fix: pre-fill timezone with host timezone in advanced settings

Advanced Settings Wizard (28 steps):
- Step 18: FUSE Support (inherits var_fuse)
- Step 19: TUN/TAP Support (inherits var_tun)
- Step 20: Nesting Support (inherits var_nesting)
- Step 21: GPU Passthrough (inherits var_gpu)
- Step 22: Keyctl Support (inherits var_keyctl)
- Step 23: APT Cacher Proxy (inherits var_apt_cacher/var_apt_cacher_ip)
- Step 24: Container Timezone (inherits var_timezone)
- Step 25: Container Protection (inherits var_protection)
- Step 26: Device Node Creation (inherits var_mknod)
- Step 27: Mount Filesystems (inherits var_mount_fs)
- Step 28: Verbose Mode & Confirmation

All var_* from CT scripts now pre-populate wizard fields with '(App default: X)' hints.

Documentation:
- New BUILD_FUNC_ADVANCED_SETTINGS.md with full wizard reference
- Updated BUILD_FUNC_ENVIRONMENT_VARIABLES.md with all feature flags
- Updated README.md with new documentation link

CHANGELOG.md

@@ -12,6 +12,20 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ## 2025-12-08
 
+### 🚀 Updated Scripts
+
+  - typo: tandoor instead of trandoor [@Neonize](https://github.com/Neonize) ([#9771](https://github.com/community-scripts/ProxmoxVE/pull/9771))
+
+  - #### ✨ New Features
+
+    - feat: Add var_gpu flag for GPU passthrough configuration [@MickLesk](https://github.com/MickLesk) ([#9764](https://github.com/community-scripts/ProxmoxVE/pull/9764))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - fix: always show SSH access dialog in advanced settings [@MickLesk](https://github.com/MickLesk) ([#9765](https://github.com/community-scripts/ProxmoxVE/pull/9765))
+
 ## 2025-12-07
 
 ### 🚀 Updated Scripts

ct/channels.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-0}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables
@@ -38,4 +39,4 @@ description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8089${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8089${CL}"

ct/emby.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/ersatztv.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-5}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/fileflows.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/frigate.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-20}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-11}"
 var_unprivileged="${var_unprivileged:-0}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables
@@ -38,4 +39,4 @@ description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5000${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:5000${CL}"

ct/immich.sh

@@ -13,6 +13,7 @@ var_ram="${var_ram:-4096}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/jellyfin.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-16}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/ollama.sh

@@ -12,6 +12,7 @@ var_ram="${var_ram:-4096}"
 var_disk="${var_disk:-35}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/openwebui.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-25}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/plex.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-8}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables
@@ -23,8 +24,8 @@ function update_script() {
   header_info
   check_container_storage
   check_container_resources
-  if [[ ! -f /etc/apt/sources.list.d/plexmediaserver.list ]] \
-   && [[ ! -f /etc/apt/sources.list.d/plexmediaserver.sources ]]; then
+  if [[ ! -f /etc/apt/sources.list.d/plexmediaserver.list ]] &&
+    [[ ! -f /etc/apt/sources.list.d/plexmediaserver.sources ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi

ct/tandoor.sh

@@ -65,7 +65,7 @@ EOF
     $STD /opt/tandoor/.venv/bin/python manage.py migrate
     $STD /opt/tandoor/.venv/bin/python manage.py collectstatic --no-input
     rm -rf /opt/tandoor.bak
-    msg_ok "Updated Trandoor"
+    msg_ok "Updated Tandoor"
 
     msg_info "Starting Service"
     systemctl start tandoor

ct/tdarr.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-4}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/tunarr.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-5}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

ct/unmanic.sh

@@ -13,6 +13,7 @@ var_disk="${var_disk:-4}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-0}"
+var_gpu="${var_gpu:-yes}"
 
 header_info "$APP"
 variables

docs/TECHNICAL_REFERENCE.md

@@ -1,8 +1,8 @@
 # Technical Reference: Configuration System Architecture
 
 > **For Developers and Advanced Users**
-> 
-> *Deep dive into how the defaults and configuration system works*
+>
+> _Deep dive into how the defaults and configuration system works_
 
 ---
 
@@ -123,13 +123,13 @@ VAR_VALUE  := [^\n]*  # Any printable characters except newline
 
 **Constraints**:
 
-| Constraint | Value |
-|-----------|-------|
-| Max file size | 64 KB |
-| Max line length | 1024 bytes |
-| Max variables | 100 |
-| Allowed var names | `var_[a-z_]+` |
-| Value validation | Whitelist + Sanitization |
+| Constraint        | Value                    |
+| ----------------- | ------------------------ |
+| Max file size     | 64 KB                    |
+| Max line length   | 1024 bytes               |
+| Max variables     | 100                      |
+| Allowed var names | `var_[a-z_]+`            |
+| Value validation  | Whitelist + Sanitization |
 
 **Example Valid File**:
 
@@ -206,21 +206,24 @@ var_tags=dns,pihole
 **Purpose**: Safely load variables from .vars files without using `source` or `eval`
 
 **Signature**:
+
 ```bash
 load_vars_file(filepath)
 ```
 
 **Parameters**:
 
-| Param | Type | Required | Example |
-|-------|------|----------|---------|
-| filepath | String | Yes | `/usr/local/community-scripts/default.vars` |
+| Param    | Type   | Required | Example                                     |
+| -------- | ------ | -------- | ------------------------------------------- |
+| filepath | String | Yes      | `/usr/local/community-scripts/default.vars` |
 
 **Returns**:
+
 - `0` on success
 - `1` on error (file missing, parse error, etc.)
 
 **Environment Side Effects**:
+
 - Sets all parsed `var_*` variables as shell variables
 - Does NOT unset variables if file missing (safe)
 - Does NOT affect other variables
@@ -230,25 +233,25 @@ load_vars_file(filepath)
 ```bash
 load_vars_file() {
   local file="$1"
-  
+
   # File must exist
   [ -f "$file" ] || return 0
-  
+
   # Parse line by line (not with source/eval)
   local line key val
   while IFS='=' read -r key val || [ -n "$key" ]; do
     # Skip comments and empty lines
     [[ "$key" =~ ^[[:space:]]*# ]] && continue
     [[ -z "$key" ]] && continue
-    
+
     # Validate key is in whitelist
     _is_whitelisted_key "$key" || continue
-    
+
     # Sanitize and export value
     val="$(_sanitize_value "$val")"
     [ $? -eq 0 ] && export "$key=$val"
   done < "$file"
-  
+
   return 0
 }
 ```
@@ -281,6 +284,7 @@ echo "Allocating ${var_ram} MB RAM"
 **Purpose**: Get the full path for app-specific defaults file
 
 **Signature**:
+
 ```bash
 get_app_defaults_path()
 ```
@@ -288,6 +292,7 @@ get_app_defaults_path()
 **Parameters**: None
 
 **Returns**:
+
 - String: Full path to app defaults file
 
 **Implementation**:
@@ -322,6 +327,7 @@ load_vars_file "$(get_app_defaults_path)"
 **Purpose**: Load and display user global defaults
 
 **Signature**:
+
 ```bash
 default_var_settings()
 ```
@@ -329,6 +335,7 @@ default_var_settings()
 **Parameters**: None
 
 **Returns**:
+
 - `0` on success
 - `1` on error
 
@@ -337,15 +344,15 @@ default_var_settings()
 ```
 1. Find default.vars location
    (usually /usr/local/community-scripts/default.vars)
-   
+
 2. Create if missing
-   
+
 3. Load variables from file
-   
+
 4. Map var_verbose → VERBOSE variable
-   
+
 5. Call base_settings (apply to container config)
-   
+
 6. Call echo_default (display summary)
 ```
 
@@ -354,20 +361,20 @@ default_var_settings()
 ```bash
 default_var_settings() {
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
     var_gateway var_hostname var_ipv6_method var_mac var_mtu
     var_net var_ns var_pw var_ram var_tags var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key
     var_container_storage var_template_storage
   )
-  
+
   # Ensure file exists
   _ensure_default_vars
-  
+
   # Find and load
   local dv="$(_find_default_vars)"
   load_vars_file "$dv"
-  
+
   # Map verbose flag
   if [[ -n "${var_verbose:-}" ]]; then
     case "${var_verbose,,}" in
@@ -375,7 +382,7 @@ default_var_settings() {
       *) VERBOSE="${var_verbose}" ;;
     esac
   fi
-  
+
   # Apply and display
   base_settings "$VERBOSE"
   echo_default
@@ -389,6 +396,7 @@ default_var_settings() {
 **Purpose**: Offer to save current settings as app-specific defaults
 
 **Signature**:
+
 ```bash
 maybe_offer_save_app_defaults()
 ```
@@ -413,10 +421,10 @@ maybe_offer_save_app_defaults()
 ```bash
 maybe_offer_save_app_defaults() {
   local app_vars_path="$(get_app_defaults_path)"
-  
+
   # Build current settings from memory
   local new_tmp="$(_build_current_app_vars_tmp)"
-  
+
   # Check if already exists
   if [ -f "$app_vars_path" ]; then
     # Show diff and ask: Update? Keep? View Diff?
@@ -438,29 +446,31 @@ maybe_offer_save_app_defaults() {
 **Purpose**: Remove dangerous characters/patterns from configuration values
 
 **Signature**:
+
 ```bash
 _sanitize_value(value)
 ```
 
 **Parameters**:
 
-| Param | Type | Required |
-|-------|------|----------|
-| value | String | Yes |
+| Param | Type   | Required |
+| ----- | ------ | -------- |
+| value | String | Yes      |
 
 **Returns**:
+
 - `0` (success) + sanitized value on stdout
 - `1` (failure) + nothing if dangerous
 
 **Dangerous Patterns**:
 
-| Pattern | Threat | Example |
-|---------|--------|---------|
-| `$(...)` | Command substitution | `$(rm -rf /)` |
-| `` ` ` `` | Command substitution | `` `whoami` `` |
-| `;` | Command separator | `value; rm -rf /` |
-| `&` | Background execution | `value & malicious` |
-| `<(` | Process substitution | `<(cat /etc/passwd)` |
+| Pattern   | Threat               | Example              |
+| --------- | -------------------- | -------------------- |
+| `$(...)`  | Command substitution | `$(rm -rf /)`        |
+| `` ` ` `` | Command substitution | `` `whoami` ``       |
+| `;`       | Command separator    | `value; rm -rf /`    |
+| `&`       | Background execution | `value & malicious`  |
+| `<(`      | Process substitution | `<(cat /etc/passwd)` |
 
 **Implementation**:
 
@@ -501,17 +511,19 @@ fi
 **Purpose**: Check if variable name is in allowed whitelist
 
 **Signature**:
+
 ```bash
 _is_whitelisted_key(key)
 ```
 
 **Parameters**:
 
-| Param | Type | Required | Example |
-|-------|------|----------|---------|
-| key | String | Yes | `var_cpu` |
+| Param | Type   | Required | Example   |
+| ----- | ------ | -------- | --------- |
+| key   | String | Yes      | `var_cpu` |
 
 **Returns**:
+
 - `0` if key is whitelisted
 - `1` if key is NOT whitelisted
 
@@ -573,6 +585,7 @@ Step 4: Use BUILT-IN DEFAULTS
 ### Precedence Examples
 
 **Example 1: Environment Variable Wins**
+
 ```bash
 # Shell environment has highest priority
 $ export var_cpu=16
@@ -583,6 +596,7 @@ $ bash pihole-install.sh
 ```
 
