Update CHANGELOG.md (#13090)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.github/workflows/delete-pocketbase-entry-on-removal.yml

@@ -75,7 +75,8 @@ jobs:
             const http = require('http');
             const url = require('url');
 
-            function request(fullUrl, opts) {
+            function request(fullUrl, opts, redirectCount) {
+              redirectCount = redirectCount || 0;
               return new Promise(function(resolve, reject) {
                 const u = url.parse(fullUrl);
                 const isHttps = u.protocol === 'https:';
@@ -90,6 +91,13 @@ jobs:
                 if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
                 const lib = isHttps ? https : http;
                 const req = lib.request(options, function(res) {
+                  if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                    if (redirectCount >= 5) return reject(new Error('Too many redirects from ' + fullUrl));
+                    const redirectUrl = url.resolve(fullUrl, res.headers.location);
+                    res.resume();
+                    resolve(request(redirectUrl, opts, redirectCount + 1));
+                    return;
+                  }
                   let data = '';
                   res.on('data', function(chunk) { data += chunk; });
                   res.on('end', function() {

.github/workflows/pocketbase-bot.yml

@@ -0,0 +1,675 @@
+name: PocketBase Bot
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  issues: write
+  pull-requests: write
+  contents: read
+
+jobs:
+  pocketbase-bot:
+    runs-on: self-hosted
+
+    # Only act on /pocketbase commands
+    if: startsWith(github.event.comment.body, '/pocketbase')
+
+    steps:
+      - name: Execute PocketBase bot command
+        env:
+          POCKETBASE_URL: ${{ secrets.POCKETBASE_URL }}
+          POCKETBASE_COLLECTION: ${{ secrets.POCKETBASE_COLLECTION }}
+          POCKETBASE_ADMIN_EMAIL: ${{ secrets.POCKETBASE_ADMIN_EMAIL }}
+          POCKETBASE_ADMIN_PASSWORD: ${{ secrets.POCKETBASE_ADMIN_PASSWORD }}
+          COMMENT_BODY: ${{ github.event.comment.body }}
+          COMMENT_ID: ${{ github.event.comment.id }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+          ACTOR: ${{ github.event.comment.user.login }}
+          ACTOR_ASSOCIATION: ${{ github.event.comment.author_association }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          node << 'ENDSCRIPT'
+          (async function () {
+            const https = require('https');
+            const http = require('http');
+            const url = require('url');
+
+            // ── HTTP helper with redirect following ────────────────────────────
+            function request(fullUrl, opts, redirectCount) {
+              redirectCount = redirectCount || 0;
+              return new Promise(function (resolve, reject) {
+                const u = url.parse(fullUrl);
+                const isHttps = u.protocol === 'https:';
+                const body = opts.body;
+                const options = {
+                  hostname: u.hostname,
+                  port: u.port || (isHttps ? 443 : 80),
+                  path: u.path,
+                  method: opts.method || 'GET',
+                  headers: opts.headers || {}
+                };
+                if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
+                const lib = isHttps ? https : http;
+                const req = lib.request(options, function (res) {
+                  if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                    if (redirectCount >= 5) return reject(new Error('Too many redirects from ' + fullUrl));
+                    const redirectUrl = url.resolve(fullUrl, res.headers.location);
+                    res.resume();
+                    resolve(request(redirectUrl, opts, redirectCount + 1));
+                    return;
+                  }
+                  let data = '';
+                  res.on('data', function (chunk) { data += chunk; });
+                  res.on('end', function () {
+                    resolve({ ok: res.statusCode >= 200 && res.statusCode < 300, statusCode: res.statusCode, body: data });
+                  });
+                });
+                req.on('error', reject);
+                if (body) req.write(body);
+                req.end();
+              });
+            }
+
+            // ── GitHub API helpers ─────────────────────────────────────────────
+            const owner = process.env.REPO_OWNER;
+            const repo = process.env.REPO_NAME;
+            const issueNumber = parseInt(process.env.ISSUE_NUMBER, 10);
+            const commentId = parseInt(process.env.COMMENT_ID, 10);
+            const actor = process.env.ACTOR;
+
+            function ghRequest(path, method, body) {
+              const headers = {
+                'Authorization': 'Bearer ' + process.env.GITHUB_TOKEN,
+                'Accept': 'application/vnd.github+json',
+                'X-GitHub-Api-Version': '2022-11-28',
+                'User-Agent': 'PocketBase-Bot'
+              };
+              const bodyStr = body ? JSON.stringify(body) : undefined;
+              if (bodyStr) headers['Content-Type'] = 'application/json';
+              return request('https://api.github.com' + path, { method: method || 'GET', headers, body: bodyStr });
+            }
+
+            async function addReaction(content) {
+              try {
+                await ghRequest(
+                  '/repos/' + owner + '/' + repo + '/issues/comments/' + commentId + '/reactions',
+                  'POST', { content }
+                );
+              } catch (e) {
+                console.warn('Could not add reaction:', e.message);
+              }
+            }
+
+            async function postComment(text) {
+              const res = await ghRequest(
+                '/repos/' + owner + '/' + repo + '/issues/' + issueNumber + '/comments',
+                'POST', { body: text }
+              );
+              if (!res.ok) console.warn('Could not post comment:', res.body);
+            }
+
+            // ── Permission check ───────────────────────────────────────────────
+            // author_association: OWNER = repo/org owner, MEMBER = org member (includes Contributors team)
+            const association = process.env.ACTOR_ASSOCIATION;
+            if (association !== 'OWNER' && association !== 'MEMBER') {
+              await addReaction('-1');
+              await postComment(
+                '❌ **PocketBase Bot**: @' + actor + ' is not authorized to use this command.\n' +
+                'Only org members (Contributors team) can use `/pocketbase`.'
+              );
+              process.exit(0);
+            }
+
+            // ── Acknowledge ────────────────────────────────────────────────────
+            await addReaction('eyes');
+
+            // ── Parse command ──────────────────────────────────────────────────
+            // Formats (first line of comment):
+            //   /pocketbase <slug> field=value [field=value ...]    ← field updates (simple values)
+            //   /pocketbase <slug> set <field>                       ← value from code block below
+            //   /pocketbase <slug> note list|add|edit|remove ...     ← note management
+            //   /pocketbase <slug> method list                        ← list install methods
+            //   /pocketbase <slug> method <type> cpu=N ram=N hdd=N   ← edit install method resources
+            const commentBody = process.env.COMMENT_BODY || '';
+            const lines = commentBody.trim().split('\n');
+            const firstLine = lines[0].trim();
+            const withoutCmd = firstLine.replace(/^\/pocketbase\s+/, '').trim();
+
+            // Extract code block content from comment body (```...``` or ```lang\n...```)
+            function extractCodeBlock(body) {
+              const m = body.match(/```[^\n]*\n([\s\S]*?)```/);
+              return m ? m[1].trim() : null;
+            }
+            const codeBlockValue = extractCodeBlock(commentBody);
+
+            const HELP_TEXT =
+              '**Field update (simple):** `/pocketbase <slug> field=value [field=value ...]`\n\n' +
+              '**Field update (HTML/multiline) — value from code block:**\n' +
+              '````\n' +
+              '/pocketbase <slug> set description\n' +
+              '```html\n' +
+              '<p>Your <b>HTML</b> or multi-line content here</p>\n' +
+              '```\n' +
+              '````\n\n' +
+              '**Note management:**\n' +
+              '```\n' +
+              '/pocketbase <slug> note list\n' +
+              '/pocketbase <slug> note add <type> "<text>"\n' +
+              '/pocketbase <slug> note edit <type> "<old text>" "<new text>"\n' +
+              '/pocketbase <slug> note remove <type> "<text>"\n' +
+              '```\n\n' +
+              '**Install method resources:**\n' +
+              '```\n' +
+              '/pocketbase <slug> method list\n' +
+              '/pocketbase <slug> method <type> hdd=10\n' +
+              '/pocketbase <slug> method <type> cpu=4 ram=2048 hdd=20\n' +
+              '```\n\n' +
+              '**Editable fields:** `name` `description` `logo` `documentation` `website` `project_url` `github` ' +
+              '`config_path` `port` `default_user` `default_passwd` ' +
+              '`updateable` `privileged` `has_arm` `is_dev` ' +
+              '`is_disabled` `disable_message` `is_deleted` `deleted_message`';
+
+            if (!withoutCmd) {
+              await addReaction('-1');
+              await postComment('❌ **PocketBase Bot**: No slug or command specified.\n\n' + HELP_TEXT);
+              process.exit(0);
+            }
+
+            const spaceIdx = withoutCmd.indexOf(' ');
+            const slug = (spaceIdx === -1 ? withoutCmd : withoutCmd.substring(0, spaceIdx)).trim();
+            const rest = spaceIdx === -1 ? '' : withoutCmd.substring(spaceIdx + 1).trim();
+
+            if (!rest) {
+              await addReaction('-1');
+              await postComment('❌ **PocketBase Bot**: No command specified for slug `' + slug + '`.\n\n' + HELP_TEXT);
+              process.exit(0);
+            }
+
+            // ── Allowed fields and their types ─────────────────────────────────
+            // ── PocketBase: authenticate (shared by all paths) ─────────────────
+            const raw = process.env.POCKETBASE_URL.replace(/\/$/, '');
+            const apiBase = /\/api$/i.test(raw) ? raw : raw + '/api';
+            const coll = process.env.POCKETBASE_COLLECTION;
+
+            const authRes = await request(apiBase + '/collections/users/auth-with-password', {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({
+                identity: process.env.POCKETBASE_ADMIN_EMAIL,
+                password: process.env.POCKETBASE_ADMIN_PASSWORD
+              })
+            });
+            if (!authRes.ok) {
+              await addReaction('-1');
+              await postComment('❌ **PocketBase Bot**: PocketBase authentication failed. CC @' + owner + '/maintainers');
+              process.exit(1);
+            }
+            const token = JSON.parse(authRes.body).token;
+
+            // ── PocketBase: find record by slug (shared by all paths) ──────────
+            const recordsUrl = apiBase + '/collections/' + encodeURIComponent(coll) + '/records';
