feat(cloud-init): add interactive SSH key discovery and selection

- Add SSH key discovery from standard paths (/root/.ssh, /etc/ssh)
- Add whiptail-based interactive key selection dialog
- Extract key fingerprints and comments for better identification
- Support multiple key selection with checkboxes
- Auto-skip private keys and known_hosts files
- Restore shell state after library load

CHANGELOG.md

@@ -405,12 +405,24 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
   - Wishlist ([#11527](https://github.com/community-scripts/ProxmoxVE/pull/11527))
 - WriteFreely ([#11524](https://github.com/community-scripts/ProxmoxVE/pull/11524))
 
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Immich: pin version to 2.5.3 [@vhsdream](https://github.com/vhsdream) ([#11515](https://github.com/community-scripts/ProxmoxVE/pull/11515))
+
 ### 💾 Core
 
   - #### ✨ New Features
 
     - core: create vm-core.func from dev [@MickLesk](https://github.com/MickLesk) ([#11528](https://github.com/community-scripts/ProxmoxVE/pull/11528))
 
+### 🧰 Tools
+
+  - #### ✨ New Features
+
+    - [ADDON] Immich Public Proxy addon [@vhsdream](https://github.com/vhsdream) ([#11518](https://github.com/community-scripts/ProxmoxVE/pull/11518))
+
 ### 🌐 Website
 
   - #### 🐞 Bug Fixes

ct/immich.sh

@@ -36,10 +36,6 @@ function update_script() {
     exit
   fi
 
-  setup_uv
-  PNPM_VERSION="$(curl -fsSL "https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/package.json" | jq -r '.packageManager | split("@")[1]')"
-  NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
-
   if [[ ! -f /etc/apt/preferences.d/preferences ]]; then
     msg_info "Adding Debian Testing repo"
     sed -i 's/ trixie-updates/ trixie-updates testing/g' /etc/apt/sources.list.d/debian.sources
@@ -109,7 +105,7 @@ EOF
     msg_ok "Image-processing libraries up to date"
   fi
 
-  RELEASE="2.5.2"
+  RELEASE="2.5.3"
   if check_for_gh_release "immich" "immich-app/immich" "${RELEASE}"; then
     if [[ $(cat ~/.immich) > "2.5.1" ]]; then
       msg_info "Enabling Maintenance Mode"
@@ -164,7 +160,10 @@ EOF
       rm -rf "${APP_DIR:?}"/*
     )
 
+    setup_uv
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "immich" "immich-app/immich" "tarball" "v${RELEASE}" "$SRC_DIR"
+    PNPM_VERSION="$(jq -r '.packageManager | split("@")[1]' ${SRC_DIR}/package.json)"
+    NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 
     msg_info "Updating Immich web and microservices"
     cd "$SRC_DIR"/server

frontend/public/json/github-versions.json

@@ -1,5 +1,5 @@
 {
-  "generated": "2026-02-04T12:11:53Z",
+  "generated": "2026-02-04T18:17:33Z",
   "versions": [
     {
       "slug": "2fauth",
@@ -256,9 +256,9 @@
     {
       "slug": "docmost",
       "repo": "docmost/docmost",
-      "version": "v0.25.0",
+      "version": "v0.25.1",
       "pinned": false,
-      "date": "2026-02-04T00:33:45Z"
+      "date": "2026-02-04T15:19:51Z"
     },
     {
       "slug": "domain-locker",
@@ -515,9 +515,9 @@
     {
       "slug": "huntarr",
       "repo": "plexguide/Huntarr.io",
-      "version": "9.1.11",
+      "version": "9.1.12",
       "pinned": false,
-      "date": "2026-02-04T11:30:25Z"
+      "date": "2026-02-04T14:28:36Z"
     },
     {
       "slug": "inspircd",
@@ -1096,9 +1096,9 @@
     {
       "slug": "pulse",
       "repo": "rcourtman/Pulse",
-      "version": "v5.0.17",
+      "version": "v5.1.0",
       "pinned": false,
-      "date": "2026-01-20T19:07:30Z"
+      "date": "2026-02-04T17:43:59Z"
     },
     {
       "slug": "pve-scripts-local",
@@ -1271,9 +1271,9 @@
     {
       "slug": "speedtest-tracker",
       "repo": "alexjustesen/speedtest-tracker",
-      "version": "v1.13.6",
+      "version": "v1.13.7",
       "pinned": false,
-      "date": "2026-02-03T21:20:51Z"
+      "date": "2026-02-04T16:47:42Z"
     },
     {
       "slug": "spoolman",
@@ -1369,9 +1369,9 @@
     {
       "slug": "tianji",
       "repo": "msgbyte/tianji",
-      "version": "v1.31.9",
+      "version": "v1.31.10",
       "pinned": false,
-      "date": "2026-01-31T18:22:40Z"
+      "date": "2026-02-04T17:21:04Z"
     },
     {
       "slug": "traccar",
@@ -1411,9 +1411,9 @@
     {
       "slug": "trip",
       "repo": "itskovacs/TRIP",
-      "version": "1.38.0",
+      "version": "1.38.1",
       "pinned": false,
-      "date": "2026-01-31T15:56:30Z"
+      "date": "2026-02-04T18:10:15Z"
     },
     {
       "slug": "tududi",

