Update CHANGELOG.md (#13031 )

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
tools.func: Implement fetch_and_deploy_gh_tag function (#13000 )
2026-03-18 07:53:01 +01:00 · 2026-03-18 06:44:35 +00:00 · 2026-03-18 07:44:13 +01:00 · 2026-03-17 23:00:07 +00:00 · 2026-03-17 22:59:55 +00:00 · 2026-03-17 23:59:40 +01:00
11 changed files with 505 additions and 114 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -423,12 +423,41 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 </details>
-## 2026-03-16
+## 2026-03-18
 ### 💾 Core
  - #### ✨ New Features
    - tools.func: Implement fetch_and_deploy_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#13000](https://github.com/community-scripts/ProxmoxVE/pull/13000))
 ## 2026-03-17
 ### 🚀 Updated Scripts
  - #### 🐞 Bug Fixes
    - Gluetun: add OpenVPN process user and cleanup stale config [@MickLesk](https://github.com/MickLesk) ([#13016](https://github.com/community-scripts/ProxmoxVE/pull/13016))
    - Frigate: check OpenVino model files exist before configuring detector and use curl_with_retry instead of default wget [@MickLesk](https://github.com/MickLesk) ([#13019](https://github.com/community-scripts/ProxmoxVE/pull/13019))
 ### 💾 Core
  - #### 🔧 Refactor
    - tools.func: Update `create_self_signed_cert()` [@tremor021](https://github.com/tremor021) ([#13008](https://github.com/community-scripts/ProxmoxVE/pull/13008))
 ## 2026-03-16
 ### 🆕 New Scripts
  - Gluetun ([#12976](https://github.com/community-scripts/ProxmoxVE/pull/12976))
 - Anytype-Server ([#12974](https://github.com/community-scripts/ProxmoxVE/pull/12974))
 ### 🚀 Updated Scripts
  - #### 🐞 Bug Fixes
    - Immich: use gcc-13 for compilation & add uv python pre-install with retry logic [@MickLesk](https://github.com/MickLesk) ([#12935](https://github.com/community-scripts/ProxmoxVE/pull/12935))
    - Tautulli: add setuptools<81 constraint to update script [@MickLesk](https://github.com/MickLesk) ([#12959](https://github.com/community-scripts/ProxmoxVE/pull/12959))
    - Seerr: add missing build deps [@MickLesk](https://github.com/MickLesk) ([#12960](https://github.com/community-scripts/ProxmoxVE/pull/12960))
    - fix: yubal update [@CrazyWolf13](https://github.com/CrazyWolf13) ([#12961](https://github.com/community-scripts/ProxmoxVE/pull/12961))
--- a/ct/anytype-server.sh
+++ b/ct/anytype-server.sh
@@ -0,0 +1,67 @@
 #!/usr/bin/env bash
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://anytype.io
 APP="Anytype-Server"
 var_tags="${var_tags:-notes;productivity;sync}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-4096}"
 var_disk="${var_disk:-16}"
 var_os="${var_os:-ubuntu}"
 var_version="${var_version:-24.04}"
 var_unprivileged="${var_unprivileged:-1}"
 header_info "$APP"
 variables
 color
 catch_errors
 function update_script() {
  header_info
  check_container_storage
  check_container_resources
  if [[ ! -f /opt/anytype/any-sync-bundle ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
  if check_for_gh_release "anytype" "grishy/any-sync-bundle"; then
    msg_info "Stopping Service"
    systemctl stop anytype
    msg_ok "Stopped Service"
    msg_info "Backing up Data"
    cp -r /opt/anytype/data /opt/anytype_data_backup
    msg_ok "Backed up Data"
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "anytype" "grishy/any-sync-bundle" "prebuild" "latest" "/opt/anytype" "any-sync-bundle_*_linux_amd64.tar.gz"
    chmod +x /opt/anytype/any-sync-bundle
    msg_info "Restoring Data"
    cp -r /opt/anytype_data_backup/. /opt/anytype/data
    rm -rf /opt/anytype_data_backup
    msg_ok "Restored Data"
    msg_info "Starting Service"
    systemctl start anytype
    msg_ok "Started Service"
    msg_ok "Updated successfully!"
  fi
  exit
 }
 start
 build_container
 description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:33010${CL}"
 echo -e "${INFO}${YW} Client config file:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}/opt/anytype/data/client-config.yml${CL}"
--- a/ct/gluetun.sh
+++ b/ct/gluetun.sh
@@ -0,0 +1,61 @@
 #!/usr/bin/env bash
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://github.com/qdm12/gluetun
 APP="Gluetun"
 var_tags="${var_tags:-vpn;wireguard;openvpn}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-2048}"
 var_disk="${var_disk:-8}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
 var_tun="${var_tun:-yes}"
 header_info "$APP"
 variables
 color
 catch_errors
 function update_script() {
  header_info
  check_container_storage
  check_container_resources
  if [[ ! -f /usr/local/bin/gluetun ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
  if check_for_gh_release "gluetun" "qdm12/gluetun"; then
    msg_info "Stopping Service"
    systemctl stop gluetun
    msg_ok "Stopped Service"
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "gluetun" "qdm12/gluetun" "tarball"
    msg_info "Building Gluetun"
    cd /opt/gluetun
    $STD go mod download
    CGO_ENABLED=0 $STD go build -trimpath -ldflags="-s -w" -o /usr/local/bin/gluetun ./cmd/gluetun/
    msg_ok "Built Gluetun"
    msg_info "Starting Service"
    systemctl start gluetun
    msg_ok "Started Service"
    msg_ok "Updated successfully!"
