "version": "v6.4.9",
-    "date": "2025-11-28T20:36:20Z"
-  },
   {
     "name": "jellyfin/jellyfin",
     "version": "v10.11.4",
@@ -449,11 +529,6 @@
     "version": "0.11.1",
     "date": "2025-11-30T14:54:03Z"
   },
-  {
-    "name": "openhab/openhab-core",
-    "version": "5.1.0.M3",
-    "date": "2025-11-30T14:36:37Z"
-  },
   {
     "name": "healthchecks/healthchecks",
     "version": "v3.13",
@@ -529,21 +604,11 @@
     "version": "v6.3",
     "date": "2025-11-27T18:12:22Z"
   },
-  {
-    "name": "theonedev/onedev",
-    "version": "v13.1.2",
-    "date": "2025-11-27T12:48:22Z"
-  },
   {
     "name": "ipfs/kubo",
     "version": "v0.39.0",
     "date": "2025-11-27T03:47:38Z"
   },
-  {
-    "name": "YunoHost/yunohost",
-    "version": "debian/12.1.36",
-    "date": "2025-11-27T00:33:48Z"
-  },
   {
     "name": "gristlabs/grist-core",
     "version": "v1.7.8",
@@ -579,11 +644,6 @@
     "version": "release-1.24.2",
     "date": "2025-11-26T11:22:30Z"
   },
-  {
-    "name": "seerr-team/seerr",
-    "version": "preview-test-fix-subscriptions",
-    "date": "2025-11-25T22:11:46Z"
-  },
   {
     "name": "wizarrrr/wizarr",
     "version": "v2025.11.3",
@@ -694,11 +754,6 @@
     "version": "mariadb-12.1.2",
     "date": "2025-11-18T15:16:21Z"
   },
-  {
-    "name": "bluenviron/mediamtx",
-    "version": "v1.15.4",
-    "date": "2025-11-21T01:21:03Z"
-  },
   {
     "name": "TasmoAdmin/TasmoAdmin",
     "version": "v4.3.2",
@@ -809,11 +864,6 @@
     "version": "v6.0.4.10291",
     "date": "2025-11-16T22:39:01Z"
   },
-  {
-    "name": "sysadminsmedia/homebox",
-    "version": "v0.21.0",
-    "date": "2025-08-23T18:33:53Z"
-  },
   {
     "name": "binwiederhier/ntfy",
     "version": "v2.15.0",
@@ -839,11 +889,6 @@
     "version": "4.10.1",
     "date": "2025-11-15T04:36:48Z"
   },
-  {
-    "name": "zitadel/zitadel",
-    "version": "v4.7.0",
-    "date": "2025-11-14T09:45:13Z"
-  },
   {
     "name": "runtipi/runtipi",
     "version": "v4.6.5",
@@ -879,11 +924,6 @@
     "version": "REL_13_23",
     "date": "2025-11-10T21:59:18Z"
   },
-  {
-    "name": "navidrome/navidrome",
-    "version": "v0.58.5",
-    "date": "2025-11-09T19:12:41Z"
-  },
   {
     "name": "pelican-dev/panel",
     "version": "v1.0.0-beta28",
@@ -974,11 +1014,6 @@
     "version": "v3.0.9",
     "date": "2025-11-04T07:28:45Z"
   },
-  {
-    "name": "maxdorninger/MediaManager",
-    "version": "v1.9.1",
-    "date": "2025-11-02T21:14:50Z"
-  },
   {
     "name": "motioneye-project/motioneye",
     "version": "0.42.1",
@@ -1044,11 +1079,6 @@
     "version": "2.0.2",
     "date": "2025-10-22T17:03:54Z"
   },
-  {
-    "name": "Part-DB/Part-DB-server",
-    "version": "v2.2.1",
-    "date": "2025-10-19T14:30:11Z"
-  },
   {
     "name": "benzino77/tasmocompiler",
     "version": "v13.0.0",
@@ -1074,11 +1104,6 @@
     "version": "v2.13.1",
     "date": "2025-10-15T13:29:37Z"
   },
-  {
-    "name": "blakeblackshear/frigate",
-    "version": "v0.14.1",
-    "date": "2024-08-29T22:32:51Z"
-  },
   {
     "name": "rogerfar/rdt-client",
     "version": "v2.0.119",
@@ -1144,11 +1169,6 @@
     "version": "v2.7.3",
     "date": "2025-09-21T12:07:19Z"
   },
-  {
-    "name": "traccar/traccar",
-    "version": "v6.10.0",
-    "date": "2025-09-20T15:40:36Z"
-  },
   {
     "name": "mmastrac/stylus",
     "version": "v0.17.0",
@@ -1169,11 +1189,6 @@
     "version": "v0.23.0",
     "date": "2025-09-17T10:15:51Z"
   },
-  {
-    "name": "WGDashboard/WGDashboard",
-    "version": "v4.3.0.1",
-    "date": "2025-09-17T08:50:39Z"
-  },
   {
     "name": "Checkmk/checkmk",
     "version": "v2.4.0p12",
@@ -1239,11 +1254,6 @@
     "version": "0.6.25",
     "date": "2025-08-24T08:51:55Z"
   },
-  {
-    "name": "ventoy/Ventoy",
-    "version": "v1.1.07",
-    "date": "2025-08-18T16:13:54Z"
-  },
   {
     "name": "lldap/lldap",
     "version": "v0.6.2",
@@ -1289,11 +1299,6 @@
     "version": "v1.28.3",
     "date": "2025-08-06T12:32:02Z"
   },
-  {
-    "name": "inspircd/inspircd",
-    "version": "v4.8.0",
-    "date": "2025-08-02T09:12:10Z"
-  },
   {
     "name": "Suwayomi/Suwayomi-Server",
     "version": "v2.1.1867",
@@ -1454,11 +1459,6 @@
     "version": "v2.4.2",
     "date": "2025-03-08T10:49:04Z"
   },
-  {
-    "name": "toniebox-reverse-engineering/teddycloud",
-    "version": "tc_v0.6.4",
-    "date": "2025-03-05T15:43:40Z"
-  },
   {
     "name": "bitmagnet-io/bitmagnet",
     "version": "v0.10.0",