 **Example 2: App Defaults Override User Defaults**
+
 ```bash
 # User Defaults: var_cpu=4
 # App Defaults: var_cpu=2
@@ -593,6 +607,7 @@ $ bash pihole-install.sh
 ```
 
 **Example 3: All Defaults Missing (Built-ins Used)**
+
 ```bash
 # No environment variables set
 # No app defaults file
@@ -611,21 +626,21 @@ $ bash pihole-install.sh
 base_settings() {
   # Priority 1: Environment variables (already set if export used)
   CT_TYPE=${var_unprivileged:-"1"}          # Use existing or default
-  
+
   # Priority 2: Load app defaults (may override above)
   if [ -f "$(get_app_defaults_path)" ]; then
     load_vars_file "$(get_app_defaults_path)"
   fi
-  
+
   # Priority 3: Load user defaults
   if [ -f "/usr/local/community-scripts/default.vars" ]; then
     load_vars_file "/usr/local/community-scripts/default.vars"
   fi
-  
+
   # Priority 4: Apply built-in defaults (lowest)
   CORE_COUNT=${var_cpu:-"${APP_CPU_DEFAULT:-2}"}
   RAM_SIZE=${var_ram:-"${APP_RAM_DEFAULT:-1024}"}
-  
+
   # Result: var_cpu has been set through precedence chain
 }
 ```
@@ -734,14 +749,14 @@ CONTAINER CREATION STARTED
 
 ### Threat Model
 
-| Threat | Mitigation |
-|--------|-----------|
-| **Arbitrary Code Execution** | No `source` or `eval`; manual parsing only |
-| **Variable Injection** | Whitelist of allowed variable names |
-| **Command Substitution** | `_sanitize_value()` blocks `$()`, backticks, etc. |
-| **Path Traversal** | Files locked to `/usr/local/community-scripts/` |
-| **Permission Escalation** | Files created with restricted permissions |
-| **Information Disclosure** | Sensitive variables not logged |
+| Threat                       | Mitigation                                        |
+| ---------------------------- | ------------------------------------------------- |
+| **Arbitrary Code Execution** | No `source` or `eval`; manual parsing only        |
+| **Variable Injection**       | Whitelist of allowed variable names               |
+| **Command Substitution**     | `_sanitize_value()` blocks `$()`, backticks, etc. |
+| **Path Traversal**           | Files locked to `/usr/local/community-scripts/`   |
+| **Permission Escalation**    | Files created with restricted permissions         |
+| **Information Disclosure**   | Sensitive variables not logged                    |
 
 ### Security Controls
 
@@ -798,6 +813,7 @@ fi
 ### Module: `build.func`
 
 **Load Order** (in actual scripts):
+
 1. `#!/usr/bin/env bash` - Shebang
 2. `source /dev/stdin <<<$(curl ... api.func)` - API functions
 3. `source /dev/stdin <<<$(curl ... build.func)` - Build functions
@@ -832,17 +848,17 @@ fi
 