  fi
  exit
 }
 start
 build_container
 description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8000${CL}"
--- a/ct/headers/anytype-server
+++ b/ct/headers/anytype-server
@@ -0,0 +1,6 @@
    ___                __                        _____                          
   /   |  ____  __  __/ /___  ______  ___       / ___/___  ______   _____  _____
  / /| | / __ \/ / / / __/ / / / __ \/ _ \______\__ \/ _ \/ ___/ | / / _ \/ ___/
 / ___ |/ / / / /_/ / /_/ /_/ / /_/ /  __/_____/__/ /  __/ /   | |/ /  __/ /    
 /_/  |_/_/ /_/\__, /\__/\__, / .___/\___/     /____/\___/_/    |___/\___/_/     
             /____/    /____/_/                                                 
--- a/ct/headers/gluetun
+++ b/ct/headers/gluetun
@@ -0,0 +1,6 @@
   ________           __            
  / ____/ /_  _____  / /___  ______ 
 / / __/ / / / / _ \/ __/ / / / __ \
 / /_/ / / /_/ /  __/ /_/ /_/ / / / /
 \____/_/\__,_/\___/\__/\__,_/_/ /_/ 
--- a/ct/immich.sh
+++ b/ct/immich.sh
@@ -76,7 +76,7 @@ EOF
  SOURCE_DIR=${STAGING_DIR}/image-source
  cd /tmp
  if [[ -f ~/.intel_version ]]; then
-    curl -fsSLO https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/machine-learning/Dockerfile
+    curl_with_retry "https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/machine-learning/Dockerfile" "Dockerfile"
    readarray -t INTEL_URLS < <(
      sed -n "/intel-[igc|opencl]/p" ./Dockerfile | awk '{print $3}'
      sed -n "/libigdgmm12/p" ./Dockerfile | awk '{print $3}'
@@ -85,7 +85,7 @@ EOF
    if [[ "$INTEL_RELEASE" != "$(cat ~/.intel_version)" ]]; then
      msg_info "Updating Intel iGPU dependencies"
      for url in "${INTEL_URLS[@]}"; do
-        curl -fsSLO "$url"
+        curl_with_retry "$url" "$(basename "$url")"
      done
      $STD apt-mark unhold libigdgmm12
      $STD apt install -y --allow-downgrades ./libigdgmm12*.deb
@@ -133,7 +133,7 @@ EOF
      $STD sudo -u postgres psql -d immich -c "REINDEX INDEX face_index;"
      $STD sudo -u postgres psql -d immich -c "REINDEX INDEX clip_index;"
    fi
-    ensure_dependencies ccache
+    ensure_dependencies ccache gcc-13 g++-13
    INSTALL_DIR="/opt/${APP}"
    UPLOAD_DIR="$(sed -n '/^IMMICH_MEDIA_LOCATION/s/[^=]*=//p' /opt/immich/.env)"
@@ -166,7 +166,7 @@ EOF
    setup_uv
    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "${RELEASE}" "$SRC_DIR"
-    PNPM_VERSION="$(jq -r '.packageManager | split("@")[1]' ${SRC_DIR}/package.json)"
+    PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
    NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
    msg_info "Updating Immich web and microservices"
@@ -217,15 +217,36 @@ EOF
    chown -R immich:immich "$INSTALL_DIR"
    chown immich:immich ./uv.lock
    export VIRTUAL_ENV="${ML_DIR}"/ml-venv
    export UV_HTTP_TIMEOUT=300
    if [[ -f ~/.openvino ]]; then
      ML_PYTHON="python3.13"
      msg_info "Pre-installing Python ${ML_PYTHON} for machine-learning"
      for attempt in $(seq 1 3); do
        $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv python install "${ML_PYTHON}" && break
        [[ $attempt -lt 3 ]] && msg_warn "Python download attempt $attempt failed, retrying..." && sleep 5
      done
      msg_ok "Pre-installed Python ${ML_PYTHON}"
      msg_info "Updating HW-accelerated machine-learning"
-      $STD uv add --no-sync --optional openvino onnxruntime-openvino==1.24.1 --active -n -p python3.13 --managed-python
+      $STD uv add --no-sync --optional openvino onnxruntime-openvino==1.24.1 --active -n -p "${ML_PYTHON}" --managed-python
-      $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv sync --extra openvino --no-dev --active --link-mode copy -n -p python3.13 --managed-python
+      for attempt in $(seq 1 3); do
        $STD sudo --preserve-env=VIRTUAL_ENV,UV_HTTP_TIMEOUT -nu immich uv sync --extra openvino --no-dev --active --link-mode copy -n -p "${ML_PYTHON}" --managed-python && break
        [[ $attempt -lt 3 ]] && msg_warn "uv sync attempt $attempt failed, retrying..." && sleep 10
      done
      patchelf --clear-execstack "${VIRTUAL_ENV}/lib/python3.13/site-packages/onnxruntime/capi/onnxruntime_pybind11_state.cpython-313-x86_64-linux-gnu.so"
      msg_ok "Updated HW-accelerated machine-learning"
    else
      ML_PYTHON="python3.11"
      msg_info "Pre-installing Python ${ML_PYTHON} for machine-learning"
      for attempt in $(seq 1 3); do
        $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv python install "${ML_PYTHON}" && break
        [[ $attempt -lt 3 ]] && msg_warn "Python download attempt $attempt failed, retrying..." && sleep 5
      done
      msg_ok "Pre-installed Python ${ML_PYTHON}"