frontend/public/json/zammad.json

@@ -23,7 +23,7 @@
         "ram": 4096,
         "hdd": 8,
         "os": "debian",
-        "version": "13"
+        "version": "12"
       }
     }
   ],

frontend/src/config/faq-config.tsx

@@ -34,9 +34,4 @@ export const FAQ_Items = [
     content:
       "If an LXC script fails, run it again using Verbose mode. Standard mode hides detailed output for neatness, showing only progress. Verbose mode displays all messages, which helps you (and us) diagnose the error. Include this verbose output if you report the issue.",
   },
-  {
-    title: "What does \"Updatable\" and \"Not updatable\" mean?",
-    content:
-      "Updatable means that script has a function that is used to update the installed application to the latest version available. Not updatable means that script doesn't have a function that can safely update the application to the latest version available, so only the LXC OS is updated.",
-  },
 ];

install/dispatcharr-install.sh

@@ -62,11 +62,13 @@ install -d -m 755 \
     /data/uploads/{m3us,epgs} \
     /data/{m3us,epgs}
 chown -R root:root /data
+DJANGO_SECRET=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | cut -c1-50)
 export DATABASE_URL="postgresql://${DB_USER}:${DB_PASS}@localhost:5432/${DB_NAME}"
 export POSTGRES_DB=$DB_NAME
 export POSTGRES_USER=$DB_USER
 export POSTGRES_PASSWORD=$DB_PASS
 export POSTGRES_HOST=localhost
+export DJANGO_SECRET_KEY=$DJANGO_SECRET
 $STD uv run python manage.py migrate --noinput
 $STD uv run python manage.py collectstatic --noinput
 cat <<EOF >/opt/dispatcharr/.env
@@ -76,6 +78,7 @@ POSTGRES_USER=$DB_USER
 POSTGRES_PASSWORD=$DB_PASS
 POSTGRES_HOST=localhost
 CELERY_BROKER_URL=redis://localhost:6379/0
+DJANGO_SECRET_KEY=$DJANGO_SECRET
 EOF
 cd /opt/dispatcharr/frontend
 $STD npm install --legacy-peer-deps

install/domain-locker-install.sh

@@ -64,7 +64,7 @@ Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl start --now -q domain-locker
+systemctl enable -q --now domain-locker
 msg_info "Created Service"
 
 motd_ssh

install/influxdb-install.sh

@@ -16,7 +16,7 @@ update_os
 msg_info "Setting up InfluxDB Repository"
 setup_deb822_repo \
   "influxdata" \
-  "https://repos.influxdata.com/influxdata-archive_compat.key" \
+  "https://repos.influxdata.com/influxdata-archive.key" \
   "https://repos.influxdata.com/$(get_os_info id)" \
   "stable"
 msg_ok "Set up InfluxDB Repository"
@@ -38,6 +38,7 @@ else
   $STD dpkg -i chronograf_1.10.8_amd64.deb
   rm -rf /chronograf_1.10.8_amd64.deb
 fi
+rm /etc/apt/sources.list.d/influxdata.list
 $STD systemctl enable --now influxdb
 msg_ok "Installed InfluxDB"
 

install/inventree-install.sh

@@ -13,23 +13,27 @@ setting_up_container
 network_check
 update_os
 
-msg_info "Installing Dependencies"
-temp_file=$(mktemp)
-curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2_amd64.deb" -o "$temp_file"
-$STD dpkg -i $temp_file
-rm -f $temp_file
-msg_ok "Installed Dependencies"
-
 msg_info "Setting up InvenTree Repository"
-mkdir -p /etc/apt/keyrings
-curl -fsSL https://dl.packager.io/srv/inventree/InvenTree/key | gpg --dearmor -o /etc/apt/keyrings/inventree.gpg
-echo "deb [signed-by=/etc/apt/keyrings/inventree.gpg] https://dl.packager.io/srv/deb/inventree/InvenTree/stable/ubuntu 20.04 main" >/etc/apt/sources.list.d/inventree.list
+setup_deb822_repo \
+  "inventree" \
+  "https://dl.packager.io/srv/inventree/InvenTree/key" \
+  "https://dl.packager.io/srv/deb/inventree/InvenTree/stable/$(get_os_info id)" \
+  "$(get_os_info version)" \
+  "main"
 msg_ok "Set up InvenTree Repository"
 
-msg_info "Setup ${APPLICATION} (Patience)"
-$STD apt-get update
-$STD apt-get install -y inventree
-msg_ok "Setup ${APPLICATION}"
+msg_info "Installing InvenTree (Patience)"
+export SETUP_NO_CALLS=true
+$STD apt install -y inventree
+msg_ok "Installed InvenTree"
+
+msg_info "Configuring InvenTree"
+LOCAL_IP="$(hostname -I | awk '{print $1}')"
+if [[ -f /etc/inventree/config.yaml ]]; then
+  sed -i "s|site_url:.*|site_url: http://${LOCAL_IP}|" /etc/inventree/config.yaml
+fi
+$STD inventree run invoke update
+msg_ok "Configured InvenTree"
 
 motd_ssh
 customize

install/wanderer-install.sh

@@ -52,7 +52,7 @@ cat <<EOF >/opt/wanderer/start.sh
 
 trap "kill 0" EXIT
 
-cd /opt/wanderer/source/search && meilisearch --master-key \$MEILI_MASTER_KEY &
+cd /opt/wanderer/source/search && meilisearch --experimental-dumpless-upgrade --master-key \$MEILI_MASTER_KEY &
 sleep 1
 cd /opt/wanderer/source/db && ./pocketbase serve --http=\$PB_URL --dir=\$PB_DB_LOCATION &
 cd /opt/wanderer/source/web && node build &

