fix(frigate): use curl_with_retry for all downloads

Replace all wget and bare curl calls with curl_with_retry from
tools.func for robust downloads with retry logic, exponential
backoff, and DNS pre-checks. This prevents install failures from
transient network issues during model and dependency downloads.

CHANGELOG.md

@@ -423,45 +423,8 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
-## 2026-03-18
-
-### 🆕 New Scripts
-
-  - split-pro ([#12975](https://github.com/community-scripts/ProxmoxVE/pull/12975))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Paperless-NGX: increase default RAM to 3GB [@MickLesk](https://github.com/MickLesk) ([#13018](https://github.com/community-scripts/ProxmoxVE/pull/13018))
-    - Plex: restart service after update to apply new version [@MickLesk](https://github.com/MickLesk) ([#13017](https://github.com/community-scripts/ProxmoxVE/pull/13017))
-
-  - #### 🔧 Refactor
-
-    - pve-scripts-local: Increase default disk size from 4GB to 10GB [@MickLesk](https://github.com/MickLesk) ([#13009](https://github.com/community-scripts/ProxmoxVE/pull/13009))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - tools.func: Implement check_for_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#12998](https://github.com/community-scripts/ProxmoxVE/pull/12998))
-    - tools.func: Implement fetch_and_deploy_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#13000](https://github.com/community-scripts/ProxmoxVE/pull/13000))
-
 ## 2026-03-17
 
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Gluetun: add OpenVPN process user and cleanup stale config [@MickLesk](https://github.com/MickLesk) ([#13016](https://github.com/community-scripts/ProxmoxVE/pull/13016))
-    - Frigate: check OpenVino model files exist before configuring detector and use curl_with_retry instead of default wget [@MickLesk](https://github.com/MickLesk) ([#13019](https://github.com/community-scripts/ProxmoxVE/pull/13019))
-
-### 💾 Core
-
-  - #### 🔧 Refactor
-
-    - tools.func: Update `create_self_signed_cert()` [@tremor021](https://github.com/tremor021) ([#13008](https://github.com/community-scripts/ProxmoxVE/pull/13008))
-
 ## 2026-03-16
 
 ### 🆕 New Scripts

ct/headers/split-pro

@@ -1,6 +0,0 @@
-   _____       ___ __        ____           
-  / ___/____  / (_) /_      / __ \_________ 
-  \__ \/ __ \/ / / __/_____/ /_/ / ___/ __ \
- ___/ / /_/ / / / /_/_____/ ____/ /  / /_/ /
-/____/ .___/_/_/\__/     /_/   /_/   \____/ 
-    /_/                                     

ct/paperless-ngx.sh

@@ -8,7 +8,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 APP="Paperless-ngx"
 var_tags="${var_tags:-document;management}"
 var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-3072}"
+var_ram="${var_ram:-2048}"
 var_disk="${var_disk:-12}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"

ct/plex.sh

@@ -79,11 +79,6 @@ function update_script() {
   $STD apt update
   $STD apt install -y plexmediaserver
   msg_ok "Updated Plex Media Server"
-
-  msg_info "Restarting Plex Media Server"
-  systemctl restart plexmediaserver
-  msg_ok "Restarted Plex Media Server"
-
   msg_ok "Updated successfully!"
   exit
 }

ct/pve-scripts-local.sh

@@ -9,7 +9,7 @@ APP="PVE-Scripts-Local"
 var_tags="${var_tags:-pve-scripts-local}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-4096}"
-var_disk="${var_disk:-10}"
+var_disk="${var_disk:-4}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"

ct/reitti.sh

@@ -89,49 +89,17 @@ EOF
     msg_ok "Started Service"
     msg_ok "Updated successfully!"
   fi
-  
   if check_for_gh_release "photon" "komoot/photon"; then
-    if [[ -f "$HOME/.photon" ]] && [[ "$(cat "$HOME/.photon")" == 0.7 ]]; then
-      CURRENT_VERSION="$(<"$HOME/.photon")"
-      echo
-      echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-      echo "Photon v1 upgrade detected (breaking change)"
-      echo
-      echo "Your current version: $CURRENT_VERSION"
-      echo
-      echo "Photon v1 requires a manual migration before updating."
-      echo
-      echo "You need to:"
-      echo "  1. Remove existing geocoding data (not actual reitti data):"
-      echo "     rm -rf /opt/photon_data"
-      echo
-      echo "  2. Follow the inial setup guide again:"
-      echo "     https://github.com/community-scripts/ProxmoxVE/discussions/8737"
-      echo
-      echo "  3. Re-download and import Photon data for v1"
-      echo
-      read -rp "Do you want to continue anyway? (y/N): " CONTINUE
-      echo
-        
-      if [[ ! "$CONTINUE" =~ ^[Yy]$ ]]; then
-        msg_info "Migration required. Update cancelled."
-        exit 0
-      fi
-        
-      msg_warn "Continuing without migration may break Photon in the future!"
-    fi
-  
     msg_info "Stopping Service"
     systemctl stop photon
     msg_ok "Stopped Service"
 
