Install pytz in backend update script

endurain: Install pytz package during backend setup
Add pytz to the installation requirements for the backend.
2026-06-09 17:15:14 +02:00 · 2026-06-09 10:18:57 +02:00 · 2026-06-09 10:17:53 +02:00 · 2026-06-08 20:46:25 +00:00 · 2026-06-08 20:29:01 +00:00 · 2026-06-08 22:28:40 +02:00
26 changed files with 121 additions and 310 deletions
@@ -480,8 +480,38 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 </details>

+## 2026-06-08
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - security: Fix HTTP to HTTPS for all package and repository downloads [@MickLesk](https://github.com/MickLesk) ([#15009](https://github.com/community-scripts/ProxmoxVE/pull/15009))
+    - homelable: preserve MCP server config across updates [@ferr079](https://github.com/ferr079) ([#14996](https://github.com/community-scripts/ProxmoxVE/pull/14996))
+    - changedetection: migrate Python install to uv venv [@ferr079](https://github.com/ferr079) ([#14995](https://github.com/community-scripts/ProxmoxVE/pull/14995))
+
+  - #### 🔧 Refactor
+
+    - Update Flowwiseai to node 24 [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14999](https://github.com/community-scripts/ProxmoxVE/pull/14999))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - security: Fix MITM RCE vulnerability in microcode scripts (CVE) [@MickLesk](https://github.com/MickLesk) ([#15007](https://github.com/community-scripts/ProxmoxVE/pull/15007))
+
 ## 2026-06-07

+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Immich: use actual installed PostgreSQL version for vchord package [@MickLesk](https://github.com/MickLesk) ([#14989](https://github.com/community-scripts/ProxmoxVE/pull/14989))
+
+  - #### 🔧 Refactor
+
+    - Navidrome: remove genereic filebrowser addon setup [@MickLesk](https://github.com/MickLesk) ([#14991](https://github.com/community-scripts/ProxmoxVE/pull/14991))
+
 ## 2026-06-06

 ### 🆕 New Scripts
@@ -34,13 +34,32 @@ function update_script() {

  NODE_VERSION="24" setup_nodejs

-  msg_info "Updating ${APP}"
-  $STD pip3 install changedetection.io --upgrade --break-system-packages --ignore-installed typing_extensions
-  msg_ok "Updated ${APP}"
+  VENV_PATH="/opt/changedetection/.venv"
+  CHANGEDETECTION_BIN="${VENV_PATH}/bin/changedetection.io"

-  msg_info "Updating Playwright"
-  $STD pip3 install playwright --upgrade --break-system-packages
-  msg_ok "Updated Playwright"
+  PYTHON_VERSION="3.13" setup_uv
+
+  if [[ ! -d "$VENV_PATH" || ! -x "$CHANGEDETECTION_BIN" ]]; then
+    msg_info "Migrating to uv/venv"
+    rm -rf "$VENV_PATH"
+    $STD uv venv --clear "$VENV_PATH"
+    $STD "$VENV_PATH/bin/python" -m ensurepip --upgrade
+    $STD "$VENV_PATH/bin/python" -m pip install --upgrade pip
+    $STD "$VENV_PATH/bin/python" -m pip install changedetection.io playwright
+    msg_ok "Migrated to uv/venv"
+  else
+    msg_info "Updating ${APP}"
+    $STD "$VENV_PATH/bin/python" -m pip install --upgrade changedetection.io playwright
+    msg_ok "Updated ${APP}"
+  fi
+
+  SERVICE_FILE="/etc/systemd/system/changedetection.service"
+  if ! grep -q "${VENV_PATH}/bin/changedetection.io" "$SERVICE_FILE"; then
+    msg_info "Updating systemd service"
+    sed -i "s|^ExecStart=.*|ExecStart=${VENV_PATH}/bin/changedetection.io -d /opt/changedetection -p 5000|" "$SERVICE_FILE"
+    $STD systemctl daemon-reload
+    msg_ok "Updated systemd service"
+  fi

  if [[ -f /etc/systemd/system/browserless.service ]]; then
    msg_info "Updating Browserless (Patience)"
@@ -64,6 +64,7 @@ function update_script() {
    $STD poetry export -f requirements.txt --output requirements.txt --without-hashes
    $STD uv venv --clear
    $STD uv pip install -r requirements.txt
+    $STD uv pip install pytz
    msg_ok "Backend Updated"

    msg_info "Starting Service"
@@ -29,7 +29,7 @@ function update_script() {
    exit
  fi

