fix: set HOME=/root for rbenv installs to prevent path mismatch

When running in certain LXC environments (e.g. systems with desktop
packages or non-en locales), the HOME variable may resolve to '/'
instead of '/root'. rbenv installs to $HOME/.rbenv, so if HOME is
wrong it ends up in /.rbenv while all service files and PATH exports
hardcode /root/.rbenv, causing 'env: ruby: No such file or directory'.

Explicitly set HOME=/root for all setup_ruby calls that run as root,
and replace all $HOME/.rbenv references in PATH exports and install
steps with /root/.rbenv literals.

Affected scripts:
- ct/sure.sh + install/sure-install.sh (fixes #14479)
- ct/dawarich.sh + install/dawarich-install.sh
- ct/docuseal.sh + install/docuseal-install.sh

Also add TimeoutStartSec=300 to sure.service so db:prepare on first
start does not get killed by the default 90s systemd timeout.

.github/changelogs/2026/05.md

@@ -1,3 +1,128 @@
+## 2026-05-16
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Homelable: replace passlib with bcrypt for password hashing [@MickLesk](https://github.com/MickLesk) ([#14530](https://github.com/community-scripts/ProxmoxVE/pull/14530))
+    - dashy: fix: restore [@CrazyWolf13](https://github.com/CrazyWolf13) ([#14527](https://github.com/community-scripts/ProxmoxVE/pull/14527))
+    - Update Tinyauth source URL in installation script [@MehrunesSky](https://github.com/MehrunesSky) ([#14483](https://github.com/community-scripts/ProxmoxVE/pull/14483))
+    - Excalidraw: Fix build [@tremor021](https://github.com/tremor021) ([#14509](https://github.com/community-scripts/ProxmoxVE/pull/14509))
+
+  - #### ✨ New Features
+
+    - Update authentik version to 2026.2.3 [@thieneret](https://github.com/thieneret) ([#14517](https://github.com/community-scripts/ProxmoxVE/pull/14517))
+
+## 2026-05-15
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - OPNsense: replace undefined msg_warn with inline echo in alloc retry [@MickLesk](https://github.com/MickLesk) ([#14500](https://github.com/community-scripts/ProxmoxVE/pull/14500))
+    - Checkmk: detect OMD version suffix dynamically on update [@MickLesk](https://github.com/MickLesk) ([#14496](https://github.com/community-scripts/ProxmoxVE/pull/14496))
+
+  - #### ✨ New Features
+
+    - SearXNG: enable JSON format by default for API integrations [@MickLesk](https://github.com/MickLesk) ([#14498](https://github.com/community-scripts/ProxmoxVE/pull/14498))
+
+  - #### 🔧 Refactor
+
+    - Refactor: Ollama use tools.func [@MickLesk](https://github.com/MickLesk) ([#14501](https://github.com/community-scripts/ProxmoxVE/pull/14501))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - core: fall back to silent mode when no TTY or whiptail unavailable [@MickLesk](https://github.com/MickLesk) ([#14497](https://github.com/community-scripts/ProxmoxVE/pull/14497))
+
+## 2026-05-14
+
+### 🆕 New Scripts
+
+  - CLIProxyAPI ([#14443](https://github.com/community-scripts/ProxmoxVE/pull/14443))
+
+## 2026-05-13
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Fix: Broken Manifold update [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14468](https://github.com/community-scripts/ProxmoxVE/pull/14468))