     rm -f /opt/photon/photon.jar
-    USE_ORIGINAL_FILENAME="true" fetch_and_deploy_gh_release "photon" "komoot/photon" "singlefile" "latest" "/opt/photon" "photon-*.jar"
+    USE_ORIGINAL_FILENAME="true" fetch_and_deploy_gh_release "photon" "komoot/photon" "singlefile" "latest" "/opt/photon" "photon-0*.jar"
     mv /opt/photon/photon-*.jar /opt/photon/photon.jar
 
     msg_info "Starting Service"
     systemctl start photon
-    systemctl restart nginx
     msg_ok "Started Service"
     msg_ok "Updated successfully!"
   fi

ct/sparkyfitness.sh

@@ -51,7 +51,7 @@ function update_script() {
 
     msg_info "Updating Sparky Fitness Backend"
     cd /opt/sparkyfitness/SparkyFitnessServer
-    $STD pnpm install
+    $STD npm install --legacy-peer-deps
     msg_ok "Updated Sparky Fitness Backend"
 
     msg_info "Updating Sparky Fitness Frontend (Patience)"

ct/split-pro.sh

@@ -1,68 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: johanngrobe
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/oss-apps/split-pro
-
-APP="Split-Pro"
-var_tags="${var_tags:-finance;expense-sharing}"
-var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-4096}"
-var_disk="${var_disk:-6}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_unprivileged="${var_unprivileged:-1}"
-
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -d /opt/split-pro ]]; then
-    msg_error "No Split Pro Installation Found!"
-    exit
-  fi
-
-  if check_for_gh_release "split-pro" "oss-apps/split-pro"; then
-    msg_info "Stopping Service"
-    systemctl stop split-pro
-    msg_ok "Stopped Service"
-
-    msg_info "Backing up Data"
-    cp /opt/split-pro/.env /opt/split-pro.env
-    msg_ok "Backed up Data"
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "split-pro" "oss-apps/split-pro" "tarball"
-
-    msg_info "Building Application"
-    cd /opt/split-pro
-    $STD pnpm install --frozen-lockfile
-    $STD pnpm build
-    cp /opt/split-pro.env /opt/split-pro/.env
-    rm -f /opt/split-pro.env
-    ln -sf /opt/split-pro_data/uploads /opt/split-pro/uploads
-    $STD pnpm exec prisma migrate deploy
-    msg_ok "Built Application"
-
-    msg_info "Starting Service"
-    systemctl start split-pro
-    msg_ok "Started Service"
-    msg_ok "Updated successfully!"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"

install/gluetun-install.sh

@@ -46,9 +46,6 @@ VPN_TYPE=openvpn
 OPENVPN_CUSTOM_CONFIG=/opt/gluetun-data/custom.ovpn
 OPENVPN_USER=
 OPENVPN_PASSWORD=
-OPENVPN_PROCESS_USER=root
-PUID=0
-PGID=0
 HTTP_CONTROL_SERVER_ADDRESS=:8000
 HTTPPROXY=off
 SHADOWSOCKS=off
@@ -79,7 +76,6 @@ User=root
 WorkingDirectory=/opt/gluetun-data
 EnvironmentFile=/opt/gluetun-data/.env
 UnsetEnvironment=USER
-ExecStartPre=/bin/sh -c 'rm -f /etc/openvpn/target.ovpn'
 ExecStart=/usr/local/bin/gluetun
 Restart=on-failure
 RestartSec=5

install/reitti-install.sh

@@ -44,7 +44,7 @@ msg_ok "Configured RabbitMQ"
 