-  NODE_VERSION="20" NODE_MODULE="pnpm" setup_nodejs
+  NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs

  msg_info "Updating FlowiseAI (this may take some time)"
  systemctl stop flowise
@@ -1,6 +0,0 @@
-    ____                             ___     
-   / __ \____ _____  ___  __________/ (_)___ 
-  / /_/ / __ `/ __ \/ _ \/ ___/ ___/ / / __ \
- / ____/ /_/ / /_/ /  __/ /  / /__/ / / /_/ /
-/_/    \__,_/ .___/\___/_/   \___/_/_/ .___/ 
-           /_/                      /_/      
@@ -38,6 +38,9 @@ function update_script() {
    msg_info "Backing up Configuration and Data"
    cp /opt/homelable/backend/.env /opt/homelable.env.bak
    cp -r /opt/homelable/data /opt/homelable_data_bak
+    if [[ -f /opt/homelable/mcp/.env ]]; then
+      cp -a /opt/homelable/mcp/.env /opt/homelable-mcp.env.bak
+    fi
    msg_ok "Backed up Configuration and Data"

    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "homelable" "Pouzor/homelable" "tarball" "latest" "/opt/homelable"
@@ -61,6 +64,19 @@ function update_script() {
    rm -rf /opt/homelable_data_bak
    msg_ok "Restored Configuration and Data"

+    if [[ -f /opt/homelable-mcp.env.bak ]]; then
+      msg_info "Restoring MCP Server"
+      cp -a /opt/homelable-mcp.env.bak /opt/homelable/mcp/.env
+      rm -f /opt/homelable-mcp.env.bak
+      MCP_OWNER=$(stat -c '%U' /opt/homelable/mcp/.env)
+      cd /opt/homelable/mcp
+      $STD uv venv --clear /opt/homelable/mcp/.venv
+      $STD uv pip install --python /opt/homelable/mcp/.venv/bin/python -r requirements.txt
+      chown -R "$MCP_OWNER":"$MCP_OWNER" /opt/homelable/mcp
+      systemctl restart homelable-mcp
+      msg_ok "Restored MCP Server"
+    fi
+
    msg_info "Starting Service"
    systemctl start homelable
    msg_ok "Started Service"
@@ -31,7 +31,7 @@ function update_script() {
  fi
  ensure_dependencies python3-lxml
  if ! [[ $(dpkg -s python3-lxml-html-clean 2>/dev/null) ]]; then
-    curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
+    curl -fsSL --proto '=https' "https://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
    $STD dpkg -i /opt/python3-lxml-html-clean.deb
    rm -f /opt/python3-lxml-html-clean.deb
  fi
@@ -1,83 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: Fabian Pulch (fpulch)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/paperclipai/paperclip
-
-APP="Paperclip"
-var_tags="${var_tags:-ai;automation;dev-tools}"
-var_cpu="${var_cpu:-4}"
-var_ram="${var_ram:-8192}"
-var_disk="${var_disk:-20}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_arm64="${var_arm64:-no}"
-var_unprivileged="${var_unprivileged:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -d /opt/paperclip-ai ]]; then
-    msg_error "No ${APP} Installation Found!"
-    exit
-  fi
-
-  if check_for_gh_release "paperclip-ai" "paperclipai/paperclip"; then
-    msg_info "Stopping Service"
-    systemctl stop paperclip
-    msg_ok "Stopped Service"
-
-    msg_info "Backing up Configuration"
-    cp /opt/paperclip-ai/.env /opt/paperclip.env.bak
-    msg_ok "Backed up Configuration"
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "paperclip-ai" "paperclipai/paperclip" "tarball"
-
-    msg_info "Restoring Configuration"
-    mv /opt/paperclip.env.bak /opt/paperclip-ai/.env
-    msg_ok "Restored Configuration"
-
-    msg_info "Rebuilding Paperclip"
-    cd /opt/paperclip-ai
-    export HUSKY=0
-    export NODE_OPTIONS="--max-old-space-size=8192"
-    $STD pnpm install --frozen-lockfile
-    $STD pnpm build
-    unset NODE_OPTIONS
-    msg_ok "Rebuilt Paperclip"
-
-    msg_info "Updating Agent CLIs"
-    $STD npm install -g \
-      @anthropic-ai/claude-code@latest \
-      @openai/codex@latest
-    msg_ok "Updated Agent CLIs"
-
-    msg_info "Running Database Migrations"
-    set -a && source /opt/paperclip-ai/.env && set +a
-    $STD pnpm db:migrate
-    msg_ok "Ran Database Migrations"
-
-    msg_info "Starting Service"
-    systemctl start paperclip
-    msg_ok "Started Service"
-    msg_ok "Updated successfully!"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed Successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3100${CL}"
@@ -43,19 +43,16 @@ $STD apt-get install -y \
  ca-certificates
 msg_ok "Installed Dependencies"