frontend/public/json/immich-public-proxy.json

@@ -0,0 +1,44 @@
+{
+  "name": "Immich Public Proxy",
+  "slug": "immich-public-proxy",
+  "categories": [
+    21
+  ],
+  "date_created": "2026-02-04",
+  "type": "addon",
+  "updateable": true,
+  "privileged": false,
+  "interface_port": 3000,
+  "documentation": "https://github.com/alangrainger/immich-public-proxy/docs",
+  "website": "https://github.com/alangrainger/immich-public-proxy",
+  "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/immich-public-proxy.webp",
+  "config_path": "/opt/immich-proxy/app/.env",
+  "description": "Share your Immich photos and albums in a safe way without exposing your Immich instance to the public.",
+  "install_methods": [
+    {
+      "type": "default",
+      "script": "tools/addon/immich-public-proxy.sh",
+      "resources": {
+        "cpu": null,
+        "ram": null,
+        "hdd": null,
+        "os": null,
+        "version": null
+      }
+    }
+  ],
+  "default_credentials": {
+    "username": null,
+    "password": null
+  },
+  "notes": [
+    {
+      "text": "Requires Node.js 24+",
+      "type": "info"
+    },
+    {
+      "text": "Update with: update_immich-public-proxy",
+      "type": "info"
+    }
+  ]
+}

install/immich-install.sh

@@ -13,44 +13,44 @@ setting_up_container
 network_check
 update_os
 
-echo ""
-echo ""
-echo -e "🤖 ${BL}Immich Machine Learning Options${CL}"
-echo "─────────────────────────────────────────"
-echo "Please choose your machine-learning type:"
-echo ""
-echo " 1) CPU only (default)"
-echo " 2) Intel OpenVINO (requires GPU passthrough)"
-echo ""
+if [ -d /dev/dri ]; then
+  echo ""
+  echo ""
+  echo -e "🤖 ${BL}Immich Machine Learning Options${CL}"
+  echo "─────────────────────────────────────────"
+  echo "Please choose your machine-learning type:"
+  echo ""
+  echo " 1) CPU only (default)"
+  echo " 2) Intel OpenVINO (requires GPU passthrough)"
+  echo ""
 