 USE_ORIGINAL_FILENAME="true" fetch_and_deploy_gh_release "reitti" "dedicatedcode/reitti" "singlefile" "latest" "/opt/reitti" "reitti-app.jar"
 mv /opt/reitti/reitti-*.jar /opt/reitti/reitti.jar
-USE_ORIGINAL_FILENAME="true" fetch_and_deploy_gh_release "photon" "komoot/photon" "singlefile" "latest" "/opt/photon" "photon-*.jar"
+USE_ORIGINAL_FILENAME="true" fetch_and_deploy_gh_release "photon" "komoot/photon" "singlefile" "latest" "/opt/photon" "photon-0*.jar"
 mv /opt/photon/photon-*.jar /opt/photon/photon.jar
 
 msg_info "Installing Nginx Tile Cache"

install/sparkyfitness-install.sh

@@ -47,7 +47,7 @@ msg_ok "Configured Sparky Fitness"
 
 msg_info "Building Backend"
 cd /opt/sparkyfitness/SparkyFitnessServer
-$STD pnpm install
+$STD npm install --legacy-peer-deps
 msg_ok "Built Backend"
 
 msg_info "Building Frontend (Patience)"

install/split-pro-install.sh

@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: johanngrobe
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/oss-apps/split-pro
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-NODE_VERSION="22" NODE_MODULE="pnpm" setup_nodejs
-PG_VERSION="17" PG_MODULES="cron" setup_postgresql
-
-msg_info "Installing Dependencies"
-$STD apt install -y openssl
-msg_ok "Installed Dependencies"
-
-PG_DB_NAME="splitpro" PG_DB_USER="splitpro" PG_DB_EXTENSIONS="pg_cron" setup_postgresql_db
-fetch_and_deploy_gh_release "split-pro" "oss-apps/split-pro" "tarball"
-
-msg_info "Installing Dependencies"
-cd /opt/split-pro
-$STD pnpm install --frozen-lockfile
-msg_ok "Installed Dependencies"
-
-msg_info "Building Split Pro"
-cd /opt/split-pro
-mkdir -p /opt/split-pro_data/uploads
-ln -sf /opt/split-pro_data/uploads /opt/split-pro/uploads
-NEXTAUTH_SECRET=$(openssl rand -base64 32)
-cp .env.example .env
-sed -i "s|^DATABASE_URL=.*|DATABASE_URL=\"postgresql://${PG_DB_USER}:${PG_DB_PASS}@localhost:5432/${PG_DB_NAME}\"|" .env
-sed -i "s|^NEXTAUTH_SECRET=.*|NEXTAUTH_SECRET=\"${NEXTAUTH_SECRET}\"|" .env
-sed -i "s|^NEXTAUTH_URL=.*|NEXTAUTH_URL=\"http://${LOCAL_IP}:3000\"|" .env
-sed -i "s|^NEXTAUTH_URL_INTERNAL=.*|NEXTAUTH_URL_INTERNAL=\"http://localhost:3000\"|" .env
-sed -i "/^POSTGRES_CONTAINER_NAME=/d" .env
-sed -i "/^POSTGRES_USER=/d" .env
-sed -i "/^POSTGRES_PASSWORD=/d" .env
-sed -i "/^POSTGRES_DB=/d" .env
-sed -i "/^POSTGRES_PORT=/d" .env
-$STD pnpm build
-$STD pnpm exec prisma migrate deploy
-msg_ok "Built Split Pro"
-
-msg_info "Creating Service"
-cat <<EOF >/etc/systemd/system/split-pro.service
-[Unit]
-Description=Split Pro
-After=network.target postgresql.service
-Requires=postgresql.service
-
-[Service]
-Type=simple
-User=root
-WorkingDirectory=/opt/split-pro
-EnvironmentFile=/opt/split-pro/.env
-ExecStart=/usr/bin/pnpm start
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now split-pro
-msg_ok "Created Service"
-
-motd_ssh
-customize
-cleanup_lxc