+    - SoulSync: Fix update function [@tremor021](https://github.com/tremor021) ([#14465](https://github.com/community-scripts/ProxmoxVE/pull/14465))
+    - Reactive-Resume: fix PDF generation timeout in LXC containers [@MickLesk](https://github.com/MickLesk) ([#14416](https://github.com/community-scripts/ProxmoxVE/pull/14416))
+    - (calibre-web) Add --no-sandbox for PDF conversion [@jamesmyatt](https://github.com/jamesmyatt) ([#14461](https://github.com/community-scripts/ProxmoxVE/pull/14461))
+
+### 💾 Core
+
+  - #### 🔧 Refactor
+
+    - tools.func: encode GitHub tag, refine pin logic, add Codeberg [@MickLesk](https://github.com/MickLesk) ([#14473](https://github.com/community-scripts/ProxmoxVE/pull/14473))
+
+## 2026-05-12
+
+### 🆕 New Scripts
+
+  - DocuSeal ([#14445](https://github.com/community-scripts/ProxmoxVE/pull/14445))
+- Authentik ([#14440](https://github.com/community-scripts/ProxmoxVE/pull/14440))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Save Omada version [@lucacome](https://github.com/lucacome) ([#14433](https://github.com/community-scripts/ProxmoxVE/pull/14433))
+
+  - #### ✨ New Features
+
+    - OpenCloud: bump version to 6.2.0 [@vhsdream](https://github.com/vhsdream) ([#14451](https://github.com/community-scripts/ProxmoxVE/pull/14451))
+
+  - #### 🔧 Refactor
+
+    - misc: bump node versions [@CrazyWolf13](https://github.com/CrazyWolf13) ([#14447](https://github.com/community-scripts/ProxmoxVE/pull/14447))
+
+## 2026-05-11
+
+### 🆕 New Scripts
+
+  - Lychee ([#14424](https://github.com/community-scripts/ProxmoxVE/pull/14424))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Termix: fix nginx pid path and log paths on update (#) [@MickLesk](https://github.com/MickLesk) ([#14419](https://github.com/community-scripts/ProxmoxVE/pull/14419))
+    - Nginxproxymanager: restore NPM nginx.conf after OpenResty rebuid [@MickLesk](https://github.com/MickLesk) ([#14421](https://github.com/community-scripts/ProxmoxVE/pull/14421))
+
+  - #### 🔧 Refactor
+
+    - InvestBrain: add commented reverse proxy config hints to .env [@MickLesk](https://github.com/MickLesk) ([#14422](https://github.com/community-scripts/ProxmoxVE/pull/14422))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - Cronmaster: fix unexpected EOF in update_cronmaster script [@MickLesk](https://github.com/MickLesk) ([#14420](https://github.com/community-scripts/ProxmoxVE/pull/14420))
+
+## 2026-05-10
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Save Beszel version [@lucacome](https://github.com/lucacome) ([#14389](https://github.com/community-scripts/ProxmoxVE/pull/14389))
+    - karakeep: Fix SERVER_VERSION update [@MickLesk](https://github.com/MickLesk) ([#14378](https://github.com/community-scripts/ProxmoxVE/pull/14378))
+    - inspIRCd: Fix service not autostarting [@tremor021](https://github.com/tremor021) ([#14368](https://github.com/community-scripts/ProxmoxVE/pull/14368))
+
+  - #### 🔧 Refactor
+
+    - refactor: webcheck [@CrazyWolf13](https://github.com/CrazyWolf13) ([#14391](https://github.com/community-scripts/ProxmoxVE/pull/14391))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - [tools.func]: Pin `pnpm` version [@tremor021](https://github.com/tremor021) ([#14386](https://github.com/community-scripts/ProxmoxVE/pull/14386))
+
 ## 2026-05-09
 