+            const filter = "(slug='" + slug.replace(/'/g, "''") + "')";
+            const listRes = await request(recordsUrl + '?filter=' + encodeURIComponent(filter) + '&perPage=1', {
+              headers: { 'Authorization': token }
+            });
+            const list = JSON.parse(listRes.body);
+            const record = list.items && list.items[0];
+
+            if (!record) {
+              await addReaction('-1');
+              await postComment(
+                '❌ **PocketBase Bot**: No record found for slug `' + slug + '`.\n\n' +
+                'Make sure the script was already pushed to PocketBase (JSON must exist and have been synced).'
+              );
+              process.exit(0);
+            }
+
+            // ── Route: dispatch to subcommand handler ──────────────────────────
+            const noteMatch   = rest.match(/^note\s+(list|add|edit|remove)\b/i);
+            const methodMatch = rest.match(/^method\b/i);
+            const setMatch    = rest.match(/^set\s+(\S+)/i);
+
+            if (noteMatch) {
+              // ── NOTE SUBCOMMAND (reads/writes notes_json on script record) ────
+              const noteAction  = noteMatch[1].toLowerCase();
+              const noteArgsStr = rest.substring(noteMatch[0].length).trim();
+
+              // Parse notes_json from the already-fetched script record
+              // PocketBase may return JSON fields as already-parsed objects
+              let notesArr = [];
+              try {
+                const rawNotes = record.notes_json;
+                notesArr = Array.isArray(rawNotes) ? rawNotes : JSON.parse(rawNotes || '[]');
+              } catch (e) { notesArr = []; }
+
+              // Token parser: unquoted-word OR "quoted string" (supports \" escapes)
+              function parseNoteTokens(str) {
+                const tokens = [];
+                let pos = 0;
+                while (pos < str.length) {
+                  while (pos < str.length && /\s/.test(str[pos])) pos++;
+                  if (pos >= str.length) break;
+                  if (str[pos] === '"') {
+                    pos++;
+                    let start = pos;
+                    while (pos < str.length && str[pos] !== '"') {
+                      if (str[pos] === '\\') pos++;
+                      pos++;
+                    }
+                    tokens.push(str.substring(start, pos).replace(/\\"/g, '"'));
+                    if (pos < str.length) pos++;
+                  } else {
+                    let start = pos;
+                    while (pos < str.length && !/\s/.test(str[pos])) pos++;
+                    tokens.push(str.substring(start, pos));
+                  }
+                }
+                return tokens;
+              }
+
+              function formatNotesList(arr) {
+                if (arr.length === 0) return '*None*';
+                return arr.map(function (n, i) {
+                  return (i + 1) + '. **`' + (n.type || '?') + '`**: ' + (n.text || '');
+                }).join('\n');
+              }
+
+              async function patchNotesJson(arr) {
+                const res = await request(recordsUrl + '/' + record.id, {
+                  method: 'PATCH',
+                  headers: { 'Authorization': token, 'Content-Type': 'application/json' },
+                  body: JSON.stringify({ notes_json: JSON.stringify(arr) })
+                });
+                if (!res.ok) {
+                  await addReaction('-1');
+                  await postComment('❌ **PocketBase Bot**: Failed to update `notes_json`:\n```\n' + res.body + '\n```');
+                  process.exit(1);
+                }
+              }
+
+              if (noteAction === 'list') {
+                await addReaction('+1');
+                await postComment(
+                  'ℹ️ **PocketBase Bot**: Notes for **`' + slug + '`** (' + notesArr.length + ' total)\n\n' +
+                  formatNotesList(notesArr)
+                );
+
+              } else if (noteAction === 'add') {
+                const tokens = parseNoteTokens(noteArgsStr);
+                if (tokens.length < 2) {
+                  await addReaction('-1');
+                  await postComment(
+                    '❌ **PocketBase Bot**: `note add` requires `<type>` and `"<text>"`.\n\n' +
+                    '**Usage:** `/pocketbase ' + slug + ' note add <type> "<text>"`'
+                  );
+                  process.exit(0);
+                }
+                const noteType = tokens[0].toLowerCase();
+                const noteText = tokens.slice(1).join(' ');
+                notesArr.push({ type: noteType, text: noteText });
+                await patchNotesJson(notesArr);
+                await addReaction('+1');
+                await postComment(
+                  '✅ **PocketBase Bot**: Added note to **`' + slug + '`**\n\n' +
+                  '- **Type:** `' + noteType + '`\n' +
+                  '- **Text:** ' + noteText + '\n\n' +
+                  '*Executed by @' + actor + '*'
+                );
+
+              } else if (noteAction === 'edit') {
+                const tokens = parseNoteTokens(noteArgsStr);
+                if (tokens.length < 3) {
+                  await addReaction('-1');
+                  await postComment(
+                    '❌ **PocketBase Bot**: `note edit` requires `<type>`, `"<old text>"`, and `"<new text>"`.\n\n' +
+                    '**Usage:** `/pocketbase ' + slug + ' note edit <type> "<old text>" "<new text>"`\n\n' +
+                    'Use `/pocketbase ' + slug + ' note list` to see current notes.'
+                  );
+                  process.exit(0);
+                }
+                const noteType = tokens[0].toLowerCase();
+                const oldText  = tokens[1];
+                const newText  = tokens[2];
+                const idx = notesArr.findIndex(function (n) {
+                  return n.type.toLowerCase() === noteType && n.text === oldText;
+                });
+                if (idx === -1) {
+                  await addReaction('-1');
+                  await postComment(
+                    '❌ **PocketBase Bot**: No `' + noteType + '` note found with that exact text.\n\n' +
+                    '**Current notes for `' + slug + '`:**\n' + formatNotesList(notesArr)
+                  );
+                  process.exit(0);
+                }
+                notesArr[idx].text = newText;
+                await patchNotesJson(notesArr);
+                await addReaction('+1');
+                await postComment(
+                  '✅ **PocketBase Bot**: Edited note in **`' + slug + '`**\n\n' +
+                  '- **Type:** `' + noteType + '`\n' +
+                  '- **Old:** ' + oldText + '\n' +
+                  '- **New:** ' + newText + '\n\n' +
+                  '*Executed by @' + actor + '*'
+                );
+
+              } else if (noteAction === 'remove') {
+                const tokens = parseNoteTokens(noteArgsStr);
+                if (tokens.length < 2) {
+                  await addReaction('-1');
+                  await postComment(
+                    '❌ **PocketBase Bot**: `note remove` requires `<type>` and `"<text>"`.\n\n' +
+                    '**Usage:** `/pocketbase ' + slug + ' note remove <type> "<text>"`\n\n' +
+                    'Use `/pocketbase ' + slug + ' note list` to see current notes.'
+                  );
+                  process.exit(0);
+                }
+                const noteType = tokens[0].toLowerCase();
+                const noteText = tokens[1];
+                const before   = notesArr.length;
+                notesArr = notesArr.filter(function (n) {
+                  return !(n.type.toLowerCase() === noteType && n.text === noteText);
+                });
+                if (notesArr.length === before) {
+                  await addReaction('-1');
+                  await postComment(
+                    '❌ **PocketBase Bot**: No `' + noteType + '` note found with that exact text.\n\n' +
+                    '**Current notes for `' + slug + '`:**\n' + formatNotesList(notesArr)
+                  );
+                  process.exit(0);
+                }
+                await patchNotesJson(notesArr);
+                await addReaction('+1');
+                await postComment(
+                  '✅ **PocketBase Bot**: Removed note from **`' + slug + '`**\n\n' +
+                  '- **Type:** `' + noteType + '`\n' +
+                  '- **Text:** ' + noteText + '\n\n' +
+                  '*Executed by @' + actor + '*'
+                );
+              }
+
+            } else if (methodMatch) {
+              // ── METHOD SUBCOMMAND (reads/writes install_methods_json on script record) ──
+              const methodArgs     = rest.replace(/^method\s*/i, '').trim();
+              const methodListMode = !methodArgs || methodArgs.toLowerCase() === 'list';
+
+              // Parse install_methods_json from the already-fetched script record
+              // PocketBase may return JSON fields as already-parsed objects
+              let methodsArr = [];
+              try {
+                const rawMethods = record.install_methods_json;
+                methodsArr = Array.isArray(rawMethods) ? rawMethods : JSON.parse(rawMethods || '[]');
+              } catch (e) { methodsArr = []; }
+
+              function formatMethodsList(arr) {
+                if (arr.length === 0) return '*None*';
+                return arr.map(function (im, i) {
+                  const r = im.resources || {};
+                  return (i + 1) + '. **`' + (im.type || '?') + '`** — CPU: `' + (r.cpu != null ? r.cpu : '?') +
+                    '` · RAM: `' + (r.ram != null ? r.ram : '?') + ' MB` · HDD: `' + (r.hdd != null ? r.hdd : '?') + ' GB`';
+                }).join('\n');
+              }
+
+              async function patchInstallMethodsJson(arr) {
+                const res = await request(recordsUrl + '/' + record.id, {
+                  method: 'PATCH',
+                  headers: { 'Authorization': token, 'Content-Type': 'application/json' },
+                  body: JSON.stringify({ install_methods_json: JSON.stringify(arr) })
+                });
+                if (!res.ok) {
+                  await addReaction('-1');
+                  await postComment('❌ **PocketBase Bot**: Failed to update `install_methods_json`:\n```\n' + res.body + '\n```');
+                  process.exit(1);
+                }
+              }
+
+              if (methodListMode) {
+                await addReaction('+1');
+                await postComment(
+                  'ℹ️ **PocketBase Bot**: Install methods for **`' + slug + '`** (' + methodsArr.length + ' total)\n\n' +
+                  formatMethodsList(methodsArr)
+                );
+              } else {
+                // Parse: <type> cpu=N ram=N hdd=N
+                const methodParts = methodArgs.match(/^(\S+)\s+(.+)$/);
+                if (!methodParts) {
+                  await addReaction('-1');
+                  await postComment(
+                    '❌ **PocketBase Bot**: Invalid `method` syntax.\n\n' +
+                    '**Usage:**\n```\n/pocketbase ' + slug + ' method list\n/pocketbase ' + slug + ' method <type> hdd=10\n/pocketbase ' + slug + ' method <type> cpu=4 ram=2048 hdd=20\n```'
+                  );
+                  process.exit(0);
+                }