      msg_info "Updating machine-learning"
-      $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv sync --extra cpu --no-dev --active --link-mode copy -n -p python3.11 --managed-python
+      for attempt in $(seq 1 3); do
        $STD sudo --preserve-env=VIRTUAL_ENV,UV_HTTP_TIMEOUT -nu immich uv sync --extra cpu --no-dev --active --link-mode copy -n -p "${ML_PYTHON}" --managed-python && break
        [[ $attempt -lt 3 ]] && msg_warn "uv sync attempt $attempt failed, retrying..." && sleep 10
      done
      msg_ok "Updated machine-learning"
    fi
    cd "$SRC_DIR"
--- a/install/anytype-server-install.sh
+++ b/install/anytype-server-install.sh
@@ -0,0 +1,81 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://anytype.io
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 setup_mongodb
 msg_info "Configuring MongoDB Replica Set"
 cat <<EOF >>/etc/mongod.conf
 replication:
  replSetName: "rs0"
 EOF
 systemctl restart mongod
 sleep 3
 $STD mongosh --eval 'rs.initiate({_id: "rs0", members: [{_id: 0, host: "127.0.0.1:27017"}]})'
 msg_ok "Configured MongoDB Replica Set"
 msg_info "Installing Redis Stack"
 setup_deb822_repo \
  "redis-stack" \
  "https://packages.redis.io/gpg" \
  "https://packages.redis.io/deb" \
  "jammy" \
  "main"
 $STD apt install -y redis-stack-server
 systemctl enable -q --now redis-stack-server
 msg_ok "Installed Redis Stack"
 fetch_and_deploy_gh_release "anytype" "grishy/any-sync-bundle" "prebuild" "latest" "/opt/anytype" "any-sync-bundle_*_linux_amd64.tar.gz"
 chmod +x /opt/anytype/any-sync-bundle
 msg_info "Configuring Anytype"
 mkdir -p /opt/anytype/data/storage
 cat <<EOF >/opt/anytype/.env
 ANY_SYNC_BUNDLE_CONFIG=/opt/anytype/data/bundle-config.yml
 ANY_SYNC_BUNDLE_CLIENT_CONFIG=/opt/anytype/data/client-config.yml
 ANY_SYNC_BUNDLE_INIT_STORAGE=/opt/anytype/data/storage/
 ANY_SYNC_BUNDLE_INIT_EXTERNAL_ADDRS=${LOCAL_IP}
 ANY_SYNC_BUNDLE_INIT_MONGO_URI=mongodb://127.0.0.1:27017/
 ANY_SYNC_BUNDLE_INIT_REDIS_URI=redis://127.0.0.1:6379/
 ANY_SYNC_BUNDLE_LOG_LEVEL=info
 EOF
 msg_ok "Configured Anytype"
 msg_info "Creating Service"
 cat <<EOF >/etc/systemd/system/anytype.service
 [Unit]
 Description=Anytype Sync Server (any-sync-bundle)
 After=network-online.target mongod.service redis-stack-server.service
 Wants=network-online.target
 Requires=mongod.service redis-stack-server.service
 [Service]
 Type=simple
 User=root
 WorkingDirectory=/opt/anytype
 EnvironmentFile=/opt/anytype/.env
 ExecStart=/opt/anytype/any-sync-bundle start-bundle
 Restart=on-failure
 RestartSec=10
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl enable -q --now anytype
 msg_ok "Created Service"
 motd_ssh
 customize
 cleanup_lxc
--- a/install/frigate-install.sh
+++ b/install/frigate-install.sh
@@ -146,7 +146,7 @@ ldconfig
 msg_ok "Built libUSB"
 msg_info "Bootstrapping pip"
-wget -q https://bootstrap.pypa.io/get-pip.py -O /tmp/get-pip.py
+curl_with_retry "https://bootstrap.pypa.io/get-pip.py" "/tmp/get-pip.py"
 sed -i 's/args.append("setuptools")/args.append("setuptools==77.0.3")/' /tmp/get-pip.py
 $STD python3 /tmp/get-pip.py "pip"
 rm -f /tmp/get-pip.py
@@ -169,13 +169,13 @@ NODE_VERSION="20" setup_nodejs
 msg_info "Downloading Inference Models"
 mkdir -p /models /openvino-model
-wget -q -O /edgetpu_model.tflite https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess_edgetpu.tflite
+curl_with_retry "https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess_edgetpu.tflite" "/edgetpu_model.tflite"
-wget -q -O /models/cpu_model.tflite https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess.tflite
+curl_with_retry "https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess.tflite" "/models/cpu_model.tflite"
 cp /opt/frigate/labelmap.txt /labelmap.txt
 msg_ok "Downloaded Inference Models"
 msg_info "Downloading Audio Model"
-wget -q -O /tmp/yamnet.tar.gz https://www.kaggle.com/api/v1/models/google/yamnet/tfLite/classification-tflite/1/download
+curl_with_retry "https://www.kaggle.com/api/v1/models/google/yamnet/tfLite/classification-tflite/1/download" "/tmp/yamnet.tar.gz"
 $STD tar xzf /tmp/yamnet.tar.gz -C /
 mv /1.tflite /cpu_audio_model.tflite
 cp /opt/frigate/audio-labelmap.txt /audio-labelmap.txt
@@ -205,7 +205,7 @@ msg_ok "Installed OpenVino"
 msg_info "Building OpenVino Model"
 cd /models
-wget -q http://download.tensorflow.org/models/object_detection/ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz
+curl_with_retry "http://download.tensorflow.org/models/object_detection/ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz" "ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz"