-read -r -p "${TAB3}Select machine-learning type [1]: " ML_TYPE
-ML_TYPE="${ML_TYPE:-1}"
-if [[ "$ML_TYPE" == "2" ]]; then
-  msg_info "Installing OpenVINO dependencies"
-  touch ~/.openvino
-  $STD apt install -y --no-install-recommends patchelf
-  tmp_dir=$(mktemp -d)
-  $STD pushd "$tmp_dir"
-  curl -fsSLO https://raw.githubusercontent.com/immich-app/base-images/refs/heads/main/server/Dockerfile
-  readarray -t INTEL_URLS < <(
-    sed -n "/intel-[igc|opencl]/p" ./Dockerfile | awk '{print $2}'
-    sed -n "/libigdgmm12/p" ./Dockerfile | awk '{print $3}'
-  )
-  for url in "${INTEL_URLS[@]}"; do
-    curl -fsSLO "$url"
-  done
-  $STD apt install -y ./libigdgmm12*.deb
-  rm ./libigdgmm12*.deb
-  $STD apt install -y ./*.deb
-  $STD apt-mark hold libigdgmm12
-  $STD popd
-  rm -rf "$tmp_dir"
-  dpkg-query -W -f='${Version}\n' intel-opencl-icd >~/.intel_version
-  msg_ok "Installed OpenVINO dependencies"
+  read -r -p "${TAB3}Select machine-learning type [1]: " ML_TYPE
+  ML_TYPE="${ML_TYPE:-1}"
+  if [[ "$ML_TYPE" == "2" ]]; then
+    msg_info "Installing OpenVINO dependencies"
+    touch ~/.openvino
+    $STD apt install -y --no-install-recommends patchelf
+    tmp_dir=$(mktemp -d)
+    $STD pushd "$tmp_dir"
+    curl -fsSLO https://raw.githubusercontent.com/immich-app/base-images/refs/heads/main/server/Dockerfile
+    readarray -t INTEL_URLS < <(
+      sed -n "/intel-[igc|opencl]/p" ./Dockerfile | awk '{print $2}'
+      sed -n "/libigdgmm12/p" ./Dockerfile | awk '{print $3}'
+    )
+    for url in "${INTEL_URLS[@]}"; do
+      curl -fsSLO "$url"
+    done
+    $STD apt install -y ./libigdgmm12*.deb
+    rm ./libigdgmm12*.deb
+    $STD apt install -y ./*.deb
+    $STD apt-mark hold libigdgmm12
+    $STD popd
+    rm -rf "$tmp_dir"
+    dpkg-query -W -f='${Version}\n' intel-opencl-icd >~/.intel_version
+    msg_ok "Installed OpenVINO dependencies"
+  fi
 fi
 
-setup_uv
-
 msg_info "Installing dependencies"
 $STD apt install --no-install-recommends -y \
   git \
@@ -144,8 +144,7 @@ msg_info "Installing packages from Debian Testing repo"
 $STD apt install -t testing --no-install-recommends -yqq libmimalloc3 libde265-dev
 msg_ok "Installed packages from Debian Testing repo"
 
-PNPM_VERSION="$(curl -fsSL "https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/package.json" | jq -r '.packageManager | split("@")[1]')"
-NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
+setup_uv
 PG_VERSION="16" PG_MODULES="pgvector" setup_postgresql
 
 VCHORD_RELEASE="0.5.3"
@@ -290,7 +289,9 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 
-fetch_and_deploy_gh_release "immich" "immich-app/immich" "tarball" "v2.5.2" "$SRC_DIR"
+fetch_and_deploy_gh_release "immich" "immich-app/immich" "tarball" "v2.5.3" "$SRC_DIR"
+PNPM_VERSION="$(jq -r '.packageManager | split("@")[1]' ${SRC_DIR}/package.json)"
+NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 
 msg_info "Installing Immich (patience)"
 

misc/cloud-init.func

@@ -28,13 +28,210 @@
 # ==============================================================================
 # These can be overridden before sourcing this library
 
+# Disable 'unbound variable' errors for this library (restored at end)
+_OLD_SET_STATE=$(set +o | grep -E 'set -(e|u|o)')
+set +u
+
 CLOUDINIT_DEFAULT_USER="${CLOUDINIT_DEFAULT_USER:-root}"
 CLOUDINIT_DNS_SERVERS="${CLOUDINIT_DNS_SERVERS:-1.1.1.1 8.8.8.8}"
 CLOUDINIT_SEARCH_DOMAIN="${CLOUDINIT_SEARCH_DOMAIN:-local}"
-CLOUDINIT_SSH_KEYS="${CLOUDINIT_SSH_KEYS:-/root/.ssh/authorized_keys}"
+CLOUDINIT_SSH_KEYS="${CLOUDINIT_SSH_KEYS:-}" # Empty by default - user must explicitly provide keys
 
