
Author SHA1 Message Date
MickLesk
6077c850ea feat(cloud-init): add interactive SSH key discovery and selection
- Add SSH key discovery from standard paths (/root/.ssh, /etc/ssh)
- Add whiptail-based interactive key selection dialog
- Extract key fingerprints and comments for better identification
- Support multiple key selection with checkboxes
- Auto-skip private keys and known_hosts files
- Restore shell state after library load
2026-02-04 20:26:16 +01:00
12 changed files with 232 additions and 392 deletions


@@ -398,8 +398,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
</details> </details>
## 2026-02-05
## 2026-02-04 ## 2026-02-04
### 🆕 New Scripts ### 🆕 New Scripts
@@ -409,11 +407,8 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
### 🚀 Updated Scripts ### 🚀 Updated Scripts
- Add log directory and permissions for koillection [@shineangelic](https://github.com/shineangelic) ([#11553](https://github.com/community-scripts/ProxmoxVE/pull/11553))
- #### 🐞 Bug Fixes - #### 🐞 Bug Fixes
- [FIX] Scanopy: ensure Scanopy Daemon update [@vhsdream](https://github.com/vhsdream) ([#11541](https://github.com/community-scripts/ProxmoxVE/pull/11541))
- Immich: pin version to 2.5.3 [@vhsdream](https://github.com/vhsdream) ([#11515](https://github.com/community-scripts/ProxmoxVE/pull/11515)) - Immich: pin version to 2.5.3 [@vhsdream](https://github.com/vhsdream) ([#11515](https://github.com/community-scripts/ProxmoxVE/pull/11515))
### 💾 Core ### 💾 Core
@@ -434,10 +429,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
- fix(frontend): implement weighted search scoring for command menu [@ls-root](https://github.com/ls-root) ([#11534](https://github.com/community-scripts/ProxmoxVE/pull/11534)) - fix(frontend): implement weighted search scoring for command menu [@ls-root](https://github.com/ls-root) ([#11534](https://github.com/community-scripts/ProxmoxVE/pull/11534))
### ❔ Uncategorized
- [FIX] Immich Public Proxy docs link [@vhsdream](https://github.com/vhsdream) ([#11543](https://github.com/community-scripts/ProxmoxVE/pull/11543))
## 2026-02-03 ## 2026-02-03
### 🆕 New Scripts ### 🆕 New Scripts


@@ -1,6 +0,0 @@
____ ________ __
/ __ \____ ___ ____ / ____/ /___ __ ______/ /
/ / / / __ \/ _ \/ __ \/ / / / __ \/ / / / __ /
/ /_/ / /_/ / __/ / / / /___/ / /_/ / /_/ / /_/ /
\____/ .___/\___/_/ /_/\____/_/\____/\__,_/\__,_/
/_/


@@ -59,8 +59,6 @@ function update_script() {
$STD yarn install $STD yarn install
$STD yarn build $STD yarn build
mkdir -p /opt/koillection/public/uploads mkdir -p /opt/koillection/public/uploads
mkdir -p /opt/koillection/var/log
chown -R www-data:www-data /opt/koillection/var/log
chown -R www-data:www-data /opt/koillection/public/uploads chown -R www-data:www-data /opt/koillection/public/uploads
rm -r /opt/koillection-backup rm -r /opt/koillection-backup


@@ -1,60 +0,0 @@
#!/usr/bin/env bash
source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
# Copyright (c) 2021-2026 community-scripts ORG
# Author: vhsdream
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
# Source: https://opencloud.eu
APP="OpenCloud"
var_tags="${var_tags:-files;cloud}"
var_cpu="${var_cpu:-2}"
var_ram="${var_ram:-2048}"
var_disk="${var_disk:-20}"
var_os="${var_os:-debian}"
var_version="${var_version:-13}"
var_unprivileged="${var_unprivileged:-1}"
header_info "$APP"
variables
color
catch_errors
function update_script() {
header_info
check_container_storage
check_container_resources
if [[ ! -d /etc/opencloud ]]; then
msg_error "No ${APP} Installation Found!"
exit
fi
RELEASE="v5.0.1"
if check_for_gh_release "opencloud" "opencloud-eu/opencloud" "${RELEASE}"; then
msg_info "Stopping services"
systemctl stop opencloud opencloud-wopi
msg_ok "Stopped services"
msg_info "Updating packages"
$STD apt-get update
$STD apt-get dist-upgrade -y
msg_ok "Updated packages"
CLEAN_INSTALL=1 fetch_and_deploy_gh_release "opencloud" "opencloud-eu/opencloud" "singlefile" "${RELEASE}" "/usr/bin" "opencloud-*-linux-amd64"
msg_info "Starting services"
systemctl start opencloud opencloud-wopi
msg_ok "Started services"
msg_ok "Updated successfully"
fi
exit
}
start
build_container
description
msg_ok "Completed successfully!\n"
echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
echo -e "${INFO}${YW} Access it using the following URL:${CL}"
echo -e "${TAB}${GATEWAY}${BGN}https://<your-OpenCloud-FQDN>${CL}"


@@ -29,7 +29,7 @@ function update_script() {
exit exit
fi fi
if check_for_gh_release "Scanopy" "scanopy/scanopy"; then if check_for_gh_release "scanopy" "scanopy/scanopy"; then
msg_info "Stopping services" msg_info "Stopping services"
systemctl stop scanopy-server systemctl stop scanopy-server
[[ -f /etc/systemd/system/scanopy-daemon.service ]] && systemctl stop scanopy-daemon [[ -f /etc/systemd/system/scanopy-daemon.service ]] && systemctl stop scanopy-daemon
@@ -40,7 +40,7 @@ function update_script() {
[[ -f /opt/scanopy/oidc.toml ]] && cp /opt/scanopy/oidc.toml /opt/scanopy.oidc.toml [[ -f /opt/scanopy/oidc.toml ]] && cp /opt/scanopy/oidc.toml /opt/scanopy.oidc.toml
msg_ok "Backed up configurations" msg_ok "Backed up configurations"
CLEAN_INSTALL=1 fetch_and_deploy_gh_release "Scanopy" "scanopy/scanopy" "tarball" "latest" "/opt/scanopy" CLEAN_INSTALL=1 fetch_and_deploy_gh_release "scanopy" "scanopy/scanopy" "tarball" "latest" "/opt/scanopy"
ensure_dependencies pkg-config libssl-dev ensure_dependencies pkg-config libssl-dev
TOOLCHAIN="$(grep "channel" /opt/scanopy/backend/rust-toolchain.toml | awk -F\" '{print $2}')" TOOLCHAIN="$(grep "channel" /opt/scanopy/backend/rust-toolchain.toml | awk -F\" '{print $2}')"
@@ -61,22 +61,19 @@ function update_script() {
$STD npm run build $STD npm run build
msg_ok "Created frontend UI" msg_ok "Created frontend UI"
msg_info "Building Scanopy Server (patience)" msg_info "Building scanopy-server (patience)"
cd /opt/scanopy/backend cd /opt/scanopy/backend
$STD cargo build --release --bin server $STD cargo build --release --bin server
mv ./target/release/server /usr/bin/scanopy-server mv ./target/release/server /usr/bin/scanopy-server
msg_ok "Built Scanopy Server" msg_ok "Built scanopy-server"
if [[ -f /etc/systemd/system/scanopy-daemon.service ]]; then [[ -f /etc/systemd/system/scanopy-daemon.service ]] &&
fetch_and_deploy_gh_release "Scanopy Daemon" "scanopy/scanopy" "singlefile" "latest" "/usr/local/bin" "scanopy-daemon-linux-amd64" fetch_and_deploy_gh_release "scanopy" "scanopy/scanopy" "singlefile" "latest" "/usr/local/bin" "scanopy-daemon-linux-amd64" &&
mv "/usr/local/bin/Scanopy Daemon" /usr/local/bin/scanopy-daemon rm -f /usr/bin/scanopy-daemon ~/configure_daemon.sh &&
rm -f /usr/bin/scanopy-daemon ~/configure_daemon.sh
sed -i -e 's|usr/bin|usr/local/bin|' \ sed -i -e 's|usr/bin|usr/local/bin|' \
-e 's/push/daemon_poll/' \ -e 's/push/daemon_poll/' \
-e 's/pull/server_poll/' /etc/systemd/system/scanopy-daemon.service -e 's/pull/server_poll/' /etc/systemd/system/scanopy-daemon.service &&
systemctl daemon-reload systemctl daemon-reload
msg_ok "Updated Scanopy Daemon"
fi
msg_info "Starting services" msg_info "Starting services"
systemctl start scanopy-server systemctl start scanopy-server
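Review bot: In the last hunk the daemon update is one `&&` list, so a failed `fetch_and_deploy_gh_release` silently skips the cleanup, the unit rewrite and `systemctl daemon-reload`, and the script goes straight on to "Starting services" with whatever daemon binary was already installed; bash does not trip errexit or an ERR trap for a non-final command in an `&&` list. Putting the steps inside `if [[ -f /etc/systemd/system/scanopy-daemon.service ]]; then … fi`, one command per line, lets a failed download stop the update instead of passing unnoticed. The daemon fetch also reuses the app name `"scanopy"` that the tarball deploy earlier in update_script already passes; the helper's body is not on this page, but if it keys its version record or the output file name on that argument, the daemon download may be treated as already current or land under a name the unit's `usr/local/bin` path does not reference, so a distinct name for the daemon release is safer. update_script starts and ends outside these hunks.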


@@ -1,5 +1,5 @@
{ {
"generated": "2026-02-05T00:22:14Z", "generated": "2026-02-04T18:17:33Z",
"versions": [ "versions": [
{ {
"slug": "2fauth", "slug": "2fauth",
@@ -445,9 +445,9 @@
{ {
"slug": "headscale", "slug": "headscale",
"repo": "juanfont/headscale", "repo": "juanfont/headscale",
"version": "v0.28.0", "version": "v0.27.1",
"pinned": false, "pinned": false,
"date": "2026-02-04T20:40:23Z" "date": "2025-11-11T19:32:29Z"
}, },
{ {
"slug": "healthchecks", "slug": "healthchecks",
@@ -536,9 +536,9 @@
{ {
"slug": "invoiceninja", "slug": "invoiceninja",
"repo": "invoiceninja/invoiceninja", "repo": "invoiceninja/invoiceninja",
"version": "v5.12.54", "version": "v5.12.53",
"pinned": false, "pinned": false,
"date": "2026-02-04T23:52:17Z" "date": "2026-02-04T00:52:01Z"
}, },
{ {
"slug": "jackett", "slug": "jackett",
@@ -746,9 +746,9 @@
{ {
"slug": "mealie", "slug": "mealie",
"repo": "mealie-recipes/mealie", "repo": "mealie-recipes/mealie",
"version": "v3.10.2", "version": "v3.10.1",
"pinned": false, "pinned": false,
"date": "2026-02-04T23:32:32Z" "date": "2026-02-03T01:04:38Z"
}, },
{ {
"slug": "mediamanager", "slug": "mediamanager",
@@ -781,9 +781,9 @@
{ {
"slug": "metube", "slug": "metube",
"repo": "alexta69/metube", "repo": "alexta69/metube",
"version": "2026.02.04", "version": "2026.02.03",
"pinned": false, "pinned": false,
"date": "2026-02-04T20:01:18Z" "date": "2026-02-03T21:49:49Z"
}, },
{ {
"slug": "miniflux", "slug": "miniflux",
@@ -1096,9 +1096,9 @@
{ {
"slug": "pulse", "slug": "pulse",
"repo": "rcourtman/Pulse", "repo": "rcourtman/Pulse",
"version": "v5.1.2", "version": "v5.1.0",
"pinned": false, "pinned": false,
"date": "2026-02-05T00:18:57Z" "date": "2026-02-04T17:43:59Z"
}, },
{ {
"slug": "pve-scripts-local", "slug": "pve-scripts-local",
@@ -1271,9 +1271,9 @@
{ {
"slug": "speedtest-tracker", "slug": "speedtest-tracker",
"repo": "alexjustesen/speedtest-tracker", "repo": "alexjustesen/speedtest-tracker",
"version": "v1.13.8", "version": "v1.13.7",
"pinned": false, "pinned": false,
"date": "2026-02-04T19:24:23Z" "date": "2026-02-04T16:47:42Z"
}, },
{ {
"slug": "spoolman", "slug": "spoolman",


@@ -9,7 +9,7 @@
"updateable": true, "updateable": true,
"privileged": false, "privileged": false,
"interface_port": 3000, "interface_port": 3000,
"documentation": "https://github.com/alangrainger/immich-public-proxy/tree/main/docs", "documentation": "https://github.com/alangrainger/immich-public-proxy/docs",
"website": "https://github.com/alangrainger/immich-public-proxy", "website": "https://github.com/alangrainger/immich-public-proxy",
"logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/immich-public-proxy.webp", "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/immich-public-proxy.webp",
"config_path": "/opt/immich-proxy/app/.env", "config_path": "/opt/immich-proxy/app/.env",
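Review bot: The new `documentation` value `https://github.com/alangrainger/immich-public-proxy/docs` is not a URL shape GitHub serves for a directory inside a repository; directory views need the `/tree/<branch>/` segment. Keeping `https://github.com/alangrainger/immich-public-proxy/tree/main/docs` avoids sending users of this metadata to a dead link.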


@@ -1,64 +0,0 @@
{
"name": "OpenCloud",
"slug": "opencloud",
"categories": [
11
],
"date_created": "2025-12-12",
"type": "ct",
"updateable": true,
"privileged": false,
"interface_port": 443,
"documentation": "https://docs.opencloud.eu",
"config_path": "/etc/opencloud/opencloud.env, /etc/opencloud/opencloud.yaml, /etc/opencloud/csp.yaml",
"website": "https://opencloud.eu",
"logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/opencloud.webp",
"description": "OpenCloud is the file sharing and collaboration solution of the Heinlein Group. Through intelligent file management and a strong open source community, files become valuable resources, effectively structured and usable in the long term. With flexible data rooms and intelligent access rights, teams can access and work together on data anytime, anywhere without barriers, but with a lot of productivity.",
"install_methods": [
{
"type": "default",
"script": "ct/opencloud.sh",
"resources": {
"cpu": 2,
"ram": 2048,
"hdd": 20,
"os": "Debian",
"version": "13"
}
}
],
"default_credentials": {
"username": "admin",
"password": "randomly generated during the installation process"
},
"notes": [
{
"text": "Valid TLS certificates and fully-qualified domain names behind a reverse proxy (Caddy) for 3 services - OpenCloud, Collabora, and WOPI are **REQUIRED**",
"type": "warning"
},
{
"text": "Forgot your admin password? Check `admin_password` in the 'idm' section in `/etc/opencloud/opencloud.yaml`",
"type": "info"
},
{
"text": "**Optional External Apps**: extract zip archives from App Store to `/etc/opencloud/assets/apps`",
"type": "info"
},
{
"text": "**Optional CalDAV and CardDAV**: requires separate Radicale install. Edit and rename `/opt/opencloud/proxy.yaml.bak` and change your Radicale config to use `http_x_remote_user` as the auth method",
"type": "info"
},
{
"text": "**Optional OpenID**: Authelia and PocketID supported. Uncomment relevant lines in `/opt/opencloud/opencloud.env` and consult OpenCloud GitHub discussions for configuration tips",
"type": "info"
},
{
"text": "**Optional Full-text Search with Apache Tika**: requires your own Tika LXC. See `https://community-scripts.github.io/ProxmoxVE/scripts?id=apache-tika`",
"type": "info"
},
{
"text": "**Relevant services**: `opencloud.service`, `opencloud-wopi.service`, `coolwsd.service`",
"type": "info"
}
]
}


@@ -1,213 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) 2021-2026 community-scripts ORG
# Author: vhsdream
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
# Source: https://opencloud.eu
source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
color
verb_ip6
catch_errors
setting_up_container
network_check
update_os
MAX_ATTEMPTS=3
servers=("opencloud" "collabora" "wopi")
attempt=0
for server in "${servers[@]}"; do
until ((attempt >= MAX_ATTEMPTS)); do
attempt=$((attempt + 1))
read -rp "${TAB3}Enter the FQDN of your ${server^} server (ATTEMPT $attempt/$MAX_ATTEMPTS) (eg $server.domain.tld): " fqdn
if [[ -z "$fqdn" ]]; then
msg_warn "Domain cannot be empty!"
elif [[ "$fqdn" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
msg_warn "IP address not allowed! Please use a FQDN"
elif [[ "$fqdn" =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$ ]]; then
export ${server^^}_FQDN="$fqdn"
attempt=0
break
else
msg_warn "Invalid domain format!"
fi
done
if ((attempt >= MAX_ATTEMPTS)); then
msg_error "No more attempts - aborting script!"
exit 1
fi
done
msg_info "Installing Collabora Online"
curl -fsSL https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg -o /etc/apt/keyrings/collaboraonline-release-keyring.gpg
cat <<EOF >/etc/apt/sources.list.d/colloboraonline.sources
Types: deb
URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb
Suites: ./
Signed-By: /etc/apt/keyrings/collaboraonline-release-keyring.gpg
EOF
$STD apt-get update
$STD apt-get install -y coolwsd code-brand
systemctl stop coolwsd
mkdir -p /etc/systemd/system/coolwsd.service.d
cat <<EOF >/etc/systemd/system/coolwsd.service.d/override.conf
[Unit]
Before=opencloud-wopi.service
EOF
systemctl daemon-reload
COOLPASS="$(openssl rand -base64 36)"
$STD sudo -u cool coolconfig set-admin-password --user=admin --password="$COOLPASS"
echo "$COOLPASS" >~/.coolpass
msg_ok "Installed Collabora Online"
fetch_and_deploy_gh_release "opencloud" "opencloud-eu/opencloud" "singlefile" "v5.0.1" "/usr/bin" "opencloud-*-linux-amd64"
msg_info "Configuring OpenCloud"
DATA_DIR="/var/lib/opencloud/"
CONFIG_DIR="/etc/opencloud"
ENV_FILE="${CONFIG_DIR}/opencloud.env"
mkdir -p "$DATA_DIR" "$CONFIG_DIR"/assets/apps
curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/csp.yaml -o "$CONFIG_DIR"/csp.yaml
curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/proxy.yaml -o "$CONFIG_DIR"/proxy.yaml.bak
cat <<EOF >"$ENV_FILE"
OC_URL=https://${OPENCLOUD_FQDN}
OC_INSECURE=false
IDM_CREATE_DEMO_USERS=false
OC_LOG_LEVEL=warning
OC_CONFIG_DIR=${CONFIG_DIR}
OC_BASE_DATA_PATH=${DATA_DIR}
STORAGE_SYSTEM_OC_ROOT=${DATA_DIR}/storage/metadata
## Web
WEB_ASSET_CORE_PATH=${CONFIG_DIR}/web/assets
WEB_ASSET_APPS_PATH=${CONFIG_DIR}/web/assets/apps
WEB_UI_CONFIG_FILE=${CONFIG_DIR}/web/config.json
# WEB_ASSET_THEMES_PATH=${CONFIG_DIR}/web/assets/themes
# WEB_UI_THEME_PATH=
## Frontend
FRONTEND_DISABLE_RADICALE=true
FRONTEND_GROUPWARE_ENABLED=false
GRAPH_INCLUDE_OCM_SHAREES=true
## Proxy
PROXY_TLS=false
PROXY_CSP_CONFIG_FILE_LOCATION=${CONFIG_DIR}/csp.yaml
## Collaboration - requires VALID TLS
COLLABORA_DOMAIN=${COLLABORA_FQDN}
COLLABORATION_APP_NAME="CollaboraOnline"
COLLABORATION_APP_PRODUCT="Collabora"
COLLABORATION_APP_ADDR=https://${COLLABORA_FQDN}
COLLABORATION_APP_INSECURE=false
COLLABORATION_HTTP_ADDR=0.0.0.0:9300
COLLABORATION_WOPI_SRC=https://${WOPI_FQDN}
COLLABORATION_JWT_SECRET=
## Notifications - Email settings
# NOTIFICATIONS_SMTP_HOST=
# NOTIFICATIONS_SMTP_PORT=
# NOTIFICATIONS_SMTP_SENDER=
# NOTIFICATIONS_SMTP_USERNAME=
# NOTIFICATIONS_SMTP_PASSWORD=
# NOTIFICATIONS_SMTP_AUTHENTICATION=login
## Encryption method. Possible values are 'starttls', 'ssltls' and 'none'
# NOTIFICATIONS_SMTP_ENCRYPTION=starttls
## Allow insecure connections. Defaults to false.
# NOTIFICATIONS_SMTP_INSECURE=false
## Start additional services at runtime
## Examples: notifications, antivirus etc.
## Do not uncomment unless configured above.
# OC_ADD_RUN_SERVICES="notifications"
## OpenID - via web browser
## uncomment for OpenID in general
# OC_EXCLUDE_RUN_SERVICES=idp
# OC_OIDC_ISSUER=<your auth URL>
# IDP_DOMAIN=<your auth URL>
# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
# PROXY_OIDC_REWRITE_WELLKNOWN=true
# PROXY_USER_OIDC_CLAIM=preferred_username
# PROXY_USER_CS3_CLAIM=username
## automatically create accounts
# PROXY_AUTOPROVISION_ACCOUNTS=true
# WEB_OIDC_SCOPE=openid profile email groups
# GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
#
## uncomment below if using PocketID
# WEB_OIDC_CLIENT_ID=<generated in PocketID>
# WEB_OIDC_METADATA_URL=<your auth URL>/.well-known/openid-configuration
## Full Text Search - Apache Tika
## Requires a separate install of Tika - see https://community-scripts.github.io/ProxmoxVE/scripts?id=apache-tika
# SEARCH_EXTRACTOR_TYPE=tika
# FRONTEND_FULL_TEXT_SEARCH_ENABLED=true
# SEARCH_EXTRACTOR_TIKA_TIKA_URL=<your-tika-url>
## External storage test - Only NFS v4.2+ is supported
## User files
# STORAGE_USERS_POSIX_ROOT=<path-to-your-bind_mount>
EOF
cat <<EOF >/etc/systemd/system/opencloud.service
[Unit]
Description=OpenCloud server
After=network-online.target
[Service]
Type=simple
User=opencloud
Group=opencloud
EnvironmentFile=${ENV_FILE}
ExecStart=/usr/bin/opencloud server
Restart=always
[Install]
WantedBy=multi-user.target
EOF
cat <<EOF >/etc/systemd/system/opencloud-wopi.service
[Unit]
Description=OpenCloud WOPI Server
Wants=coolwsd.service
After=opencloud.service coolwsd.service
[Service]
Type=simple
User=opencloud
Group=opencloud
EnvironmentFile=${ENV_FILE}
ExecStartPre=/bin/sleep 10
ExecStart=/usr/bin/opencloud collaboration server
Restart=always
KillSignal=SIGKILL
KillMode=mixed
TimeoutStopSec=10
[Install]
WantedBy=multi-user.target
EOF
$STD sudo -u cool coolconfig set ssl.enable false
$STD sudo -u cool coolconfig set ssl.termination true
$STD sudo -u cool coolconfig set ssl.ssl_verification true
sed -i "s|CSP2\"/>|CSP2\">frame-ancestors https://${OPENCLOUD_FQDN}</content_security_policy>|" /etc/coolwsd/coolwsd.xml
useradd -r -M -s /usr/sbin/nologin opencloud
chown -R opencloud:opencloud "$CONFIG_DIR" "$DATA_DIR"
sudo -u opencloud opencloud init --config-path "$CONFIG_DIR" --insecure no
OPENCLOUD_SECRET="$(sed -n '/jwt/p' "$CONFIG_DIR"/opencloud.yaml | awk '{print $2}')"
sed -i "s/JWT_SECRET=/&${OPENCLOUD_SECRET//&/\\&}/" "$ENV_FILE"
msg_ok "Configured OpenCloud"
msg_info "Starting services"
systemctl enable -q --now coolwsd opencloud
sleep 5
systemctl enable -q --now opencloud-wopi
msg_ok "Started services"
motd_ssh
customize
cleanup_lxc


@@ -23,7 +23,7 @@ msg_ok "Installed Dependencies"
PG_VERSION=17 setup_postgresql PG_VERSION=17 setup_postgresql
NODE_VERSION="24" setup_nodejs NODE_VERSION="24" setup_nodejs
PG_DB_NAME="scanopy_db" PG_DB_USER="scanopy" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db PG_DB_NAME="scanopy_db" PG_DB_USER="scanopy" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
fetch_and_deploy_gh_release "Scanopy" "scanopy/scanopy" "tarball" "latest" "/opt/scanopy" fetch_and_deploy_gh_release "scanopy" "scanopy/scanopy" "tarball" "latest" "/opt/scanopy"
TOOLCHAIN="$(grep "channel" /opt/scanopy/backend/rust-toolchain.toml | awk -F\" '{print $2}')" TOOLCHAIN="$(grep "channel" /opt/scanopy/backend/rust-toolchain.toml | awk -F\" '{print $2}')"
RUST_TOOLCHAIN=$TOOLCHAIN setup_rust RUST_TOOLCHAIN=$TOOLCHAIN setup_rust
@@ -35,11 +35,11 @@ $STD npm ci --no-fund --no-audit
$STD npm run build $STD npm run build
msg_ok "Created frontend UI" msg_ok "Created frontend UI"
msg_info "Building Scanopy Server (patience)" msg_info "Building scanopy-server (patience)"
cd /opt/scanopy/backend cd /opt/scanopy/backend
$STD cargo build --release --bin server $STD cargo build --release --bin server
mv ./target/release/server /usr/bin/scanopy-server mv ./target/release/server /usr/bin/scanopy-server
msg_ok "Built Scanopy Server" msg_ok "Built scanopy-server"
msg_info "Configuring server for first-run" msg_info "Configuring server for first-run"
cat <<EOF >/opt/scanopy/.env cat <<EOF >/opt/scanopy/.env


@@ -28,13 +28,210 @@
# ============================================================================== # ==============================================================================
# These can be overridden before sourcing this library # These can be overridden before sourcing this library
# Disable 'unbound variable' errors for this library (restored at end)
_OLD_SET_STATE=$(set +o | grep -E 'set -(e|u|o)')
set +u
CLOUDINIT_DEFAULT_USER="${CLOUDINIT_DEFAULT_USER:-root}" CLOUDINIT_DEFAULT_USER="${CLOUDINIT_DEFAULT_USER:-root}"
CLOUDINIT_DNS_SERVERS="${CLOUDINIT_DNS_SERVERS:-1.1.1.1 8.8.8.8}" CLOUDINIT_DNS_SERVERS="${CLOUDINIT_DNS_SERVERS:-1.1.1.1 8.8.8.8}"
CLOUDINIT_SEARCH_DOMAIN="${CLOUDINIT_SEARCH_DOMAIN:-local}" CLOUDINIT_SEARCH_DOMAIN="${CLOUDINIT_SEARCH_DOMAIN:-local}"
CLOUDINIT_SSH_KEYS="${CLOUDINIT_SSH_KEYS:-/root/.ssh/authorized_keys}" CLOUDINIT_SSH_KEYS="${CLOUDINIT_SSH_KEYS:-}" # Empty by default - user must explicitly provide keys
# ============================================================================== # ==============================================================================
# SECTION 2: HELPER FUNCTIONS # SECTION 2: SSH KEY DISCOVERY AND SELECTION
# ==============================================================================
# ------------------------------------------------------------------------------
# _ci_ssh_extract_keys_from_file - Extracts valid SSH public keys from a file
# ------------------------------------------------------------------------------
function _ci_ssh_extract_keys_from_file() {
local file="$1"
[[ -f "$file" && -r "$file" ]] || return 0
grep -E '^(ssh-(rsa|ed25519|dss|ecdsa)|ecdsa-sha2-)' "$file" 2>/dev/null || true
}
# ------------------------------------------------------------------------------
# _ci_ssh_discover_files - Scans standard paths for SSH keys
# ------------------------------------------------------------------------------
function _ci_ssh_discover_files() {
local -a cand=()
shopt -s nullglob
cand+=(/root/.ssh/authorized_keys /root/.ssh/authorized_keys2)
cand+=(/root/.ssh/*.pub)
cand+=(/etc/ssh/authorized_keys /etc/ssh/authorized_keys.d/*)
shopt -u nullglob
printf '%s\0' "${cand[@]}"
}
# ------------------------------------------------------------------------------
# _ci_ssh_build_choices - Builds whiptail checklist from SSH key files
#
# Sets: CI_SSH_CHOICES (array), CI_SSH_COUNT (int), CI_SSH_MAPFILE (path)
# ------------------------------------------------------------------------------
function _ci_ssh_build_choices() {
local -a files=("$@")
CI_SSH_CHOICES=()
CI_SSH_COUNT=0
CI_SSH_MAPFILE="$(mktemp)"
local id key typ fp cmt base
for f in "${files[@]}"; do
[[ -f "$f" && -r "$f" ]] || continue
base="$(basename -- "$f")"
# Skip known_hosts and private keys
case "$base" in
known_hosts | known_hosts.* | config) continue ;;
id_*) [[ "$f" != *.pub ]] && continue ;;
esac
while IFS= read -r key; do
[[ -n "$key" ]] || continue
typ=""
fp=""
cmt=""
read -r _typ _b64 _cmt <<<"$key"
typ="${_typ:-key}"
cmt="${_cmt:-}"
# Get fingerprint via ssh-keygen if available
if command -v ssh-keygen >/dev/null 2>&1; then
fp="$(printf '%s\n' "$key" | ssh-keygen -lf - 2>/dev/null | awk '{print $2}')"
fi
# Shorten long comments
[[ ${#cmt} -gt 40 ]] && cmt="${cmt:0:37}..."
CI_SSH_COUNT=$((CI_SSH_COUNT + 1))
id="K${CI_SSH_COUNT}"
echo "${id}|${key}" >>"$CI_SSH_MAPFILE"
CI_SSH_CHOICES+=("$id" "[$typ] ${fp:+$fp }${cmt:+$cmt }${base}" "OFF")
done < <(_ci_ssh_extract_keys_from_file "$f")
done
}
# ------------------------------------------------------------------------------
# configure_cloudinit_ssh_keys - Interactive SSH key selection for Cloud-Init
#
# Usage: configure_cloudinit_ssh_keys
# Sets: CLOUDINIT_SSH_KEYS (path to temporary file with selected keys)
# ------------------------------------------------------------------------------
function configure_cloudinit_ssh_keys() {
local backtitle="Proxmox VE Helper Scripts"
local ssh_key_mode
# Create temp file for selected keys
CLOUDINIT_SSH_KEYS_TEMP="$(mktemp)"
: >"$CLOUDINIT_SSH_KEYS_TEMP"
# Discover keys and build choices
IFS=$'\0' read -r -d '' -a _def_files < <(_ci_ssh_discover_files && printf '\0')
_ci_ssh_build_choices "${_def_files[@]}"
local default_key_count="$CI_SSH_COUNT"
if [[ "$default_key_count" -gt 0 ]]; then
ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
"Provision SSH keys for Cloud-Init VM:" 14 72 4 \
"found" "Select from detected keys (${default_key_count})" \
"manual" "Paste a single public key" \
"folder" "Scan another folder (path or glob)" \
"none" "No SSH keys (password auth only)" 3>&1 1>&2 2>&3) || return 1
else
ssh_key_mode=$(whiptail --backtitle "$backtitle" --title "SSH KEY SOURCE" --menu \
"No host keys detected. Choose:" 12 72 3 \
"manual" "Paste a single public key" \
"folder" "Scan another folder (path or glob)" \
"none" "No SSH keys (password auth only)" 3>&1 1>&2 2>&3) || return 1
fi
case "$ssh_key_mode" in
found)
# Show checklist with individual keys
local selection
selection=$(whiptail --backtitle "$backtitle" --title "SELECT SSH KEYS" \
--checklist "Select one or more keys to import:" 20 140 10 "${CI_SSH_CHOICES[@]}" 3>&1 1>&2 2>&3) || return 1
for tag in $selection; do
tag="${tag%\"}"
tag="${tag#\"}"
local line
line=$(grep -E "^${tag}\|" "$CI_SSH_MAPFILE" | head -n1 | cut -d'|' -f2-)
[[ -n "$line" ]] && printf '%s\n' "$line" >>"$CLOUDINIT_SSH_KEYS_TEMP"
done
local imported
imported=$(wc -l <"$CLOUDINIT_SSH_KEYS_TEMP")
echo -e "${ROOTSSH:- 🔑 }${BOLD}${DGN}SSH Keys: ${BGN}${imported} key(s) selected${CL}"
;;
manual)
local pubkey
pubkey=$(whiptail --backtitle "$backtitle" --title "PASTE SSH PUBLIC KEY" \
--inputbox "Paste your SSH public key (ssh-rsa, ssh-ed25519, etc.):" 10 76 3>&1 1>&2 2>&3) || return 1
if [[ -n "$pubkey" ]]; then
echo "$pubkey" >"$CLOUDINIT_SSH_KEYS_TEMP"
echo -e "${ROOTSSH:- 🔑 }${BOLD}${DGN}SSH Keys: ${BGN}1 key added manually${CL}"
else
echo -e "${ROOTSSH:- 🔑 }${BOLD}${DGN}SSH Keys: ${BGN}none (empty input)${CL}"
CLOUDINIT_SSH_KEYS=""
rm -f "$CLOUDINIT_SSH_KEYS_TEMP" "$CI_SSH_MAPFILE" 2>/dev/null
return 0
fi
;;
folder)
local glob_path
glob_path=$(whiptail --backtitle "$backtitle" --title "SCAN FOLDER/GLOB" \
--inputbox "Enter a folder or glob to scan (e.g. /root/.ssh/*.pub):" 10 72 3>&1 1>&2 2>&3) || return 1
if [[ -n "$glob_path" ]]; then
shopt -s nullglob
local -a _scan_files=($glob_path)
shopt -u nullglob
if [[ "${#_scan_files[@]}" -gt 0 ]]; then
_ci_ssh_build_choices "${_scan_files[@]}"
if [[ "$CI_SSH_COUNT" -gt 0 ]]; then
local folder_selection
folder_selection=$(whiptail --backtitle "$backtitle" --title "SELECT FOLDER KEYS" \
--checklist "Select key(s) to import:" 20 140 10 "${CI_SSH_CHOICES[@]}" 3>&1 1>&2 2>&3) || return 1
for tag in $folder_selection; do
tag="${tag%\"}"
tag="${tag#\"}"
local line
line=$(grep -E "^${tag}\|" "$CI_SSH_MAPFILE" | head -n1 | cut -d'|' -f2-)
[[ -n "$line" ]] && printf '%s\n' "$line" >>"$CLOUDINIT_SSH_KEYS_TEMP"
done
local imported
imported=$(wc -l <"$CLOUDINIT_SSH_KEYS_TEMP")
echo -e "${ROOTSSH:- 🔑 }${BOLD}${DGN}SSH Keys: ${BGN}${imported} key(s) from folder${CL}"
else
whiptail --backtitle "$backtitle" --msgbox "No keys found in: $glob_path" 8 60
fi
else
whiptail --backtitle "$backtitle" --msgbox "Path/glob returned no files." 8 60
fi
fi
;;
none | *)
echo -e "${ROOTSSH:- 🔑 }${BOLD}${DGN}SSH Keys: ${BGN}none (password auth only)${CL}"
CLOUDINIT_SSH_KEYS=""
rm -f "$CLOUDINIT_SSH_KEYS_TEMP" "$CI_SSH_MAPFILE" 2>/dev/null
return 0
;;
esac
# Cleanup mapfile
rm -f "$CI_SSH_MAPFILE" 2>/dev/null
# Set the variable for setup_cloud_init to use
if [[ -s "$CLOUDINIT_SSH_KEYS_TEMP" ]]; then
CLOUDINIT_SSH_KEYS="$CLOUDINIT_SSH_KEYS_TEMP"
else
CLOUDINIT_SSH_KEYS=""
rm -f "$CLOUDINIT_SSH_KEYS_TEMP"
fi
return 0
}
# ==============================================================================
# SECTION 3: HELPER FUNCTIONS
# ============================================================================== # ==============================================================================
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
@@ -144,9 +341,10 @@ function setup_cloud_init() {
local cipassword=$(openssl rand -base64 16) local cipassword=$(openssl rand -base64 16)
qm set "$vmid" --cipassword "$cipassword" >/dev/null qm set "$vmid" --cipassword "$cipassword" >/dev/null
# Add SSH keys if available # Add SSH keys only if explicitly provided (not auto-imported from host)
if [ -f "$CLOUDINIT_SSH_KEYS" ]; then if [ -n "${CLOUDINIT_SSH_KEYS:-}" ] && [ -f "$CLOUDINIT_SSH_KEYS" ]; then
qm set "$vmid" --sshkeys "$CLOUDINIT_SSH_KEYS" >/dev/null 2>&1 || true qm set "$vmid" --sshkeys "$CLOUDINIT_SSH_KEYS" >/dev/null 2>&1 || true
_ci_msg_info "SSH keys imported from: $CLOUDINIT_SSH_KEYS"
fi fi
# Configure network # Configure network
@@ -459,6 +657,11 @@ export -f wait_for_cloud_init 2>/dev/null || true
export -f validate_ip_cidr 2>/dev/null || true export -f validate_ip_cidr 2>/dev/null || true
export -f validate_ip 2>/dev/null || true export -f validate_ip 2>/dev/null || true
# Restore previous shell options if they were saved
if [ -n "${_OLD_SET_STATE:-}" ]; then
eval "$_OLD_SET_STATE"
fi
# ============================================================================== # ==============================================================================
# SECTION 7: EXAMPLES & DOCUMENTATION # SECTION 7: EXAMPLES & DOCUMENTATION
# ============================================================================== # ==============================================================================
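Review bot: In the setup_cloud_init hunk, `qm set "$vmid" --sshkeys "$CLOUDINIT_SSH_KEYS" >/dev/null 2>&1 || true` discards any failure and the added `_ci_msg_info "SSH keys imported from: …"` then runs unconditionally, so a rejected key file (the `manual` branch writes the pasted text without checking that it is a public key) is reported as imported while the VM is left with password login only. Gate the message on the command's status, e.g. `if qm set "$vmid" --sshkeys "$CLOUDINIT_SSH_KEYS" >/dev/null 2>&1; then _ci_msg_info "SSH keys imported from: $CLOUDINIT_SSH_KEYS"; else echo "SSH key import failed: $CLOUDINIT_SSH_KEYS" >&2; fi`. Separately, in configure_cloudinit_ssh_keys, `IFS=$'\0' read -r -d '' -a _def_files` stops at the first NUL, so only the first discovered path is ever scanned; `mapfile -d '' -t _def_files < <(_ci_ssh_discover_files)` reads the whole list. The `mktemp` files are also left behind on every `|| return 1` cancel path and when the `folder` branch calls `_ci_ssh_build_choices` a second time, so a cleanup before those returns would cover it. setup_cloud_init's body continues outside its hunk.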


@@ -1,6 +0,0 @@
____ _ __ ____ __ ___ ____
/ _/___ ___ ____ ___ (_)____/ /_ / __ \__ __/ /_ / (_)____ / __ \_________ _ ____ __
/ // __ `__ \/ __ `__ \/ / ___/ __ \ / /_/ / / / / __ \/ / / ___/ / /_/ / ___/ __ \| |/_/ / / /
_/ // / / / / / / / / / / / /__/ / / / / ____/ /_/ / /_/ / / / /__ / ____/ / / /_/ /> </ /_/ /
/___/_/ /_/ /_/_/ /_/ /_/_/\___/_/ /_/ /_/ \__,_/_.___/_/_/\___/ /_/ /_/ \____/_/|_|\__, /
/____/