 ### 🚀 Updated Scripts

CHANGELOG.md

@@ -50,6 +50,9 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 
 
+
+
+
 
 
 
@@ -63,7 +66,7 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 
 <details>
-<summary><h4>May (9 entries)</h4></summary>
+<summary><h4>May (16 entries)</h4></summary>
 
 [View May 2026 Changelog](.github/changelogs/2026/05.md)
 
@@ -461,6 +464,96 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-05-17
+
+### 🚀 Updated Scripts
+
+  - #### ✨ New Features
+
+    - tools.func: replace max-time with speed-limit stall detection in curl_download [@MickLesk](https://github.com/MickLesk) ([#14545](https://github.com/community-scripts/ProxmoxVE/pull/14545))
+
+## 2026-05-16
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Homelable: replace passlib with bcrypt for password hashing [@MickLesk](https://github.com/MickLesk) ([#14530](https://github.com/community-scripts/ProxmoxVE/pull/14530))
+    - dashy: fix: restore [@CrazyWolf13](https://github.com/CrazyWolf13) ([#14527](https://github.com/community-scripts/ProxmoxVE/pull/14527))
+    - Update Tinyauth source URL in installation script [@MehrunesSky](https://github.com/MehrunesSky) ([#14483](https://github.com/community-scripts/ProxmoxVE/pull/14483))
+    - Excalidraw: Fix build [@tremor021](https://github.com/tremor021) ([#14509](https://github.com/community-scripts/ProxmoxVE/pull/14509))
+
+  - #### ✨ New Features
+
+    - Update authentik version to 2026.2.3 [@thieneret](https://github.com/thieneret) ([#14517](https://github.com/community-scripts/ProxmoxVE/pull/14517))
+
+## 2026-05-15
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - OPNsense: replace undefined msg_warn with inline echo in alloc retry [@MickLesk](https://github.com/MickLesk) ([#14500](https://github.com/community-scripts/ProxmoxVE/pull/14500))
+    - Checkmk: detect OMD version suffix dynamically on update [@MickLesk](https://github.com/MickLesk) ([#14496](https://github.com/community-scripts/ProxmoxVE/pull/14496))
+
+  - #### ✨ New Features
+
+    - SearXNG: enable JSON format by default for API integrations [@MickLesk](https://github.com/MickLesk) ([#14498](https://github.com/community-scripts/ProxmoxVE/pull/14498))
+
+  - #### 🔧 Refactor
+
+    - Refactor: Ollama use tools.func [@MickLesk](https://github.com/MickLesk) ([#14501](https://github.com/community-scripts/ProxmoxVE/pull/14501))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - core: fall back to silent mode when no TTY or whiptail unavailable [@MickLesk](https://github.com/MickLesk) ([#14497](https://github.com/community-scripts/ProxmoxVE/pull/14497))
+
+## 2026-05-14
+
+### 🆕 New Scripts
+
+  - CLIProxyAPI ([#14443](https://github.com/community-scripts/ProxmoxVE/pull/14443))
+
+## 2026-05-13
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Fix: Broken Manifold update [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#14468](https://github.com/community-scripts/ProxmoxVE/pull/14468))
+    - SoulSync: Fix update function [@tremor021](https://github.com/tremor021) ([#14465](https://github.com/community-scripts/ProxmoxVE/pull/14465))
+    - Reactive-Resume: fix PDF generation timeout in LXC containers [@MickLesk](https://github.com/MickLesk) ([#14416](https://github.com/community-scripts/ProxmoxVE/pull/14416))
+    - (calibre-web) Add --no-sandbox for PDF conversion [@jamesmyatt](https://github.com/jamesmyatt) ([#14461](https://github.com/community-scripts/ProxmoxVE/pull/14461))
+
+### 💾 Core
+
+  - #### 🔧 Refactor
+
+    - tools.func: encode GitHub tag, refine pin logic, add Codeberg [@MickLesk](https://github.com/MickLesk) ([#14473](https://github.com/community-scripts/ProxmoxVE/pull/14473))
+
+## 2026-05-12
+
+### 🆕 New Scripts
+
+  - DocuSeal ([#14445](https://github.com/community-scripts/ProxmoxVE/pull/14445))
+- Authentik ([#14440](https://github.com/community-scripts/ProxmoxVE/pull/14440))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Save Omada version [@lucacome](https://github.com/lucacome) ([#14433](https://github.com/community-scripts/ProxmoxVE/pull/14433))
+
+  - #### ✨ New Features
+
+    - OpenCloud: bump version to 6.2.0 [@vhsdream](https://github.com/vhsdream) ([#14451](https://github.com/community-scripts/ProxmoxVE/pull/14451))
+
+  - #### 🔧 Refactor
+
+    - misc: bump node versions [@CrazyWolf13](https://github.com/CrazyWolf13) ([#14447](https://github.com/community-scripts/ProxmoxVE/pull/14447))
+
 ## 2026-05-11
 