 # Section 6: Installation Flow
 - install_script()         # Main entry point
-- advanced_settings()      # 19-step wizard
+- advanced_settings()      # 20-step wizard
 ```
 
 ### Regex Patterns Used
 
-| Pattern | Purpose | Example Match |
-|---------|---------|---|
-| `^[0-9]+([.][0-9]+)?$` | Integer validation | `4`, `192.168` |
-| `^var_[a-z_]+$` | Variable name | `var_cpu`, `var_ssh` |
-| `*'$('*` | Command substitution | `$(whoami)` |
-| `*\`*` | Backtick substitution | `` `cat /etc/passwd` `` |
+| Pattern                | Purpose               | Example Match           |
+| ---------------------- | --------------------- | ----------------------- |
+| `^[0-9]+([.][0-9]+)?$` | Integer validation    | `4`, `192.168`          |
+| `^var_[a-z_]+$`        | Variable name         | `var_cpu`, `var_ssh`    |
+| `*'$('*`               | Command substitution  | `$(whoami)`             |
+| `*\`\*`                | Backtick substitution | `` `cat /etc/passwd` `` |
 
 ---
 
@@ -869,12 +885,12 @@ fi
 
 ### Function Mapping
 
-| Old | New | Location |
-|-----|-----|----------|
-| `read_config()` | `load_vars_file()` | build.func |
-| `write_config()` | `_build_current_app_vars_tmp()` | build.func |
-| None | `maybe_offer_save_app_defaults()` | build.func |
-| None | `get_app_defaults_path()` | build.func |
+| Old              | New                               | Location   |
+| ---------------- | --------------------------------- | ---------- |
+| `read_config()`  | `load_vars_file()`                | build.func |
+| `write_config()` | `_build_current_app_vars_tmp()`   | build.func |
+| None             | `maybe_offer_save_app_defaults()` | build.func |
+| None             | `get_app_defaults_path()`         | build.func |
 
 ---
 

docs/misc/build.func/BUILD_FUNC_ADVANCED_SETTINGS.md

@@ -0,0 +1,164 @@
+# Advanced Settings Wizard Reference
+
+## Overview
+
+The Advanced Settings wizard provides a 28-step interactive configuration for LXC container creation. It allows users to customize every aspect of the container while inheriting sensible defaults from the CT script.
+
+## Key Features
+
+- **Inherit App Defaults**: All `var_*` values from CT scripts pre-populate wizard fields
+- **Back Navigation**: Press Cancel/Back to return to previous step
+- **App Default Hints**: Each dialog shows `(App default: X)` to indicate script defaults
+- **Full Customization**: Every configurable option is accessible
+
+## Wizard Steps
+
+| Step | Title                    | Variable(s)                       | Description                                           |
+| ---- | ------------------------ | --------------------------------- | ----------------------------------------------------- |
+| 1    | Container Type           | `var_unprivileged`                | Privileged (0) or Unprivileged (1) container          |
+| 2    | Root Password            | `var_pw`                          | Set password or use automatic login                   |
+| 3    | Container ID             | `var_ctid`                        | Unique container ID (auto-suggested)                  |
+| 4    | Hostname                 | `var_hostname`                    | Container hostname                                    |
+| 5    | Disk Size                | `var_disk`                        | Disk size in GB                                       |
+| 6    | CPU Cores                | `var_cpu`                         | Number of CPU cores                                   |
+| 7    | RAM Size                 | `var_ram`                         | RAM size in MiB                                       |
+| 8    | Network Bridge           | `var_brg`                         | Network bridge (vmbr0, etc.)                          |
+| 9    | IPv4 Configuration       | `var_net`, `var_gateway`          | DHCP or static IP with gateway                        |
+| 10   | IPv6 Configuration       | `var_ipv6_method`                 | Auto, DHCP, Static, or None                           |
+| 11   | MTU Size                 | `var_mtu`                         | Network MTU (default: 1500)                           |
+| 12   | DNS Search Domain        | `var_searchdomain`                | DNS search domain                                     |
+| 13   | DNS Server               | `var_ns`                          | Custom DNS server IP                                  |
+| 14   | MAC Address              | `var_mac`                         | Custom MAC address (auto-generated if empty)          |
+| 15   | VLAN Tag                 | `var_vlan`                        | VLAN tag ID                                           |
+| 16   | Tags                     | `var_tags`                        | Container tags (comma/semicolon separated)            |
+| 17   | SSH Settings             | `var_ssh`                         | SSH key selection and root access                     |
+| 18   | FUSE Support             | `var_fuse`                        | Enable FUSE for rclone, mergerfs, AppImage            |
+| 19   | TUN/TAP Support          | `var_tun`                         | Enable for VPN apps (WireGuard, OpenVPN, Tailscale)   |
+| 20   | Nesting Support          | `var_nesting`                     | Enable for Docker, LXC in LXC, Podman                 |
+| 21   | GPU Passthrough          | `var_gpu`                         | Auto-detect and pass through Intel/AMD/NVIDIA GPUs    |
+| 22   | Keyctl Support           | `var_keyctl`                      | Enable for Docker, systemd-networkd                   |
+| 23   | APT Cacher Proxy         | `var_apt_cacher`, `var_apt_cacher_ip` | Use apt-cacher-ng for faster downloads            |
+| 24   | Container Timezone       | `var_timezone`                    | Set timezone (e.g., Europe/Berlin)                    |
+| 25   | Container Protection     | `var_protection`                  | Prevent accidental deletion                           |
+| 26   | Device Node Creation     | `var_mknod`                       | Allow mknod (experimental, kernel 5.3+)               |
+| 27   | Mount Filesystems        | `var_mount_fs`                    | Allow specific mounts: nfs, cifs, fuse, etc.          |
+| 28   | Verbose Mode & Confirm   | `var_verbose`                     | Enable verbose output + final confirmation            |
+
+## Default Value Inheritance
+
+The wizard inherits defaults from multiple sources:
+
+```text
+CT Script (var_*) → default.vars → app.vars → User Input
+```
+
+### Example: VPN Container (alpine-wireguard.sh)
+
+```bash
+# CT script sets:
+var_tun="${var_tun:-1}"  # TUN enabled by default
+
+# In Advanced Settings Step 19:
+# Dialog shows: "(App default: 1)" and pre-selects "Yes"
+```
+
+### Example: Media Server (jellyfin.sh)
+
+```bash
+# CT script sets:
+var_gpu="${var_gpu:-yes}"  # GPU enabled by default
+
+# In Advanced Settings Step 21:
+# Dialog shows: "(App default: yes)" and pre-selects "Yes"
+```
+
+## Feature Matrix
+
+| Feature           | Variable         | When to Enable                                      |
+| ----------------- | ---------------- | --------------------------------------------------- |
+| FUSE              | `var_fuse`       | rclone, mergerfs, AppImage, SSHFS                   |
+| TUN/TAP           | `var_tun`        | WireGuard, OpenVPN, Tailscale, VPN containers       |
+| Nesting           | `var_nesting`    | Docker, Podman, LXC-in-LXC, systemd-nspawn          |
+| GPU Passthrough   | `var_gpu`        | Plex, Jellyfin, Emby, Frigate, Ollama, ComfyUI      |
+| Keyctl            | `var_keyctl`     | Docker (unprivileged), systemd-networkd             |
+| Protection        | `var_protection` | Production containers, prevent accidental deletion  |
+| Mknod             | `var_mknod`      | Device node creation (experimental)                 |
+| Mount FS          | `var_mount_fs`   | NFS mounts, CIFS shares, custom filesystems         |
+| APT Cacher        | `var_apt_cacher` | Speed up downloads with local apt-cacher-ng         |
+
+## Confirmation Summary
+
+Step 28 displays a comprehensive summary before creation:
+
+```text
+Container Type: Unprivileged
+Container ID: 100
+Hostname: jellyfin
+
+Resources:
+  Disk: 8 GB
+  CPU: 2 cores
+  RAM: 2048 MiB
+
+Network:
+  Bridge: vmbr0
+  IPv4: dhcp
+  IPv6: auto
+
+Features:
+  FUSE: no | TUN: no
+  Nesting: Enabled | Keyctl: Disabled
+  GPU: yes | Protection: No
+
+Advanced:
+  Timezone: Europe/Berlin
+  APT Cacher: no
+  Verbose: no
+```
+
+## Usage Examples
+
+### Skip to Advanced Settings
+
+```bash
+# Run script, select "Advanced" from menu
+bash -c "$(curl -fsSL https://...jellyfin.sh)"
+# Then select option 3 "Advanced"
+```
+
+### Pre-set Defaults via Environment
+
+```bash
+# Set defaults before running
+export var_cpu=4
+export var_ram=4096
+export var_gpu=yes
+bash -c "$(curl -fsSL https://...jellyfin.sh)"
+# Advanced settings will inherit these values
+```
+
+### Non-Interactive with All Options
+
+```bash
+# Set all variables for fully automated deployment
+export var_unprivileged=1
+export var_cpu=2
+export var_ram=2048
+export var_disk=8
+export var_net=dhcp
+export var_fuse=no
+export var_tun=no
+export var_gpu=yes
+export var_nesting=1
+export var_protection=no
+export var_verbose=no
+bash -c "$(curl -fsSL https://...jellyfin.sh)"
+```
+
+## Notes
+
+- **Cancel at Step 1**: Exits the script entirely
+- **Cancel at Steps 2-28**: Goes back to previous step
+- **Empty fields**: Use default value
+- **Keyctl**: Automatically enabled for unprivileged containers
+- **Nesting**: Enabled by default (required for many apps)

docs/misc/build.func/BUILD_FUNC_ENVIRONMENT_VARIABLES.md

@@ -8,103 +8,142 @@ This document provides a comprehensive reference of all environment variables us
 
 ### Core Container Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `APP` | Application name (e.g., "plex", "nextcloud") | - | Environment | Throughout |
-| `NSAPP` | Namespace application name | `$APP` | Environment | Throughout |
-| `CTID` | Container ID | - | Environment | Container creation |
-| `CT_TYPE` | Container type ("install" or "update") | "install" | Environment | Entry point |
-| `CT_NAME` | Container name | `$APP` | Environment | Container creation |
+| Variable  | Description                                  | Default   | Set In      | Used In            |
+| --------- | -------------------------------------------- | --------- | ----------- | ------------------ |
+| `APP`     | Application name (e.g., "plex", "nextcloud") | -         | Environment | Throughout         |
+| `NSAPP`   | Namespace application name                   | `$APP`    | Environment | Throughout         |
+| `CTID`    | Container ID                                 | -         | Environment | Container creation |
+| `CT_TYPE` | Container type ("install" or "update")       | "install" | Environment | Entry point        |
+| `CT_NAME` | Container name                               | `$APP`    | Environment | Container creation |
 
 ### Operating System Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_os` | Operating system selection | "debian" | base_settings() | OS selection |
-| `var_version` | OS version | "12" | base_settings() | Template selection |
-| `var_template` | Template name | Auto-generated | base_settings() | Template download |
+| Variable       | Description                | Default        | Set In          | Used In            |
+| -------------- | -------------------------- | -------------- | --------------- | ------------------ |
+| `var_os`       | Operating system selection | "debian"       | base_settings() | OS selection       |
+| `var_version`  | OS version                 | "12"           | base_settings() | Template selection |
+| `var_template` | Template name              | Auto-generated | base_settings() | Template download  |
 
 ### Resource Configuration Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_cpu` | CPU cores | "2" | base_settings() | Container creation |
-| `var_ram` | RAM in MB | "2048" | base_settings() | Container creation |
-| `var_disk` | Disk size in GB | "8" | base_settings() | Container creation |
-| `DISK_SIZE` | Disk size (alternative) | `$var_disk` | Environment | Container creation |
-| `CORE_COUNT` | CPU cores (alternative) | `$var_cpu` | Environment | Container creation |
-| `RAM_SIZE` | RAM size (alternative) | `$var_ram` | Environment | Container creation |
+| Variable     | Description             | Default     | Set In          | Used In            |
+| ------------ | ----------------------- | ----------- | --------------- | ------------------ |
+| `var_cpu`    | CPU cores               | "2"         | base_settings() | Container creation |
+| `var_ram`    | RAM in MB               | "2048"      | base_settings() | Container creation |
+| `var_disk`   | Disk size in GB         | "8"         | base_settings() | Container creation |
+| `DISK_SIZE`  | Disk size (alternative) | `$var_disk` | Environment     | Container creation |
+| `CORE_COUNT` | CPU cores (alternative) | `$var_cpu`  | Environment     | Container creation |
+| `RAM_SIZE`   | RAM size (alternative)  | `$var_ram`  | Environment     | Container creation |
 
 ### Network Configuration Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_net` | Network interface | "vmbr0" | base_settings() | Network config |
-| `var_bridge` | Bridge interface | "vmbr0" | base_settings() | Network config |