-msg_info "Setup Python3"
-$STD apt-get install -y \
-  python3 \
-  python3-dev \
-  python3-pip
-rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED
-msg_ok "Setup Python3"
+PYTHON_VERSION="3.13" setup_uv

 NODE_VERSION="24" setup_nodejs

 msg_info "Installing Change Detection"
-mkdir /opt/changedetection
-$STD pip3 install changedetection.io
+mkdir -p /opt/changedetection
+$STD uv venv --clear /opt/changedetection/.venv
+$STD /opt/changedetection/.venv/bin/python -m ensurepip --upgrade
+$STD /opt/changedetection/.venv/bin/python -m pip install --upgrade pip
+$STD /opt/changedetection/.venv/bin/python -m pip install changedetection.io
 cat <<EOF >/opt/changedetection/.env
 WEBDRIVER_URL=http://127.0.0.1:4444/wd/hub
 PLAYWRIGHT_DRIVER_URL=ws://localhost:3000/chrome?launch=eyJkZWZhdWx0Vmlld3BvcnQiOnsiaGVpZ2h0Ijo3MjAsIndpZHRoIjoxMjgwfSwiaGVhZGxlc3MiOmZhbHNlLCJzdGVhbHRoIjp0cnVlfQ==&blockAds=true
@@ -64,7 +61,7 @@ msg_ok "Installed Change Detection"

 msg_info "Installing Browserless & Playwright"
 mkdir /opt/browserless
-$STD python3 -m pip install playwright
+$STD /opt/changedetection/.venv/bin/python -m pip install playwright
 $STD git clone https://github.com/browserless/chrome /opt/browserless
 $STD npm ci --include=optional --include=dev --prefix /opt/browserless
 $STD /opt/browserless/node_modules/playwright-core/cli.js install --with-deps &>/dev/null
@@ -121,7 +118,7 @@ Wants=browserless.service
 Type=simple
 EnvironmentFile=/opt/changedetection/.env
 WorkingDirectory=/opt/changedetection
-ExecStart=changedetection.io -d /opt/changedetection -p 5000
+ExecStart=/opt/changedetection/.venv/bin/changedetection.io -d /opt/changedetection -p 5000

 [Install]
 WantedBy=multi-user.target
@@ -16,14 +16,14 @@ update_os
 msg_info "Setting Phoscon Repository"
 setup_deb822_repo \
  "deconz" \
-  "http://phoscon.de/apt/deconz.pub.key" \
-  "http://phoscon.de/apt/deconz" \
+  "https://phoscon.de/apt/deconz.pub.key" \
+  "https://phoscon.de/apt/deconz" \
  "generic"
 msg_ok "Setup Phoscon Repository"

 msg_info "Installing deConz"
-libssl=$(curl -fsSL "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/" | grep -o 'libssl1\.1_1\.1\.1f-1ubuntu2\.2[^"]*amd64\.deb' | head -n1)
-curl -fsSL "http://security.ubuntu.com/ubuntu/pool/main/o/openssl/$libssl" -o "$libssl"
+libssl=$(curl -fsSL --proto '=https' "https://security.ubuntu.com/ubuntu/pool/main/o/openssl/" | grep -o 'libssl1\.1_1\.1\.1f-1ubuntu2\.2[^"]*amd64\.deb' | head -n1)
+curl -fsSL --proto '=https' "https://security.ubuntu.com/ubuntu/pool/main/o/openssl/$libssl" -o "$libssl"
 $STD dpkg -i "$libssl"
 $STD apt install -y deconz
 rm -rf "$libssl"
@@ -88,6 +88,7 @@ $STD poetry self add poetry-plugin-export
 $STD poetry export -f requirements.txt --output requirements.txt --without-hashes
 $STD uv venv --clear
 $STD uv pip install -r requirements.txt
+$STD uv pip install pytz
 msg_ok "Setup Backend"

 msg_info "Creating Service"
@@ -17,7 +17,7 @@ msg_info "Installing Dependencies"
 $STD apt install -y build-essential python3-dev
 msg_ok "Installed Dependencies"