install/zammad-install.sh

@@ -21,15 +21,12 @@ $STD apt install -y \
 msg_ok "Installed Dependencies"
 
 msg_info "Setting up Elasticsearch"
-curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
-cat <<EOF | sudo tee /etc/apt/sources.list.d/elasticsearch.sources >/dev/null
-Types: deb
-URIs: https://artifacts.elastic.co/packages/7.x/apt
-Suites: stable
-Components: main
-Signed-By: /usr/share/keyrings/elasticsearch-keyring.gpg
-EOF
-$STD apt update
+setup_deb822_repo \
+  "elasticsearch" \
+  "https://artifacts.elastic.co/GPG-KEY-elasticsearch" \
+  "https://artifacts.elastic.co/packages/7.x/apt" \
+  "stable" \
+  "main"
 $STD apt -y install elasticsearch
 echo "-Xms2g" >>/etc/elasticsearch/jvm.options
 echo "-Xmx2g" >>/etc/elasticsearch/jvm.options
@@ -39,15 +36,12 @@ systemctl restart -q elasticsearch
 msg_ok "Setup Elasticsearch"
 
 msg_info "Installing Zammad"
-curl -fsSL https://dl.packager.io/srv/zammad/zammad/key | gpg --dearmor | sudo tee /etc/apt/keyrings/pkgr-zammad.gpg >/dev/null
-cat <<EOF | sudo tee /etc/apt/sources.list.d/zammad.sources >/dev/null
-Types: deb
-URIs: https://dl.packager.io/srv/deb/zammad/zammad/stable/debian
-Suites: 12
-Components: main
-Signed-By: /etc/apt/keyrings/pkgr-zammad.gpg
-EOF
-$STD apt update
+setup_deb822_repo \
+  "zammad" \
+  "https://dl.packager.io/srv/zammad/zammad/key" \
+  "https://dl.packager.io/srv/deb/zammad/zammad/stable/debian" \
+  "$(get_os_info version_id)" \
+  "main"
 $STD apt -y install zammad
 $STD zammad run rails r "Setting.set('es_url', 'http://localhost:9200')"
 $STD zammad run rake zammad:searchindex:rebuild

misc/alpine-install.func

@@ -125,22 +125,13 @@ update_os() {
 # This function modifies the message of the day (motd) and SSH settings
 motd_ssh() {
   echo "export TERM='xterm-256color'" >>/root/.bashrc
-  IP=$(ip -4 addr show eth0 | awk '/inet / {print $2}' | cut -d/ -f1 | head -n 1)
-
-  if [ -f "/etc/os-release" ]; then
-    OS_NAME=$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '"')
-    OS_VERSION=$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '"')
-  else
-    OS_NAME="Alpine Linux"
-    OS_VERSION="Unknown"
-  fi
 
   PROFILE_FILE="/etc/profile.d/00_lxc-details.sh"
   echo "echo -e \"\"" >"$PROFILE_FILE"
   echo -e "echo -e \"${BOLD}${APPLICATION} LXC Container${CL}"\" >>"$PROFILE_FILE"
   echo -e "echo -e \"${TAB}${GATEWAY}${YW} Provided by: ${GN}community-scripts ORG ${YW}| GitHub: ${GN}https://github.com/community-scripts/ProxmoxVE${CL}\"" >>"$PROFILE_FILE"
   echo "echo \"\"" >>"$PROFILE_FILE"
-  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}${OS_NAME} - Version: ${OS_VERSION}${CL}\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}\$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '\"') - Version: \$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '\"')${CL}\"" >>"$PROFILE_FILE"
   echo -e "echo -e \"${TAB}${HOSTNAME}${YW} Hostname: ${GN}\$(hostname)${CL}\"" >>"$PROFILE_FILE"
   echo -e "echo -e \"${TAB}${INFO}${YW} IP Address: ${GN}\$(ip -4 addr show eth0 | awk '/inet / {print \$2}' | cut -d/ -f1 | head -n 1)${CL}\"" >>"$PROFILE_FILE"
 

misc/build.func

@@ -453,7 +453,7 @@ load_vars_file() {
 
   # Allowed var_* keys
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -505,7 +505,7 @@ default_var_settings() {
   # Allowed var_* keys (alphabetically sorted)
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -667,7 +667,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
     var_gateway var_hostname var_ipv6_method var_mac var_mtu
     var_net var_ns var_pw var_ram var_tags var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -816,6 +816,7 @@ _build_current_app_vars_tmp() {
   _apt_cacher_ip="${APT_CACHER_IP:-}"
   _fuse="${ENABLE_FUSE:-no}"
   _tun="${ENABLE_TUN:-no}"
+  _gpu="${ENABLE_GPU:-no}"
   _nesting="${ENABLE_NESTING:-1}"
   _keyctl="${ENABLE_KEYCTL:-0}"
   _mknod="${ENABLE_MKNOD:-0}"
@@ -865,6 +866,7 @@ _build_current_app_vars_tmp() {
 
     [ -n "$_fuse" ] && echo "var_fuse=$(_sanitize_value "$_fuse")"
     [ -n "$_tun" ] && echo "var_tun=$(_sanitize_value "$_tun")"
+    [ -n "$_gpu" ] && echo "var_gpu=$(_sanitize_value "$_gpu")"
     [ -n "$_nesting" ] && echo "var_nesting=$(_sanitize_value "$_nesting")"
     [ -n "$_keyctl" ] && echo "var_keyctl=$(_sanitize_value "$_keyctl")"
     [ -n "$_mknod" ] && echo "var_mknod=$(_sanitize_value "$_mknod")"
@@ -1011,37 +1013,49 @@ advanced_settings() {
   # Initialize defaults
   TAGS="community-script;${var_tags:-}"
   local STEP=1
-  local MAX_STEP=19
+  local MAX_STEP=28
 