-| `var_gateway` | Gateway IP | "192.168.1.1" | base_settings() | Network config |
-| `var_ip` | Container IP address | - | User input | Network config |
-| `var_ipv6` | IPv6 address | - | User input | Network config |
-| `var_vlan` | VLAN ID | - | User input | Network config |
-| `var_mtu` | MTU size | "1500" | base_settings() | Network config |
-| `var_mac` | MAC address | Auto-generated | base_settings() | Network config |
-| `NET` | Network interface (alternative) | `$var_net` | Environment | Network config |
-| `BRG` | Bridge interface (alternative) | `$var_bridge` | Environment | Network config |
-| `GATE` | Gateway IP (alternative) | `$var_gateway` | Environment | Network config |
-| `IPV6_METHOD` | IPv6 configuration method | "none" | Environment | Network config |
-| `VLAN` | VLAN ID (alternative) | `$var_vlan` | Environment | Network config |
-| `MTU` | MTU size (alternative) | `$var_mtu` | Environment | Network config |
-| `MAC` | MAC address (alternative) | `$var_mac` | Environment | Network config |
+| Variable      | Description                     | Default        | Set In          | Used In        |
+| ------------- | ------------------------------- | -------------- | --------------- | -------------- |
+| `var_net`     | Network interface               | "vmbr0"        | base_settings() | Network config |
+| `var_bridge`  | Bridge interface                | "vmbr0"        | base_settings() | Network config |
+| `var_gateway` | Gateway IP                      | "192.168.1.1"  | base_settings() | Network config |
+| `var_ip`      | Container IP address            | -              | User input      | Network config |
+| `var_ipv6`    | IPv6 address                    | -              | User input      | Network config |
+| `var_vlan`    | VLAN ID                         | -              | User input      | Network config |
+| `var_mtu`     | MTU size                        | "1500"         | base_settings() | Network config |
+| `var_mac`     | MAC address                     | Auto-generated | base_settings() | Network config |
+| `NET`         | Network interface (alternative) | `$var_net`     | Environment     | Network config |
+| `BRG`         | Bridge interface (alternative)  | `$var_bridge`  | Environment     | Network config |
+| `GATE`        | Gateway IP (alternative)        | `$var_gateway` | Environment     | Network config |
+| `IPV6_METHOD` | IPv6 configuration method       | "none"         | Environment     | Network config |
+| `VLAN`        | VLAN ID (alternative)           | `$var_vlan`    | Environment     | Network config |
+| `MTU`         | MTU size (alternative)          | `$var_mtu`     | Environment     | Network config |
+| `MAC`         | MAC address (alternative)       | `$var_mac`     | Environment     | Network config |
 
 ### Storage Configuration Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `var_template_storage` | Storage for templates | - | select_storage() | Template storage |
-| `var_container_storage` | Storage for container disks | - | select_storage() | Container storage |
-| `TEMPLATE_STORAGE` | Template storage (alternative) | `$var_template_storage` | Environment | Template storage |
-| `CONTAINER_STORAGE` | Container storage (alternative) | `$var_container_storage` | Environment | Container storage |
+| Variable                | Description                     | Default                  | Set In           | Used In           |
+| ----------------------- | ------------------------------- | ------------------------ | ---------------- | ----------------- |
+| `var_template_storage`  | Storage for templates           | -                        | select_storage() | Template storage  |
+| `var_container_storage` | Storage for container disks     | -                        | select_storage() | Container storage |
+| `TEMPLATE_STORAGE`      | Template storage (alternative)  | `$var_template_storage`  | Environment      | Template storage  |
+| `CONTAINER_STORAGE`     | Container storage (alternative) | `$var_container_storage` | Environment      | Container storage |
 
 ### Feature Flags
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `ENABLE_FUSE` | Enable FUSE support | "true" | base_settings() | Container features |
-| `ENABLE_TUN` | Enable TUN/TAP support | "true" | base_settings() | Container features |
-| `ENABLE_KEYCTL` | Enable keyctl support | "true" | base_settings() | Container features |
-| `ENABLE_MOUNT` | Enable mount support | "true" | base_settings() | Container features |
-| `ENABLE_NESTING` | Enable nesting support | "false" | base_settings() | Container features |
-| `ENABLE_PRIVILEGED` | Enable privileged mode | "false" | base_settings() | Container features |
-| `ENABLE_UNPRIVILEGED` | Enable unprivileged mode | "true" | base_settings() | Container features |
-| `VERBOSE` | Enable verbose output | "false" | Environment | Logging |
-| `SSH` | Enable SSH key provisioning | "true" | base_settings() | SSH setup |
+| Variable         | Description                    | Default | Set In                          | Used In            |
+| ---------------- | ------------------------------ | ------- | ------------------------------- | ------------------ |
+| `var_fuse`       | Enable FUSE support            | "no"    | CT script / Advanced Settings   | Container features |
+| `var_tun`        | Enable TUN/TAP support         | "no"    | CT script / Advanced Settings   | Container features |
+| `var_nesting`    | Enable nesting support         | "1"     | CT script / Advanced Settings   | Container features |
+| `var_keyctl`     | Enable keyctl support          | "0"     | CT script / Advanced Settings   | Container features |
+| `var_mknod`      | Allow device node creation     | "0"     | CT script / Advanced Settings   | Container features |
+| `var_mount_fs`   | Allowed filesystem mounts      | ""      | CT script / Advanced Settings   | Container features |
+| `var_protection` | Enable container protection    | "no"    | CT script / Advanced Settings   | Container creation |
+| `var_timezone`   | Container timezone             | ""      | CT script / Advanced Settings   | Container creation |
+| `var_verbose`    | Enable verbose output          | "no"    | Environment / Advanced Settings | Logging            |
+| `var_ssh`        | Enable SSH key provisioning    | "no"    | CT script / Advanced Settings   | SSH setup          |
+| `ENABLE_FUSE`    | FUSE flag (internal)           | "no"    | Advanced Settings               | Container creation |
+| `ENABLE_TUN`     | TUN/TAP flag (internal)        | "no"    | Advanced Settings               | Container creation |
+| `ENABLE_NESTING` | Nesting flag (internal)        | "1"     | Advanced Settings               | Container creation |
+| `ENABLE_KEYCTL`  | Keyctl flag (internal)         | "0"     | Advanced Settings               | Container creation |
+| `ENABLE_MKNOD`   | Mknod flag (internal)          | "0"     | Advanced Settings               | Container creation |
+| `PROTECT_CT`     | Protection flag (internal)     | "no"    | Advanced Settings               | Container creation |
+| `CT_TIMEZONE`    | Timezone setting (internal)    | ""      | Advanced Settings               | Container creation |
+| `VERBOSE`        | Verbose mode flag              | "no"    | Environment                     | Logging            |
+| `SSH`            | SSH access flag                | "no"    | Advanced Settings               | SSH setup          |
+
+### APT Cacher Configuration
+
+| Variable           | Description              | Default | Set In                        | Used In             |
+| ------------------ | ------------------------ | ------- | ----------------------------- | ------------------- |
+| `var_apt_cacher`   | Enable APT cacher proxy  | "no"    | CT script / Advanced Settings | Package management  |
+| `var_apt_cacher_ip`| APT cacher server IP     | ""      | CT script / Advanced Settings | Package management  |
+| `APT_CACHER`       | APT cacher flag          | "no"    | Advanced Settings             | Container creation  |
+| `APT_CACHER_IP`    | APT cacher IP (internal) | ""      | Advanced Settings             | Container creation  |
 
 ### GPU Passthrough Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `GPU_APPS` | List of apps that support GPU | - | Environment | GPU detection |
-| `var_gpu` | GPU selection | - | User input | GPU passthrough |
-| `var_gpu_type` | GPU type (intel/amd/nvidia) | - | detect_gpu_devices() | GPU passthrough |
-| `var_gpu_devices` | GPU device list | - | detect_gpu_devices() | GPU passthrough |
+| Variable     | Description                     | Default | Set In                                      | Used In            |
+| ------------ | ------------------------------- | ------- | ------------------------------------------- | ------------------ |
+| `var_gpu`    | Enable GPU passthrough          | "no"    | CT script / Environment / Advanced Settings | GPU passthrough    |
+| `ENABLE_GPU` | GPU passthrough flag (internal) | "no"    | Advanced Settings                           | Container creation |
+
+**Note**: GPU passthrough is controlled via `var_gpu`. Apps that benefit from GPU acceleration (media servers, AI/ML, transcoding) have `var_gpu=yes` as default in their CT scripts.
+
+**Apps with GPU enabled by default**:
+
+- Media: jellyfin, plex, emby, channels, ersatztv, tunarr, immich
+- Transcoding: tdarr, unmanic, fileflows
+- AI/ML: ollama, openwebui
+- NVR: frigate
+
+**Usage Examples**:
+
+```bash
+# Disable GPU for a specific installation
+var_gpu=no bash -c "$(curl -fsSL https://...jellyfin.sh)"
+
+# Enable GPU for apps without default GPU support
+var_gpu=yes bash -c "$(curl -fsSL https://...debian.sh)"
+
+# Set in default.vars for all apps
+echo "var_gpu=yes" >> /usr/local/community-scripts/default.vars
+```
 
 ### API and Diagnostics Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `DIAGNOSTICS` | Enable diagnostics mode | "false" | Environment | Diagnostics |
-| `METHOD` | Installation method | "install" | Environment | Installation flow |
-| `RANDOM_UUID` | Random UUID for tracking | - | Environment | Logging |
-| `API_TOKEN` | Proxmox API token | - | Environment | API calls |
-| `API_USER` | Proxmox API user | - | Environment | API calls |
+| Variable      | Description              | Default   | Set In      | Used In           |
+| ------------- | ------------------------ | --------- | ----------- | ----------------- |
+| `DIAGNOSTICS` | Enable diagnostics mode  | "false"   | Environment | Diagnostics       |
+| `METHOD`      | Installation method      | "install" | Environment | Installation flow |
+| `RANDOM_UUID` | Random UUID for tracking | -         | Environment | Logging           |
+| `API_TOKEN`   | Proxmox API token        | -         | Environment | API calls         |
+| `API_USER`    | Proxmox API user         | -         | Environment | API calls         |
 
 ### Settings Persistence Variables
 
-| Variable | Description | Default | Set In | Used In |
-|----------|-------------|---------|---------|---------|
-| `SAVE_DEFAULTS` | Save settings as defaults | "false" | User input | Settings persistence |
-| `SAVE_APP_DEFAULTS` | Save app-specific defaults | "false" | User input | Settings persistence |
-| `DEFAULT_VARS_FILE` | Path to default.vars | "/usr/local/community-scripts/default.vars" | Environment | Settings persistence |
-| `APP_DEFAULTS_FILE` | Path to app.vars | "/usr/local/community-scripts/defaults/$APP.vars" | Environment | Settings persistence |
+| Variable            | Description                | Default                                           | Set In      | Used In              |
+| ------------------- | -------------------------- | ------------------------------------------------- | ----------- | -------------------- |
+| `SAVE_DEFAULTS`     | Save settings as defaults  | "false"                                           | User input  | Settings persistence |
+| `SAVE_APP_DEFAULTS` | Save app-specific defaults | "false"                                           | User input  | Settings persistence |
+| `DEFAULT_VARS_FILE` | Path to default.vars       | "/usr/local/community-scripts/default.vars"       | Environment | Settings persistence |
+| `APP_DEFAULTS_FILE` | Path to app.vars           | "/usr/local/community-scripts/defaults/$APP.vars" | Environment | Settings persistence |
 
 ## Variable Precedence Chain
 
@@ -152,6 +191,7 @@ export SSH="true"
 ## Environment Variable Usage Patterns
 
 ### 1. Container Creation
+
 ```bash
 # Basic container creation
 export APP="nextcloud"
@@ -170,6 +210,7 @@ export var_container_storage="local"
 ```
 
 ### 2. GPU Passthrough
+
 ```bash
 # Enable GPU passthrough
 export GPU_APPS="plex,jellyfin,emby"
@@ -178,6 +219,7 @@ export ENABLE_PRIVILEGED="true"
 ```
 
 ### 3. Advanced Network Configuration
+
 ```bash
 # VLAN and IPv6 configuration
 export var_vlan="100"
@@ -187,6 +229,7 @@ export var_mtu="9000"
 ```
 
 ### 4. Storage Configuration
+
 ```bash
 # Custom storage locations
 export var_template_storage="nfs-storage"
@@ -206,6 +249,7 @@ The script validates variables at several points:
 ## Common Variable Combinations
 