-NODE_VERSION="20" setup_nodejs
+NODE_VERSION="24" setup_nodejs

 msg_info "Installing FlowiseAI (Patience)"
 $STD npm install -g flowise \
@@ -15,7 +15,7 @@ update_os
 msg_info "Setup GlobaLeaks"
 DISTRO_CODENAME="$(awk -F= '/^VERSION_CODENAME=/{print $2}' /etc/os-release)"
 curl -fsSL https://deb.globaleaks.org/globaleaks.asc | gpg --dearmor -o /etc/apt/trusted.gpg.d/globaleaks.gpg
-echo "deb [signed-by=/etc/apt/trusted.gpg.d/globaleaks.gpg] http://deb.globaleaks.org $DISTRO_CODENAME/" >/etc/apt/sources.list.d/globaleaks.list
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/globaleaks.gpg] https://deb.globaleaks.org $DISTRO_CODENAME/" >/etc/apt/sources.list.d/globaleaks.list
 echo 'APPARMOR_SANDBOXING=0' >/etc/default/globaleaks
 $STD apt update
 $STD apt -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold install globaleaks
@@ -149,10 +149,13 @@ msg_ok "Installed packages from Debian Testing repo"
 setup_uv
 PG_VERSION="16" PG_MODULES="pgvector" setup_postgresql

-VCHORD_RELEASE="0.5.3"
-fetch_and_deploy_gh_release "VectorChord" "tensorchord/VectorChord" "binary" "${VCHORD_RELEASE}" "/tmp" "postgresql-16-vchord_*_amd64.deb"
+ACTUAL_PG_VERSION=$(ls /etc/postgresql/ 2>/dev/null | sort -V | tail -1)
+ACTUAL_PG_VERSION=${ACTUAL_PG_VERSION:-16}

-sed -i "s/^#shared_preload.*/shared_preload_libraries = 'vchord.so'/" /etc/postgresql/16/main/postgresql.conf
+VCHORD_RELEASE="0.5.3"
+fetch_and_deploy_gh_release "VectorChord" "tensorchord/VectorChord" "binary" "${VCHORD_RELEASE}" "/tmp" "postgresql-${ACTUAL_PG_VERSION}-vchord_*_amd64.deb"
+
+sed -i "s/^#shared_preload.*/shared_preload_libraries = 'vchord.so'/" /etc/postgresql/${ACTUAL_PG_VERSION}/main/postgresql.conf
 systemctl restart postgresql.service
 PG_DB_NAME="immich" PG_DB_USER="immich" PG_DB_GRANT_SUPERUSER="true" PG_DB_SKIP_ALTER_ROLE="true" setup_postgresql_db

@@ -20,7 +20,7 @@ $STD apt install -y \
  mediainfo

 cat <<EOF >/etc/apt/sources.list.d/non-free.list
-deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
 EOF
 $STD apt update
 $STD apt install -y unrar
@@ -23,11 +23,6 @@ msg_info "Starting Navidrome"
 systemctl enable -q --now navidrome
 msg_ok "Started Navidrome"

-read -p "${TAB3}Do you want to install filebrowser addon? (y/n) " -n 1 -r
-if [[ $REPLY =~ ^[Yy]$ ]]; then
-  bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/tools/addon/filebrowser.sh)"
-fi
-
 motd_ssh
 customize
 cleanup_lxc
@@ -15,7 +15,7 @@ update_os

 msg_info "Installing Dependencies"
 $STD apt install -y python3-lxml wkhtmltopdf
-curl -fsSL "http://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
+curl -fsSL --proto '=https' "https://archive.ubuntu.com/ubuntu/pool/universe/l/lxml-html-clean/python3-lxml-html-clean_0.1.1-1_all.deb" -o /opt/python3-lxml-html-clean.deb
 $STD dpkg -i /opt/python3-lxml-html-clean.deb
 msg_ok "Installed Dependencies"