+                const targetType   = methodParts[1].toLowerCase();
+                const resourcesStr = methodParts[2];
+
+                // Parse resource fields (only cpu/ram/hdd allowed)
+                const RESOURCE_FIELDS = { cpu: true, ram: true, hdd: true };
+                const resourceChanges = {};
+                const rePairs = /([a-z]+)=(\d+)/gi;
+                let m;
+                while ((m = rePairs.exec(resourcesStr)) !== null) {
+                  const key = m[1].toLowerCase();
+                  if (RESOURCE_FIELDS[key]) resourceChanges[key] = parseInt(m[2], 10);
+                }
+                if (Object.keys(resourceChanges).length === 0) {
+                  await addReaction('-1');
+                  await postComment('❌ **PocketBase Bot**: No valid resource fields found. Use `cpu=N`, `ram=N`, `hdd=N`.');
+                  process.exit(0);
+                }
+
+                // Find matching method by type name (case-insensitive)
+                const idx = methodsArr.findIndex(function (im) {
+                  return (im.type || '').toLowerCase() === targetType;
+                });
+                if (idx === -1) {
+                  await addReaction('-1');
+                  const availableTypes = methodsArr.map(function (im) { return im.type || '?'; });
+                  await postComment(
+                    '❌ **PocketBase Bot**: No install method with type `' + targetType + '` found for `' + slug + '`.\n\n' +
+                    '**Available types:** `' + (availableTypes.length ? availableTypes.join('`, `') : '(none)') + '`\n\n' +
+                    'Use `/pocketbase ' + slug + ' method list` to see all methods.'
+                  );
+                  process.exit(0);
+                }
+
+                if (!methodsArr[idx].resources) methodsArr[idx].resources = {};
+                if (resourceChanges.cpu != null) methodsArr[idx].resources.cpu = resourceChanges.cpu;
+                if (resourceChanges.ram != null) methodsArr[idx].resources.ram = resourceChanges.ram;
+                if (resourceChanges.hdd != null) methodsArr[idx].resources.hdd = resourceChanges.hdd;
+
+                await patchInstallMethodsJson(methodsArr);
+
+                const changesLines = Object.entries(resourceChanges)
+                  .map(function ([k, v]) { return '- `' + k + '` → `' + v + (k === 'ram' ? ' MB' : k === 'hdd' ? ' GB' : '') + '`'; })
+                  .join('\n');
+                await addReaction('+1');
+                await postComment(
+                  '✅ **PocketBase Bot**: Updated install method **`' + methodsArr[idx].type + '`** for **`' + slug + '`**\n\n' +
+                  '**Changes applied:**\n' + changesLines + '\n\n' +
+                  '*Executed by @' + actor + '*'
+                );
+              }
+
+            } else if (setMatch) {
+              // ── SET SUBCOMMAND (multi-line / HTML / special chars via code block) ──
+              const fieldName = setMatch[1].toLowerCase();
+              const SET_ALLOWED = {
+                name: 'string', description: 'string', logo: 'string',
+                documentation: 'string', website: 'string', project_url: 'string', github: 'string',
+                config_path: 'string', disable_message: 'string', deleted_message: 'string'
+              };
+              if (!SET_ALLOWED[fieldName]) {
+                await addReaction('-1');
+                await postComment(
+                  '❌ **PocketBase Bot**: `set` only supports text fields.\n\n' +
+                  '**Allowed:** `' + Object.keys(SET_ALLOWED).join('`, `') + '`\n\n' +
+                  'For boolean/number fields use `field=value` syntax instead.'
+                );
+                process.exit(0);
+              }
+              if (!codeBlockValue) {
+                await addReaction('-1');
+                await postComment(
+                  '❌ **PocketBase Bot**: `set` requires a code block with the value.\n\n' +
+                  '**Usage:**\n````\n/pocketbase ' + slug + ' set ' + fieldName + '\n```\nYour content here (HTML, multiline, special chars all fine)\n```\n````'
+                );
+                process.exit(0);
+              }
+              const setPayload = {};
+              setPayload[fieldName] = codeBlockValue;
+              const setPatchRes = await request(recordsUrl + '/' + record.id, {
+                method: 'PATCH',
+                headers: { 'Authorization': token, 'Content-Type': 'application/json' },
+                body: JSON.stringify(setPayload)
+              });
+              if (!setPatchRes.ok) {
+                await addReaction('-1');
+                await postComment('❌ **PocketBase Bot**: PATCH failed for `' + slug + '`:\n```\n' + setPatchRes.body + '\n```');
+                process.exit(1);
+              }
+              const preview = codeBlockValue.length > 300 ? codeBlockValue.substring(0, 300) + '…' : codeBlockValue;
+              await addReaction('+1');
+              await postComment(
+                '✅ **PocketBase Bot**: Set `' + fieldName + '` for **`' + slug + '`**\n\n' +
+                '**Value set:**\n```\n' + preview + '\n```\n\n' +
+                '*Executed by @' + actor + '*'
+              );
+
+            } else {
+              // ── FIELD=VALUE PATH ─────────────────────────────────────────────
+              const fieldsStr = rest;
+
+              // Skipped: slug, script_created/updated, created (auto), categories/
+              // install_methods/notes/type (relations), github_data/install_methods_json/
+              // notes_json (auto-generated), execute_in (select relation), last_update_commit (auto)
+              const ALLOWED_FIELDS = {
+                name:             'string',
+                description:      'string',
+                logo:             'string',
+                documentation:    'string',
+                website:          'string',
+                project_url:      'string',
+                github:           'string',
+                config_path:      'string',
+                port:             'number',
+                default_user:     'nullable_string',
+                default_passwd:   'nullable_string',
+                updateable:       'boolean',
+                privileged:       'boolean',
+                has_arm:          'boolean',
+                is_dev:           'boolean',
+                is_disabled:      'boolean',
+                disable_message:  'string',
+                is_deleted:       'boolean',
+                deleted_message:  'string',
+              };
+
+              // Field=value parser (handles quoted values and empty=null)
+              function parseFields(str) {
+                const fields = {};
+                let pos = 0;
+                while (pos < str.length) {
+                  while (pos < str.length && /\s/.test(str[pos])) pos++;
+                  if (pos >= str.length) break;
+                  let keyStart = pos;
+                  while (pos < str.length && str[pos] !== '=' && !/\s/.test(str[pos])) pos++;
+                  const key = str.substring(keyStart, pos).trim();
+                  if (!key || pos >= str.length || str[pos] !== '=') { pos++; continue; }
+                  pos++;
+                  let value;
+                  if (str[pos] === '"') {
+                    pos++;
+                    let valStart = pos;
+                    while (pos < str.length && str[pos] !== '"') {
+                      if (str[pos] === '\\') pos++;
+                      pos++;
+                    }
+                    value = str.substring(valStart, pos).replace(/\\"/g, '"');
+                    if (pos < str.length) pos++;
+                  } else {
+                    let valStart = pos;
+                    while (pos < str.length && !/\s/.test(str[pos])) pos++;
+                    value = str.substring(valStart, pos);
+                  }
+                  fields[key] = value;
+                }
+                return fields;
+              }
+
+              const parsedFields = parseFields(fieldsStr);
+
+              const unknownFields = Object.keys(parsedFields).filter(function (f) { return !ALLOWED_FIELDS[f]; });
+              if (unknownFields.length > 0) {
+                await addReaction('-1');
+                await postComment(
+                  '❌ **PocketBase Bot**: Unknown field(s): `' + unknownFields.join('`, `') + '`\n\n' +
+                  '**Allowed fields:** `' + Object.keys(ALLOWED_FIELDS).join('`, `') + '`'
+                );
+                process.exit(0);
+              }
+
+              if (Object.keys(parsedFields).length === 0) {
+                await addReaction('-1');
+                await postComment('❌ **PocketBase Bot**: Could not parse any valid `field=value` pairs.\n\n' + HELP_TEXT);
+                process.exit(0);
+              }
+
+              // Cast values to correct types
+              const payload = {};
+              for (const [key, rawVal] of Object.entries(parsedFields)) {
+                const type = ALLOWED_FIELDS[key];
+                if (type === 'boolean') {
+                  if (rawVal === 'true') payload[key] = true;
+                  else if (rawVal === 'false') payload[key] = false;
+                  else {
+                    await addReaction('-1');
+                    await postComment('❌ **PocketBase Bot**: `' + key + '` must be `true` or `false`, got: `' + rawVal + '`');
+                    process.exit(0);
+                  }
+                } else if (type === 'number') {
+                  const n = parseInt(rawVal, 10);
+                  if (isNaN(n)) {
+                    await addReaction('-1');
+                    await postComment('❌ **PocketBase Bot**: `' + key + '` must be a number, got: `' + rawVal + '`');
+                    process.exit(0);
+                  }
+                  payload[key] = n;
+                } else if (type === 'nullable_string') {
+                  payload[key] = rawVal === '' ? null : rawVal;
+                } else {
+                  payload[key] = rawVal;
+                }
+              }
+
+              const patchRes = await request(recordsUrl + '/' + record.id, {
+                method: 'PATCH',
+                headers: { 'Authorization': token, 'Content-Type': 'application/json' },
+                body: JSON.stringify(payload)
+              });
+              if (!patchRes.ok) {
+                await addReaction('-1');
+                await postComment('❌ **PocketBase Bot**: PATCH failed for `' + slug + '`:\n```\n' + patchRes.body + '\n```');
+                process.exit(1);
+              }
+              await addReaction('+1');
+              const changesLines = Object.entries(payload)
+                .map(function ([k, v]) { return '- `' + k + '` → `' + JSON.stringify(v) + '`'; })
+                .join('\n');
+              await postComment(
+                '✅ **PocketBase Bot**: Updated **`' + slug + '`** successfully!\n\n' +
+                '**Changes applied:**\n' + changesLines + '\n\n' +
+                '*Executed by @' + actor + '*'
+              );
+            }
+
+            console.log('Done.');
+          })().catch(function (e) {
+            console.error('Fatal error:', e.message || e);
+            process.exit(1);
+          });
+          ENDSCRIPT
+        shell: bash