 # ==============================================================================
-# SECTION 2: HELPER FUNCTIONS
+# SECTION 2: SSH KEY DISCOVERY AND SELECTION
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# _ci_ssh_extract_keys_from_file - Extracts valid SSH public keys from a file
+# ------------------------------------------------------------------------------
+function _ci_ssh_extract_keys_from_file() {
+  local file="$1"
+  [[ -f "$file" && -r "$file" ]] || return 0
+  grep -E '^(ssh-(rsa|ed25519|dss|ecdsa)|ecdsa-sha2-)' "$file" 2>/dev/null || true
+}
+
+# ------------------------------------------------------------------------------
+# _ci_ssh_discover_files - Scans standard paths for SSH keys
+# ------------------------------------------------------------------------------
+function _ci_ssh_discover_files() {
+  local -a cand=()
+  shopt -s nullglob
+  cand+=(/root/.ssh/authorized_keys /root/.ssh/authorized_keys2)
+  cand+=(/root/.ssh/*.pub)
+  cand+=(/etc/ssh/authorized_keys /etc/ssh/authorized_keys.d/*)
+  shopt -u nullglob
+  printf '%s\0' "${cand[@]}"
+}
+
+# ------------------------------------------------------------------------------
+# _ci_ssh_build_choices - Builds whiptail checklist from SSH key files
+#
+# Sets: CI_SSH_CHOICES (array), CI_SSH_COUNT (int), CI_SSH_MAPFILE (path)
+# ------------------------------------------------------------------------------
+function _ci_ssh_build_choices() {
+  local -a files=("$@")
+  CI_SSH_CHOICES=()
+  CI_SSH_COUNT=0
+  CI_SSH_MAPFILE="$(mktemp)"
+  local id key typ fp cmt base
+
+  for f in "${files[@]}"; do
+    [[ -f "$f" && -r "$f" ]] || continue
+    base="$(basename -- "$f")"
+    # Skip known_hosts and private keys
+    case "$base" in
+    known_hosts | known_hosts.* | config) continue ;;
+    id_*) [[ "$f" != *.pub ]] && continue ;;
+    esac
+
+    while IFS= read -r key; do
+      [[ -n "$key" ]] || continue
+
+      typ=""
+      fp=""
+      cmt=""
+      read -r _typ _b64 _cmt <<<"$key"
+      typ="${_typ:-key}"
+      cmt="${_cmt:-}"
+
+      # Get fingerprint via ssh-keygen if available
+      if command -v ssh-keygen >/dev/null 2>&1; then
+        fp="$(printf '%s\n' "$key" | ssh-keygen -lf - 2>/dev/null | awk '{print $2}')"
+      fi
+
+      # Shorten long comments
+      [[ ${#cmt} -gt 40 ]] && cmt="${cmt:0:37}..."
+
+      CI_SSH_COUNT=$((CI_SSH_COUNT + 1))
+      id="K${CI_SSH_COUNT}"
+      echo "${id}|${key}" >>"$CI_SSH_MAPFILE"
+      CI_SSH_CHOICES+=("$id" "[$typ] ${fp:+$fp }${cmt:+$cmt }— ${base}" "OFF")
+    done < <(_ci_ssh_extract_keys_from_file "$f")
+  done
+}
+
+# ------------------------------------------------------------------------------
+# configure_cloudinit_ssh_keys - Interactive SSH key selection for Cloud-Init
+#
+# Usage: configure_cloudinit_ssh_keys
+# Sets: CLOUDINIT_SSH_KEYS (path to temporary file with selected keys)
+# ------------------------------------------------------------------------------
+function configure_cloudinit_ssh_keys() {
+  local backtitle="Proxmox VE Helper Scripts"
+  local ssh_key_mode
+
+  # Create temp file for selected keys
+  CLOUDINIT_SSH_KEYS_TEMP="$(mktemp)"
+  : >"$CLOUDINIT_SSH_KEYS_TEMP"
+
+  # Discover keys and build choices
+  IFS=$'\0' read -r -d '' -a _def_files < <(_ci_ssh_discover_files && printf '\0')
+  _ci_ssh_build_choices "${_def_files[@]}"
+  local default_key_count="$CI_SSH_COUNT"
+
+  if [[ "$default_key_count" -gt 0 ]]; then
+    ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
+      "Provision SSH keys for Cloud-Init VM:" 14 72 4 \
+      "found" "Select from detected keys (${default_key_count})" \
+      "manual" "Paste a single public key" \
+      "folder" "Scan another folder (path or glob)" \
+      "none" "No SSH keys (password auth only)" 3>&1 1>&2 2>&3) || return 1
+  else