 $STD tar -zxf ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz --no-same-owner
 if python3 /opt/frigate/docker/main/build_ov_model.py &>/dev/null; then
  mkdir -p /openvino-model
@@ -219,7 +219,7 @@ if python3 /opt/frigate/docker/main/build_ov_model.py &>/dev/null; then
    if [[ -n "$OV_LABELS" ]]; then
      ln -sf "$OV_LABELS" /openvino-model/coco_91cl_bkgr.txt
    else
-      wget -q "https://raw.githubusercontent.com/openvinotoolkit/open_model_zoo/master/data/dataset_classes/coco_91cl_bkgr.txt" -O /openvino-model/coco_91cl_bkgr.txt
+      curl_with_retry "https://raw.githubusercontent.com/openvinotoolkit/open_model_zoo/master/data/dataset_classes/coco_91cl_bkgr.txt" "/openvino-model/coco_91cl_bkgr.txt"
    fi
  fi
  sed -i 's/truck/car/g' /openvino-model/coco_91cl_bkgr.txt
@@ -246,7 +246,7 @@ msg_info "Configuring Frigate"
 mkdir -p /config /media/frigate
 cp -r /opt/frigate/config/. /config
-curl -fsSL "https://github.com/intel-iot-devkit/sample-videos/raw/master/person-bicycle-car-detection.mp4" -o "/media/frigate/person-bicycle-car-detection.mp4"
+curl_with_retry "https://github.com/intel-iot-devkit/sample-videos/raw/master/person-bicycle-car-detection.mp4" "/media/frigate/person-bicycle-car-detection.mp4"
 echo "tmpfs   /tmp/cache      tmpfs   defaults        0       0" >>/etc/fstab
@@ -289,7 +289,7 @@ detect:
  enabled: false
 EOF
-if grep -q -o -m1 -E 'avx[^ ]*|sse4_2' /proc/cpuinfo; then
+if grep -q -o -m1 -E 'avx[^ ]*|sse4_2' /proc/cpuinfo && [[ -f /openvino-model/ssdlite_mobilenet_v2.xml ]] && [[ -f /openvino-model/coco_91cl_bkgr.txt ]]; then
  cat <<EOF >>/config/config.yml
 ffmpeg:
  hwaccel_args: auto
--- a/install/gluetun-install.sh
+++ b/install/gluetun-install.sh
@@ -0,0 +1,96 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://github.com/qdm12/gluetun
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 msg_info "Installing Dependencies"
 $STD apt install -y \
  openvpn \
  wireguard-tools \
  iptables
 msg_ok "Installed Dependencies"
 msg_info "Configuring iptables"
 $STD update-alternatives --set iptables /usr/sbin/iptables-legacy
 $STD update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
 ln -sf /usr/sbin/openvpn /usr/sbin/openvpn2.6
 msg_ok "Configured iptables"
 setup_go
 fetch_and_deploy_gh_release "gluetun" "qdm12/gluetun" "tarball"
 msg_info "Building Gluetun"
 cd /opt/gluetun
 $STD go mod download
 CGO_ENABLED=0 $STD go build -trimpath -ldflags="-s -w" -o /usr/local/bin/gluetun ./cmd/gluetun/
 msg_ok "Built Gluetun"
 msg_info "Configuring Gluetun"
 mkdir -p /opt/gluetun-data
 touch /etc/alpine-release
 ln -sf /opt/gluetun-data /gluetun
 cat <<EOF >/opt/gluetun-data/.env
 VPN_SERVICE_PROVIDER=custom
 VPN_TYPE=openvpn
 OPENVPN_CUSTOM_CONFIG=/opt/gluetun-data/custom.ovpn
 OPENVPN_USER=
 OPENVPN_PASSWORD=
 OPENVPN_PROCESS_USER=root
 PUID=0
 PGID=0
 HTTP_CONTROL_SERVER_ADDRESS=:8000
 HTTPPROXY=off
 SHADOWSOCKS=off
 PPROF_ENABLED=no
 PPROF_BLOCK_PROFILE_RATE=0
 PPROF_MUTEX_PROFILE_RATE=0
 PPROF_HTTP_SERVER_ADDRESS=:6060
 FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT=on
 HEALTH_SERVER_ADDRESS=127.0.0.1:9999
 DNS_UPSTREAM_RESOLVERS=cloudflare
 LOG_LEVEL=info
 STORAGE_FILEPATH=/gluetun/servers.json
 PUBLICIP_FILE=/gluetun/ip
 VPN_PORT_FORWARDING_STATUS_FILE=/gluetun/forwarded_port
 TZ=UTC
 EOF
 msg_ok "Configured Gluetun"
 msg_info "Creating Service"
 cat <<EOF >/etc/systemd/system/gluetun.service
 [Unit]
 Description=Gluetun VPN Client
 After=network.target
 [Service]
 Type=simple
 User=root
 WorkingDirectory=/opt/gluetun-data
 EnvironmentFile=/opt/gluetun-data/.env
 UnsetEnvironment=USER
 ExecStartPre=/bin/sh -c 'rm -f /etc/openvpn/target.ovpn'
 ExecStart=/usr/local/bin/gluetun
 Restart=on-failure
 RestartSec=5
 AmbientCapabilities=CAP_NET_ADMIN
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl enable -q --now gluetun
 msg_ok "Created Service"
 motd_ssh
 customize
 cleanup_lxc
--- a/install/immich-install.sh
+++ b/install/immich-install.sh
@@ -32,13 +32,13 @@ if [ -d /dev/dri ]; then
    $STD apt install -y --no-install-recommends patchelf
    tmp_dir=$(mktemp -d)
    $STD pushd "$tmp_dir"
-    curl -fsSLO https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/machine-learning/Dockerfile
+    curl_with_retry "https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/machine-learning/Dockerfile" "Dockerfile"
    readarray -t INTEL_URLS < <(
      sed -n "/intel-[igc|opencl]/p" ./Dockerfile | awk '{print $3}'
      sed -n "/libigdgmm12/p" ./Dockerfile | awk '{print $3}'
    )
    for url in "${INTEL_URLS[@]}"; do
-      curl -fsSLO "$url"
+      curl_with_retry "$url" "$(basename "$url")"
    done
    $STD apt install -y ./libigdgmm12*.deb