 ### 🆕 New Scripts
@@ -971,147 +1064,4 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
   - #### 🔧 Refactor
 
-    - core: fix some pct create issues (telemetry) + cleanup [@MickLesk](https://github.com/MickLesk) ([#13810](https://github.com/community-scripts/ProxmoxVE/pull/13810))
-
-## 2026-04-16
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Add pnpm as a dependency to ghost-cli install [@YourFavoriteKyle](https://github.com/YourFavoriteKyle) ([#13789](https://github.com/community-scripts/ProxmoxVE/pull/13789))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - core: wire ENABLE_MKNOD and ALLOW_MOUNT_FS into LXC features [@MickLesk](https://github.com/MickLesk) ([#13796](https://github.com/community-scripts/ProxmoxVE/pull/13796))
-
-## 2026-04-15
-
-### 🆕 New Scripts
-
-  - iGotify ([#13773](https://github.com/community-scripts/ProxmoxVE/pull/13773))
-- GitHub-Runner ([#13709](https://github.com/community-scripts/ProxmoxVE/pull/13709))
-- Revert "Remove low-install-count CT scripts and installers (#13570)" [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13752](https://github.com/community-scripts/ProxmoxVE/pull/13752))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - [alpine-nextcloud] Update Nginx MIME types to support .mjs files [@GuiltyFox](https://github.com/GuiltyFox) ([#13771](https://github.com/community-scripts/ProxmoxVE/pull/13771))
-    - Domain Monitor: Fix file ownership after update [@tremor021](https://github.com/tremor021) ([#13759](https://github.com/community-scripts/ProxmoxVE/pull/13759))
-
-  - #### 💥 Breaking Changes
-
-    - Reitti: refactor scripts for v4 - remove RabbitMQ and Photon [@MickLesk](https://github.com/MickLesk) ([#13728](https://github.com/community-scripts/ProxmoxVE/pull/13728))
-
-  - #### 🔧 Refactor
-
-    - Semaphore: add BoltDB to SQLite migration [@tremor021](https://github.com/tremor021) ([#13779](https://github.com/community-scripts/ProxmoxVE/pull/13779))
-
-### 📚 Documentation
-
-  - cleanup: remove docs/, update README & CONTRIBUTING, fix repo config [@MickLesk](https://github.com/MickLesk) ([#13770](https://github.com/community-scripts/ProxmoxVE/pull/13770))
-
-## 2026-04-14
-
-### 🚀 Updated Scripts
-
-  - Immich: Pin photo-processing library revisions [@vhsdream](https://github.com/vhsdream) ([#13748](https://github.com/community-scripts/ProxmoxVE/pull/13748))
-
-  - #### 🐞 Bug Fixes
-
-    - BentoPDF: Nginx fixes [@tremor021](https://github.com/tremor021) ([#13741](https://github.com/community-scripts/ProxmoxVE/pull/13741))
-    - Zerobyte: add git to dependencies to fix bun install failure [@Copilot](https://github.com/Copilot) ([#13721](https://github.com/community-scripts/ProxmoxVE/pull/13721))
-    - alpine-nextcloud-install: do not use deprecated nginx config [@AlexanderStein](https://github.com/AlexanderStein) ([#13726](https://github.com/community-scripts/ProxmoxVE/pull/13726))
-
-  - #### ✨ New Features
-
-    - Mealie: support v3.15+ Nuxt 4 migration [@MickLesk](https://github.com/MickLesk) ([#13731](https://github.com/community-scripts/ProxmoxVE/pull/13731))
-
-  - #### 🔧 Refactor
-
-    - Lyrion: correct service name and version file in update script [@MickLesk](https://github.com/MickLesk) ([#13734](https://github.com/community-scripts/ProxmoxVE/pull/13734))
-    - Changedetection: move env vars from service file to .env [@tremor021](https://github.com/tremor021) ([#13732](https://github.com/community-scripts/ProxmoxVE/pull/13732))
-
-## 2026-04-13
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Slskd: Remove stale Soularr lock file on startup and redirect logs to stderr [@MickLesk](https://github.com/MickLesk) ([#13669](https://github.com/community-scripts/ProxmoxVE/pull/13669))
-    - Bambuddy: preserve database and archive on update [@Copilot](https://github.com/Copilot) ([#13706](https://github.com/community-scripts/ProxmoxVE/pull/13706))
-
-  - #### ✨ New Features
-
-    - Immich: Pin version to 2.7.5 [@vhsdream](https://github.com/vhsdream) ([#13715](https://github.com/community-scripts/ProxmoxVE/pull/13715))