.github/workflows/push-json-to-pocketbase.yml

@@ -48,7 +48,8 @@ jobs:
           const https = require('https');
           const http = require('http');
           const url = require('url');
-          function request(fullUrl, opts) {
+          function request(fullUrl, opts, redirectCount) {
+            redirectCount = redirectCount || 0;
             return new Promise(function(resolve, reject) {
               const u = url.parse(fullUrl);
               const isHttps = u.protocol === 'https:';
@@ -63,6 +64,13 @@ jobs:
               if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
               const lib = isHttps ? https : http;
               const req = lib.request(options, function(res) {
+                if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                  if (redirectCount >= 5) return reject(new Error('Too many redirects from ' + fullUrl));
+                  const redirectUrl = url.resolve(fullUrl, res.headers.location);
+                  res.resume();
+                  resolve(request(redirectUrl, opts, redirectCount + 1));
+                  return;
+                }
                 let data = '';
                 res.on('data', function(chunk) { data += chunk; });
                 res.on('end', function() {
@@ -125,15 +133,15 @@ jobs:
           var osVersionToId = {};
           try {
             const res = await request(apiBase + '/collections/z_ref_note_types/records?perPage=500', { headers: { 'Authorization': token } });
-            if (res.ok) JSON.parse(res.body).items?.forEach(function(item) { if (item.type != null) noteTypeToId[item.type] = item.id; });
+            if (res.ok) JSON.parse(res.body).items?.forEach(function(item) { if (item.type != null) { noteTypeToId[item.type] = item.id; noteTypeToId[item.type.toLowerCase()] = item.id; } });
           } catch (e) { console.warn('z_ref_note_types:', e.message); }
           try {
             const res = await request(apiBase + '/collections/z_ref_install_method_types/records?perPage=500', { headers: { 'Authorization': token } });
-            if (res.ok) JSON.parse(res.body).items?.forEach(function(item) { if (item.type != null) installMethodTypeToId[item.type] = item.id; });
+            if (res.ok) JSON.parse(res.body).items?.forEach(function(item) { if (item.type != null) { installMethodTypeToId[item.type] = item.id; installMethodTypeToId[item.type.toLowerCase()] = item.id; } });
           } catch (e) { console.warn('z_ref_install_method_types:', e.message); }
           try {
             const res = await request(apiBase + '/collections/z_ref_os/records?perPage=500', { headers: { 'Authorization': token } });
-            if (res.ok) JSON.parse(res.body).items?.forEach(function(item) { if (item.os != null) osToId[item.os] = item.id; });
+            if (res.ok) JSON.parse(res.body).items?.forEach(function(item) { if (item.os != null) { osToId[item.os] = item.id; osToId[item.os.toLowerCase()] = item.id; } });
           } catch (e) { console.warn('z_ref_os:', e.message); }
           try {
             const res = await request(apiBase + '/collections/z_ref_os_version/records?perPage=500&expand=os', { headers: { 'Authorization': token } });
@@ -154,7 +162,7 @@ jobs:
               name: data.name,
               slug: data.slug,
               script_created: data.date_created || data.script_created,
-              script_updated: data.date_created || data.script_updated,
+              script_updated: new Date().toISOString().split('T')[0],
               updateable: data.updateable,
               privileged: data.privileged,
               port: data.interface_port != null ? data.interface_port : data.port,
@@ -163,8 +171,8 @@ jobs:
               logo: data.logo,
               description: data.description,
               config_path: data.config_path,
-              default_user: (data.default_credentials && data.default_credentials.username) || data.default_user,
+              default_user: (data.default_credentials && data.default_credentials.username) || data.default_user || null,
-              default_passwd: (data.default_credentials && data.default_credentials.password) || data.default_passwd,
+              default_passwd: (data.default_credentials && data.default_credentials.password) || data.default_passwd || null,
               is_dev: false
             };
             var resolvedType = typeValueToId[data.type];
@@ -190,7 +198,7 @@ jobs:
                 var postRes = await request(notesCollUrl, {
                   method: 'POST',
                   headers: { 'Authorization': token, 'Content-Type': 'application/json' },
-                  body: JSON.stringify({ text: note.text || '', type: typeId })
+                  body: JSON.stringify({ text: note.text || '', type: typeId, script: scriptId })
                 });
                 if (postRes.ok) noteIds.push(JSON.parse(postRes.body).id);
               }

.github/workflows/update-script-timestamp-on-sh-change.yml

@@ -83,7 +83,8 @@ jobs:
             const http = require('http');
             const url = require('url');
 
-            function request(fullUrl, opts) {
+            function request(fullUrl, opts, redirectCount) {
+              redirectCount = redirectCount || 0;
               return new Promise(function(resolve, reject) {
                 const u = url.parse(fullUrl);
                 const isHttps = u.protocol === 'https:';
@@ -98,6 +99,13 @@ jobs:
                 if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
                 const lib = isHttps ? https : http;
                 const req = lib.request(options, function(res) {
+                  if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+                    if (redirectCount >= 5) return reject(new Error('Too many redirects from ' + fullUrl));
+                    const redirectUrl = url.resolve(fullUrl, res.headers.location);
+                    res.resume();
+                    resolve(request(redirectUrl, opts, redirectCount + 1));
+                    return;
+                  }
                   let data = '';
                   res.on('data', function(chunk) { data += chunk; });
                   res.on('end', function() {
@@ -151,7 +159,7 @@ jobs:
                 method: 'PATCH',
                 headers: { 'Authorization': token, 'Content-Type': 'application/json' },
                 body: JSON.stringify({
-                  name: record.name || record.slug,
+                  script_updated: new Date().toISOString().split('T')[0],
                   last_update_commit: process.env.PR_URL || process.env.COMMIT_URL || ''
                 })
               });

CHANGELOG.md

@@ -423,27 +423,55 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-03-19
+
+### 🚀 Updated Scripts
+
+  - Owncast: increase default disk size from 2GB to 10GB [@Copilot](https://github.com/Copilot) ([#13079](https://github.com/community-scripts/ProxmoxVE/pull/13079))
+
+  - #### 🐞 Bug Fixes
+
+    - Increase Tracearr RAM; derive APP_VERSION [@MickLesk](https://github.com/MickLesk) ([#13087](https://github.com/community-scripts/ProxmoxVE/pull/13087))
+    - ProjectSend: Update application access URL [@tremor021](https://github.com/tremor021) ([#13078](https://github.com/community-scripts/ProxmoxVE/pull/13078))
+    - Dispatcharr: use npm install --no-audit --progress=false [@MickLesk](https://github.com/MickLesk) ([#13074](https://github.com/community-scripts/ProxmoxVE/pull/13074))
+    - core: reorder hwaccel setup and adjust GPU group usermod [@MickLesk](https://github.com/MickLesk) ([#13072](https://github.com/community-scripts/ProxmoxVE/pull/13072))
+
+### 📚 Documentation
+
+  - github: add PocketBase bot workflow [@MickLesk](https://github.com/MickLesk) ([#13075](https://github.com/community-scripts/ProxmoxVE/pull/13075))
+
 ## 2026-03-18
 
 ### 🆕 New Scripts
 
-  - split-pro ([#12975](https://github.com/community-scripts/ProxmoxVE/pull/12975))
+  - Alpine-Ntfy [@MickLesk](https://github.com/MickLesk) ([#13048](https://github.com/community-scripts/ProxmoxVE/pull/13048))
+- Split-Pro ([#12975](https://github.com/community-scripts/ProxmoxVE/pull/12975))
 
 ### 🚀 Updated Scripts
 
   - #### 🐞 Bug Fixes
 
+    - Tdarr: use curl_with_retry and correct exit code [@MickLesk](https://github.com/MickLesk) ([#13060](https://github.com/community-scripts/ProxmoxVE/pull/13060))
+    - reitti: fix: v4 [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13039](https://github.com/community-scripts/ProxmoxVE/pull/13039))
     - Paperless-NGX: increase default RAM to 3GB [@MickLesk](https://github.com/MickLesk) ([#13018](https://github.com/community-scripts/ProxmoxVE/pull/13018))
     - Plex: restart service after update to apply new version [@MickLesk](https://github.com/MickLesk) ([#13017](https://github.com/community-scripts/ProxmoxVE/pull/13017))
 
+  - #### ✨ New Features
+
+    - tools: centralize GPU group setup via setup_hwaccel [@MickLesk](https://github.com/MickLesk) ([#13044](https://github.com/community-scripts/ProxmoxVE/pull/13044))
+    - Termix: add guacd build and systemd integration [@MickLesk](https://github.com/MickLesk) ([#12999](https://github.com/community-scripts/ProxmoxVE/pull/12999))
+
   - #### 🔧 Refactor
 
+    - Podman: replace deprecated commands with Quadlets [@MickLesk](https://github.com/MickLesk) ([#13052](https://github.com/community-scripts/ProxmoxVE/pull/13052))
+    - Refactor: Jellyfin repo, ffmpeg package and symlinks [@MickLesk](https://github.com/MickLesk) ([#13045](https://github.com/community-scripts/ProxmoxVE/pull/13045))
     - pve-scripts-local: Increase default disk size from 4GB to 10GB [@MickLesk](https://github.com/MickLesk) ([#13009](https://github.com/community-scripts/ProxmoxVE/pull/13009))
 