misc/tools.func

@@ -2077,129 +2077,101 @@ verify_gpg_fingerprint() {
 }
 
 # ------------------------------------------------------------------------------
-# Fetches and deploys a GitHub tag-based source tarball.
+# Get latest GitHub tag for a repository.
 #
 # Description:
-#   - Downloads the source tarball for a given tag from GitHub
-#   - Extracts to the target directory
-#   - Writes the version to ~/.<app>
+#   - Queries the GitHub API for tags (not releases)
+#   - Useful for repos that only create tags, not full releases
+#   - Supports optional prefix filter and version-only extraction
+#   - Returns the latest tag name (printed to stdout)
 #
 # Usage:
-#     fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server"
-#     fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server" "latest" "/opt/guacamole-server"
+#   MONGO_VERSION=$(get_latest_gh_tag "mongodb/mongo-tools")
+#   LATEST=$(get_latest_gh_tag "owner/repo" "v")          # only tags starting with "v"
+#   LATEST=$(get_latest_gh_tag "owner/repo" "" "true")     # strip leading "v"
 #
 # Arguments:
-#   $1 - App name (used for version file ~/.<app>)
-#   $2 - GitHub repo (owner/repo)
-#   $3 - Tag version (default: "latest" → auto-detect via get_latest_gh_tag)
-#   $4 - Target directory (default: /opt/$app)
+#   $1 - GitHub repo (owner/repo)
+#   $2 - Tag prefix filter (optional, e.g. "v" or "100.")
+#   $3 - Strip prefix from result (optional, "true" to strip $2 prefix)
+#
+# Returns:
+#   0 on success (tag printed to stdout), 1 on failure
 #
 # Notes:
-#   - Supports CLEAN_INSTALL=1 to wipe target before extracting
-#   - For repos that only publish tags, not GitHub Releases
+#   - Skips tags containing "rc", "alpha", "beta", "dev", "test"
+#   - Sorts by version number (sort -V) to find the latest
+#   - Respects GITHUB_TOKEN for rate limiting
 # ------------------------------------------------------------------------------
-fetch_and_deploy_gh_tag() {
-  local app="$1"
-  local repo="$2"
-  local version="${3:-latest}"
-  local target="${4:-/opt/$app}"
-  local app_lc=""
-  app_lc="$(echo "${app,,}" | tr -d ' ')"
-  local version_file="$HOME/.${app_lc}"
+get_latest_gh_tag() {
+  local repo="$1"
+  local prefix="${2:-}"
+  local strip_prefix="${3:-false}"
 
-  if [[ "$version" == "latest" ]]; then
-    version=$(get_latest_gh_tag "$repo") || {
-      msg_error "Failed to determine latest tag for ${repo}"
-      return 1
-    }
-  fi
+  local header_args=()
+  [[ -n "${GITHUB_TOKEN:-}" ]] && header_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
 
-  local current_version=""
-  [[ -f "$version_file" ]] && current_version=$(<"$version_file")
+  local http_code=""
+  http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gh_tags.json \
+    -H 'Accept: application/vnd.github+json' \
+    -H 'X-GitHub-Api-Version: 2022-11-28' \
+    "${header_args[@]}" \
+    "https://api.github.com/repos/${repo}/tags?per_page=100" 2>/dev/null) || true
 
-  if [[ "$current_version" == "$version" ]]; then
-    msg_ok "$app is already up-to-date ($version)"
-    return 0
-  fi
-
-  local tmpdir
-  tmpdir=$(mktemp -d) || return 1
-  local tarball_url="https://github.com/${repo}/archive/refs/tags/${version}.tar.gz"
-  local filename="${app_lc}-${version}.tar.gz"
-
-  msg_info "Fetching GitHub tag: ${app} (${version})"
-
-  download_file "$tarball_url" "$tmpdir/$filename" || {
-    msg_error "Download failed: $tarball_url"
-    rm -rf "$tmpdir"
+  if [[ "$http_code" == "401" ]]; then
+    msg_error "GitHub API authentication failed (HTTP 401)."
+    if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+      msg_error "Your GITHUB_TOKEN appears to be invalid or expired."
+    else
+      msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
+    fi
+    rm -f /tmp/gh_tags.json
     return 1
-  }
-
-  mkdir -p "$target"
-  if [[ "${CLEAN_INSTALL:-0}" == "1" ]]; then
-    rm -rf "${target:?}/"*
   fi
 
-  tar --no-same-owner -xzf "$tmpdir/$filename" -C "$tmpdir" || {
-    msg_error "Failed to extract tarball"
-    rm -rf "$tmpdir"
+  if [[ "$http_code" == "403" ]]; then
+    msg_error "GitHub API rate limit exceeded (HTTP 403)."
+    msg_error "To increase the limit, export a GitHub token before running the script:"
+    msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
+    rm -f /tmp/gh_tags.json
     return 1
-  }
+  fi
 
-  local unpack_dir
-  unpack_dir=$(find "$tmpdir" -mindepth 1 -maxdepth 1 -type d | head -n1)
+  if [[ "$http_code" == "000" || -z "$http_code" ]]; then
+    msg_error "GitHub API connection failed (no response)."
+    msg_error "Check your network/DNS: curl -sSL https://api.github.com/rate_limit"
+    rm -f /tmp/gh_tags.json
+    return 1
+  fi
 