-    - Bytestash: auto backup/restore data on update [@MickLesk](https://github.com/MickLesk) ([#13707](https://github.com/community-scripts/ProxmoxVE/pull/13707))
-    - OpenCloud: pin version to 6.0.0 [@vhsdream](https://github.com/vhsdream) ([#13691](https://github.com/community-scripts/ProxmoxVE/pull/13691))
-
-  - #### 💥 Breaking Changes
-
-    - Mealie: pin version to v3.14.0 in install and update scripts [@Copilot](https://github.com/Copilot) ([#13724](https://github.com/community-scripts/ProxmoxVE/pull/13724))
-
-  - #### 🔧 Refactor
-
-    - core: remove unused TEMP_DIR mktemp leak in build_container / clean sonarqube [@MickLesk](https://github.com/MickLesk) ([#13708](https://github.com/community-scripts/ProxmoxVE/pull/13708))
-
-## 2026-04-12
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Alpine-Wakapi: Remove container checks in update_script function [@MickLesk](https://github.com/MickLesk) ([#13694](https://github.com/community-scripts/ProxmoxVE/pull/13694))
-
-  - #### 🔧 Refactor
-
-    - IronClaw: Install keychain dependencies and launch in a DBus session [@MickLesk](https://github.com/MickLesk) ([#13692](https://github.com/community-scripts/ProxmoxVE/pull/13692))
-    - MeTube: Allow pnpm build scripts to fix ERR_PNPM_IGNORED_BUILDS [@MickLesk](https://github.com/MickLesk) ([#13668](https://github.com/community-scripts/ProxmoxVE/pull/13668))
-
-## 2026-04-11
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Immich: Ensure newline before appending IMMICH_HELMET_FILE to .env [@MickLesk](https://github.com/MickLesk) ([#13667](https://github.com/community-scripts/ProxmoxVE/pull/13667))
-
-  - #### ✨ New Features
-
-    - BentoPDF: replace http-server with nginx to fix WASM initialization timeout [@MickLesk](https://github.com/MickLesk) ([#13625](https://github.com/community-scripts/ProxmoxVE/pull/13625))
-    - Element Synapse: Add MatrixRTC configuration for Element Call support [@MickLesk](https://github.com/MickLesk) ([#13665](https://github.com/community-scripts/ProxmoxVE/pull/13665))
-    - RomM: Use ROMM_BASE_PATH from .env for symlinks and nginx config [@MickLesk](https://github.com/MickLesk) ([#13666](https://github.com/community-scripts/ProxmoxVE/pull/13666))
-    - Immich: Pin version to 2.7.4 [@vhsdream](https://github.com/vhsdream) ([#13661](https://github.com/community-scripts/ProxmoxVE/pull/13661))
-
-  - #### 🔧 Refactor
-
-    - Crafty Controller: Wait for credentials file instead of fixed sleep [@MickLesk](https://github.com/MickLesk) ([#13670](https://github.com/community-scripts/ProxmoxVE/pull/13670))
-    - Refactor: Alpine-Wakapi [@tremor021](https://github.com/tremor021) ([#13656](https://github.com/community-scripts/ProxmoxVE/pull/13656))
-
-## 2026-04-10
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - fix: ensure trailing newline in redis.conf before appending bind directive [@Copilot](https://github.com/Copilot) ([#13647](https://github.com/community-scripts/ProxmoxVE/pull/13647))
-
-  - #### ✨ New Features
-
-    - Immich: Pin version to 2.7.3 [@vhsdream](https://github.com/vhsdream) ([#13631](https://github.com/community-scripts/ProxmoxVE/pull/13631))
-    - Homarr: bind Redis to localhost only [@MickLesk](https://github.com/MickLesk) ([#13552](https://github.com/community-scripts/ProxmoxVE/pull/13552))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - tools.func: prevent script crash when entering GitHub token after rate limit [@MickLesk](https://github.com/MickLesk) ([#13638](https://github.com/community-scripts/ProxmoxVE/pull/13638))
-
-### 🧰 Tools
-
-  - #### 🔧 Refactor
-
-    - addons: Filebrowser & Filebrowser-Quantum get warning if host install [@MickLesk](https://github.com/MickLesk) ([#13639](https://github.com/community-scripts/ProxmoxVE/pull/13639))
+    - core: fix some pct create issues (telemetry) + cleanup [@MickLesk](https://github.com/MickLesk) ([#13810](https://github.com/community-scripts/ProxmoxVE/pull/13810))