 ### 💾 Core
 
   - #### ✨ New Features
 
+    - tools.func Implement pg_cron setup for setup_postgresql [@MickLesk](https://github.com/MickLesk) ([#13053](https://github.com/community-scripts/ProxmoxVE/pull/13053))
     - tools.func: Implement check_for_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#12998](https://github.com/community-scripts/ProxmoxVE/pull/12998))
     - tools.func: Implement fetch_and_deploy_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#13000](https://github.com/community-scripts/ProxmoxVE/pull/13000))
 

ct/alpine-ntfy.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: cobalt (cobaltgit)
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://ntfy.sh/
+
+APP="Alpine-ntfy"
+var_tags="${var_tags:-notification}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-256}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-alpine}"
+var_version="${var_version:-3.23}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+  if [[ ! -d /etc/ntfy ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+  msg_info "Updating ntfy LXC"
+  $STD apk -U upgrade
+  setcap 'cap_net_bind_service=+ep' /usr/bin/ntfy
+  msg_ok "Updated ntfy LXC"
+
+  msg_info "Restarting ntfy"
+  rc-service ntfy restart
+  msg_ok "Restarted ntfy"
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"

ct/dispatcharr.sh

@@ -110,7 +110,9 @@ function update_script() {
 
     msg_info "Building Frontend"
     cd /opt/dispatcharr/frontend
-    $STD npm install --legacy-peer-deps
+    node -e "const p=require('./package.json');p.overrides=p.overrides||{};p.overrides['webworkify-webpack']='2.1.3';require('fs').writeFileSync('package.json',JSON.stringify(p,null,2));"
+    rm -f package-lock.json
+    $STD npm install --no-audit --progress=false
     $STD npm run build
     msg_ok "Built Frontend"
 

ct/headers/alpine-ntfy

@@ -0,0 +1,6 @@
+    ___    __      _                        __  ____     
+   /   |  / /___  (_)___  ___        ____  / /_/ __/_  __
+  / /| | / / __ \/ / __ \/ _ \______/ __ \/ __/ /_/ / / /
+ / ___ |/ / /_/ / / / / /  __/_____/ / / / /_/ __/ /_/ / 
+/_/  |_/_/ .___/_/_/ /_/\___/     /_/ /_/\__/_/  \__, /  
+        /_/                                     /____/   

ct/jellyfin.sh

@@ -39,14 +39,23 @@ function update_script() {
     msg_ok "Updated Intel Dependencies"
   fi
 
+  msg_info "Setting up Jellyfin Repository"
+  setup_deb822_repo \
+    "jellyfin" \
+    "https://repo.jellyfin.org/jellyfin_team.gpg.key" \
+    "https://repo.jellyfin.org/$(get_os_info id)" \
+    "$(get_os_info codename)"
+  msg_ok "Set up Jellyfin Repository"
+
   msg_info "Updating Jellyfin"
   ensure_dependencies libjemalloc2
   if [[ ! -f /usr/lib/libjemalloc.so ]]; then
     ln -sf /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 /usr/lib/libjemalloc.so
   fi
-  $STD apt update
   $STD apt -y upgrade
-  $STD apt -y --with-new-pkgs upgrade jellyfin jellyfin-server
+  $STD apt -y --with-new-pkgs upgrade jellyfin jellyfin-server jellyfin-ffmpeg7
+  ln -sf /usr/lib/jellyfin-ffmpeg/ffmpeg /usr/bin/ffmpeg
+  ln -sf /usr/lib/jellyfin-ffmpeg/ffprobe /usr/bin/ffprobe
   msg_ok "Updated Jellyfin"
   msg_ok "Updated successfully!"
   exit

ct/owncast.sh

@@ -9,7 +9,7 @@ APP="Owncast"
 var_tags="${var_tags:-broadcasting}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-2048}"
-var_disk="${var_disk:-2}"
+var_disk="${var_disk:-10}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"

ct/podman-homeassistant.sh

@@ -23,7 +23,7 @@ function update_script() {
   header_info
   check_container_storage
   check_container_resources
-  if [[ ! -f /etc/systemd/system/homeassistant.service ]]; then
+  if [[ ! -f /etc/containers/systemd/homeassistant.container ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi

ct/projectsend.sh

@@ -60,4 +60,4 @@ description
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}/install for the initial setup${CL}"

ct/tdarr.sh

@@ -33,12 +33,16 @@ function update_script() {
   $STD apt upgrade -y
   rm -rf /opt/tdarr/Tdarr_Updater
   cd /opt/tdarr
-  RELEASE=$(curl -fsSL https://f000.backblazeb2.com/file/tdarrs/versions.json | grep -oP '(?<="Tdarr_Updater": ")[^"]+' | grep linux_x64 | head -n 1)
+  RELEASE=$(curl_with_retry "https://f000.backblazeb2.com/file/tdarrs/versions.json" "-" | grep -oP '(?<="Tdarr_Updater": ")[^"]+' | grep linux_x64 | head -n 1)
-  curl -fsSL "$RELEASE" -o Tdarr_Updater.zip
+  curl_with_retry "$RELEASE" "Tdarr_Updater.zip"
   $STD unzip Tdarr_Updater.zip
   chmod +x Tdarr_Updater
   $STD ./Tdarr_Updater
   rm -rf /opt/tdarr/Tdarr_Updater.zip
+  [[ -f /opt/tdarr/Tdarr_Server/Tdarr_Server ]] || {
+    msg_error "Tdarr_Updater failed — tdarr.io may be blocked by local DNS"
+    exit 250
+  }
   msg_ok "Updated Tdarr"
   msg_ok "Updated successfully!"
   exit

ct/termix.sh

@@ -29,10 +29,116 @@ function update_script() {
     exit
   fi
 
+  if check_for_gh_tag "guacd" "apache/guacamole-server"; then
+    msg_info "Stopping guacd"
+    systemctl stop guacd 2>/dev/null || true
+    msg_ok "Stopped guacd"
+
+    ensure_dependencies \
+      libcairo2-dev \
+      libjpeg62-turbo-dev \
+      libpng-dev \
+      libtool-bin \
+      uuid-dev \
+      libvncserver-dev \
+      freerdp3-dev \
+      libssh2-1-dev \
+      libtelnet-dev \
+      libwebsockets-dev \
+      libpulse-dev \
+      libvorbis-dev \
+      libwebp-dev \
+      libssl-dev \
+      libpango1.0-dev \
+      libswscale-dev \
+      libavcodec-dev \
+      libavutil-dev \
+      libavformat-dev
+
+    msg_info "Updating Guacamole Server (guacd)"
+    fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server" "${CHECK_UPDATE_RELEASE}" "/opt/guacamole-server"
+    cd /opt/guacamole-server
+    export CPPFLAGS="-Wno-error=deprecated-declarations"
+    $STD autoreconf -fi
+    $STD ./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots
+    $STD make
+    $STD make install
+    $STD ldconfig
+    cd /opt
+    rm -rf /opt/guacamole-server
+    msg_ok "Updated Guacamole Server (guacd) to ${CHECK_UPDATE_RELEASE}"
+
+    if [[ ! -f /etc/guacamole/guacd.conf ]]; then
+      mkdir -p /etc/guacamole
+      cat <<EOF >/etc/guacamole/guacd.conf
+[server]
+bind_host = 127.0.0.1
+bind_port = 4822
+EOF
+    fi
+
+    if [[ ! -f /etc/systemd/system/guacd.service ]] || grep -q "Type=forking" /etc/systemd/system/guacd.service 2>/dev/null; then
+      cat <<EOF >/etc/systemd/system/guacd.service
+[Unit]
+Description=Guacamole Proxy Daemon (guacd)
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/sbin/guacd -f -b 127.0.0.1 -l 4822
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    fi
+
+    if ! grep -q "guacd.service" /etc/systemd/system/termix.service 2>/dev/null; then
+      sed -i '/^After=network.target/s/$/ guacd.service/' /etc/systemd/system/termix.service
+      sed -i '/^\[Unit\]/a Wants=guacd.service' /etc/systemd/system/termix.service
+    fi
+
+    systemctl daemon-reload
+    systemctl enable -q --now guacd
+  fi
+
   if check_for_gh_release "termix" "Termix-SSH/Termix"; then
-    msg_info "Stopping Service"
+    msg_info "Stopping Termix"
     systemctl stop termix
-    msg_ok "Stopped Service"
+    msg_ok "Stopped Termix"
+
+    msg_info "Migrating Configuration"
+    if [[ ! -f /opt/termix/.env ]]; then
+      cat <<EOF >/opt/termix/.env
+NODE_ENV=production
+DATA_DIR=/opt/termix/data
+GUACD_HOST=127.0.0.1
+GUACD_PORT=4822
+EOF
+    fi
+    if ! grep -q "EnvironmentFile" /etc/systemd/system/termix.service 2>/dev/null; then
+      cat <<EOF >/etc/systemd/system/termix.service
+[Unit]
+Description=Termix Backend
+After=network.target guacd.service
+Wants=guacd.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/termix
+EnvironmentFile=/opt/termix/.env
+ExecStart=/usr/bin/node /opt/termix/dist/backend/backend/starter.js
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+      systemctl daemon-reload
+    fi
+    msg_ok "Migrated Configuration"
 
     msg_info "Backing up Data"
     cp -r /opt/termix/data /opt/termix_data_backup
@@ -95,16 +201,16 @@ function update_script() {
       sed -i 's|/app/html|/opt/termix/html|g' /etc/nginx/nginx.conf
       sed -i 's|/app/nginx|/opt/termix/nginx|g' /etc/nginx/nginx.conf
       sed -i 's|listen ${PORT};|listen 80;|g' /etc/nginx/nginx.conf
-      
+
       nginx -t && systemctl reload nginx
       msg_ok "Updated Nginx Configuration"
     else
       msg_warn "Nginx configuration not updated. If Termix doesn't work, restore from backup or update manually."
     fi
 