@@ -1,162 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: Fabian Pulch (fpulch)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/paperclipai/paperclip
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  build-essential \
-  git \
-  ripgrep
-msg_ok "Installed Dependencies"
-
-NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
-PG_VERSION="17" setup_postgresql
-PG_DB_NAME="paperclip" PG_DB_USER="paperclip" setup_postgresql_db
-
-fetch_and_deploy_gh_release "paperclip-ai" "paperclipai/paperclip" "tarball"
-
-msg_info "Building Paperclip"
-cd /opt/paperclip-ai
-export HUSKY=0
-export NODE_OPTIONS="--max-old-space-size=8192"
-$STD pnpm install --frozen-lockfile
-$STD pnpm build
-unset NODE_OPTIONS
-msg_ok "Built Paperclip"
-
-msg_info "Installing Agent CLIs"
-$STD npm install -g \
-  @anthropic-ai/claude-code@latest \
-  @openai/codex@latest
-msg_ok "Installed Agent CLIs"
-
-msg_info "Configuring Paperclip"
-PAPERCLIP_HOME="/opt/paperclip-data"
-PAPERCLIP_CONFIG="${PAPERCLIP_HOME}/instances/default/config.json"
-
-mkdir -p /opt/paperclip-data
-mkdir -p /root/.claude /root/.codex
-BETTER_AUTH_SECRET=$(openssl rand -hex 32)
-cat <<EOF >/opt/paperclip-ai/.env
-DATABASE_URL=postgresql://${PG_DB_USER}:${PG_DB_PASS}@127.0.0.1:5432/${PG_DB_NAME}
-HOST=0.0.0.0
-PORT=3100
-SERVE_UI=true
-PAPERCLIP_HOME=${PAPERCLIP_HOME}
-PAPERCLIP_CONFIG=${PAPERCLIP_CONFIG}
-PAPERCLIP_INSTANCE_ID=default
-PAPERCLIP_DEPLOYMENT_MODE=authenticated
-PAPERCLIP_DEPLOYMENT_EXPOSURE=private
-PAPERCLIP_PUBLIC_URL=http://${LOCAL_IP}:3100
-BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET}
-EOF
-msg_ok "Configured Paperclip"
-
-msg_info "Running Database Migrations"
-set -a && source /opt/paperclip-ai/.env && set +a
-$STD pnpm db:migrate
-msg_ok "Ran Database Migrations"
-
-msg_info "Bootstrapping Paperclip"
-PAPERCLIP_ONBOARD_LOG=/opt/paperclip-ai/paperclip-onboard.log
-PAPERCLIP_BOOTSTRAP_LOG=/opt/paperclip-ai/paperclip-bootstrap.log
-
-for PAPERCLIP_ONBOARD_CMD in \
-  "pnpm paperclipai onboard --yes --bind lan" \
-  "pnpm paperclipai onboard --yes"; do
-  rm -f "$PAPERCLIP_ONBOARD_LOG"
-  setsid env \
-    PAPERCLIP_HOME="$PAPERCLIP_HOME" \
-    PAPERCLIP_CONFIG="$PAPERCLIP_CONFIG" \
-    bash -c 'cd /opt/paperclip-ai && exec "$@"' _ $PAPERCLIP_ONBOARD_CMD \
-    >"$PAPERCLIP_ONBOARD_LOG" 2>&1 &
-  PAPERCLIP_ONBOARD_PID=$!
-  for _ in {1..60}; do
-    if [[ -f "$PAPERCLIP_CONFIG" ]]; then
-      break
-    fi
-    if ! kill -0 "$PAPERCLIP_ONBOARD_PID" 2>/dev/null; then
-      break
-    fi
-    sleep 2
-  done
-  if kill -0 "$PAPERCLIP_ONBOARD_PID" 2>/dev/null; then
-    kill -- -"${PAPERCLIP_ONBOARD_PID}" >/dev/null 2>&1 || true
-    wait "$PAPERCLIP_ONBOARD_PID" 2>/dev/null || true