ct/alpine-tinyauth.sh

@@ -3,7 +3,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: Slaviša Arežina (tremor021) | Co-Author: Stavros (steveiliop56)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/steveiliop56/tinyauth
+# Source: https://github.com/tinyauthapp/tinyauth
 
 APP="Alpine-Tinyauth"
 var_tags="${var_tags:-alpine;auth}"
@@ -29,7 +29,7 @@ function update_script() {
   $STD apk -U upgrade
   msg_ok "Updated packages"
 
-  RELEASE=$(curl -s https://api.github.com/repos/steveiliop56/tinyauth/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }')
+  RELEASE=$(curl -s https://api.github.com/repos/tinyauthapp/tinyauth/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }')
   if [ "${RELEASE}" != "$(cat ~/.tinyauth 2>/dev/null)" ] || [ ! -f ~/.tinyauth ]; then
     msg_info "Stopping Service"
     $STD service tinyauth stop
@@ -51,7 +51,7 @@ function update_script() {
 
     msg_info "Updating Tinyauth"
     rm -f /opt/tinyauth/tinyauth
-    curl -fsSL "https://github.com/steveiliop56/tinyauth/releases/download/v${RELEASE}/tinyauth-amd64" -o /opt/tinyauth/tinyauth
+    curl -fsSL "https://github.com/tinyauthapp/tinyauth/releases/download/v${RELEASE}/tinyauth-amd64" -o /opt/tinyauth/tinyauth
     chmod +x /opt/tinyauth/tinyauth
     echo "${RELEASE}" >~/.tinyauth
     msg_ok "Updated Tinyauth"