-    msg_info "Starting Service"
+    msg_info "Starting Termix"
     systemctl start termix
-    msg_ok "Started Service"
+    msg_ok "Started Termix"
     msg_ok "Updated successfully!"
   fi
   exit

ct/tracearr.sh

@@ -8,7 +8,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 APP="Tracearr"
 var_tags="${var_tags:-media}"
 var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-2048}"
+var_ram="${var_ram:-4096}"
 var_disk="${var_disk:-10}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
@@ -140,7 +140,7 @@ EOF
     msg_ok "Built Tracearr"
 
     msg_info "Configuring Tracearr"
-    sed -i "s/^APP_VERSION=.*/APP_VERSION=$(cat /root/.tracearr)/" /data/tracearr/.env
+    sed -i "s|^APP_VERSION=.*|APP_VERSION=${CHECK_UPDATE_RELEASE#v}|" /data/tracearr/.env
     chmod 600 /data/tracearr/.env
     chown -R tracearr:tracearr /data/tracearr
     mkdir -p /data/backup

install/alpine-ntfy-install.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: cobalt (cobaltgit)
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://ntfy.sh/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing ntfy"
+$STD apk add --no-cache ntfy ntfy-openrc libcap
+sed -i '/^listen-http/s/^\(.*\)$/#\1\n/' /etc/ntfy/server.yml
+setcap 'cap_net_bind_service=+ep' /usr/bin/ntfy
+$STD rc-update add ntfy default
+$STD service ntfy start
+msg_ok "Installed ntfy"
+
+motd_ssh
+customize

install/channels-install.sh

@@ -35,7 +35,6 @@ setup_hwaccel
 msg_info "Installing Channels DVR Server (Patience)"
 cd /opt
 $STD bash <(curl -fsSL https://getchannels.com/dvr/setup.sh)
-sed -i -e 's/^sgx:x:104:$/render:x:104:root/' -e 's/^render:x:106:root$/sgx:x:106:/' /etc/group
 msg_ok "Installed Channels DVR Server"
 
 motd_ssh

install/dispatcharr-install.sh

@@ -66,7 +66,9 @@ CELERY_BROKER_URL=redis://localhost:6379/0
 DJANGO_SECRET_KEY=$DJANGO_SECRET
 EOF
 cd /opt/dispatcharr/frontend
-$STD npm install --legacy-peer-deps
+node -e "const p=require('./package.json');p.overrides=p.overrides||{};p.overrides['webworkify-webpack']='2.1.3';require('fs').writeFileSync('package.json',JSON.stringify(p,null,2));"
+rm -f package-lock.json
+$STD npm install --no-audit --progress=false
 $STD npm run build
 msg_ok "Configured Dispatcharr"
 

install/emby-install.sh

@@ -13,17 +13,9 @@ setting_up_container
 network_check
 update_os
 
-setup_hwaccel
-
 fetch_and_deploy_gh_release "emby" "MediaBrowser/Emby.Releases" "binary"
 
-msg_info "Configuring Emby"
+setup_hwaccel "emby"
-if [[ "$CTTYPE" == "0" ]]; then
-  sed -i -e 's/^ssl-cert:x:104:$/render:x:104:root,emby/' -e 's/^render:x:108:root,emby$/ssl-cert:x:108:/' /etc/group
-else
-  sed -i -e 's/^ssl-cert:x:104:$/render:x:104:emby/' -e 's/^render:x:108:emby$/ssl-cert:x:108:/' /etc/group
-fi
-msg_ok "Configured Emby"
 
 motd_ssh
 customize

install/jellyfin-install.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2021-2026 tteck
+# Copyright (c) 2021-2026 community-scripts ORG
-# Author: tteck (tteckster)
+# Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://jellyfin.org/
 
@@ -14,31 +14,31 @@ network_check
 update_os
 
 msg_custom "ℹ️" "${GN}" "If NVIDIA GPU passthrough is detected, you'll be asked whether to install drivers in the container"
-setup_hwaccel
 
-msg_info "Installing Jellyfin"
+msg_info "Installing Dependencies"
-VERSION="$(awk -F'=' '/^VERSION_CODENAME=/{ print $NF }' /etc/os-release)"
+ensure_dependencies libjemalloc2
-if ! dpkg -s libjemalloc2 >/dev/null 2>&1; then
-  $STD apt install -y libjemalloc2
-fi
 if [[ ! -f /usr/lib/libjemalloc.so ]]; then
   ln -sf /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 /usr/lib/libjemalloc.so
 fi
-if [[ ! -d /etc/apt/keyrings ]]; then
+msg_ok "Installed Dependencies"
-  mkdir -p /etc/apt/keyrings
-fi
-curl -fsSL https://repo.jellyfin.org/jellyfin_team.gpg.key | gpg --dearmor --yes --output /etc/apt/keyrings/jellyfin.gpg
-cat <<EOF >/etc/apt/sources.list.d/jellyfin.sources
-Types: deb
-URIs: https://repo.jellyfin.org/${PCT_OSTYPE}
-Suites: ${VERSION}
-Components: main
-Architectures: amd64
-Signed-By: /etc/apt/keyrings/jellyfin.gpg
-EOF
 
-$STD apt update
+msg_info "Setting up Jellyfin Repository"
-$STD apt install -y jellyfin
+setup_deb822_repo \
+  "jellyfin" \
+  "https://repo.jellyfin.org/jellyfin_team.gpg.key" \
+  "https://repo.jellyfin.org/$(get_os_info id)" \
+  "$(get_os_info codename)"
+msg_ok "Set up Jellyfin Repository"
+
+msg_info "Installing Jellyfin"
+$STD apt install -y jellyfin jellyfin-ffmpeg7
+ln -sf /usr/lib/jellyfin-ffmpeg/ffmpeg /usr/bin/ffmpeg
+ln -sf /usr/lib/jellyfin-ffmpeg/ffprobe /usr/bin/ffprobe
+msg_ok "Installed Jellyfin"
+
+setup_hwaccel "jellyfin"
+
+msg_info "Configuring Jellyfin"
 # Configure log rotation to prevent disk fill (keeps fail2ban compatibility) (PR: #1690 / Issue: #11224)
 cat <<EOF >/etc/logrotate.d/jellyfin
 /var/log/jellyfin/*.log {
@@ -55,12 +55,7 @@ EOF
 chown -R jellyfin:adm /etc/jellyfin
 sleep 10
 systemctl restart jellyfin
-if [[ "$CTTYPE" == "0" ]]; then
+msg_ok "Configured Jellyfin"
-  sed -i -e 's/^ssl-cert:x:104:$/render:x:104:root,jellyfin/' -e 's/^render:x:108:root,jellyfin$/ssl-cert:x:108:/' /etc/group
-else
-  sed -i -e 's/^ssl-cert:x:104:$/render:x:104:jellyfin/' -e 's/^render:x:108:jellyfin$/ssl-cert:x:108:/' /etc/group
-fi
-msg_ok "Installed Jellyfin"
 
 motd_ssh
 customize

install/ollama-install.sh

@@ -42,8 +42,6 @@ EOF
 $STD apt update
 msg_ok "Set up Intel® Repositories"
 
-setup_hwaccel
-
 msg_info "Installing Intel® Level Zero"
 # Debian 13+ has newer Level Zero packages in system repos that conflict with Intel repo packages
 if is_debian && [[ "$(get_os_version_major)" -ge 13 ]]; then
@@ -89,11 +87,11 @@ msg_info "Creating ollama User and Group"
 if ! id ollama >/dev/null 2>&1; then
   useradd -r -s /usr/sbin/nologin -U -m -d /usr/share/ollama ollama
 fi
-$STD usermod -aG render ollama || true
-$STD usermod -aG video ollama || true
 $STD usermod -aG ollama $(id -u -n)
 msg_ok "Created ollama User and adjusted Groups"
 
+setup_hwaccel "ollama"
+
 msg_info "Creating Service"
 cat <<EOF >/etc/systemd/system/ollama.service
 [Unit]

install/plex-install.sh

@@ -13,8 +13,6 @@ setting_up_container
 network_check
 update_os
 
-setup_hwaccel
-
 msg_info "Setting Up Plex Media Server Repository"
 setup_deb822_repo \
   "plexmediaserver" \
@@ -26,13 +24,10 @@ msg_ok "Set Up Plex Media Server Repository"
 
 msg_info "Installing Plex Media Server"
 $STD apt install -y plexmediaserver
-if [[ "$CTTYPE" == "0" ]]; then
-  sed -i -e 's/^ssl-cert:x:104:plex$/render:x:104:root,plex/' -e 's/^render:x:108:root$/ssl-cert:x:108:plex/' /etc/group
-else
-  sed -i -e 's/^ssl-cert:x:104:plex$/render:x:104:plex/' -e 's/^render:x:108:$/ssl-cert:x:108:/' /etc/group
-fi
 msg_ok "Installed Plex Media Server"
 
+setup_hwaccel "plex"
+
 motd_ssh
 customize
 cleanup_lxc

install/podman-homeassistant-install.sh

@@ -45,32 +45,58 @@ systemctl enable -q --now podman.socket
 echo -e 'unqualified-search-registries=["docker.io"]' >>/etc/containers/registries.conf
 msg_ok "Installed Podman"
 