 ### Development Container
+
 ```bash
 export APP="dev-container"
 export CTID="200"
@@ -220,6 +264,7 @@ export ENABLE_PRIVILEGED="true"
 ```
 
 ### Media Server with GPU
+
 ```bash
 export APP="plex"
 export CTID="300"
@@ -235,6 +280,7 @@ export ENABLE_PRIVILEGED="true"
 ```
 
 ### Lightweight Service
+
 ```bash
 export APP="nginx"
 export CTID="400"

docs/misc/build.func/BUILD_FUNC_FUNCTIONS_REFERENCE.md

@@ -9,30 +9,35 @@ This document provides a comprehensive reference of all functions in `build.func
 ### Initialization Functions
 
 #### `start()`
+
 **Purpose**: Main entry point when build.func is sourced or executed
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Detects execution context (Proxmox host vs container)
 - Captures hard environment variables
 - Sets CT_TYPE based on context
 - Routes to appropriate workflow (install_script or update_script)
-**Dependencies**: None
-**Environment Variables Used**: `CT_TYPE`, `APP`, `CTID`
+  **Dependencies**: None
+  **Environment Variables Used**: `CT_TYPE`, `APP`, `CTID`
 
 #### `variables()`
+
 **Purpose**: Load and resolve all configuration variables using precedence chain
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Loads app-specific .vars file
 - Loads global default.vars file
 - Applies variable precedence chain
 - Sets all configuration variables
-**Dependencies**: `base_settings()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `base_settings()`
+  **Environment Variables Used**: All configuration variables
 
 #### `base_settings()`
+
 **Purpose**: Set built-in default values for all configuration variables
 **Parameters**: None
 **Returns**: None
@@ -43,28 +48,33 @@ This document provides a comprehensive reference of all functions in `build.func
 ### UI and Menu Functions
 
 #### `install_script()`
+
 **Purpose**: Main installation workflow coordinator
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Displays installation mode selection menu
 - Coordinates the entire installation process
 - Handles user interaction and validation
-**Dependencies**: `variables()`, `build_container()`, `default_var_settings()`
-**Environment Variables Used**: `APP`, `CTID`, `var_hostname`
+  **Dependencies**: `variables()`, `build_container()`, `default_var_settings()`
+  **Environment Variables Used**: `APP`, `CTID`, `var_hostname`
 
 #### `advanced_settings()`
+
 **Purpose**: Provide advanced configuration options via whiptail menus
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Displays whiptail menus for configuration
 - Updates configuration variables based on user input
 - Validates user selections
-**Dependencies**: `select_storage()`, `detect_gpu_devices()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `select_storage()`, `detect_gpu_devices()`
+  **Environment Variables Used**: All configuration variables
 
 #### `settings_menu()`
+
 **Purpose**: Display and handle settings configuration menu
 **Parameters**: None
 **Returns**: None
@@ -75,58 +85,68 @@ This document provides a comprehensive reference of all functions in `build.func
 ### Storage Functions
 
 #### `select_storage()`
+
 **Purpose**: Handle storage selection for templates and containers
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Resolves storage preselection
 - Prompts user for storage selection if needed
 - Validates storage availability
 - Sets var_template_storage and var_container_storage
-**Dependencies**: `resolve_storage_preselect()`, `choose_and_set_storage_for_file()`
-**Environment Variables Used**: `var_template_storage`, `var_container_storage`, `TEMPLATE_STORAGE`, `CONTAINER_STORAGE`
+  **Dependencies**: `resolve_storage_preselect()`, `choose_and_set_storage_for_file()`
+  **Environment Variables Used**: `var_template_storage`, `var_container_storage`, `TEMPLATE_STORAGE`, `CONTAINER_STORAGE`
 
 #### `resolve_storage_preselect()`
+
 **Purpose**: Resolve preselected storage options
 **Parameters**:
+
 - `storage_type`: Type of storage (template or container)
-**Returns**: Storage name if valid, empty if invalid
-**Side Effects**: Validates storage availability
-**Dependencies**: None
-**Environment Variables Used**: `var_template_storage`, `var_container_storage`
+  **Returns**: Storage name if valid, empty if invalid
+  **Side Effects**: Validates storage availability
+  **Dependencies**: None
+  **Environment Variables Used**: `var_template_storage`, `var_container_storage`
 
 #### `choose_and_set_storage_for_file()`
+
 **Purpose**: Interactive storage selection via whiptail
 **Parameters**:
+
 - `storage_type`: Type of storage (template or container)
 - `content_type`: Content type (vztmpl or rootdir)
-**Returns**: None
-**Side Effects**:
+  **Returns**: None
+  **Side Effects**:
 - Displays whiptail menu
 - Updates storage variables
 - Validates selection
-**Dependencies**: None
-**Environment Variables Used**: `var_template_storage`, `var_container_storage`
+  **Dependencies**: None
+  **Environment Variables Used**: `var_template_storage`, `var_container_storage`
 
 ### Container Creation Functions
 
 #### `build_container()`
+
 **Purpose**: Validate settings and prepare container creation
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Validates all configuration
 - Checks for conflicts
 - Prepares container configuration
 - Calls create_lxc_container()
-**Dependencies**: `create_lxc_container()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `create_lxc_container()`
+  **Environment Variables Used**: All configuration variables
 
 #### `create_lxc_container()`
+
 **Purpose**: Create the actual LXC container
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Creates LXC container with basic configuration
 - Configures network settings
 - Sets up storage and mount points
@@ -134,108 +154,176 @@ This document provides a comprehensive reference of all functions in `build.func
 - Sets resource limits
 - Configures startup options
 - Starts container
-**Dependencies**: `configure_gpu_passthrough()`, `fix_gpu_gids()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `configure_gpu_passthrough()`, `fix_gpu_gids()`
+  **Environment Variables Used**: All configuration variables
 
 ### GPU and Hardware Functions
 
 #### `detect_gpu_devices()`
+
 **Purpose**: Detect available GPU hardware on the system
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Scans for Intel, AMD, and NVIDIA GPUs
 - Updates var_gpu_type and var_gpu_devices
 - Determines GPU capabilities
-**Dependencies**: None
-**Environment Variables Used**: `var_gpu_type`, `var_gpu_devices`, `GPU_APPS`
+  **Dependencies**: None
+  **Environment Variables Used**: `var_gpu_type`, `var_gpu_devices`, `GPU_APPS`
 
 #### `configure_gpu_passthrough()`
+
 **Purpose**: Configure GPU passthrough for the container
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Adds GPU device entries to container config
 - Configures proper device permissions
 - Sets up device mapping
 - Updates /etc/pve/lxc/<ctid>.conf
-**Dependencies**: `detect_gpu_devices()`
-**Environment Variables Used**: `var_gpu`, `var_gpu_type`, `var_gpu_devices`, `CTID`
+  **Dependencies**: `detect_gpu_devices()`
+  **Environment Variables Used**: `var_gpu`, `var_gpu_type`, `var_gpu_devices`, `CTID`
 
 #### `fix_gpu_gids()`
+
 **Purpose**: Fix GPU group IDs after container creation
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Updates GPU group IDs in container
 - Ensures proper GPU access permissions
 - Configures video and render groups
-**Dependencies**: `configure_gpu_passthrough()`
-**Environment Variables Used**: `CTID`, `var_gpu_type`
+  **Dependencies**: `configure_gpu_passthrough()`
+  **Environment Variables Used**: `CTID`, `var_gpu_type`
+
+### SSH Configuration Functions
+
+#### `configure_ssh_settings()`
+
+**Purpose**: Interactive SSH key and access configuration wizard
+**Parameters**:
+
+- `step_info` (optional): Step indicator string (e.g., "Step 17/19") for consistent dialog headers
+  **Returns**: None
+  **Side Effects**:
+- Creates temporary file for SSH keys
+- Discovers and presents available SSH keys from host
+- Allows manual key entry or folder/glob scanning
+- Sets `SSH` variable to "yes" or "no" based on user selection
+- Sets `SSH_AUTHORIZED_KEY` if manual key provided
+- Populates `SSH_KEYS_FILE` with selected keys
+  **Dependencies**: `ssh_discover_default_files()`, `ssh_build_choices_from_files()`
+  **Environment Variables Used**: `SSH`, `SSH_AUTHORIZED_KEY`, `SSH_KEYS_FILE`
+
+**SSH Key Source Options**:
+
+1. `found` - Select from auto-detected host keys
+2. `manual` - Paste a single public key
+3. `folder` - Scan custom folder or glob pattern
+4. `none` - No SSH keys
+
+**Note**: The "Enable root SSH access?" dialog is always shown, regardless of whether SSH keys or password are configured. This ensures users can always enable SSH access even with automatic login.
+
+#### `ssh_discover_default_files()`
+
+**Purpose**: Discover SSH public key files on the host system
+**Parameters**: None
+**Returns**: Array of discovered key file paths
+**Side Effects**: Scans common SSH key locations
+**Dependencies**: None
+**Environment Variables Used**: `var_ssh_import_glob`
+
+#### `ssh_build_choices_from_files()`
+
+**Purpose**: Build whiptail checklist choices from SSH key files
+**Parameters**:
+
+- Array of file paths to process
+  **Returns**: None
+  **Side Effects**:
+- Sets `CHOICES` array for whiptail checklist
+- Sets `COUNT` variable with number of keys found
+- Creates `MAPFILE` for key tag to content mapping
+  **Dependencies**: None
+  **Environment Variables Used**: `CHOICES`, `COUNT`, `MAPFILE`
 
 ### Settings Persistence Functions
 
 #### `default_var_settings()`
+
 **Purpose**: Offer to save current settings as defaults
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Prompts user to save settings
 - Saves to default.vars file
 - Saves to app-specific .vars file
-**Dependencies**: `maybe_offer_save_app_defaults()`
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: `maybe_offer_save_app_defaults()`
+  **Environment Variables Used**: All configuration variables
 
 #### `maybe_offer_save_app_defaults()`
+
 **Purpose**: Offer to save app-specific defaults
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Prompts user to save app-specific settings
 - Saves to app.vars file
 - Updates app-specific configuration
-**Dependencies**: None
-**Environment Variables Used**: `APP`, `SAVE_APP_DEFAULTS`
+  **Dependencies**: None
+  **Environment Variables Used**: `APP`, `SAVE_APP_DEFAULTS`
 
 ### Utility Functions
 
 #### `validate_settings()`
+
 **Purpose**: Validate all configuration settings
 **Parameters**: None
 **Returns**: 0 if valid, 1 if invalid
 **Side Effects**:
+
 - Checks for configuration conflicts
 - Validates resource limits
 - Validates network configuration
 - Validates storage configuration
-**Dependencies**: None
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: None
+  **Environment Variables Used**: All configuration variables
 
 #### `check_conflicts()`
+
 **Purpose**: Check for configuration conflicts
 **Parameters**: None
 **Returns**: 0 if no conflicts, 1 if conflicts found
 **Side Effects**:
+
 - Checks for conflicting settings
 - Validates resource allocation
 - Checks network configuration
-**Dependencies**: None
-**Environment Variables Used**: All configuration variables
+  **Dependencies**: None
+  **Environment Variables Used**: All configuration variables
 
 #### `cleanup_on_error()`
+
 **Purpose**: Clean up resources on error
 **Parameters**: None
 **Returns**: None
 **Side Effects**:
+
 - Removes partially created containers
 - Cleans up temporary files
 - Resets configuration
-**Dependencies**: None
-**Environment Variables Used**: `CTID`
+  **Dependencies**: None
+  **Environment Variables Used**: `CTID`
 
 ## Function Call Flow
 
 ### Main Installation Flow
+
 ```
 start()
 ├── variables()
@@ -259,6 +347,7 @@ start()
 ```
 
 ### Error Handling Flow
+
 ```
 Error Detection
 ├── validate_settings()
@@ -271,24 +360,29 @@ Error Detection
 ## Function Dependencies
 
 ### Core Dependencies
+
 - `start()` → `install_script()` → `build_container()` → `create_lxc_container()`
 - `variables()` → `base_settings()`
 - `advanced_settings()` → `select_storage()` → `detect_gpu_devices()`
 
 ### Storage Dependencies
+
 - `select_storage()` → `resolve_storage_preselect()`
 - `select_storage()` → `choose_and_set_storage_for_file()`
 
 ### GPU Dependencies
+
 - `configure_gpu_passthrough()` → `detect_gpu_devices()`
 - `fix_gpu_gids()` → `configure_gpu_passthrough()`
 
 ### Settings Dependencies
+
 - `default_var_settings()` → `maybe_offer_save_app_defaults()`
 
 ## Function Usage Examples
 
 ### Basic Container Creation
+
 ```bash
 # Set required variables
 export APP="plex"
@@ -304,6 +398,7 @@ start()  # Entry point
 ```
 
 ### Advanced Configuration
+
 ```bash
 # Set advanced variables
 export var_os="debian"
@@ -319,6 +414,7 @@ advanced_settings()  # Interactive configuration
 ```
 
 ### GPU Passthrough
+
 ```bash
 # Enable GPU passthrough
 export GPU_APPS="plex"
@@ -331,6 +427,7 @@ fix_gpu_gids()  # Fix permissions
 ```
 