-  # Store values for back navigation
-  local _ct_type="${CT_TYPE:-1}"
+  # Store values for back navigation - inherit from var_* app defaults
+  local _ct_type="${var_unprivileged:-1}"
   local _pw=""
   local _pw_display="Automatic Login"
   local _ct_id="$NEXTID"
   local _hostname="$NSAPP"
-  local _disk_size="$var_disk"
-  local _core_count="$var_cpu"
-  local _ram_size="$var_ram"
-  local _bridge="vmbr0"
-  local _net="dhcp"
-  local _gate=""
-  local _ipv6_method="auto"
+  local _disk_size="${var_disk:-4}"
+  local _core_count="${var_cpu:-1}"
+  local _ram_size="${var_ram:-1024}"
+  local _bridge="${var_brg:-vmbr0}"
+  local _net="${var_net:-dhcp}"
+  local _gate="${var_gateway:-}"
+  local _ipv6_method="${var_ipv6_method:-auto}"
   local _ipv6_addr=""
   local _ipv6_gate=""
-  local _apt_cacher_ip=""
-  local _mtu=""
-  local _sd=""
-  local _ns=""
-  local _mac=""
-  local _vlan=""
+  local _apt_cacher="${var_apt_cacher:-no}"
+  local _apt_cacher_ip="${var_apt_cacher_ip:-}"
+  local _mtu="${var_mtu:-}"
+  local _sd="${var_searchdomain:-}"
+  local _ns="${var_ns:-}"
+  local _mac="${var_mac:-}"
+  local _vlan="${var_vlan:-}"
   local _tags="$TAGS"
-  local _enable_fuse="no"
-  local _verbose="no"
-  local _enable_keyctl="0"
-  local _enable_mknod="0"
-  local _mount_fs=""
-  local _protect_ct="no"
-  local _ct_timezone=""
+  local _enable_fuse="${var_fuse:-no}"
+  local _enable_tun="${var_tun:-no}"
+  local _enable_gpu="${var_gpu:-no}"
+  local _enable_nesting="${var_nesting:-1}"
+  local _verbose="${var_verbose:-no}"
+  local _enable_keyctl="${var_keyctl:-0}"
+  local _enable_mknod="${var_mknod:-0}"
+  local _mount_fs="${var_mount_fs:-}"
+  local _protect_ct="${var_protection:-no}"
+  
+  # Detect host timezone for default (if not set via var_timezone)
+  local _host_timezone=""
+  if command -v timedatectl >/dev/null 2>&1; then
+    _host_timezone=$(timedatectl show --value --property=Timezone 2>/dev/null || echo "")
+  elif [ -f /etc/timezone ]; then
+    _host_timezone=$(cat /etc/timezone 2>/dev/null || echo "")
+  fi
+  local _ct_timezone="${var_timezone:-$_host_timezone}"
 
   # Helper to show current progress
   show_progress() {
@@ -1491,20 +1505,23 @@ advanced_settings() {
     # STEP 17: SSH Settings
     # ═══════════════════════════════════════════════════════════════════════════
     17)
-      configure_ssh_settings
+      configure_ssh_settings "Step $STEP/$MAX_STEP"
       # configure_ssh_settings handles its own flow, always advance
       ((STEP++))
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 18: FUSE & Verbose Mode
+    # STEP 18: FUSE Support
     # ═══════════════════════════════════════════════════════════════════════════
     18)
+      local fuse_default_flag="--defaultno"
+      [[ "$_enable_fuse" == "yes" || "$_enable_fuse" == "1" ]] && fuse_default_flag=""
+
       if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
         --title "FUSE SUPPORT" \
         --ok-button "Next" --cancel-button "Back" \
-        --defaultno \
-        --yesno "\nEnable FUSE support?\n\nRequired for: rclone, mergerfs, AppImage, etc." 12 58; then
+        $fuse_default_flag \
+        --yesno "\nEnable FUSE support?\n\nRequired for: rclone, mergerfs, AppImage, etc.\n\n(App default: ${var_fuse:-no})" 14 58; then
         _enable_fuse="yes"
       else
         if [ $? -eq 1 ]; then
@@ -1514,26 +1531,255 @@ advanced_settings() {
           continue
         fi
       fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 19: TUN/TAP Support
+    # ═══════════════════════════════════════════════════════════════════════════
+    19)
+      local tun_default_flag="--defaultno"
+      [[ "$_enable_tun" == "yes" || "$_enable_tun" == "1" ]] && tun_default_flag=""
 