+mkdir -p /etc/containers/systemd
+
 read -r -p "${TAB3}Would you like to add Portainer? <y/N> " prompt
 if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
   msg_info "Installing Portainer $PORTAINER_LATEST_VERSION"
   podman volume create portainer_data >/dev/null
-  $STD podman run -d \
+  cat <<EOF >/etc/containers/systemd/portainer.container
-    -p 8000:8000 \
+[Unit]
-    -p 9443:9443 \
+Description=Portainer Container
-    --name=portainer \
+After=network-online.target
-    --restart=always \
+
-    -v /run/podman/podman.sock:/var/run/docker.sock \
+[Container]
-    -v portainer_data:/data \
+Image=docker.io/portainer/portainer-ce:latest
-    portainer/portainer-ce:latest
+ContainerName=portainer
+PublishPort=8000:8000
+PublishPort=9443:9443
+Volume=/run/podman/podman.sock:/var/run/docker.sock
+Volume=portainer_data:/data
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target multi-user.target
+EOF
+  systemctl daemon-reload
+  $STD systemctl start portainer
   msg_ok "Installed Portainer $PORTAINER_LATEST_VERSION"
 else
   read -r -p "${TAB3}Would you like to add the Portainer Agent? <y/N> " prompt
   if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
     msg_info "Installing Portainer agent $PORTAINER_AGENT_LATEST_VERSION"
-    podman volume create temp >/dev/null
+    cat <<EOF >/etc/containers/systemd/portainer-agent.container
-    podman volume remove temp >/dev/null
+[Unit]
-    $STD podman run -d \
+Description=Portainer Agent Container
-      -p 9001:9001 \
+After=network-online.target
-      --name portainer_agent \
+
-      --restart=always \
+[Container]
-      -v /run/podman/podman.sock:/var/run/docker.sock \
+Image=docker.io/portainer/agent:latest
-      -v /var/lib/containers/storage/volumes:/var/lib/docker/volumes \
+ContainerName=portainer_agent
-      portainer/agent
+PublishPort=9001:9001
+Volume=/run/podman/podman.sock:/var/run/docker.sock
+Volume=/var/lib/containers/storage/volumes:/var/lib/docker/volumes
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target multi-user.target
+EOF
+    systemctl daemon-reload
+    $STD systemctl start portainer-agent
     msg_ok "Installed Portainer Agent $PORTAINER_AGENT_LATEST_VERSION"
   fi
 fi
@@ -81,19 +107,29 @@ msg_ok "Pulled Home Assistant Image"
 
 msg_info "Installing Home Assistant"
 $STD podman volume create hass_config
-$STD podman run -d \
+cat <<EOF >/etc/containers/systemd/homeassistant.container
-  --name homeassistant \
+[Unit]
-  --restart unless-stopped \
+Description=Home Assistant Container
-  -v /dev:/dev \
+After=network-online.target
-  -v hass_config:/config \
+
-  -v /etc/localtime:/etc/localtime:ro \
+[Container]
-  -v /etc/timezone:/etc/timezone:ro \
+Image=docker.io/homeassistant/home-assistant:stable
-  --net=host \
+ContainerName=homeassistant
-  homeassistant/home-assistant:stable
+Volume=/dev:/dev
-podman generate systemd \
+Volume=hass_config:/config
-  --new --name homeassistant \
+Volume=/etc/localtime:/etc/localtime:ro
-  >/etc/systemd/system/homeassistant.service
+Volume=/etc/timezone:/etc/timezone:ro
-systemctl enable -q --now homeassistant
+Network=host
+
+[Service]
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=default.target multi-user.target
+EOF
+systemctl daemon-reload
+$STD systemctl start homeassistant
 msg_ok "Installed Home Assistant"
 
 motd_ssh

install/podman-install.sh

@@ -45,32 +45,58 @@ systemctl enable -q --now podman.socket
 echo -e 'unqualified-search-registries=["docker.io"]' >>/etc/containers/registries.conf
 msg_ok "Installed Podman"
 
+mkdir -p /etc/containers/systemd
+
 read -r -p "${TAB3}Would you like to add Portainer? <y/N> " prompt
 if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
   msg_info "Installing Portainer $PORTAINER_LATEST_VERSION"
   podman volume create portainer_data >/dev/null
-  $STD podman run -d \
+  cat <<EOF >/etc/containers/systemd/portainer.container
-    -p 8000:8000 \
+[Unit]
-    -p 9443:9443 \
+Description=Portainer Container
-    --name=portainer \
+After=network-online.target
-    --restart=always \
+
-    -v /run/podman/podman.sock:/var/run/docker.sock \
+[Container]
-    -v portainer_data:/data \
+Image=docker.io/portainer/portainer-ce:latest
-    portainer/portainer-ce:latest
+ContainerName=portainer
+PublishPort=8000:8000
+PublishPort=9443:9443
+Volume=/run/podman/podman.sock:/var/run/docker.sock
+Volume=portainer_data:/data
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target multi-user.target
+EOF
+  systemctl daemon-reload
+  $STD systemctl start portainer
   msg_ok "Installed Portainer $PORTAINER_LATEST_VERSION"
 else
   read -r -p "${TAB3}Would you like to add the Portainer Agent? <y/N> " prompt
   if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
     msg_info "Installing Portainer agent $PORTAINER_AGENT_LATEST_VERSION"
-    podman volume create temp >/dev/null
+    cat <<EOF >/etc/containers/systemd/portainer-agent.container
-    podman volume remove temp >/dev/null
+[Unit]
-    $STD podman run -d \
+Description=Portainer Agent Container
-      -p 9001:9001 \
+After=network-online.target
-      --name portainer_agent \
+
-      --restart=always \
+[Container]
-      -v /run/podman/podman.sock:/var/run/docker.sock \
+Image=docker.io/portainer/agent:latest
-      -v /var/lib/containers/storage/volumes:/var/lib/docker/volumes \
+ContainerName=portainer_agent
-      portainer/agent
+PublishPort=9001:9001
+Volume=/run/podman/podman.sock:/var/run/docker.sock
+Volume=/var/lib/containers/storage/volumes:/var/lib/docker/volumes
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=default.target multi-user.target
+EOF
+    systemctl daemon-reload
+    $STD systemctl start portainer-agent
     msg_ok "Installed Portainer Agent $PORTAINER_AGENT_LATEST_VERSION"
   fi
 fi

install/tdarr-install.sh

@@ -20,12 +20,16 @@ msg_ok "Installed Dependencies"
 msg_info "Installing Tdarr"
 mkdir -p /opt/tdarr
 cd /opt/tdarr
-RELEASE=$(curl -fsSL https://f000.backblazeb2.com/file/tdarrs/versions.json | grep -oP '(?<="Tdarr_Updater": ")[^"]+' | grep linux_x64 | head -n 1)
+RELEASE=$(curl_with_retry "https://f000.backblazeb2.com/file/tdarrs/versions.json" "-" | grep -oP '(?<="Tdarr_Updater": ")[^"]+' | grep linux_x64 | head -n 1)
-curl -fsSL "$RELEASE" -o Tdarr_Updater.zip
+curl_with_retry "$RELEASE" "Tdarr_Updater.zip"
 $STD unzip Tdarr_Updater.zip
 chmod +x Tdarr_Updater
 $STD ./Tdarr_Updater
 rm -rf /opt/tdarr/Tdarr_Updater.zip
+[[ -f /opt/tdarr/Tdarr_Server/Tdarr_Server ]] || {
+  msg_error "Tdarr_Updater failed — tdarr.io may be blocked by local DNS"
+  exit 250
+}
 msg_ok "Installed Tdarr"
 
 setup_hwaccel

install/termix-install.sh

@@ -19,9 +19,41 @@ $STD apt install -y \
   python3 \
   nginx \
   openssl \
-  gettext-base
+  gettext-base \
+  libcairo2-dev \
+  libjpeg62-turbo-dev \
+  libpng-dev \
+  libtool-bin \
+  uuid-dev \
+  libvncserver-dev \
+  freerdp3-dev \
+  libssh2-1-dev \
+  libtelnet-dev \
+  libwebsockets-dev \
+  libpulse-dev \
+  libvorbis-dev \
+  libwebp-dev \
+  libssl-dev \
+  libpango1.0-dev \
+  libswscale-dev \
+  libavcodec-dev \
+  libavutil-dev \
+  libavformat-dev
 msg_ok "Installed Dependencies"
 
+msg_info "Building Guacamole Server (guacd)"
+fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server" "latest" "/opt/guacamole-server"
+cd /opt/guacamole-server
+export CPPFLAGS="-Wno-error=deprecated-declarations"
+$STD autoreconf -fi
+$STD ./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots
+$STD make
+$STD make install
+$STD ldconfig
+cd /opt
+rm -rf /opt/guacamole-server
+msg_ok "Built Guacamole Server (guacd)"
+
 NODE_VERSION="22" setup_nodejs
 fetch_and_deploy_gh_release "termix" "Termix-SSH/Termix"
 
@@ -74,17 +106,46 @@ systemctl reload nginx
 msg_ok "Configured Nginx"
 
 msg_info "Creating Service"
+mkdir -p /etc/guacamole
+cat <<EOF >/etc/guacamole/guacd.conf
+[server]
+bind_host = 127.0.0.1
+bind_port = 4822
+EOF
+
+cat <<EOF >/opt/termix/.env
+NODE_ENV=production
+DATA_DIR=/opt/termix/data
+GUACD_HOST=127.0.0.1
+GUACD_PORT=4822
+EOF
+
+cat <<EOF >/etc/systemd/system/guacd.service
+[Unit]
+Description=Guacamole Proxy Daemon (guacd)
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/sbin/guacd -f -b 127.0.0.1 -l 4822
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
 cat <<EOF >/etc/systemd/system/termix.service
 [Unit]
 Description=Termix Backend
-After=network.target
+After=network.target guacd.service
+Wants=guacd.service
 