-  shopt -s dotglob nullglob
-  cp -r "$unpack_dir"/* "$target/"
-  shopt -u dotglob nullglob
+  if [[ "$http_code" != "200" ]] || [[ ! -s /tmp/gh_tags.json ]]; then
+    msg_error "Unable to fetch tags for ${repo} (HTTP ${http_code})"
+    rm -f /tmp/gh_tags.json
+    return 1
+  fi
 
-  rm -rf "$tmpdir"
-  echo "$version" >"$version_file"
-  msg_ok "Deployed ${app} ${version} to ${target}"
-  return 0
-}
-
-# ------------------------------------------------------------------------------
-# Checks for new GitHub tag (for repos without releases).
-#
-# Description:
-#   - Uses get_latest_gh_tag to fetch the latest tag
-#   - Compares it to a local cached version (~/.<app>)
-#   - If newer, sets global CHECK_UPDATE_RELEASE and returns 0
-#
-# Usage:
-#     if check_for_gh_tag "guacd" "apache/guacamole-server"; then
-#       fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server" "/opt/guacamole-server"
-#     fi
-#
-# Notes:
-#   - For repos that only publish tags, not GitHub Releases
-#   - Same interface as check_for_gh_release
-# ------------------------------------------------------------------------------
-check_for_gh_tag() {
-  local app="$1"
-  local repo="$2"
-  local prefix="${3:-}"
-  local app_lc=""
-  app_lc="$(echo "${app,,}" | tr -d ' ')"
-  local current_file="$HOME/.${app_lc}"
-
-  msg_info "Checking for update: ${app}"
+  local tags_json
+  tags_json=$(</tmp/gh_tags.json)
+  rm -f /tmp/gh_tags.json
 
+  # Extract tag names, filter by prefix, exclude pre-release patterns, sort by version
   local latest=""
-  latest=$(get_latest_gh_tag "$repo" "$prefix") || return 1
+  latest=$(echo "$tags_json" | grep -oP '"name":\s*"\K[^"]+' |
+    { [[ -n "$prefix" ]] && grep "^${prefix}" || cat; } |
+    grep -viE '(rc|alpha|beta|dev|test|preview|snapshot)' |
+    sort -V | tail -n1)
 
-  local current=""
-  [[ -f "$current_file" ]] && current="$(<"$current_file")"
-
-  if [[ -z "$current" || "$current" != "$latest" ]]; then
-    CHECK_UPDATE_RELEASE="$latest"
-    msg_ok "Update available: ${app} ${current:-not installed} → ${latest}"
-    return 0
+  if [[ -z "$latest" ]]; then
+    msg_warn "No matching tags found for ${repo}${prefix:+ (prefix: $prefix)}"
+    return 1
   fi
 
-  msg_ok "No update available: ${app} (${latest})"
-  return 1
+  if [[ "$strip_prefix" == "true" && -n "$prefix" ]]; then
+    latest="${latest#"$prefix"}"
+  fi
+
+  echo "$latest"
+  return 0
 }
 
 # ==============================================================================
@@ -2547,8 +2519,6 @@ check_for_codeberg_release() {
 # ------------------------------------------------------------------------------
 create_self_signed_cert() {
   local APP_NAME="${1:-${APPLICATION}}"
-  local HOSTNAME="$(hostname -f)"
-  local IP="$(hostname -I | awk '{print $1}')"
   local APP_NAME_LC=$(echo "${APP_NAME,,}" | tr -d ' ')
   local CERT_DIR="/etc/ssl/${APP_NAME_LC}"
   local CERT_KEY="${CERT_DIR}/${APP_NAME_LC}.key"
@@ -2566,8 +2536,8 @@ create_self_signed_cert() {
 
   mkdir -p "$CERT_DIR"
   $STD openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-    -subj "/CN=${HOSTNAME}" \
-    -addext "subjectAltName=DNS:${HOSTNAME},DNS:localhost,IP:${IP},IP:127.0.0.1" \
+    -subj "/CN=${APP_NAME}" \
+    -addext "subjectAltName=DNS:${APP_NAME}" \
     -keyout "$CERT_KEY" \
     -out "$CERT_CRT" || {
     msg_error "Failed to create self-signed certificate"