       if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
-        --title "VERBOSE MODE" \
-        --defaultno \
-        --yesno "\nEnable Verbose Mode?\n\nShows detailed output during installation." 12 58; then
-        _verbose="yes"
+        --title "TUN/TAP SUPPORT" \
+        --ok-button "Next" --cancel-button "Back" \
+        $tun_default_flag \
+        --yesno "\nEnable TUN/TAP device support?\n\nRequired for: VPN apps (WireGuard, OpenVPN, Tailscale),\nnetwork tunneling, and containerized networking.\n\n(App default: ${var_tun:-no})" 14 62; then
+        _enable_tun="yes"
       else
-        _verbose="no"
+        if [ $? -eq 1 ]; then
+          _enable_tun="no"
+        else
+          ((STEP--))
+          continue
+        fi
       fi
       ((STEP++))
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 19: Confirmation
+    # STEP 20: Nesting Support
     # ═══════════════════════════════════════════════════════════════════════════
-    19)
+    20)
+      local nesting_default_flag=""
+      [[ "$_enable_nesting" == "0" || "$_enable_nesting" == "no" ]] && nesting_default_flag="--defaultno"
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "NESTING SUPPORT" \
+        --ok-button "Next" --cancel-button "Back" \
+        $nesting_default_flag \
+        --yesno "\nEnable Nesting?\n\nRequired for: Docker, LXC inside LXC, Podman,\nand other containerization tools.\n\n(App default: ${var_nesting:-1})" 14 58; then
+        _enable_nesting="1"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_nesting="0"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 21: GPU Passthrough
+    # ═══════════════════════════════════════════════════════════════════════════
+    21)
+      local gpu_default_flag="--defaultno"
+      [[ "$_enable_gpu" == "yes" ]] && gpu_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "GPU PASSTHROUGH" \
+        --ok-button "Next" --cancel-button "Back" \
+        $gpu_default_flag \
+        --yesno "\nEnable GPU Passthrough?\n\nAutomatically detects and passes through available GPUs\n(Intel/AMD/NVIDIA) for hardware acceleration.\n\nRecommended for: Media servers, AI/ML, Transcoding\n\n(App default: ${var_gpu:-no})" 16 62; then
+        _enable_gpu="yes"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_gpu="no"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 22: Keyctl Support (Docker/systemd)
+    # ═══════════════════════════════════════════════════════════════════════════
+    22)
+      local keyctl_default_flag="--defaultno"
+      [[ "$_enable_keyctl" == "1" ]] && keyctl_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "KEYCTL SUPPORT" \
+        --ok-button "Next" --cancel-button "Back" \
+        $keyctl_default_flag \
+        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\nNote: Automatically enabled for unprivileged containers.\n\n(App default: ${var_keyctl:-0})" 16 62; then
+        _enable_keyctl="1"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_keyctl="0"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 23: APT Cacher Proxy
+    # ═══════════════════════════════════════════════════════════════════════════
+    23)
+      local apt_cacher_default_flag="--defaultno"
+      [[ "$_apt_cacher" == "yes" ]] && apt_cacher_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "APT CACHER PROXY" \
+        --ok-button "Next" --cancel-button "Back" \
+        $apt_cacher_default_flag \
+        --yesno "\nUse APT Cacher-NG proxy?\n\nSpeeds up package downloads by caching them locally.\nRequires apt-cacher-ng running on your network.\n\n(App default: ${var_apt_cacher:-no})" 14 62; then
+        _apt_cacher="yes"
+        # Ask for IP if enabled
+        if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+          --title "APT CACHER IP" \
+          --inputbox "\nEnter APT Cacher-NG server IP address:" 10 58 "$_apt_cacher_ip" \
+          3>&1 1>&2 2>&3); then
+          _apt_cacher_ip="$result"
+        fi
+      else
+        if [ $? -eq 1 ]; then
+          _apt_cacher="no"
+          _apt_cacher_ip=""
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 24: Container Timezone
+    # ═══════════════════════════════════════════════════════════════════════════
+    24)
+      local tz_hint="$_ct_timezone"
+      [[ -z "$tz_hint" ]] && tz_hint="(empty - will use host timezone)"
+
+      if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "CONTAINER TIMEZONE" \
+        --ok-button "Next" --cancel-button "Back" \
+        --inputbox "\nSet container timezone.\n\nExamples: Europe/Berlin, America/New_York, Asia/Tokyo\n\nHost timezone: ${_host_timezone:-unknown}\n\nLeave empty to inherit from host." 16 62 "$_ct_timezone" \
+        3>&1 1>&2 2>&3); then
+        _ct_timezone="$result"
+        ((STEP++))
+      else
+        ((STEP--))
+      fi
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 25: Container Protection
+    # ═══════════════════════════════════════════════════════════════════════════
+    25)
+      local protect_default_flag="--defaultno"
+      [[ "$_protect_ct" == "yes" || "$_protect_ct" == "1" ]] && protect_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "CONTAINER PROTECTION" \
+        --ok-button "Next" --cancel-button "Back" \
+        $protect_default_flag \
+        --yesno "\nEnable Container Protection?\n\nPrevents accidental deletion of this container.\nYou must disable protection before removing.\n\n(App default: ${var_protection:-no})" 14 62; then
+        _protect_ct="yes"
+      else
+        if [ $? -eq 1 ]; then
+          _protect_ct="no"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 26: Device Node Creation (mknod)
+    # ═══════════════════════════════════════════════════════════════════════════
+    26)
+      local mknod_default_flag="--defaultno"
+      [[ "$_enable_mknod" == "1" ]] && mknod_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "DEVICE NODE CREATION" \
+        --ok-button "Next" --cancel-button "Back" \
+        $mknod_default_flag \
+        --yesno "\nAllow device node creation (mknod)?\n\nRequired for: Creating device files inside container.\nExperimental feature (requires kernel 5.3+).\n\n(App default: ${var_mknod:-0})" 14 62; then
+        _enable_mknod="1"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_mknod="0"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 27: Mount Filesystems
+    # ═══════════════════════════════════════════════════════════════════════════
+    27)
+      local mount_hint=""
+      [[ -n "$_mount_fs" ]] && mount_hint="$_mount_fs" || mount_hint="(none)"
+
+      if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "MOUNT FILESYSTEMS" \
+        --ok-button "Next" --cancel-button "Back" \
+        --inputbox "\nAllow specific filesystem mounts.\n\nComma-separated list: nfs, cifs, fuse, ext4, etc.\nLeave empty for defaults (none).\n\nCurrent: $mount_hint" 14 62 "$_mount_fs" \
+        3>&1 1>&2 2>&3); then
+        _mount_fs="$result"
+        ((STEP++))
+      else
+        ((STEP--))
+      fi
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 28: Verbose Mode & Confirmation
+    # ═══════════════════════════════════════════════════════════════════════════
+    28)
+      local verbose_default_flag="--defaultno"
+      [[ "$_verbose" == "yes" ]] && verbose_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "VERBOSE MODE" \
+        $verbose_default_flag \
+        --yesno "\nEnable Verbose Mode?\n\nShows detailed output during installation." 12 58; then
+        _verbose="yes"
+      else
+        _verbose="no"
+      fi
       # Build summary
       local ct_type_desc="Unprivileged"
       [[ "$_ct_type" == "0" ]] && ct_type_desc="Privileged"
 