 [Service]
 Type=simple
 User=root
 WorkingDirectory=/opt/termix
-Environment=NODE_ENV=production
+EnvironmentFile=/opt/termix/.env
-Environment=DATA_DIR=/opt/termix/data
 ExecStart=/usr/bin/node /opt/termix/dist/backend/backend/starter.js
 Restart=on-failure
 RestartSec=5
@@ -92,7 +153,7 @@ RestartSec=5
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl enable -q --now termix
+systemctl enable -q --now guacd termix
 msg_ok "Created Service"
 
 motd_ssh

misc/tools.func

@@ -1979,6 +1979,47 @@ extract_version_from_json() {
   fi
 }
 
+# ------------------------------------------------------------------------------
+# Get latest GitHub tag (for repos that only publish tags, not releases).
+#
+# Usage:
+#   get_latest_gh_tag "owner/repo" [prefix]
+#
+# Arguments:
+#   $1 - GitHub repo (owner/repo)
+#   $2 - Optional prefix filter (e.g., "v" to only match tags starting with "v")
+#
+# Returns:
+#   Latest tag name (stdout), or returns 1 on failure
+# ------------------------------------------------------------------------------
+get_latest_gh_tag() {
+  local repo="$1"
+  local prefix="${2:-}"
+  local temp_file
+  temp_file=$(mktemp)
+
+  if ! github_api_call "https://api.github.com/repos/${repo}/tags?per_page=50" "$temp_file"; then
+    rm -f "$temp_file"
+    return 1
+  fi
+
+  local tag=""
+  if [[ -n "$prefix" ]]; then
+    tag=$(jq -r --arg p "$prefix" '[.[] | select(.name | startswith($p))][0].name // empty' "$temp_file")
+  else
+    tag=$(jq -r '.[0].name // empty' "$temp_file")
+  fi
+
+  rm -f "$temp_file"
+
+  if [[ -z "$tag" ]]; then
+    msg_error "No tags found for ${repo}"
+    return 1
+  fi
+
+  echo "$tag"
+}
+
 # ------------------------------------------------------------------------------
 # Get latest GitHub release version with fallback to tags
 # Usage: get_latest_github_release "owner/repo" [strip_v] [include_prerelease]
@@ -4215,6 +4256,8 @@ function setup_gs() {
 #   - NVIDIA requires matching host driver version
 # ------------------------------------------------------------------------------
 function setup_hwaccel() {
+  local service_user="${1:-}"
+
   # Check if user explicitly disabled GPU in advanced settings
   # ENABLE_GPU is exported from build.func
   if [[ "${ENABLE_GPU:-no}" == "no" ]]; then
@@ -4466,7 +4509,7 @@ function setup_hwaccel() {
   # ═══════════════════════════════════════════════════════════════════════════
   # Device Permissions
   # ═══════════════════════════════════════════════════════════════════════════
-  _setup_gpu_permissions "$in_ct"
+  _setup_gpu_permissions "$in_ct" "$service_user"
 
   cache_installed_version "hwaccel" "1.0"
   msg_ok "Setup Hardware Acceleration"
@@ -5100,6 +5143,7 @@ EOF
 # ══════════════════════════════════════════════════════════════════════════════
 _setup_gpu_permissions() {
   local in_ct="$1"
+  local service_user="${2:-}"
 
   # /dev/dri permissions (Intel/AMD)
   if [[ "$in_ct" == "0" && -d /dev/dri ]]; then
@@ -5166,6 +5210,12 @@ _setup_gpu_permissions() {
     chmod 666 /dev/kfd 2>/dev/null || true
     msg_info "AMD ROCm compute device configured"
   fi
+
+  # Add service user to render and video groups for GPU hardware acceleration
+  if [[ -n "$service_user" ]]; then
+    usermod -aG render "$service_user" 2>/dev/null || true
+    usermod -aG video "$service_user" 2>/dev/null || true
+  fi
 }
 
 # ------------------------------------------------------------------------------
@@ -6648,22 +6698,38 @@ EOF
 #   - Optionally uses official PGDG repository for specific versions
 #   - Detects existing PostgreSQL version
 #   - Dumps all databases before upgrade
-#   - Installs optional PG_MODULES (e.g. postgis, contrib)
+#   - Installs optional PG_MODULES (e.g. postgis, contrib, cron)
 #   - Restores dumped data post-upgrade
 #
 # Variables:
 #   USE_PGDG_REPO  - Use official PGDG repository (default: true)
 #                    Set to "false" to use distro packages instead
 #   PG_VERSION    - Major PostgreSQL version (e.g. 15, 16) (default: 16)
-#   PG_MODULES    - Comma-separated list of modules (e.g. "postgis,contrib")
+#   PG_MODULES    - Comma-separated list of modules (e.g. "postgis,contrib,cron")
 #
 # Examples:
-#   setup_postgresql                              # Uses PGDG repo, PG 16
+#   setup_postgresql                                          # Uses PGDG repo, PG 16
-#   PG_VERSION="17" setup_postgresql               # Specific version from PGDG
+#   PG_VERSION="17" setup_postgresql                          # Specific version from PGDG
-#   USE_PGDG_REPO=false setup_postgresql           # Uses distro package instead
+#   USE_PGDG_REPO=false setup_postgresql                      # Uses distro package instead
+#   PG_VERSION="17" PG_MODULES="cron" setup_postgresql        # With pg_cron module
 # ------------------------------------------------------------------------------
 
-function setup_postgresql() {
+# Internal helper: Configure shared_preload_libraries for pg_cron
+_configure_pg_cron_preload() {
+  local modules="${1:-}"
+  [[ -z "$modules" ]] && return 0
+  if [[ ",$modules," == *",cron,"* ]]; then
+    local current_libs
+    current_libs=$(sudo -u postgres psql -tAc "SHOW shared_preload_libraries;" 2>/dev/null || echo "")
+    if [[ "$current_libs" != *"pg_cron"* ]]; then
+      local new_libs="${current_libs:+${current_libs},}pg_cron"
+      $STD sudo -u postgres psql -c "ALTER SYSTEM SET shared_preload_libraries = '${new_libs}';"
+      $STD systemctl restart postgresql
+    fi
+  fi
+}
+
+setup_postgresql() {
   local PG_VERSION="${PG_VERSION:-16}"
   local PG_MODULES="${PG_MODULES:-}"
   local USE_PGDG_REPO="${USE_PGDG_REPO:-true}"
@@ -6701,6 +6767,7 @@ function setup_postgresql() {
           $STD apt install -y "postgresql-${CURRENT_PG_VERSION}-${module}" 2>/dev/null || true
         done
       fi
+      _configure_pg_cron_preload "$PG_MODULES"
       return 0
     fi
 
@@ -6736,6 +6803,7 @@ function setup_postgresql() {
         $STD apt install -y "postgresql-${INSTALLED_VERSION}-${module}" 2>/dev/null || true
       done
     fi
+    _configure_pg_cron_preload "$PG_MODULES"
     return 0
   fi
 
@@ -6757,6 +6825,7 @@ function setup_postgresql() {
         $STD apt install -y "postgresql-${PG_VERSION}-${module}" 2>/dev/null || true
       done
     fi
+    _configure_pg_cron_preload "$PG_MODULES"
     return 0
   fi
 
@@ -6784,13 +6853,16 @@ function setup_postgresql() {
   local SUITE
   case "$DISTRO_CODENAME" in
   trixie | forky | sid)
+
     if verify_repo_available "https://apt.postgresql.org/pub/repos/apt" "trixie-pgdg"; then
       SUITE="trixie-pgdg"
+
     else
       msg_warn "PGDG repo not available for ${DISTRO_CODENAME}, falling back to distro packages"
       USE_PGDG_REPO=false setup_postgresql
       return $?
     fi
+
     ;;
   *)
     SUITE=$(get_fallback_suite "$DISTRO_ID" "$DISTRO_CODENAME" "https://apt.postgresql.org/pub/repos/apt")
@@ -6874,6 +6946,7 @@ function setup_postgresql() {
       }
     done
   fi
+  _configure_pg_cron_preload "$PG_MODULES"
 }
 
 # ------------------------------------------------------------------------------
@@ -6892,6 +6965,7 @@ function setup_postgresql() {
 #   PG_DB_NAME="immich" PG_DB_USER="immich" PG_DB_EXTENSIONS="pgvector" setup_postgresql_db
 #   PG_DB_NAME="ghostfolio" PG_DB_USER="ghostfolio" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
 #   PG_DB_NAME="adventurelog" PG_DB_USER="adventurelog" PG_DB_EXTENSIONS="postgis" setup_postgresql_db
+#   PG_DB_NAME="splitpro" PG_DB_USER="splitpro" PG_DB_EXTENSIONS="pg_cron" setup_postgresql_db
 #
 # Variables:
 #   PG_DB_NAME             - Database name (required)
@@ -6923,6 +6997,13 @@ function setup_postgresql_db() {
   $STD sudo -u postgres psql -c "CREATE ROLE $PG_DB_USER WITH LOGIN PASSWORD '$PG_DB_PASS';"
   $STD sudo -u postgres psql -c "CREATE DATABASE $PG_DB_NAME WITH OWNER $PG_DB_USER ENCODING 'UTF8' TEMPLATE template0;"
 
+  # Configure pg_cron database BEFORE creating the extension (must be set before pg_cron loads)
+  if [[ -n "${PG_DB_EXTENSIONS:-}" ]] && [[ ",${PG_DB_EXTENSIONS//[[:space:]]/}," == *",pg_cron,"* ]]; then
+    $STD sudo -u postgres psql -c "ALTER SYSTEM SET cron.database_name = '${PG_DB_NAME}';"
+    $STD sudo -u postgres psql -c "ALTER SYSTEM SET cron.timezone = 'UTC';"
+    $STD systemctl restart postgresql
+  fi
+
   # Install extensions (comma-separated)
   if [[ -n "${PG_DB_EXTENSIONS:-}" ]]; then
     IFS=',' read -ra EXT_LIST <<<"${PG_DB_EXTENSIONS:-}"
@@ -6932,6 +7013,12 @@ function setup_postgresql_db() {
     done
   fi
 
+  # Grant pg_cron schema permissions to DB user
+  if [[ -n "${PG_DB_EXTENSIONS:-}" ]] && [[ ",${PG_DB_EXTENSIONS//[[:space:]]/}," == *",pg_cron,"* ]]; then
+    $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "GRANT USAGE ON SCHEMA cron TO ${PG_DB_USER};"
+    $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "GRANT ALL ON ALL TABLES IN SCHEMA cron TO ${PG_DB_USER};"
+  fi
+
   # ALTER ROLE settings for Django/Rails compatibility (unless skipped)
   if [[ "${PG_DB_SKIP_ALTER_ROLE:-}" != "true" ]]; then
     $STD sudo -u postgres psql -c "ALTER ROLE $PG_DB_USER SET client_encoding TO 'utf8';"
@@ -6973,7 +7060,6 @@ function setup_postgresql_db() {
   export PG_DB_USER
   export PG_DB_PASS
 }
-
 # ------------------------------------------------------------------------------
 # Installs rbenv and ruby-build, installs Ruby and optionally Rails.
 #