    rm ./libigdgmm12*.deb
@@ -154,6 +154,10 @@ sed -i "s/^#shared_preload.*/shared_preload_libraries = 'vchord.so'/" /etc/postg
 systemctl restart postgresql.service
 PG_DB_NAME="immich" PG_DB_USER="immich" PG_DB_GRANT_SUPERUSER="true" PG_DB_SKIP_ALTER_ROLE="true" setup_postgresql_db
 msg_info "Installing GCC-13 (available as fallback compiler)"
 $STD apt install -y gcc-13 g++-13
 msg_ok "Installed GCC-13"
 msg_warn "Compiling Custom Photo-processing Libraries (can take anywhere from 15min to 2h)"
 LD_LIBRARY_PATH=/usr/local/lib
 export LD_RUN_PATH=/usr/local/lib
@@ -290,7 +294,7 @@ GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.5.6" "$SRC_DIR"
-PNPM_VERSION="$(jq -r '.packageManager | split("@")[1]' ${SRC_DIR}/package.json)"
+PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 msg_info "Installing Immich (patience)"
@@ -340,15 +344,36 @@ cd "$SRC_DIR"/machine-learning
 $STD useradd -U -s /usr/sbin/nologin -r -M -d "$INSTALL_DIR" immich
 mkdir -p "$ML_DIR" && chown -R immich:immich "$INSTALL_DIR"
 export VIRTUAL_ENV="${ML_DIR}/ml-venv"
 export UV_HTTP_TIMEOUT=300
 if [[ -f ~/.openvino ]]; then
  ML_PYTHON="python3.13"
  msg_info "Pre-installing Python ${ML_PYTHON} for machine-learning"
  for attempt in $(seq 1 3); do
    $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv python install "${ML_PYTHON}" && break
    [[ $attempt -lt 3 ]] && msg_warn "Python download attempt $attempt failed, retrying..." && sleep 5
  done
  msg_ok "Pre-installed Python ${ML_PYTHON}"
  msg_info "Installing HW-accelerated machine-learning"
-  $STD uv add --no-sync --optional openvino onnxruntime-openvino==1.24.1 --active -n -p python3.13 --managed-python
+  $STD uv add --no-sync --optional openvino onnxruntime-openvino==1.24.1 --active -n -p "${ML_PYTHON}" --managed-python
-  $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv sync --extra openvino --no-dev --active --link-mode copy -n -p python3.13 --managed-python
+  for attempt in $(seq 1 3); do
    $STD sudo --preserve-env=VIRTUAL_ENV,UV_HTTP_TIMEOUT -nu immich uv sync --extra openvino --no-dev --active --link-mode copy -n -p "${ML_PYTHON}" --managed-python && break
    [[ $attempt -lt 3 ]] && msg_warn "uv sync attempt $attempt failed, retrying..." && sleep 10
  done
  patchelf --clear-execstack "${VIRTUAL_ENV}/lib/python3.13/site-packages/onnxruntime/capi/onnxruntime_pybind11_state.cpython-313-x86_64-linux-gnu.so"
  msg_ok "Installed HW-accelerated machine-learning"
 else
  ML_PYTHON="python3.11"
  msg_info "Pre-installing Python ${ML_PYTHON} for machine-learning"
  for attempt in $(seq 1 3); do
    $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv python install "${ML_PYTHON}" && break
    [[ $attempt -lt 3 ]] && msg_warn "Python download attempt $attempt failed, retrying..." && sleep 5
  done
  msg_ok "Pre-installed Python ${ML_PYTHON}"
  msg_info "Installing machine-learning"
-  $STD sudo --preserve-env=VIRTUAL_ENV -nu immich uv sync --extra cpu --no-dev --active --link-mode copy -n -p python3.11 --managed-python
+  for attempt in $(seq 1 3); do
    $STD sudo --preserve-env=VIRTUAL_ENV,UV_HTTP_TIMEOUT -nu immich uv sync --extra cpu --no-dev --active --link-mode copy -n -p "${ML_PYTHON}" --managed-python && break
    [[ $attempt -lt 3 ]] && msg_warn "uv sync attempt $attempt failed, retrying..." && sleep 10
  done
  msg_ok "Installed machine-learning"
 fi
 cd "$SRC_DIR"
@@ -365,10 +390,10 @@ ln -s "$UPLOAD_DIR" "$ML_DIR"/upload
 msg_info "Installing GeoNames data"
 cd "$GEO_DIR"
-curl -fsSLZ -O "https://download.geonames.org/export/dump/admin1CodesASCII.txt" \
+curl_with_retry "https://download.geonames.org/export/dump/admin1CodesASCII.txt" "admin1CodesASCII.txt"
-  -O "https://download.geonames.org/export/dump/admin2Codes.txt" \
+curl_with_retry "https://download.geonames.org/export/dump/admin2Codes.txt" "admin2Codes.txt"
-  -O "https://download.geonames.org/export/dump/cities500.zip" \
+curl_with_retry "https://download.geonames.org/export/dump/cities500.zip" "cities500.zip"
-  -O "https://raw.githubusercontent.com/nvkelso/natural-earth-vector/v5.1.2/geojson/ne_10m_admin_0_countries.geojson"
+curl_with_retry "https://raw.githubusercontent.com/nvkelso/natural-earth-vector/v5.1.2/geojson/ne_10m_admin_0_countries.geojson" "ne_10m_admin_0_countries.geojson"
 unzip -q cities500.zip
 date --iso-8601=seconds | tr -d "\n" >geodata-date.txt
 rm cities500.zip
--- a/misc/tools.func
+++ b/misc/tools.func
@@ -2077,100 +2077,85 @@ verify_gpg_fingerprint() {
 }
 # ------------------------------------------------------------------------------
-# Get latest GitHub tag for a repository.