+      local nesting_desc="Disabled"
+      [[ "$_enable_nesting" == "1" ]] && nesting_desc="Enabled"
+
+      local keyctl_desc="Disabled"
+      [[ "$_enable_keyctl" == "1" ]] && keyctl_desc="Enabled"
+
+      local protect_desc="No"
+      [[ "$_protect_ct" == "yes" || "$_protect_ct" == "1" ]] && protect_desc="Yes"
+
+      local tz_display="${_ct_timezone:-Host TZ}"
+      local apt_display="${_apt_cacher:-no}"
+      [[ "$_apt_cacher" == "yes" && -n "$_apt_cacher_ip" ]] && apt_display="$_apt_cacher_ip"
+
       local summary="Container Type: $ct_type_desc
 Container ID: $_ct_id
 Hostname: $_hostname
@@ -1548,14 +1794,20 @@ Network:
   IPv4: $_net
   IPv6: $_ipv6_method
 
-Options:
-  FUSE: $_enable_fuse
+Features:
+  FUSE: $_enable_fuse | TUN: $_enable_tun
+  Nesting: $nesting_desc | Keyctl: $keyctl_desc
+  GPU: $_enable_gpu | Protection: $protect_desc
+
+Advanced:
+  Timezone: $tz_display
+  APT Cacher: $apt_display
   Verbose: $_verbose"
 
       if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
         --title "CONFIRM SETTINGS" \
         --ok-button "Create LXC" --cancel-button "Back" \
-        --yesno "$summary\n\nCreate ${APP} LXC with these settings?" 26 58; then
+        --yesno "$summary\n\nCreate ${APP} LXC with these settings?" 32 62; then
         ((STEP++))
       else
         ((STEP--))
@@ -1582,8 +1834,31 @@ Options:
   IPV6_GATE="$_ipv6_gate"
   TAGS="$_tags"
   ENABLE_FUSE="$_enable_fuse"
+  ENABLE_TUN="$_enable_tun"
+  ENABLE_GPU="$_enable_gpu"
+  ENABLE_NESTING="$_enable_nesting"
+  ENABLE_KEYCTL="$_enable_keyctl"
+  ENABLE_MKNOD="$_enable_mknod"
+  ALLOW_MOUNT_FS="$_mount_fs"
+  PROTECT_CT="$_protect_ct"
+  CT_TIMEZONE="$_ct_timezone"
+  APT_CACHER="$_apt_cacher"
+  APT_CACHER_IP="$_apt_cacher_ip"
   VERBOSE="$_verbose"
 
+  # Update var_* based on user choice (for functions that check these)
+  var_gpu="$_enable_gpu"
+  var_fuse="$_enable_fuse"
+  var_tun="$_enable_tun"
+  var_nesting="$_enable_nesting"
+  var_keyctl="$_enable_keyctl"
+  var_mknod="$_enable_mknod"
+  var_mount_fs="$_mount_fs"
+  var_protection="$_protect_ct"
+  var_timezone="$_ct_timezone"
+  var_apt_cacher="$_apt_cacher"
+  var_apt_cacher_ip="$_apt_cacher_ip"
+
   # Format optional values
   [[ -n "$_mtu" ]] && MTU=",mtu=$_mtu" || MTU=""
   [[ -n "$_sd" ]] && SD="-searchdomain=$_sd" || SD=""
@@ -1600,6 +1875,10 @@ Options:
   export UDHCPC_FIX
   export SSH_KEYS_FILE
 
+  # Exit alternate screen buffer before showing summary (so output remains visible)
+  tput rmcup 2>/dev/null || true
+  trap - RETURN
+
   # Display final summary
   echo -e "\n${INFO}${BOLD}${DGN}PVE Version ${PVEVERSION} (Kernel: ${KERNEL_VERSION})${CL}"
   echo -e "${OS}${BOLD}${DGN}Operating System: ${BGN}$var_os${CL}"
@@ -1614,6 +1893,13 @@ Options:
   echo -e "${NETWORK}${BOLD}${DGN}IPv4: ${BGN}$NET${CL}"
   echo -e "${NETWORK}${BOLD}${DGN}IPv6: ${BGN}$IPV6_METHOD${CL}"
   echo -e "${FUSE}${BOLD}${DGN}FUSE Support: ${BGN}$ENABLE_FUSE${CL}"
+  [[ "$ENABLE_TUN" == "yes" ]] && echo -e "${NETWORK}${BOLD}${DGN}TUN/TAP Support: ${BGN}$ENABLE_TUN${CL}"
+  echo -e "${CONTAINERTYPE}${BOLD}${DGN}Nesting: ${BGN}$([ "$ENABLE_NESTING" == "1" ] && echo "Enabled" || echo "Disabled")${CL}"
+  [[ "$ENABLE_KEYCTL" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Keyctl: ${BGN}Enabled${CL}"
+  echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}$ENABLE_GPU${CL}"
+  [[ "$PROTECT_CT" == "yes" || "$PROTECT_CT" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Protection: ${BGN}Enabled${CL}"
+  [[ -n "$CT_TIMEZONE" ]] && echo -e "${INFO}${BOLD}${DGN}Timezone: ${BGN}$CT_TIMEZONE${CL}"
+  [[ "$APT_CACHER" == "yes" ]] && echo -e "${INFO}${BOLD}${DGN}APT Cacher: ${BGN}$APT_CACHER_IP${CL}"
   echo -e "${SEARCH}${BOLD}${DGN}Verbose Mode: ${BGN}$VERBOSE${CL}"
   echo -e "${CREATING}${BOLD}${RD}Creating a ${APP} LXC using the above advanced settings${CL}"
 }
@@ -1736,6 +2022,9 @@ echo_default() {
   echo -e "${DISKSIZE}${BOLD}${DGN}Disk Size: ${BGN}${DISK_SIZE} GB${CL}"
   echo -e "${CPUCORE}${BOLD}${DGN}CPU Cores: ${BGN}${CORE_COUNT}${CL}"
   echo -e "${RAMSIZE}${BOLD}${DGN}RAM Size: ${BGN}${RAM_SIZE} MiB${CL}"
+  if [[ -n "${var_gpu:-}" && "${var_gpu}" == "yes" ]]; then
+    echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}Enabled${CL}"
+  fi
   if [ "$VERBOSE" == "yes" ]; then
     echo -e "${SEARCH}${BOLD}${DGN}Verbose Mode: ${BGN}Enabled${CL}"
   fi
@@ -2076,6 +2365,10 @@ ssh_discover_default_files() {
 }
 
 configure_ssh_settings() {
+  local step_info="${1:-}"
+  local backtitle="Proxmox VE Helper Scripts"
+  [[ -n "$step_info" ]] && backtitle="Proxmox VE Helper Scripts [${step_info}]"
+
   SSH_KEYS_FILE="$(mktemp)"
   : >"$SSH_KEYS_FILE"
 