 ### Settings Persistence
+
 ```bash
 # Save settings as defaults
 export SAVE_DEFAULTS="true"
@@ -344,15 +441,18 @@ maybe_offer_save_app_defaults()  # Save app defaults
 ## Function Error Handling
 
 ### Validation Functions
+
 - `validate_settings()`: Returns 0 for valid, 1 for invalid
 - `check_conflicts()`: Returns 0 for no conflicts, 1 for conflicts
 
 ### Error Recovery
+
 - `cleanup_on_error()`: Cleans up on any error
 - Error codes are propagated up the call stack
 - Critical errors cause script termination
 
 ### Error Types
+
 1. **Configuration Errors**: Invalid settings or conflicts
 2. **Resource Errors**: Insufficient resources or conflicts
 3. **Network Errors**: Invalid network configuration

docs/misc/build.func/README.md

@@ -6,6 +6,16 @@ This directory contains comprehensive documentation for the `build.func` script,
 
 ## Documentation Files
 
+### 🎛️ [BUILD_FUNC_ADVANCED_SETTINGS.md](./BUILD_FUNC_ADVANCED_SETTINGS.md)
+Complete reference for the 28-step Advanced Settings wizard, including all configurable options and their inheritance behavior.
+
+**Contents:**
+- All 28 wizard steps explained
+- Default value inheritance
+- Feature matrix (when to enable each feature)
+- Confirmation summary format
+- Usage examples
+
 ### 📊 [BUILD_FUNC_FLOWCHART.md](./BUILD_FUNC_FLOWCHART.md)
 Visual ASCII flowchart showing the main execution flow, decision trees, and key decision points in the build.func script.
 

frontend/public/json/versions.json

@@ -1,4 +1,79 @@
 [
+  {
+    "name": "openobserve/openobserve",
+    "version": "v0.30.0-rc1",
+    "date": "2025-12-08T11:46:24Z"
+  },
+  {
+    "name": "ventoy/Ventoy",
+    "version": "v1.1.08",
+    "date": "2025-12-08T10:13:51Z"
+  },
+  {
+    "name": "zitadel/zitadel",
+    "version": "v4.7.1",
+    "date": "2025-12-08T10:05:21Z"
+  },
+  {
+    "name": "meilisearch/meilisearch",
+    "version": "latest",
+    "date": "2025-12-08T09:36:54Z"
+  },
+  {
+    "name": "WGDashboard/WGDashboard",
+    "version": "v4.3.0.2",
+    "date": "2025-12-08T09:01:37Z"
+  },
+  {
+    "name": "mattermost/mattermost",
+    "version": "v10.11.8",
+    "date": "2025-11-21T17:06:07Z"
+  },
+  {
+    "name": "nzbgetcom/nzbget",
+    "version": "v25.4",
+    "date": "2025-10-09T10:27:01Z"
+  },
+  {
+    "name": "morpheus65535/bazarr",
+    "version": "v1.5.3",
+    "date": "2025-09-20T12:12:33Z"
+  },
+  {
+    "name": "Jackett/Jackett",
+    "version": "v0.24.420",
+    "date": "2025-12-08T05:55:34Z"
+  },
+  {
+    "name": "firefly-iii/firefly-iii",
+    "version": "v6.4.9",
+    "date": "2025-11-28T20:36:20Z"
+  },
+  {
+    "name": "documenso/documenso",
+    "version": "v2.2.0",
+    "date": "2025-12-08T03:33:34Z"
+  },
+  {
+    "name": "chrisbenincasa/tunarr",
+    "version": "v0.23.0-alpha.31",
+    "date": "2025-12-08T02:39:59Z"
+  },
+  {
+    "name": "jeedom/core",
+    "version": "4.5",
+    "date": "2025-12-08T00:27:05Z"
+  },
+  {
+    "name": "steveiliop56/tinyauth",
+    "version": "v4.1.0",
+    "date": "2025-11-23T12:13:34Z"
+  },
+  {
+    "name": "maxdorninger/MediaManager",
+    "version": "v1.10.0",
+    "date": "2025-12-07T23:41:51Z"
+  },
   {
     "name": "Part-DB/Part-DB-server",
     "version": "v2.3.0",
@@ -10,9 +85,9 @@
     "date": "2025-12-07T19:19:08Z"
   },
   {
-    "name": "firefly-iii/firefly-iii",
-    "version": "v6.4.9",
-    "date": "2025-11-28T20:36:20Z"
+    "name": "keycloak/keycloak",
+    "version": "26.4.7",
+    "date": "2025-12-01T08:14:11Z"
   },
   {
     "name": "seerr-team/seerr",
@@ -24,16 +99,6 @@
     "version": "v1.15.5",
     "date": "2025-12-07T12:24:21Z"
   },
-  {
-    "name": "morpheus65535/bazarr",
-    "version": "v1.5.3",
-    "date": "2025-09-20T12:12:33Z"
-  },
-  {
-    "name": "Jackett/Jackett",
-    "version": "v0.24.415",
-    "date": "2025-12-07T05:56:32Z"
-  },
   {
     "name": "BerriAI/litellm",
     "version": "v1.80.8.rc.1",
@@ -44,26 +109,11 @@
     "version": "v2.20.1",
     "date": "2025-12-07T01:14:23Z"
   },
-  {
-    "name": "steveiliop56/tinyauth",
-    "version": "v4.1.0",
-    "date": "2025-11-23T12:13:34Z"
-  },
-  {
-    "name": "jeedom/core",
-    "version": "4.5",
-    "date": "2025-12-07T00:27:06Z"
-  },
   {
     "name": "sysadminsmedia/homebox",
     "version": "v0.22.0-rc.2",
     "date": "2025-12-06T21:24:28Z"
   },
-  {
-    "name": "keycloak/keycloak",
-    "version": "26.4.7",
-    "date": "2025-12-01T08:14:11Z"
-  },
   {
     "name": "Koenkk/zigbee2mqtt",
     "version": "2.7.1",
@@ -134,11 +184,6 @@
     "version": "v2.1.1",
     "date": "2025-12-05T23:48:08Z"
   },
-  {
-    "name": "chrisbenincasa/tunarr",
-    "version": "v0.23.0-alpha.30",
-    "date": "2025-12-05T21:23:38Z"
-  },
   {
     "name": "home-assistant/core",
     "version": "2025.12.1",
@@ -199,11 +244,6 @@
     "version": "2025.11.4",
     "date": "2025-12-05T03:54:58Z"
   },
-  {
-    "name": "documenso/documenso",
-    "version": "v2.2.4",
-    "date": "2025-12-05T01:23:23Z"
-  },
   {
     "name": "transmission/transmission",
     "version": "4.0.1-beta.1",
@@ -299,11 +339,6 @@
     "version": "v25.11.5",
     "date": "2025-12-03T14:51:03Z"
   },
-  {
-    "name": "meilisearch/meilisearch",
-    "version": "latest",
-    "date": "2025-12-03T14:19:01Z"
-  },
   {
     "name": "Graylog2/graylog2-server",
     "version": "6.2.10",
@@ -319,16 +354,6 @@
     "version": "v0.104.0",
     "date": "2025-12-03T06:48:38Z"
   },
-  {
-    "name": "mattermost/mattermost",
-    "version": "v10.11.8",
-    "date": "2025-11-21T17:06:07Z"
-  },
-  {
-    "name": "openobserve/openobserve",
-    "version": "v0.20.2",
-    "date": "2025-12-03T02:20:57Z"
-  },
   {
     "name": "hyperion-project/hyperion.ng",
     "version": "2.1.1",
@@ -389,11 +414,6 @@
     "version": "jenkins-2.540",
     "date": "2025-12-02T16:56:49Z"
   },
-  {
-    "name": "nzbgetcom/nzbget",
-    "version": "v25.4",
-    "date": "2025-10-09T10:27:01Z"
-  },
   {
     "name": "docker/compose",
     "version": "v5.0.0",
@@ -869,11 +889,6 @@
     "version": "4.10.1",
     "date": "2025-11-15T04:36:48Z"
   },
-  {
-    "name": "zitadel/zitadel",
-    "version": "v4.7.0",
-    "date": "2025-11-14T09:45:13Z"
-  },
   {
     "name": "runtipi/runtipi",
     "version": "v4.6.5",
@@ -999,11 +1014,6 @@
     "version": "v3.0.9",
     "date": "2025-11-04T07:28:45Z"
   },
-  {
-    "name": "maxdorninger/MediaManager",
-    "version": "v1.9.1",
-    "date": "2025-11-02T21:14:50Z"
-  },
   {
     "name": "motioneye-project/motioneye",
     "version": "0.42.1",
@@ -1179,11 +1189,6 @@
     "version": "v0.23.0",
     "date": "2025-09-17T10:15:51Z"
   },
-  {
-    "name": "WGDashboard/WGDashboard",
-    "version": "v4.3.0.1",
-    "date": "2025-09-17T08:50:39Z"
-  },
   {
     "name": "Checkmk/checkmk",
     "version": "v2.4.0p12",
@@ -1249,11 +1254,6 @@
     "version": "0.6.25",
     "date": "2025-08-24T08:51:55Z"
   },
-  {
-    "name": "ventoy/Ventoy",
-    "version": "v1.1.07",
-    "date": "2025-08-18T16:13:54Z"
-  },
   {
     "name": "lldap/lldap",
     "version": "v0.6.2",

misc/build.func

@@ -453,7 +453,7 @@ load_vars_file() {
 
   # Allowed var_* keys
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -505,7 +505,7 @@ default_var_settings() {
   # Allowed var_* keys (alphabetically sorted)
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -667,7 +667,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
     var_gateway var_hostname var_ipv6_method var_mac var_mtu
     var_net var_ns var_pw var_ram var_tags var_tun var_unprivileged
     var_verbose var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -816,6 +816,7 @@ _build_current_app_vars_tmp() {
   _apt_cacher_ip="${APT_CACHER_IP:-}"
   _fuse="${ENABLE_FUSE:-no}"
   _tun="${ENABLE_TUN:-no}"
+  _gpu="${ENABLE_GPU:-no}"
   _nesting="${ENABLE_NESTING:-1}"
   _keyctl="${ENABLE_KEYCTL:-0}"
   _mknod="${ENABLE_MKNOD:-0}"
@@ -865,6 +866,7 @@ _build_current_app_vars_tmp() {
 
     [ -n "$_fuse" ] && echo "var_fuse=$(_sanitize_value "$_fuse")"
     [ -n "$_tun" ] && echo "var_tun=$(_sanitize_value "$_tun")"
+    [ -n "$_gpu" ] && echo "var_gpu=$(_sanitize_value "$_gpu")"
     [ -n "$_nesting" ] && echo "var_nesting=$(_sanitize_value "$_nesting")"
     [ -n "$_keyctl" ] && echo "var_keyctl=$(_sanitize_value "$_keyctl")"
     [ -n "$_mknod" ] && echo "var_mknod=$(_sanitize_value "$_mknod")"
@@ -1011,37 +1013,49 @@ advanced_settings() {
   # Initialize defaults
   TAGS="community-script;${var_tags:-}"
   local STEP=1
-  local MAX_STEP=19
+  local MAX_STEP=28
 
-  # Store values for back navigation
-  local _ct_type="${CT_TYPE:-1}"
+  # Store values for back navigation - inherit from var_* app defaults
+  local _ct_type="${var_unprivileged:-1}"
   local _pw=""
   local _pw_display="Automatic Login"
   local _ct_id="$NEXTID"
   local _hostname="$NSAPP"
-  local _disk_size="$var_disk"
-  local _core_count="$var_cpu"
-  local _ram_size="$var_ram"
-  local _bridge="vmbr0"
-  local _net="dhcp"
-  local _gate=""
-  local _ipv6_method="auto"
+  local _disk_size="${var_disk:-4}"
+  local _core_count="${var_cpu:-1}"
+  local _ram_size="${var_ram:-1024}"
+  local _bridge="${var_brg:-vmbr0}"
+  local _net="${var_net:-dhcp}"
+  local _gate="${var_gateway:-}"
+  local _ipv6_method="${var_ipv6_method:-auto}"
   local _ipv6_addr=""
   local _ipv6_gate=""
-  local _apt_cacher_ip=""
-  local _mtu=""
-  local _sd=""
-  local _ns=""
-  local _mac=""
-  local _vlan=""
+  local _apt_cacher="${var_apt_cacher:-no}"
+  local _apt_cacher_ip="${var_apt_cacher_ip:-}"
+  local _mtu="${var_mtu:-}"
+  local _sd="${var_searchdomain:-}"
+  local _ns="${var_ns:-}"
+  local _mac="${var_mac:-}"
+  local _vlan="${var_vlan:-}"
   local _tags="$TAGS"
-  local _enable_fuse="no"
-  local _verbose="no"
-  local _enable_keyctl="0"
-  local _enable_mknod="0"
-  local _mount_fs=""
-  local _protect_ct="no"
-  local _ct_timezone=""
+  local _enable_fuse="${var_fuse:-no}"
+  local _enable_tun="${var_tun:-no}"
+  local _enable_gpu="${var_gpu:-no}"
+  local _enable_nesting="${var_nesting:-1}"
+  local _verbose="${var_verbose:-no}"
+  local _enable_keyctl="${var_keyctl:-0}"
+  local _enable_mknod="${var_mknod:-0}"
+  local _mount_fs="${var_mount_fs:-}"
+  local _protect_ct="${var_protection:-no}"
+  
+  # Detect host timezone for default (if not set via var_timezone)
+  local _host_timezone=""
+  if command -v timedatectl >/dev/null 2>&1; then
+    _host_timezone=$(timedatectl show --value --property=Timezone 2>/dev/null || echo "")