+    ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
+      "No host keys detected. Choose:" 12 72 3 \
+      "manual" "Paste a single public key" \
+      "folder" "Scan another folder (path or glob)" \
+      "none" "No SSH keys (password auth only)" 3>&1 1>&2 2>&3) || return 1
+  fi
+
+  case "$ssh_key_mode" in
+  found)
+    # Show checklist with individual keys
+    local selection
+    selection=$(whiptail --backtitle "$backtitle" --title "SELECT SSH KEYS" \
+      --checklist "Select one or more keys to import:" 20 140 10 "${CI_SSH_CHOICES[@]}" 3>&1 1>&2 2>&3) || return 1
+
+    for tag in $selection; do
+      tag="${tag%\"}"
+      tag="${tag#\"}"
+      local line
+      line=$(grep -E "^${tag}\|" "$CI_SSH_MAPFILE" | head -n1 | cut -d'|' -f2-)
+      [[ -n "$line" ]] && printf '%s\n' "$line" >>"$CLOUDINIT_SSH_KEYS_TEMP"
+    done
+    local imported
+    imported=$(wc -l <"$CLOUDINIT_SSH_KEYS_TEMP")
+    echo -e "${ROOTSSH:-  🔑  }${BOLD}${DGN}SSH Keys: ${BGN}${imported} key(s) selected${CL}"
+    ;;
+  manual)
+    local pubkey
+    pubkey=$(whiptail --backtitle "$backtitle" --title "PASTE SSH PUBLIC KEY" \
+      --inputbox "Paste your SSH public key (ssh-rsa, ssh-ed25519, etc.):" 10 76 3>&1 1>&2 2>&3) || return 1
+    if [[ -n "$pubkey" ]]; then
+      echo "$pubkey" >"$CLOUDINIT_SSH_KEYS_TEMP"
+      echo -e "${ROOTSSH:-  🔑  }${BOLD}${DGN}SSH Keys: ${BGN}1 key added manually${CL}"
+    else
+      echo -e "${ROOTSSH:-  🔑  }${BOLD}${DGN}SSH Keys: ${BGN}none (empty input)${CL}"
+      CLOUDINIT_SSH_KEYS=""
+      rm -f "$CLOUDINIT_SSH_KEYS_TEMP" "$CI_SSH_MAPFILE" 2>/dev/null
+      return 0
+    fi
+    ;;
+  folder)
+    local glob_path
+    glob_path=$(whiptail --backtitle "$backtitle" --title "SCAN FOLDER/GLOB" \
+      --inputbox "Enter a folder or glob to scan (e.g. /root/.ssh/*.pub):" 10 72 3>&1 1>&2 2>&3) || return 1
+    if [[ -n "$glob_path" ]]; then
+      shopt -s nullglob
+      local -a _scan_files=($glob_path)
+      shopt -u nullglob
+      if [[ "${#_scan_files[@]}" -gt 0 ]]; then
+        _ci_ssh_build_choices "${_scan_files[@]}"
+        if [[ "$CI_SSH_COUNT" -gt 0 ]]; then
+          local folder_selection
+          folder_selection=$(whiptail --backtitle "$backtitle" --title "SELECT FOLDER KEYS" \
+            --checklist "Select key(s) to import:" 20 140 10 "${CI_SSH_CHOICES[@]}" 3>&1 1>&2 2>&3) || return 1
+          for tag in $folder_selection; do
+            tag="${tag%\"}"
+            tag="${tag#\"}"
+            local line
+            line=$(grep -E "^${tag}\|" "$CI_SSH_MAPFILE" | head -n1 | cut -d'|' -f2-)
+            [[ -n "$line" ]] && printf '%s\n' "$line" >>"$CLOUDINIT_SSH_KEYS_TEMP"
+          done
+          local imported
+          imported=$(wc -l <"$CLOUDINIT_SSH_KEYS_TEMP")
+          echo -e "${ROOTSSH:-  🔑  }${BOLD}${DGN}SSH Keys: ${BGN}${imported} key(s) from folder${CL}"
+        else
+          whiptail --backtitle "$backtitle" --msgbox "No keys found in: $glob_path" 8 60
+        fi
+      else
+        whiptail --backtitle "$backtitle" --msgbox "Path/glob returned no files." 8 60
+      fi
+    fi
+    ;;
+  none | *)
+    echo -e "${ROOTSSH:-  🔑  }${BOLD}${DGN}SSH Keys: ${BGN}none (password auth only)${CL}"
+    CLOUDINIT_SSH_KEYS=""
+    rm -f "$CLOUDINIT_SSH_KEYS_TEMP" "$CI_SSH_MAPFILE" 2>/dev/null
+    return 0
+    ;;
+  esac
+
+  # Cleanup mapfile
+  rm -f "$CI_SSH_MAPFILE" 2>/dev/null
+
+  # Set the variable for setup_cloud_init to use
+  if [[ -s "$CLOUDINIT_SSH_KEYS_TEMP" ]]; then
+    CLOUDINIT_SSH_KEYS="$CLOUDINIT_SSH_KEYS_TEMP"
+  else
+    CLOUDINIT_SSH_KEYS=""
+    rm -f "$CLOUDINIT_SSH_KEYS_TEMP"
+  fi
+
+  return 0
+}
+
+# ==============================================================================
+# SECTION 3: HELPER FUNCTIONS
 # ==============================================================================
 