-  fi
-  [[ -f "$PAPERCLIP_CONFIG" ]] && break
-  if ! grep -q "unknown option '--bind'" "$PAPERCLIP_ONBOARD_LOG"; then
-    break
-  fi
-  msg_info "Retrying Paperclip Onboarding"
-done
-
-if [[ ! -f "$PAPERCLIP_CONFIG" ]]; then
-  msg_error "Failed to bootstrap Paperclip"
-  exit 1
-fi
-
-if grep -q 'authenticated' $PAPERCLIP_CONFIG; then
-  pnpm paperclipai auth bootstrap-ceo >"$PAPERCLIP_BOOTSTRAP_LOG" 2>&1 || true
-  PAPERCLIP_INVITE_URL=$(awk -F'Invite URL: ' '/Invite URL:/ {print $2; exit}' "$PAPERCLIP_BOOTSTRAP_LOG")
-  PAPERCLIP_INVITE_EXPIRY=$(awk -F'Expires: ' '/Expires:/ {print $2; exit}' "$PAPERCLIP_BOOTSTRAP_LOG")
-  if [[ -n "$PAPERCLIP_INVITE_URL" ]]; then
-    cat <<EOF >>~/paperclip.creds
-
-Paperclip Admin Invite
-Invite URL: ${PAPERCLIP_INVITE_URL}
-Expires: ${PAPERCLIP_INVITE_EXPIRY}
-EOF
-    msg_ok "Generated Paperclip CEO Invite"
-    echo -e "${INFO}${YW} Open this invite URL to finish Paperclip admin setup:${CL}"
-    echo -e "${TAB}${GATEWAY}${BGN}${PAPERCLIP_INVITE_URL}${CL}"
-    [[ -n "$PAPERCLIP_INVITE_EXPIRY" ]] && echo -e "${TAB}${INFO}${YW}Invite expires: ${PAPERCLIP_INVITE_EXPIRY}${CL}"
-  else
-    msg_warn "Paperclip authenticated mode is enabled, but no CEO invite was generated automatically"
-  fi
-else
-  msg_info "Paperclip Bootstrapped in Local Trusted Mode"
-fi
-rm -f "$PAPERCLIP_ONBOARD_LOG" "$PAPERCLIP_BOOTSTRAP_LOG"
-msg_ok "Bootstrapped Paperclip"
-
-msg_info "Creating Service"
-cat <<EOF >/etc/systemd/system/paperclip.service
-[Unit]
-Description=Paperclip
-After=network.target postgresql.service
-Requires=postgresql.service
-
-[Service]
-Type=simple
-User=root
-WorkingDirectory=/opt/paperclip-ai
-EnvironmentFile=/opt/paperclip-ai/.env
-Environment=HOME=/root
-Environment=CODEX_HOME=/root/.codex
-Environment=PATH=/root/.local/bin:/usr/local/bin:/usr/bin:/bin
-Environment=DISABLE_AUTOUPDATER=1
-ExecStart=/usr/bin/env pnpm paperclipai run
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now paperclip
-msg_ok "Created Service"
-
-motd_ssh
-customize
-cleanup_lxc
@@ -16,7 +16,7 @@ update_os
 msg_info "Installing Proxmox Backup Server"
 curl -fsSL "https://enterprise.proxmox.com/debian/proxmox-release-trixie.gpg" -o "/etc/apt/trusted.gpg.d/proxmox-release-trixie.gpg"
 cat <<EOF >>/etc/apt/sources.list
-deb http://download.proxmox.com/debian/pbs trixie pbs-no-subscription
+deb https://download.proxmox.com/debian/pbs trixie pbs-no-subscription
 EOF
 $STD apt update
 export DEBIAN_FRONTEND=noninteractive
@@ -96,14 +96,14 @@ if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
  msg_info "Installing Hardware Acceleration (non-free)"
  pct exec "${privileged_container}" -- bash -c "cat <<EOF >/etc/apt/sources.list.d/non-free.list

-deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
-deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware

-deb http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb-src http://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

-deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
-deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+deb-src https://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
 EOF"

  pct exec "${privileged_container}" -- bash -c "silent() { \"\$@\" >/dev/null 2>&1; } && $STD apt-get update && $STD apt-get install -y intel-media-va-driver-non-free ocl-icd-libopencl1 intel-opencl-icd vainfo intel-gpu-tools && $STD adduser \$(id -u -n) video && $STD adduser \$(id -u -n) render"
@@ -76,7 +76,7 @@ intel() {
  }

  msg_info "Downloading the Intel Processor Microcode Package $microcode"
-  curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+  curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
  msg_ok "Downloaded the Intel Processor Microcode Package $microcode"

  msg_info "Installing $microcode (Patience)"
@@ -90,7 +90,7 @@ intel() {
  }

  msg_info "Downloading Intel processor microcode package $microcode"
-  curl -fsSL "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o $(basename "http://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode")
+  curl -fsSL --proto '=https' "https://ftp.debian.org/debian/pool/non-free-firmware/i/intel-microcode/$microcode" -o "$microcode"
  msg_ok "Downloaded Intel processor microcode package $microcode"

  msg_info "Installing $microcode (this might take a while)"
@@ -71,9 +71,9 @@ start_routines() {
  yes)
    msg_info "Changing to Proxmox Backup Server 3 Sources"
    cat <<EOF >/etc/apt/sources.list
-deb http://deb.debian.org/debian bookworm main contrib
-deb http://deb.debian.org/debian bookworm-updates main contrib
-deb http://security.debian.org/debian-security bookworm-security main contrib
+deb https://deb.debian.org/debian bookworm main contrib
+deb https://deb.debian.org/debian bookworm-updates main contrib
+deb https://security.debian.org/debian-security bookworm-security main contrib
 EOF
    msg_ok "Changed to Proxmox Backup Server 3 Sources"
    ;;
@@ -105,7 +105,7 @@ EOF
  yes)
    msg_info "Enabling 'pbs-no-subscription' repository"
    cat <<EOF >/etc/apt/sources.list.d/pbs-install-repo.list
-deb http://download.proxmox.com/debian/pbs bookworm pbs-no-subscription
+deb https://download.proxmox.com/debian/pbs bookworm pbs-no-subscription
 EOF
    msg_ok "Enabled 'pbs-no-subscription' repository"
    ;;
@@ -126,9 +126,9 @@ start_routines_3() {
  yes)
    msg_info "Correcting Debian Sources"
    cat <<EOF >/etc/apt/sources.list
-deb http://deb.debian.org/debian ${VERSION} main contrib
-deb http://deb.debian.org/debian ${VERSION}-updates main contrib
-deb http://security.debian.org/debian-security ${VERSION}-security main contrib
+deb https://deb.debian.org/debian ${VERSION} main contrib
+deb https://deb.debian.org/debian ${VERSION}-updates main contrib
+deb https://security.debian.org/debian-security ${VERSION}-security main contrib
 EOF
    msg_ok "Corrected Debian Sources"
    ;;
@@ -115,9 +115,9 @@ start_routines_8() {
  yes)
    msg_info "Correcting Proxmox VE Sources"
    cat <<EOF >/etc/apt/sources.list
-deb http://deb.debian.org/debian bookworm main contrib
-deb http://deb.debian.org/debian bookworm-updates main contrib
-deb http://security.debian.org/debian-security bookworm-security main contrib
+deb https://deb.debian.org/debian bookworm main contrib
+deb https://deb.debian.org/debian bookworm-updates main contrib
+deb https://security.debian.org/debian-security bookworm-security main contrib
 EOF
    echo 'APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";' >/etc/apt/apt.conf.d/no-bookworm-firmware.conf
    msg_ok "Corrected Proxmox VE Sources"
@@ -146,7 +146,7 @@ EOF
  yes)
    msg_info "Enabling 'pve-no-subscription' repository"
    cat <<EOF >/etc/apt/sources.list.d/pve-install-repo.list
-deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb https://download.proxmox.com/debian/pve bookworm pve-no-subscription
 EOF
    msg_ok "Enabled 'pve-no-subscription' repository"
    ;;
@@ -54,9 +54,9 @@ start_routines() {
  whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "PVE8 SOURCES" "This will set the correct sources to update and install Proxmox VE 8." 10 58
  msg_info "Changing to Proxmox VE 8 Sources"
  cat <<EOF >/etc/apt/sources.list
-deb http://ftp.debian.org/debian bookworm main contrib
-deb http://ftp.debian.org/debian bookworm-updates main contrib
-deb http://security.debian.org/debian-security bookworm-security main contrib
+deb https://ftp.debian.org/debian bookworm main contrib
+deb https://ftp.debian.org/debian bookworm-updates main contrib
+deb https://security.debian.org/debian-security bookworm-security main contrib
 EOF
  msg_ok "Changed to Proxmox VE 8 Sources"