+# Fetches and deploys a GitHub tag-based source tarball.
 #
 # Description:
-#   - Queries the GitHub API for tags (not releases)
+#   - Downloads the source tarball for a given tag from GitHub
-#   - Useful for repos that only create tags, not full releases
+#   - Extracts to the target directory
-#   - Supports optional prefix filter and version-only extraction
+#   - Writes the version to ~/.<app>
 #   - Returns the latest tag name (printed to stdout)
 #
 # Usage:
-#   MONGO_VERSION=$(get_latest_gh_tag "mongodb/mongo-tools")
+#     fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server"
-#   LATEST=$(get_latest_gh_tag "owner/repo" "v")          # only tags starting with "v"
+#     fetch_and_deploy_gh_tag "guacd" "apache/guacamole-server" "latest" "/opt/guacamole-server"
 #   LATEST=$(get_latest_gh_tag "owner/repo" "" "true")     # strip leading "v"
 #
 # Arguments:
-#   $1 - GitHub repo (owner/repo)
+#   $1 - App name (used for version file ~/.<app>)
-#   $2 - Tag prefix filter (optional, e.g. "v" or "100.")
+#   $2 - GitHub repo (owner/repo)
-#   $3 - Strip prefix from result (optional, "true" to strip $2 prefix)
+#   $3 - Tag version (default: "latest" → auto-detect via get_latest_gh_tag)
-#
+#   $4 - Target directory (default: /opt/$app)
 # Returns:
 #   0 on success (tag printed to stdout), 1 on failure
 #
 # Notes:
-#   - Skips tags containing "rc", "alpha", "beta", "dev", "test"
+#   - Supports CLEAN_INSTALL=1 to wipe target before extracting
-#   - Sorts by version number (sort -V) to find the latest
+#   - For repos that only publish tags, not GitHub Releases
 #   - Respects GITHUB_TOKEN for rate limiting
 # ------------------------------------------------------------------------------
-get_latest_gh_tag() {
+fetch_and_deploy_gh_tag() {
-  local repo="$1"
+  local app="$1"
-  local prefix="${2:-}"
+  local repo="$2"
-  local strip_prefix="${3:-false}"
+  local version="${3:-latest}"
  local target="${4:-/opt/$app}"
  local app_lc=""
  app_lc="$(echo "${app,,}" | tr -d ' ')"
  local version_file="$HOME/.${app_lc}"
-  local header_args=()
+  if [[ "$version" == "latest" ]]; then
-  [[ -n "${GITHUB_TOKEN:-}" ]] && header_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
+    version=$(get_latest_gh_tag "$repo") || {
      msg_error "Failed to determine latest tag for ${repo}"
      return 1
    }
  fi
-  local http_code=""
+  local current_version=""
-  http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gh_tags.json \
+  [[ -f "$version_file" ]] && current_version=$(<"$version_file")
    -H 'Accept: application/vnd.github+json' \
    -H 'X-GitHub-Api-Version: 2022-11-28' \
    "${header_args[@]}" \
    "https://api.github.com/repos/${repo}/tags?per_page=100" 2>/dev/null) || true
-  if [[ "$http_code" == "401" ]]; then
+  if [[ "$current_version" == "$version" ]]; then
-    msg_error "GitHub API authentication failed (HTTP 401)."
+    msg_ok "$app is already up-to-date ($version)"
-    if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+    return 0
-      msg_error "Your GITHUB_TOKEN appears to be invalid or expired."
+  fi
-    else
+
-      msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
+  local tmpdir
-    fi
+  tmpdir=$(mktemp -d) || return 1
-    rm -f /tmp/gh_tags.json
+  local tarball_url="https://github.com/${repo}/archive/refs/tags/${version}.tar.gz"
  local filename="${app_lc}-${version}.tar.gz"
  msg_info "Fetching GitHub tag: ${app} (${version})"
  download_file "$tarball_url" "$tmpdir/$filename" || {
    msg_error "Download failed: $tarball_url"
    rm -rf "$tmpdir"
    return 1
  }
  mkdir -p "$target"
  if [[ "${CLEAN_INSTALL:-0}" == "1" ]]; then
    rm -rf "${target:?}/"*
  fi
-  if [[ "$http_code" == "403" ]]; then
+  tar --no-same-owner -xzf "$tmpdir/$filename" -C "$tmpdir" || {
-    msg_error "GitHub API rate limit exceeded (HTTP 403)."