@@ -2085,14 +2378,14 @@ configure_ssh_settings() {
 
   local ssh_key_mode
   if [[ "$default_key_count" -gt 0 ]]; then
-    ssh_key_mode=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SSH KEY SOURCE" --menu \
+    ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
       "Provision SSH keys for root:" 14 72 4 \
       "found" "Select from detected keys (${default_key_count})" \
       "manual" "Paste a single public key" \
       "folder" "Scan another folder (path or glob)" \
       "none" "No keys" 3>&1 1>&2 2>&3) || exit_script
   else
-    ssh_key_mode=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SSH KEY SOURCE" --menu \
+    ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
       "No host keys detected; choose manual/none:" 12 72 2 \
       "manual" "Paste a single public key" \
       "none" "No keys" 3>&1 1>&2 2>&3) || exit_script
@@ -2101,7 +2394,7 @@ configure_ssh_settings() {
   case "$ssh_key_mode" in
   found)
     local selection
-    selection=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SELECT HOST KEYS" \
+    selection=$(whiptail --backtitle "$backtitle" --title "SELECT HOST KEYS" \
       --checklist "Select one or more keys to import:" 20 140 10 "${CHOICES[@]}" 3>&1 1>&2 2>&3) || exit_script
     for tag in $selection; do
       tag="${tag%\"}"
@@ -2112,13 +2405,13 @@ configure_ssh_settings() {
     done
     ;;
   manual)
-    SSH_AUTHORIZED_KEY="$(whiptail --backtitle "Proxmox VE Helper Scripts" \
+    SSH_AUTHORIZED_KEY="$(whiptail --backtitle "$backtitle" \
       --inputbox "Paste one SSH public key line (ssh-ed25519/ssh-rsa/...)" 10 72 --title "SSH Public Key" 3>&1 1>&2 2>&3)"
     [[ -n "$SSH_AUTHORIZED_KEY" ]] && printf '%s\n' "$SSH_AUTHORIZED_KEY" >>"$SSH_KEYS_FILE"
     ;;
   folder)
     local glob_path
-    glob_path=$(whiptail --backtitle "Proxmox VE Helper Scripts" \
+    glob_path=$(whiptail --backtitle "$backtitle" \
       --inputbox "Enter a folder or glob to scan (e.g. /root/.ssh/*.pub)" 10 72 --title "Scan Folder/Glob" 3>&1 1>&2 2>&3)
     if [[ -n "$glob_path" ]]; then
       shopt -s nullglob
@@ -2128,7 +2421,7 @@ configure_ssh_settings() {
         ssh_build_choices_from_files "${_scan_files[@]}"
         if [[ "$COUNT" -gt 0 ]]; then
           local folder_selection
-          folder_selection=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SELECT FOLDER KEYS" \
+          folder_selection=$(whiptail --backtitle "$backtitle" --title "SELECT FOLDER KEYS" \
             --checklist "Select key(s) to import:" 20 78 10 "${CHOICES[@]}" 3>&1 1>&2 2>&3) || exit_script
           for tag in $folder_selection; do
             tag="${tag%\"}"
@@ -2138,10 +2431,10 @@ configure_ssh_settings() {
             [[ -n "$line" ]] && printf '%s\n' "$line" >>"$SSH_KEYS_FILE"
           done
         else
-          whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox "No keys found in: $glob_path" 8 60
+          whiptail --backtitle "$backtitle" --msgbox "No keys found in: $glob_path" 8 60
         fi
       else
-        whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox "Path/glob returned no files." 8 60
+        whiptail --backtitle "$backtitle" --msgbox "Path/glob returned no files." 8 60
       fi
     fi
     ;;
@@ -2155,12 +2448,9 @@ configure_ssh_settings() {
     printf '\n' >>"$SSH_KEYS_FILE"
   fi
 
-  if [[ -s "$SSH_KEYS_FILE" || "$PW" == -password* ]]; then
-    if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "SSH ACCESS" --yesno "Enable root SSH access?" 10 58); then
-      SSH="yes"
-    else
-      SSH="no"
-    fi
+  # Always show SSH access dialog - user should be able to enable SSH even without keys
+  if (whiptail --backtitle "$backtitle" --defaultno --title "SSH ACCESS" --yesno "Enable root SSH access?" 10 58); then
+    SSH="yes"
   else
     SSH="no"
   fi
@@ -2278,15 +2568,23 @@ build_container() {
   none) ;;
   esac
 
-  # Build FEATURES string
-  if [ "$CT_TYPE" == "1" ]; then
-    FEATURES="keyctl=1,nesting=1"
-  else
+  # Build FEATURES string based on container type and user choices
+  FEATURES=""
+
+  # Nesting support (user configurable, default enabled)
+  if [ "${ENABLE_NESTING:-1}" == "1" ]; then
     FEATURES="nesting=1"
   fi
 
+  # Keyctl for unprivileged containers (needed for Docker)
+  if [ "$CT_TYPE" == "1" ]; then
+    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+    FEATURES="${FEATURES}keyctl=1"
+  fi
+
   if [ "$ENABLE_FUSE" == "yes" ]; then
-    FEATURES="$FEATURES,fuse=1"
+    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+    FEATURES="${FEATURES}fuse=1"
   fi
 