@@ -70,7 +70,7 @@ EOF
  whiptail --backtitle "Proxmox VE Helper Scripts" --msgbox --title "PVE8-NO-SUBSCRIPTION" "The 'pve-no-subscription' repository provides access to all of the open-source components of Proxmox VE." 10 58
  msg_info "Enabling 'pve-no-subscription' repository"
  cat <<EOF >/etc/apt/sources.list.d/pve-install-repo.list
-deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
+deb https://download.proxmox.com/debian/pve bookworm pve-no-subscription
 EOF
  msg_ok "Enabled 'pve-no-subscription' repository"
Author	SHA1	Message	Date
CanbiZ (MickLesk)	a592688502	Install pytz in backend update script	2026-06-09 10:18:57 +02:00
CanbiZ (MickLesk)	819d6ce0fb	endurain: Install pytz package during backend setup Add pytz to the installation requirements for the backend.	2026-06-09 10:17:53 +02:00
community-scripts-pr-app[bot]	8792b8037b	Update CHANGELOG.md (#15011 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 20:46:25 +00:00
community-scripts-pr-app[bot]	b9c115acca	Update CHANGELOG.md (#15010 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 20:29:01 +00:00
CanbiZ (MickLesk)	3f619e4286	security: Fix HTTP to HTTPS for all package and repository downloads (#15009 ) Co-authored-by: Security Fix <security@community-scripts.org>	2026-06-08 22:28:40 +02:00
CanbiZ (MickLesk)	0f37e30f28	security: Fix MITM RCE vulnerability in microcode scripts (CVE) (#15007 ) Co-authored-by: Security Fix <security@community-scripts.org>	2026-06-08 22:28:17 +02:00
Security Fix	34243ff62f	security: Fix HTTP to HTTPS for package downloads (container-level) - install/deconz-install.sh: Switch GPG key and repository URLs to HTTPS - install/deconz-install.sh: Switch libssl1.1 .deb download to HTTPS with --proto flag - install/odoo-install.sh: Switch python3-lxml-html-clean .deb download to HTTPS - ct/odoo.sh: Switch python3-lxml-html-clean .deb download to HTTPS in update_script Changes: - All http:// → https:// for package/key downloads - Added --proto '=https' to prevent protocol downgrade - Improved quoting for file variables Impact: Prevents MITM attacks on container installations Affected containers: deconz, odoo Related to: security/fix-microcode-https PR (host-level fix)	2026-06-08 21:20:24 +02:00
community-scripts-pr-app[bot]	131545081c	Update CHANGELOG.md (#15004 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 13:36:24 +00:00
Michel Roegl-Brunner	f98a64b632	Move flowiseai to node 24 to alligne with upstream (#14999 )	2026-06-08 15:35:50 +02:00
community-scripts-pr-app[bot]	56129f7833	Update CHANGELOG.md (#15001 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 11:34:16 +00:00
Stéphane FERREIRA	68af0f5b41	homelable: preserve MCP server config across updates (#14996 ) * homelable: preserve MCP server config across updates The update path runs CLEAN_INSTALL=1 fetch_and_deploy_gh_release, which wipes /opt/homelable before redeploying. The backup/restore only covers backend/.env and data/, so an optionally-installed MCP server (set up via Pouzor/homelable's own scripts/lxc-mcp-install.sh, which targets exactly this LXC and lives in /opt/homelable/mcp) loses its .env and .venv on every update. The homelable-mcp service then keeps running on deleted inodes and dies at the next restart. Back up mcp/.env when present, and after the deploy restore it, rebuild the venv (same uv pattern as the backend), restore ownership and restart the service. Fully conditional: installs without the MCP are unaffected. * homelable: remove comments per maintainer review	2026-06-08 13:33:50 +02:00
community-scripts-pr-app[bot]	0a21262cf1	Update CHANGELOG.md (#14997 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-08 06:33:47 +00:00
Stéphane FERREIRA	b3a2fbbf98	changedetection: migrate Python install to uv venv (#14995 ) The update path installed into the global interpreter with a global --ignore-installed flag, which leaves the previous *.dist-info behind on every dependency bump. Duplicate metadata makes pip resolve against stale requirements (e.g. downgrading pydantic-core) and the service crashes at the next restart. Fixes the typing_extensions workaround (#13548) at the root: in a venv there are no Debian-owned packages to conflict with, so neither --ignore-installed nor --break-system-packages is needed. Follows the existing setup_uv + venv-or-migrate pattern from prometheus-pve-exporter and esphome. Existing installs are migrated automatically on the next update; the systemd unit is repointed to the venv binary. Fixes #14987	2026-06-08 08:33:20 +02:00
community-scripts-pr-app[bot]	373b138fe0	Update CHANGELOG.md (#14994 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-07 20:56:35 +00:00
community-scripts-pr-app[bot]	ed8b35f50b	Update CHANGELOG.md (#14993 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-06-07 20:56:14 +00:00
CanbiZ (MickLesk)	eab30076ca	Navidrome: remove genereic filebrowser addon setup (#14991 )	2026-06-07 22:56:12 +02:00
CanbiZ (MickLesk)	dc2193f4bb	Immich: use actual installed PostgreSQL version for vchord package (#14989 )	2026-06-07 22:55:53 +02:00