 # ------------------------------------------------------------------------------
@@ -144,9 +341,10 @@ function setup_cloud_init() {
   local cipassword=$(openssl rand -base64 16)
   qm set "$vmid" --cipassword "$cipassword" >/dev/null
 
-  # Add SSH keys if available
-  if [ -f "$CLOUDINIT_SSH_KEYS" ]; then
+  # Add SSH keys only if explicitly provided (not auto-imported from host)
+  if [ -n "${CLOUDINIT_SSH_KEYS:-}" ] && [ -f "$CLOUDINIT_SSH_KEYS" ]; then
     qm set "$vmid" --sshkeys "$CLOUDINIT_SSH_KEYS" >/dev/null 2>&1 || true
+    _ci_msg_info "SSH keys imported from: $CLOUDINIT_SSH_KEYS"
   fi
 
   # Configure network
@@ -459,6 +657,11 @@ export -f wait_for_cloud_init 2>/dev/null || true
 export -f validate_ip_cidr 2>/dev/null || true
 export -f validate_ip 2>/dev/null || true
 
+# Restore previous shell options if they were saved
+if [ -n "${_OLD_SET_STATE:-}" ]; then
+  eval "$_OLD_SET_STATE"
+fi
+
 # ==============================================================================
 # SECTION 7: EXAMPLES & DOCUMENTATION
 # ==============================================================================