+    msg_error "Failed to extract tarball"
-    msg_error "To increase the limit, export a GitHub token before running the script:"
+    rm -rf "$tmpdir"
    msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
    rm -f /tmp/gh_tags.json
    return 1
-  fi
+  }
-  if [[ "$http_code" == "000" || -z "$http_code" ]]; then
+  local unpack_dir
-    msg_error "GitHub API connection failed (no response)."
+  unpack_dir=$(find "$tmpdir" -mindepth 1 -maxdepth 1 -type d | head -n1)
    msg_error "Check your network/DNS: curl -sSL https://api.github.com/rate_limit"
    rm -f /tmp/gh_tags.json
    return 1
  fi
-  if [[ "$http_code" != "200" ]] || [[ ! -s /tmp/gh_tags.json ]]; then
+  shopt -s dotglob nullglob
-    msg_error "Unable to fetch tags for ${repo} (HTTP ${http_code})"
+  cp -r "$unpack_dir"/* "$target/"
-    rm -f /tmp/gh_tags.json
+  shopt -u dotglob nullglob
    return 1
  fi
-  local tags_json
+  rm -rf "$tmpdir"
-  tags_json=$(</tmp/gh_tags.json)
+  echo "$version" >"$version_file"
-  rm -f /tmp/gh_tags.json
+  msg_ok "Deployed ${app} ${version} to ${target}"
  # Extract tag names, filter by prefix, exclude pre-release patterns, sort by version
  local latest=""
  latest=$(echo "$tags_json" | grep -oP '"name":\s*"\K[^"]+' |
    { [[ -n "$prefix" ]] && grep "^${prefix}" || cat; } |
    grep -viE '(rc|alpha|beta|dev|test|preview|snapshot)' |
    sort -V | tail -n1)
  if [[ -z "$latest" ]]; then
    msg_warn "No matching tags found for ${repo}${prefix:+ (prefix: $prefix)}"
    return 1
  fi
  if [[ "$strip_prefix" == "true" && -n "$prefix" ]]; then
    latest="${latest#"$prefix"}"
  fi
  echo "$latest"
  return 0
 }
@@ -2519,6 +2504,8 @@ check_for_codeberg_release() {
 # ------------------------------------------------------------------------------
 create_self_signed_cert() {
  local APP_NAME="${1:-${APPLICATION}}"
  local HOSTNAME="$(hostname -f)"
  local IP="$(hostname -I | awk '{print $1}')"
  local APP_NAME_LC=$(echo "${APP_NAME,,}" | tr -d ' ')
  local CERT_DIR="/etc/ssl/${APP_NAME_LC}"
  local CERT_KEY="${CERT_DIR}/${APP_NAME_LC}.key"
@@ -2536,8 +2523,8 @@ create_self_signed_cert() {
  mkdir -p "$CERT_DIR"
  $STD openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-    -subj "/CN=${APP_NAME}" \
+    -subj "/CN=${HOSTNAME}" \
-    -addext "subjectAltName=DNS:${APP_NAME}" \
+    -addext "subjectAltName=DNS:${HOSTNAME},DNS:localhost,IP:${IP},IP:127.0.0.1" \
    -keyout "$CERT_KEY" \
    -out "$CERT_CRT" || {
    msg_error "Failed to create self-signed certificate"
@@ -4676,16 +4663,9 @@ _setup_rocm() {
    return 0
  }
-  # AMDGPU driver repository (append to same keyring)
+  # Note: The amdgpu/latest/ubuntu repo (kernel driver packages) is intentionally
-  {
+  # omitted — kernel drivers are managed by the Proxmox host, not the LXC container.
-    echo ""
+  # Only the ROCm userspace compute stack is needed inside the container.
    echo "Types: deb"
    echo "URIs: https://repo.radeon.com/amdgpu/latest/ubuntu"
    echo "Suites: ${ROCM_REPO_CODENAME}"
    echo "Components: main"
    echo "Architectures: amd64"
    echo "Signed-By: /etc/apt/keyrings/rocm.gpg"
  } >>/etc/apt/sources.list.d/rocm.sources
  # Pin ROCm packages to prefer radeon repo
  cat <<EOF >/etc/apt/preferences.d/rocm-pin-600
@@ -4694,7 +4674,26 @@ Pin: release o=repo.radeon.com
 Pin-Priority: 600
 EOF
-  $STD apt update || msg_warn "apt update failed (AMD repo may be temporarily unavailable) — continuing anyway"
+  # apt update with retry — repo.radeon.com CDN can be mid-sync (transient size mismatches).
  # Run with ERR trap disabled so a transient failure does not abort the entire install.
  local _apt_ok=0
  for _attempt in 1 2 3; do
    if (
      set +e
      apt-get update -qq 2>&1
      exit $?