+  elif [ -f /etc/timezone ]; then
+    _host_timezone=$(cat /etc/timezone 2>/dev/null || echo "")
+  fi
+  local _ct_timezone="${var_timezone:-$_host_timezone}"
 
   # Helper to show current progress
   show_progress() {
@@ -1491,20 +1505,23 @@ advanced_settings() {
     # STEP 17: SSH Settings
     # ═══════════════════════════════════════════════════════════════════════════
     17)
-      configure_ssh_settings
+      configure_ssh_settings "Step $STEP/$MAX_STEP"
       # configure_ssh_settings handles its own flow, always advance
       ((STEP++))
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 18: FUSE & Verbose Mode
+    # STEP 18: FUSE Support
     # ═══════════════════════════════════════════════════════════════════════════
     18)
+      local fuse_default_flag="--defaultno"
+      [[ "$_enable_fuse" == "yes" || "$_enable_fuse" == "1" ]] && fuse_default_flag=""
+
       if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
         --title "FUSE SUPPORT" \
         --ok-button "Next" --cancel-button "Back" \
-        --defaultno \
-        --yesno "\nEnable FUSE support?\n\nRequired for: rclone, mergerfs, AppImage, etc." 12 58; then
+        $fuse_default_flag \
+        --yesno "\nEnable FUSE support?\n\nRequired for: rclone, mergerfs, AppImage, etc.\n\n(App default: ${var_fuse:-no})" 14 58; then
         _enable_fuse="yes"
       else
         if [ $? -eq 1 ]; then
@@ -1514,26 +1531,255 @@ advanced_settings() {
           continue
         fi
       fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 19: TUN/TAP Support
+    # ═══════════════════════════════════════════════════════════════════════════
+    19)
+      local tun_default_flag="--defaultno"
+      [[ "$_enable_tun" == "yes" || "$_enable_tun" == "1" ]] && tun_default_flag=""
 
       if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
-        --title "VERBOSE MODE" \
-        --defaultno \
-        --yesno "\nEnable Verbose Mode?\n\nShows detailed output during installation." 12 58; then
-        _verbose="yes"
+        --title "TUN/TAP SUPPORT" \
+        --ok-button "Next" --cancel-button "Back" \
+        $tun_default_flag \
+        --yesno "\nEnable TUN/TAP device support?\n\nRequired for: VPN apps (WireGuard, OpenVPN, Tailscale),\nnetwork tunneling, and containerized networking.\n\n(App default: ${var_tun:-no})" 14 62; then
+        _enable_tun="yes"
       else
-        _verbose="no"
+        if [ $? -eq 1 ]; then
+          _enable_tun="no"
+        else
+          ((STEP--))
+          continue
+        fi
       fi
       ((STEP++))
       ;;
 
     # ═══════════════════════════════════════════════════════════════════════════
-    # STEP 19: Confirmation
+    # STEP 20: Nesting Support
     # ═══════════════════════════════════════════════════════════════════════════
-    19)
+    20)
+      local nesting_default_flag=""
+      [[ "$_enable_nesting" == "0" || "$_enable_nesting" == "no" ]] && nesting_default_flag="--defaultno"
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "NESTING SUPPORT" \
+        --ok-button "Next" --cancel-button "Back" \
+        $nesting_default_flag \
+        --yesno "\nEnable Nesting?\n\nRequired for: Docker, LXC inside LXC, Podman,\nand other containerization tools.\n\n(App default: ${var_nesting:-1})" 14 58; then
+        _enable_nesting="1"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_nesting="0"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 21: GPU Passthrough
+    # ═══════════════════════════════════════════════════════════════════════════
+    21)
+      local gpu_default_flag="--defaultno"
+      [[ "$_enable_gpu" == "yes" ]] && gpu_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "GPU PASSTHROUGH" \
+        --ok-button "Next" --cancel-button "Back" \
+        $gpu_default_flag \
+        --yesno "\nEnable GPU Passthrough?\n\nAutomatically detects and passes through available GPUs\n(Intel/AMD/NVIDIA) for hardware acceleration.\n\nRecommended for: Media servers, AI/ML, Transcoding\n\n(App default: ${var_gpu:-no})" 16 62; then
+        _enable_gpu="yes"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_gpu="no"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 22: Keyctl Support (Docker/systemd)
+    # ═══════════════════════════════════════════════════════════════════════════
+    22)
+      local keyctl_default_flag="--defaultno"
+      [[ "$_enable_keyctl" == "1" ]] && keyctl_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "KEYCTL SUPPORT" \
+        --ok-button "Next" --cancel-button "Back" \
+        $keyctl_default_flag \
+        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\nNote: Automatically enabled for unprivileged containers.\n\n(App default: ${var_keyctl:-0})" 16 62; then
+        _enable_keyctl="1"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_keyctl="0"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 23: APT Cacher Proxy
+    # ═══════════════════════════════════════════════════════════════════════════
+    23)
+      local apt_cacher_default_flag="--defaultno"
+      [[ "$_apt_cacher" == "yes" ]] && apt_cacher_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "APT CACHER PROXY" \
+        --ok-button "Next" --cancel-button "Back" \
+        $apt_cacher_default_flag \
+        --yesno "\nUse APT Cacher-NG proxy?\n\nSpeeds up package downloads by caching them locally.\nRequires apt-cacher-ng running on your network.\n\n(App default: ${var_apt_cacher:-no})" 14 62; then
+        _apt_cacher="yes"
+        # Ask for IP if enabled
+        if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+          --title "APT CACHER IP" \
+          --inputbox "\nEnter APT Cacher-NG server IP address:" 10 58 "$_apt_cacher_ip" \
+          3>&1 1>&2 2>&3); then
+          _apt_cacher_ip="$result"
+        fi
+      else
+        if [ $? -eq 1 ]; then
+          _apt_cacher="no"
+          _apt_cacher_ip=""
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 24: Container Timezone
+    # ═══════════════════════════════════════════════════════════════════════════
+    24)
+      local tz_hint="$_ct_timezone"
+      [[ -z "$tz_hint" ]] && tz_hint="(empty - will use host timezone)"
+
+      if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "CONTAINER TIMEZONE" \
+        --ok-button "Next" --cancel-button "Back" \
+        --inputbox "\nSet container timezone.\n\nExamples: Europe/Berlin, America/New_York, Asia/Tokyo\n\nHost timezone: ${_host_timezone:-unknown}\n\nLeave empty to inherit from host." 16 62 "$_ct_timezone" \
+        3>&1 1>&2 2>&3); then
+        _ct_timezone="$result"
+        ((STEP++))
+      else
+        ((STEP--))
+      fi
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 25: Container Protection
+    # ═══════════════════════════════════════════════════════════════════════════
+    25)
+      local protect_default_flag="--defaultno"
+      [[ "$_protect_ct" == "yes" || "$_protect_ct" == "1" ]] && protect_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "CONTAINER PROTECTION" \
+        --ok-button "Next" --cancel-button "Back" \
+        $protect_default_flag \
+        --yesno "\nEnable Container Protection?\n\nPrevents accidental deletion of this container.\nYou must disable protection before removing.\n\n(App default: ${var_protection:-no})" 14 62; then
+        _protect_ct="yes"
+      else
+        if [ $? -eq 1 ]; then
+          _protect_ct="no"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 26: Device Node Creation (mknod)
+    # ═══════════════════════════════════════════════════════════════════════════
+    26)
+      local mknod_default_flag="--defaultno"
+      [[ "$_enable_mknod" == "1" ]] && mknod_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "DEVICE NODE CREATION" \
+        --ok-button "Next" --cancel-button "Back" \
+        $mknod_default_flag \
+        --yesno "\nAllow device node creation (mknod)?\n\nRequired for: Creating device files inside container.\nExperimental feature (requires kernel 5.3+).\n\n(App default: ${var_mknod:-0})" 14 62; then
+        _enable_mknod="1"
+      else
+        if [ $? -eq 1 ]; then
+          _enable_mknod="0"
+        else
+          ((STEP--))
+          continue
+        fi
+      fi
+      ((STEP++))
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 27: Mount Filesystems
+    # ═══════════════════════════════════════════════════════════════════════════
+    27)
+      local mount_hint=""
+      [[ -n "$_mount_fs" ]] && mount_hint="$_mount_fs" || mount_hint="(none)"
+
+      if result=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "MOUNT FILESYSTEMS" \
+        --ok-button "Next" --cancel-button "Back" \
+        --inputbox "\nAllow specific filesystem mounts.\n\nComma-separated list: nfs, cifs, fuse, ext4, etc.\nLeave empty for defaults (none).\n\nCurrent: $mount_hint" 14 62 "$_mount_fs" \
+        3>&1 1>&2 2>&3); then
+        _mount_fs="$result"
+        ((STEP++))
+      else
+        ((STEP--))
+      fi
+      ;;
+
+    # ═══════════════════════════════════════════════════════════════════════════
+    # STEP 28: Verbose Mode & Confirmation
+    # ═══════════════════════════════════════════════════════════════════════════
+    28)
+      local verbose_default_flag="--defaultno"
+      [[ "$_verbose" == "yes" ]] && verbose_default_flag=""
+
+      if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
+        --title "VERBOSE MODE" \
+        $verbose_default_flag \
+        --yesno "\nEnable Verbose Mode?\n\nShows detailed output during installation." 12 58; then
+        _verbose="yes"
+      else
+        _verbose="no"
+      fi
       # Build summary
       local ct_type_desc="Unprivileged"
       [[ "$_ct_type" == "0" ]] && ct_type_desc="Privileged"
 
+      local nesting_desc="Disabled"
+      [[ "$_enable_nesting" == "1" ]] && nesting_desc="Enabled"
+
+      local keyctl_desc="Disabled"
+      [[ "$_enable_keyctl" == "1" ]] && keyctl_desc="Enabled"
+
+      local protect_desc="No"
+      [[ "$_protect_ct" == "yes" || "$_protect_ct" == "1" ]] && protect_desc="Yes"
+
+      local tz_display="${_ct_timezone:-Host TZ}"
+      local apt_display="${_apt_cacher:-no}"
+      [[ "$_apt_cacher" == "yes" && -n "$_apt_cacher_ip" ]] && apt_display="$_apt_cacher_ip"
+
       local summary="Container Type: $ct_type_desc
 Container ID: $_ct_id
 Hostname: $_hostname
@@ -1548,14 +1794,20 @@ Network:
   IPv4: $_net
   IPv6: $_ipv6_method
 