tools/addon/immich-public-proxy.sh

@@ -0,0 +1,264 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: vhsdream
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/alangrainger/immich-public-proxy
+
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/core.func)
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/tools.func)
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/error_handler.func)
+
+# Enable error handling
+set -Eeuo pipefail
+trap 'error_handler' ERR
+
+# ==============================================================================
+# CONFIGURATION
+# ==============================================================================
+APP="Immich Public Proxy"
+APP_TYPE="addon"
+INSTALL_PATH="/opt/immich-proxy"
+CONFIG_PATH="/opt/immich-proxy/app"
+DEFAULT_PORT=3000
+
+# Initialize all core functions (colors, formatting, icons, STD mode)
+load_functions
+
+# ==============================================================================
+# HEADER
+# ==============================================================================
+function header_info {
+  clear
+  cat <<"EOF"
+    ____                    _      __          ____
+   /  _/___ ___  ____ ___  (_)____/ /_        / __ \_________  _  ____  __
+   / // __ `__ \/ __ `__ \/ / ___/ __ \______/ /_/ / ___/ __ \| |/_/ / / /
+ _/ // / / / / / / / / / / / /__/ / / /_____/ ____/ /  / /_/ />  </ /_/ /
+/___/_/ /_/ /_/_/ /_/ /_/_/\___/_/ /_/     /_/   /_/   \____/_/|_|\__, /
+                                                                 /____/
+EOF
+}
+
+# ==============================================================================
+# OS DETECTION
+# ==============================================================================
+if [[ -f "/etc/alpine-release" ]]; then
+  msg_error "Alpine is not supported for ${APP}. Use Debian."
+  exit 1
+elif [[ -f "/etc/debian_version" ]]; then
+  OS="Debian"
+  SERVICE_PATH="/etc/systemd/system/immich-proxy.service"
+else
+  echo -e "${CROSS} Unsupported OS detected. Exiting."
+  exit 1
+fi
+
+# ==============================================================================
+# UNINSTALL
+# ==============================================================================
+function uninstall() {
+  msg_info "Uninstalling ${APP}"
+  systemctl disable --now immich-proxy.service &>/dev/null || true
+  rm -f "$SERVICE_PATH"
+  rm -rf "$INSTALL_PATH"
+  rm -f "/usr/local/bin/update_immich-public-proxy"
+  rm -f "$HOME/.immichpublicproxy"
+  msg_ok "${APP} has been uninstalled"
+}
+
+# ==============================================================================
+# UPDATE
+# ==============================================================================
+function update() {
+  if check_for_gh_release "Immich Public Proxy" "alangrainger/immich-public-proxy"; then
+    msg_info "Stopping service"
+    systemctl stop immich-proxy.service &>/dev/null || true
+    msg_ok "Stopped service"
+
+    msg_info "Backing up configuration"
+    cp "$CONFIG_PATH"/.env /tmp/ipp.env.bak 2>/dev/null || true
+    cp "$CONFIG_PATH"/config.json /tmp/ipp.config.json.bak 2>/dev/null || true
+    msg_ok "Backed up configuration"
+
+    NODE_VERSION="24" setup_nodejs
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "Immich Public Proxy" "alangrainger/immich-public-proxy" "tarball" "latest" "$INSTALL_PATH"
+
+    msg_info "Restoring configuration"
+    cp /tmp/ipp.env.bak "$CONFIG_PATH"/.env 2>/dev/null || true
+    cp /tmp/ipp.config.json.bak "$CONFIG_PATH"/config.json 2>/dev/null || true
+    rm -f /tmp/ipp.*.bak
+    msg_ok "Restored configuration"
+
+    msg_info "Installing dependencies"
+    cd "$CONFIG_PATH"
+    $STD npm install
+    msg_ok "Installed dependencies"
+
+    msg_info "Building ${APP}"
+    $STD npm run build
+    msg_ok "Built ${APP}"
+
+    msg_info "Starting service"
+    systemctl start immich-proxy
+    msg_ok "Started service"
+    msg_ok "Updated successfully"
+    exit
+  fi
+}
+
+# ==============================================================================
+# INSTALL
+# ==============================================================================
+function install() {