   # Build PCT_OPTIONS as string for export
@@ -2387,21 +2685,15 @@ build_container() {
   # GPU/USB PASSTHROUGH CONFIGURATION
   # ============================================================================
 
-  # List of applications that benefit from GPU acceleration
-  GPU_APPS=(
-    "immich" "channels" "emby" "ersatztv" "frigate"
-    "jellyfin" "plex" "scrypted" "tdarr" "unmanic"
-    "ollama" "fileflows" "open-webui" "tunarr" "debian"
-    "handbrake" "sunshine" "moonlight" "kodi" "stremio"
-    "viseron"
-  )
-
-  # Check if app needs GPU
+  # Check if GPU passthrough is enabled
+  # Returns true only if var_gpu is explicitly set to "yes"
+  # Can be set via:
+  #   - Environment variable: var_gpu=yes bash -c "..."
+  #   - CT script default: var_gpu="${var_gpu:-no}"
+  #   - Advanced settings wizard
+  #   - App defaults file: /usr/local/community-scripts/defaults/<app>.vars
   is_gpu_app() {
-    local app="${1,,}"
-    for gpu_app in "${GPU_APPS[@]}"; do
-      [[ "$app" == "${gpu_app,,}" ]] && return 0
-    done
+    [[ "${var_gpu:-no}" == "yes" ]] && return 0
     return 1
   }
 
@@ -2491,8 +2783,13 @@ EOF
 
   # Configure GPU passthrough
   configure_gpu_passthrough() {
-    # Skip if not a GPU app and not privileged
-    if [[ "$CT_TYPE" != "0" ]] && ! is_gpu_app "$APP"; then
+    # Skip if:
+    # GPU passthrough is enabled when var_gpu="yes":
+    # - Set via environment variable: var_gpu=yes bash -c "..."
+    # - Set in CT script: var_gpu="${var_gpu:-no}"
+    # - Enabled in advanced_settings wizard
+    # - Configured in app defaults file
+    if ! is_gpu_app "$APP"; then
       return 0
     fi
 

misc/core.func

@@ -123,6 +123,7 @@ icons() {
   CREATING="${TAB}🚀${TAB}${CL}"
   ADVANCED="${TAB}🧩${TAB}${CL}"
   FUSE="${TAB}🗂️${TAB}${CL}"
+  GPU="${TAB}🎮${TAB}${CL}"
   HOURGLASS="${TAB}⏳${TAB}"
 }
 

misc/install.func

@@ -222,21 +222,12 @@ motd_ssh() {
   # Set terminal to 256-color mode
   grep -qxF "export TERM='xterm-256color'" /root/.bashrc || echo "export TERM='xterm-256color'" >>/root/.bashrc
 
-  # Get OS information (Debian / Ubuntu)
-  if [ -f "/etc/os-release" ]; then
-    OS_NAME=$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '"')
-    OS_VERSION=$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '"')
-  elif [ -f "/etc/debian_version" ]; then
-    OS_NAME="Debian"
-    OS_VERSION=$(cat /etc/debian_version)
-  fi
-
   PROFILE_FILE="/etc/profile.d/00_lxc-details.sh"
   echo "echo -e \"\"" >"$PROFILE_FILE"
   echo -e "echo -e \"${BOLD}${APPLICATION} LXC Container${CL}"\" >>"$PROFILE_FILE"
   echo -e "echo -e \"${TAB}${GATEWAY}${YW} Provided by: ${GN}community-scripts ORG ${YW}| GitHub: ${GN}https://github.com/community-scripts/ProxmoxVE${CL}\"" >>"$PROFILE_FILE"
   echo "echo \"\"" >>"$PROFILE_FILE"
-  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}${OS_NAME} - Version: ${OS_VERSION}${CL}\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}\$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '\"') - Version: \$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '\"')${CL}\"" >>"$PROFILE_FILE"
   echo -e "echo -e \"${TAB}${HOSTNAME}${YW} Hostname: ${GN}\$(hostname)${CL}\"" >>"$PROFILE_FILE"
   echo -e "echo -e \"${TAB}${INFO}${YW} IP Address: ${GN}\$(hostname -I | awk '{print \$1}')${CL}\"" >>"$PROFILE_FILE"
 

misc/tools.func

@@ -72,17 +72,17 @@ stop_all_services() {
   local service_patterns=("$@")
 
   for pattern in "${service_patterns[@]}"; do
-    # Find all matching services
+    # Find all matching services (grep || true to handle no matches)
+    local services
+    services=$(systemctl list-units --type=service --all 2>/dev/null |
+      grep -oE "${pattern}[^ ]*\.service" 2>/dev/null | sort -u) || true
 
-    systemctl list-units --type=service --all 2>/dev/null |
-      grep -oE "${pattern}[^ ]*\.service" |
-      sort -u |
+    if [[ -n "$services" ]]; then
       while read -r service; do
-
         $STD systemctl stop "$service" 2>/dev/null || true
         $STD systemctl disable "$service" 2>/dev/null || true
-      done
-
+      done <<<"$services"
+    fi
   done
 
 }

vm/opnsense-vm.sh

@@ -24,7 +24,7 @@ RANDOM_UUID="$(cat /proc/sys/kernel/random/uuid)"
 METHOD=""
 NSAPP="opnsense-vm"
 var_os="opnsense"
-var_version="25.1"
+var_version="25.7"
 #
 GEN_MAC=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
 GEN_MAC_LAN=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
@@ -670,7 +670,7 @@ if [ -n "$WAN_BRG" ]; then
   msg_ok "WAN interface added"
   sleep 5  # Brief pause after adding network interface
 fi
-send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 25.1"
+send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 25.7"
 msg_ok "OPNsense VM is being installed, do not close the terminal, or the installation will fail."
 #We need to wait for the OPNsense build proccess to finish, this takes a few minutes
 sleep 1000