    ) 2>/dev/null; then
      _apt_ok=1
      break
    fi
    msg_warn "apt update failed (attempt ${_attempt}/3) — AMD repo may be temporarily unavailable, retrying in 30s…"
    sleep 30
  done
  if [[ $_apt_ok -eq 0 ]]; then
    msg_warn "apt update still failing after 3 attempts — skipping ROCm install"
    return 0
  fi
  # Install only runtime packages — full 'rocm' meta-package includes 15GB+ dev tools
  $STD apt install -y rocm-opencl-runtime rocm-hip-runtime rocm-smi-lib 2>/dev/null || {
    msg_warn "ROCm runtime install failed — trying minimal set"
Author	SHA1	Message	Date
community-scripts-pr-app[bot]	37f2e0242d	Update CHANGELOG.md (#13031 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-18 06:44:35 +00:00
CanbiZ (MickLesk)	7c62147a00	tools.func: Implement fetch_and_deploy_gh_tag function (#13000 ) * tools.func: Implement fetch_and_deploy_gh_tag function Adds function to fetch and deploy GitHub tag-based source tarballs. * Refactor fetch_and_deploy_gh_tag function and comments Updated the function to fetch and deploy GitHub tags, enhancing its description and usage instructions. * cleanuo	2026-03-18 07:44:13 +01:00
community-scripts-pr-app[bot]	7d11f9acd6	Update CHANGELOG.md (#13029 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-17 23:00:07 +00:00
community-scripts-pr-app[bot]	55a877a3e2	Update CHANGELOG.md (#13028 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-17 22:59:55 +00:00
CanbiZ (MickLesk)	27c9d7fd07	fix(gluetun): add OpenVPN process user and cleanup stale config (#13016 ) - Add OPENVPN_PROCESS_USER=root, PUID=0, PGID=0 to default .env to prevent gluetun from injecting 'user' directive into target.ovpn which causes 'Unrecognized option' errors on Debian - Add ExecStartPre to remove stale /etc/openvpn/target.ovpn before start - Fixes #12988	2026-03-17 23:59:40 +01:00
CanbiZ (MickLesk)	c907e10334	Frigate: check OpenVino model files exist before configuring detector and use curl_with_retry instead of default wget (#13019 ) * fix(frigate): check OpenVino model files exist before configuring detector When the OpenVino model build fails (e.g. TensorFlow import error), the model files are not created but the config still references them if the CPU supports avx/sse4_2, causing Frigate to crash on start with FileNotFoundError. Now also checks that ssdlite_mobilenet_v2.xml and coco_91cl_bkgr.txt actually exist before configuring the OpenVino detector, falling back to CPU model otherwise. Fixes #12808 * fix(frigate): use curl_with_retry for all downloads Replace all wget and bare curl calls with curl_with_retry from tools.func for robust downloads with retry logic, exponential backoff, and DNS pre-checks. This prevents install failures from transient network issues during model and dependency downloads.	2026-03-17 23:59:28 +01:00
community-scripts-pr-app[bot]	804c462dd3	Update CHANGELOG.md (#13020 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-17 20:20:06 +00:00
Slaviša Arežina	9df9a2831e	Update (#13008 )	2026-03-17 21:19:36 +01:00
community-scripts-pr-app[bot]	4aa83fd98e	Update CHANGELOG.md (#12996 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-17 07:32:12 +00:00
CanbiZ (MickLesk)	6747f0c340	fix broken rocm setup	2026-03-17 08:31:42 +01:00
MickLesk	8ef2c445c8	immich: increase uv timeout to 300	2026-03-16 20:41:21 +01:00
MickLesk	e4a7ed6965	immcih: crop sha from pnpm	2026-03-16 20:36:21 +01:00
MickLesk	c69dae5326	immich: use curl with retry function	2026-03-16 20:23:46 +01:00
MickLesk	fee4617802	qf: add gcc13 fallback and use gcc14	2026-03-16 20:03:45 +01:00
community-scripts-pr-app[bot]	339301947b	Update .app files (#12982 ) Co-authored-by: GitHub Actions <github-actions[bot]@users.noreply.github.com>	2026-03-16 17:56:32 +01:00
community-scripts-pr-app[bot]	5df3c2cd34	Update CHANGELOG.md (#12981 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-16 16:45:48 +00:00
push-app-to-main[bot]	6832e23ff1	Add gluetun (ct) (#12976 ) Co-authored-by: push-app-to-main[bot] <203845782+push-app-to-main[bot]@users.noreply.github.com>	2026-03-16 17:45:22 +01:00
community-scripts-pr-app[bot]	d08ba7a0c4	Update .app files (#12980 ) Co-authored-by: GitHub Actions <github-actions[bot]@users.noreply.github.com>	2026-03-16 17:39:18 +01:00
community-scripts-pr-app[bot]	780c0e055f	Update CHANGELOG.md (#12979 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-16 16:34:08 +00:00
push-app-to-main[bot]	c55d0784e2	Anytype-Server (#12974 ) Co-authored-by: push-app-to-main[bot] <203845782+push-app-to-main[bot]@users.noreply.github.com>	2026-03-16 17:33:32 +01:00
community-scripts-pr-app[bot]	2080603464	Update CHANGELOG.md (#12978 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-16 16:32:45 +00:00
CanbiZ (MickLesk)	13aea57207	fix(immich): use gcc-13 for compilation & add uv python pre-install with retry (#12935 ) - Install gcc-13/g++-13 and export CC/CXX before compiling custom photo-processing libraries to work around GCC-14 ICE segfaults on Debian 13 Trixie (closes #12895) - Pre-install Python via 'uv python install' with 3-attempt retry logic before running 'uv sync' to prevent connection reset failures during machine-learning setup (closes #12926) - Applied to both fresh install and update paths	2026-03-16 17:32:16 +01:00