+  NODE_VERSION="24" setup_nodejs
+
+  # Force fresh download by removing version cache
+  rm -f "$HOME/.immichpublicproxy"
+  fetch_and_deploy_gh_release "Immich Public Proxy" "alangrainger/immich-public-proxy" "tarball" "latest" "$INSTALL_PATH"
+
+  msg_info "Installing dependencies"
+  cd "$CONFIG_PATH"
+  $STD npm install
+  msg_ok "Installed dependencies"
+
+  msg_info "Building ${APP}"
+  $STD npm run build
+  msg_ok "Built ${APP}"
+
+  MAX_ATTEMPTS=3
+  attempt=0
+  while true; do
+    attempt=$((attempt + 1))
+    read -rp "${TAB3}Enter your LOCAL Immich IP or domain (ex. 192.168.1.100 or immich.local.lan): " DOMAIN
+    if [[ -z "$DOMAIN" ]]; then
+      if ((attempt >= MAX_ATTEMPTS)); then
+        DOMAIN="${LOCAL_IP:-localhost}"
+        msg_warn "Using fallback: $DOMAIN"
+        break
+      fi
+      msg_warn "Domain cannot be empty! (Attempt $attempt/$MAX_ATTEMPTS)"
+    elif [[ "$DOMAIN" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
+      valid_ip=true
+      IFS='.' read -ra octets <<<"$DOMAIN"
+      for octet in "${octets[@]}"; do
+        if ((octet > 255)); then
+          valid_ip=false
+          break
+        fi
+      done
+      if $valid_ip; then
+        break
+      else
+        msg_warn "Invalid IP address!"
+      fi
+    elif [[ "$DOMAIN" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$ || "$DOMAIN" == "localhost" ]]; then
+      break
+    else
+      msg_warn "Invalid domain format!"
+    fi
+  done
+
+  msg_info "Creating configuration"
+  cat <<EOF >"$CONFIG_PATH"/.env
+NODE_ENV=production
+IMMICH_URL=http://${DOMAIN}:2283
+EOF
+  chmod 600 "$CONFIG_PATH"/.env
+  msg_ok "Created configuration"
+
+  msg_info "Creating service"
+  cat <<EOF >"$SERVICE_PATH"
+[Unit]
+Description=Immich Public Proxy
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=${INSTALL_PATH}
+EnvironmentFile=${CONFIG_PATH}/.env
+ExecStart=/usr/bin/node ${INSTALL_PATH}/app/server.js
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  systemctl enable -q --now immich-proxy
+  msg_ok "Created and started service"
+
+  # Create update script (simple wrapper that calls this addon with type=update)
+  msg_info "Creating update script"
+  cat <<'UPDATEEOF' >/usr/local/bin/update_immich-public-proxy
+#!/usr/bin/env bash
+# Immich Public Proxy Update Script
+type=update bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/tools/addon/immich-public-proxy.sh)"
+UPDATEEOF
+  chmod +x /usr/local/bin/update_immich-public-proxy
+  msg_ok "Created update script (/usr/local/bin/update_immich-public-proxy)"
+
+  echo ""
+  msg_ok "${APP} is reachable at: ${BL}http://${LOCAL_IP}:${DEFAULT_PORT}${CL}"
+  echo ""
+  msg_warn "Additional configuration is available at '/opt/immich-proxy/app/config.json'"
+}
+
+# ==============================================================================
+# MAIN
+# ==============================================================================
+
+# Handle type=update (called from update script)
+if [[ "${type:-}" == "update" ]]; then
+  header_info
+  if [[ -d "$INSTALL_PATH" && -f "$SERVICE_PATH" ]]; then
+    update
+  else
+    msg_error "${APP} is not installed. Nothing to update."
+    exit 1
+  fi
+  exit 0
+fi
+
+header_info
+get_lxc_ip
+
+# Check if already installed
+if [[ -d "$INSTALL_PATH" && -f "$SERVICE_PATH" ]]; then
+  msg_warn "${APP} is already installed."
+  echo ""
+
+  echo -n "${TAB}Uninstall ${APP}? (y/N): "
+  read -r uninstall_prompt
+  if [[ "${uninstall_prompt,,}" =~ ^(y|yes)$ ]]; then
+    uninstall
+    exit 0
+  fi
+
+  echo -n "${TAB}Update ${APP}? (y/N): "
+  read -r update_prompt
+  if [[ "${update_prompt,,}" =~ ^(y|yes)$ ]]; then
+    update
+    exit 0
+  fi
+
+  msg_warn "No action selected. Exiting."
+  exit 0
+fi
+
+# Fresh installation
+msg_warn "${APP} is not installed."
+echo ""
+echo -e "${TAB}${INFO} This will install:"
+echo -e "${TAB}  - Node.js 24"
+echo -e "${TAB}  - Immich Public Proxy"
+echo ""
+
+echo -n "${TAB}Install ${APP}? (y/N): "
+read -r install_prompt
+if [[ "${install_prompt,,}" =~ ^(y|yes)$ ]]; then
+  install
+else
+  msg_warn "Installation cancelled. Exiting."
+  exit 0
+fi