-Options:
-  FUSE: $_enable_fuse
+Features:
+  FUSE: $_enable_fuse | TUN: $_enable_tun
+  Nesting: $nesting_desc | Keyctl: $keyctl_desc
+  GPU: $_enable_gpu | Protection: $protect_desc
+
+Advanced:
+  Timezone: $tz_display
+  APT Cacher: $apt_display
   Verbose: $_verbose"
 
       if whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
         --title "CONFIRM SETTINGS" \
         --ok-button "Create LXC" --cancel-button "Back" \
-        --yesno "$summary\n\nCreate ${APP} LXC with these settings?" 26 58; then
+        --yesno "$summary\n\nCreate ${APP} LXC with these settings?" 32 62; then
         ((STEP++))
       else
         ((STEP--))
@@ -1582,8 +1834,31 @@ Options:
   IPV6_GATE="$_ipv6_gate"
   TAGS="$_tags"
   ENABLE_FUSE="$_enable_fuse"
+  ENABLE_TUN="$_enable_tun"
+  ENABLE_GPU="$_enable_gpu"
+  ENABLE_NESTING="$_enable_nesting"
+  ENABLE_KEYCTL="$_enable_keyctl"
+  ENABLE_MKNOD="$_enable_mknod"
+  ALLOW_MOUNT_FS="$_mount_fs"
+  PROTECT_CT="$_protect_ct"
+  CT_TIMEZONE="$_ct_timezone"
+  APT_CACHER="$_apt_cacher"
+  APT_CACHER_IP="$_apt_cacher_ip"
   VERBOSE="$_verbose"
 
+  # Update var_* based on user choice (for functions that check these)
+  var_gpu="$_enable_gpu"
+  var_fuse="$_enable_fuse"
+  var_tun="$_enable_tun"
+  var_nesting="$_enable_nesting"
+  var_keyctl="$_enable_keyctl"
+  var_mknod="$_enable_mknod"
+  var_mount_fs="$_mount_fs"
+  var_protection="$_protect_ct"
+  var_timezone="$_ct_timezone"
+  var_apt_cacher="$_apt_cacher"
+  var_apt_cacher_ip="$_apt_cacher_ip"
+
   # Format optional values
   [[ -n "$_mtu" ]] && MTU=",mtu=$_mtu" || MTU=""
   [[ -n "$_sd" ]] && SD="-searchdomain=$_sd" || SD=""
@@ -1600,6 +1875,10 @@ Options:
   export UDHCPC_FIX
   export SSH_KEYS_FILE
 
+  # Exit alternate screen buffer before showing summary (so output remains visible)
+  tput rmcup 2>/dev/null || true
+  trap - RETURN
+
   # Display final summary
   echo -e "\n${INFO}${BOLD}${DGN}PVE Version ${PVEVERSION} (Kernel: ${KERNEL_VERSION})${CL}"
   echo -e "${OS}${BOLD}${DGN}Operating System: ${BGN}$var_os${CL}"
@@ -1614,6 +1893,13 @@ Options:
   echo -e "${NETWORK}${BOLD}${DGN}IPv4: ${BGN}$NET${CL}"
   echo -e "${NETWORK}${BOLD}${DGN}IPv6: ${BGN}$IPV6_METHOD${CL}"
   echo -e "${FUSE}${BOLD}${DGN}FUSE Support: ${BGN}$ENABLE_FUSE${CL}"
+  [[ "$ENABLE_TUN" == "yes" ]] && echo -e "${NETWORK}${BOLD}${DGN}TUN/TAP Support: ${BGN}$ENABLE_TUN${CL}"
+  echo -e "${CONTAINERTYPE}${BOLD}${DGN}Nesting: ${BGN}$([ "$ENABLE_NESTING" == "1" ] && echo "Enabled" || echo "Disabled")${CL}"
+  [[ "$ENABLE_KEYCTL" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Keyctl: ${BGN}Enabled${CL}"
+  echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}$ENABLE_GPU${CL}"
+  [[ "$PROTECT_CT" == "yes" || "$PROTECT_CT" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Protection: ${BGN}Enabled${CL}"
+  [[ -n "$CT_TIMEZONE" ]] && echo -e "${INFO}${BOLD}${DGN}Timezone: ${BGN}$CT_TIMEZONE${CL}"
+  [[ "$APT_CACHER" == "yes" ]] && echo -e "${INFO}${BOLD}${DGN}APT Cacher: ${BGN}$APT_CACHER_IP${CL}"
   echo -e "${SEARCH}${BOLD}${DGN}Verbose Mode: ${BGN}$VERBOSE${CL}"
   echo -e "${CREATING}${BOLD}${RD}Creating a ${APP} LXC using the above advanced settings${CL}"
 }
@@ -1736,6 +2022,9 @@ echo_default() {
   echo -e "${DISKSIZE}${BOLD}${DGN}Disk Size: ${BGN}${DISK_SIZE} GB${CL}"
   echo -e "${CPUCORE}${BOLD}${DGN}CPU Cores: ${BGN}${CORE_COUNT}${CL}"
   echo -e "${RAMSIZE}${BOLD}${DGN}RAM Size: ${BGN}${RAM_SIZE} MiB${CL}"
+  if [[ -n "${var_gpu:-}" && "${var_gpu}" == "yes" ]]; then
+    echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}Enabled${CL}"
+  fi
   if [ "$VERBOSE" == "yes" ]; then
     echo -e "${SEARCH}${BOLD}${DGN}Verbose Mode: ${BGN}Enabled${CL}"
   fi
@@ -2076,6 +2365,10 @@ ssh_discover_default_files() {
 }
 
 configure_ssh_settings() {
+  local step_info="${1:-}"
+  local backtitle="Proxmox VE Helper Scripts"
+  [[ -n "$step_info" ]] && backtitle="Proxmox VE Helper Scripts [${step_info}]"
+
   SSH_KEYS_FILE="$(mktemp)"
   : >"$SSH_KEYS_FILE"
 
@@ -2085,14 +2378,14 @@ configure_ssh_settings() {
 
   local ssh_key_mode
   if [[ "$default_key_count" -gt 0 ]]; then
-    ssh_key_mode=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SSH KEY SOURCE" --menu \
+    ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
       "Provision SSH keys for root:" 14 72 4 \
       "found" "Select from detected keys (${default_key_count})" \
       "manual" "Paste a single public key" \
       "folder" "Scan another folder (path or glob)" \
       "none" "No keys" 3>&1 1>&2 2>&3) || exit_script
   else
-    ssh_key_mode=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SSH KEY SOURCE" --menu \
+    ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
       "No host keys detected; choose manual/none:" 12 72 2 \
       "manual" "Paste a single public key" \
       "none" "No keys" 3>&1 1>&2 2>&3) || exit_script
@@ -2101,7 +2394,7 @@ configure_ssh_settings() {
   case "$ssh_key_mode" in
   found)
     local selection
-    selection=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SELECT HOST KEYS" \
+    selection=$(whiptail --backtitle "$backtitle" --title "SELECT HOST KEYS" \
       --checklist "Select one or more keys to import:" 20 140 10 "${CHOICES[@]}" 3>&1 1>&2 2>&3) || exit_script
     for tag in $selection; do
       tag="${tag%\"}"
@@ -2112,13 +2405,13 @@ configure_ssh_settings() {
     done
     ;;
   manual)
-    SSH_AUTHORIZED_KEY="$(whiptail --backtitle "Proxmox VE Helper Scripts" \
+    SSH_AUTHORIZED_KEY="$(whiptail --backtitle "$backtitle" \
       --inputbox "Paste one SSH public key line (ssh-ed25519/ssh-rsa/...)" 10 72 --title "SSH Public Key" 3>&1 1>&2 2>&3)"
     [[ -n "$SSH_AUTHORIZED_KEY" ]] && printf '%s\n' "$SSH_AUTHORIZED_KEY" >>"$SSH_KEYS_FILE"
     ;;
   folder)
     local glob_path
-    glob_path=$(whiptail --backtitle "Proxmox VE Helper Scripts" \
+    glob_path=$(whiptail --backtitle "$backtitle" \
       --inputbox "Enter a folder or glob to scan (e.g. /root/.ssh/*.pub)" 10 72 --title "Scan Folder/Glob" 3>&1 1>&2 2>&3)
     if [[ -n "$glob_path" ]]; then
       shopt -s nullglob
@@ -2128,7 +2421,7 @@ configure_ssh_settings() {
         ssh_build_choices_from_files "${_scan_files[@]}"
         if [[ "$COUNT" -gt 0 ]]; then
           local folder_selection
-          folder_selection=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SELECT FOLDER KEYS" \
+          folder_selection=$(whiptail --backtitle "$backtitle" --title "SELECT FOLDER KEYS" \
             --checklist "Select key(s) to import:" 20 78 10 "${CHOICES[@]}" 3>&1 1>&2 2>&3) || exit_script
           for tag in $folder_selection; do
             tag="${tag%\"}"
@@ -2138,10 +2431,10 @@ configure_ssh_settings() {
             [[ -n "$line" ]] && printf '%s\n' "$line" >>"$SSH_KEYS_FILE"
           done
         else
-          whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox "No keys found in: $glob_path" 8 60
+          whiptail --backtitle "$backtitle" --msgbox "No keys found in: $glob_path" 8 60
         fi
       else
-        whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox "Path/glob returned no files." 8 60
+        whiptail --backtitle "$backtitle" --msgbox "Path/glob returned no files." 8 60
       fi
     fi
     ;;
@@ -2155,12 +2448,9 @@ configure_ssh_settings() {
     printf '\n' >>"$SSH_KEYS_FILE"
   fi
 
-  if [[ -s "$SSH_KEYS_FILE" || "$PW" == -password* ]]; then
-    if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultno --title "SSH ACCESS" --yesno "Enable root SSH access?" 10 58); then
-      SSH="yes"
-    else
-      SSH="no"
-    fi
+  # Always show SSH access dialog - user should be able to enable SSH even without keys
+  if (whiptail --backtitle "$backtitle" --defaultno --title "SSH ACCESS" --yesno "Enable root SSH access?" 10 58); then
+    SSH="yes"
   else
     SSH="no"
   fi
@@ -2278,15 +2568,23 @@ build_container() {
   none) ;;
   esac
 
-  # Build FEATURES string
-  if [ "$CT_TYPE" == "1" ]; then
-    FEATURES="keyctl=1,nesting=1"
-  else
+  # Build FEATURES string based on container type and user choices
+  FEATURES=""
+
+  # Nesting support (user configurable, default enabled)
+  if [ "${ENABLE_NESTING:-1}" == "1" ]; then
     FEATURES="nesting=1"
   fi
 
+  # Keyctl for unprivileged containers (needed for Docker)
+  if [ "$CT_TYPE" == "1" ]; then
+    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+    FEATURES="${FEATURES}keyctl=1"
+  fi
+
   if [ "$ENABLE_FUSE" == "yes" ]; then
-    FEATURES="$FEATURES,fuse=1"
+    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+    FEATURES="${FEATURES}fuse=1"
   fi
 
   # Build PCT_OPTIONS as string for export
@@ -2387,21 +2685,15 @@ build_container() {
   # GPU/USB PASSTHROUGH CONFIGURATION
   # ============================================================================
 
-  # List of applications that benefit from GPU acceleration
-  GPU_APPS=(
-    "immich" "channels" "emby" "ersatztv" "frigate"
-    "jellyfin" "plex" "scrypted" "tdarr" "unmanic"
-    "ollama" "fileflows" "open-webui" "tunarr"
-    "handbrake" "sunshine" "moonlight" "kodi" "stremio"
-    "viseron"
-  )
-
-  # Check if app needs GPU
+  # Check if GPU passthrough is enabled
+  # Returns true only if var_gpu is explicitly set to "yes"
+  # Can be set via:
+  #   - Environment variable: var_gpu=yes bash -c "..."
+  #   - CT script default: var_gpu="${var_gpu:-no}"
+  #   - Advanced settings wizard
+  #   - App defaults file: /usr/local/community-scripts/defaults/<app>.vars
   is_gpu_app() {
-    local app="${1,,}"
-    for gpu_app in "${GPU_APPS[@]}"; do
-      [[ "$app" == "${gpu_app,,}" ]] && return 0
-    done
+    [[ "${var_gpu:-no}" == "yes" ]] && return 0
     return 1
   }
 
@@ -2491,8 +2783,13 @@ EOF
 
   # Configure GPU passthrough
   configure_gpu_passthrough() {
-    # Skip if not a GPU app and not privileged
-    if [[ "$CT_TYPE" != "0" ]] && ! is_gpu_app "$APP"; then
+    # Skip if:
+    # GPU passthrough is enabled when var_gpu="yes":
+    # - Set via environment variable: var_gpu=yes bash -c "..."
+    # - Set in CT script: var_gpu="${var_gpu:-no}"
+    # - Enabled in advanced_settings wizard
+    # - Configured in app defaults file
+    if ! is_gpu_app "$APP"; then
       return 0
     fi
 

misc/core.func

@@ -123,6 +123,7 @@ icons() {
   CREATING="${TAB}🚀${TAB}${CL}"
   ADVANCED="${TAB}🧩${TAB}${CL}"
   FUSE="${TAB}🗂️${TAB}${CL}"
+  GPU="${TAB}🎮${TAB}${CL}"
   HOURGLASS="${TAB}⏳${TAB}"
 }