ct/apache-guacamole.sh

@@ -89,7 +89,7 @@ function update_script() {
     # Auth JDBC follows server version
     msg_info "Updating Guacamole Auth JDBC"
     rm -f /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-*.jar
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-jdbc-${LATEST_SERVER}.tar.gz" -o "/tmp/guacamole-auth-jdbc.tar.gz"
+    curl_download "/tmp/guacamole-auth-jdbc.tar.gz" "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-jdbc-${LATEST_SERVER}.tar.gz"
     $STD tar -xf /tmp/guacamole-auth-jdbc.tar.gz -C /tmp
     mv /tmp/guacamole-auth-jdbc-"${LATEST_SERVER}"/mysql/guacamole-auth-jdbc-mysql-"${LATEST_SERVER}".jar /etc/guacamole/extensions/
     echo "${LATEST_SERVER}" >~/.guacamole_auth_jdbc
@@ -101,7 +101,7 @@ function update_script() {
   # Update Guacamole Client
   if [[ "$CURRENT_CLIENT" != "$LATEST_CLIENT" ]]; then
     msg_info "Updating Guacamole Client (${CURRENT_CLIENT} → ${LATEST_CLIENT})"
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_CLIENT}/binary/guacamole-${LATEST_CLIENT}.war" -o "/opt/apache-guacamole/tomcat9/webapps/guacamole.war"
+    curl_download "/opt/apache-guacamole/tomcat9/webapps/guacamole.war" "https://downloads.apache.org/guacamole/${LATEST_CLIENT}/binary/guacamole-${LATEST_CLIENT}.war"
     echo "${LATEST_CLIENT}" >~/.guacamole_client
     msg_ok "Updated Guacamole Client"
   else
@@ -111,7 +111,7 @@ function update_script() {
   # Update MySQL Connector
   if [[ "$CURRENT_MYSQL_CONNECTOR" != "$LATEST_MYSQL_CONNECTOR" ]]; then
     msg_info "Updating MySQL Connector (${CURRENT_MYSQL_CONNECTOR} → ${LATEST_MYSQL_CONNECTOR})"
-    curl -fsSL "https://repo1.maven.org/maven2/com/mysql/mysql-connector-j/${LATEST_MYSQL_CONNECTOR}/mysql-connector-j-${LATEST_MYSQL_CONNECTOR}.jar" -o "/etc/guacamole/lib/mysql-connector-j.jar"
+    curl_download "/etc/guacamole/lib/mysql-connector-j.jar" "https://repo1.maven.org/maven2/com/mysql/mysql-connector-j/${LATEST_MYSQL_CONNECTOR}/mysql-connector-j-${LATEST_MYSQL_CONNECTOR}.jar"
     echo "${LATEST_MYSQL_CONNECTOR}" >~/.guacamole_mysql_connector
     msg_ok "Updated MySQL Connector"
   else
@@ -148,7 +148,7 @@ function update_script() {
   if [[ -f /etc/guacamole/extensions/guacamole-auth-totp-*.jar ]]; then
     msg_info "Updating TOTP Extension"
     rm -f /etc/guacamole/extensions/guacamole-auth-totp-*.jar
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-totp-${LATEST_SERVER}.tar.gz" -o "/tmp/guacamole-auth-totp.tar.gz"
+    curl_download "/tmp/guacamole-auth-totp.tar.gz" "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-totp-${LATEST_SERVER}.tar.gz"
     $STD tar -xf /tmp/guacamole-auth-totp.tar.gz -C /tmp
     mv /tmp/guacamole-auth-totp-"${LATEST_SERVER}"/guacamole-auth-totp-"${LATEST_SERVER}".jar /etc/guacamole/extensions/
     chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-"${LATEST_SERVER}".jar
@@ -160,7 +160,7 @@ function update_script() {
   if [[ -f /etc/guacamole/extensions/guacamole-auth-duo-*.jar ]]; then
     msg_info "Updating DUO Extension"
     rm -f /etc/guacamole/extensions/guacamole-auth-duo-*.jar
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-duo-${LATEST_SERVER}.tar.gz" -o "/tmp/guacamole-auth-duo.tar.gz"
+    curl_download "/tmp/guacamole-auth-duo.tar.gz" "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-duo-${LATEST_SERVER}.tar.gz"
     $STD tar -xf /tmp/guacamole-auth-duo.tar.gz -C /tmp
     mv /tmp/guacamole-auth-duo-"${LATEST_SERVER}"/guacamole-auth-duo-"${LATEST_SERVER}".jar /etc/guacamole/extensions/
     chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-"${LATEST_SERVER}".jar
@@ -172,7 +172,7 @@ function update_script() {
   if [[ -f /etc/guacamole/extensions/guacamole-auth-ldap-*.jar ]]; then
     msg_info "Updating LDAP Extension"
     rm -f /etc/guacamole/extensions/guacamole-auth-ldap-*.jar
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-ldap-${LATEST_SERVER}.tar.gz" -o "/tmp/guacamole-auth-ldap.tar.gz"
+    curl_download "/tmp/guacamole-auth-ldap.tar.gz" "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-ldap-${LATEST_SERVER}.tar.gz"
     $STD tar -xf /tmp/guacamole-auth-ldap.tar.gz -C /tmp
     mv /tmp/guacamole-auth-ldap-"${LATEST_SERVER}"/guacamole-auth-ldap-"${LATEST_SERVER}".jar /etc/guacamole/extensions/
     chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-"${LATEST_SERVER}".jar
@@ -184,7 +184,7 @@ function update_script() {
   if [[ -f /etc/guacamole/extensions/guacamole-auth-quickconnect-*.jar ]]; then
     msg_info "Updating Quick Connect Extension"
     rm -f /etc/guacamole/extensions/guacamole-auth-quickconnect-*.jar
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-quickconnect-${LATEST_SERVER}.tar.gz" -o "/tmp/guacamole-auth-quickconnect.tar.gz"
+    curl_download "/tmp/guacamole-auth-quickconnect.tar.gz" "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-auth-quickconnect-${LATEST_SERVER}.tar.gz"
     $STD tar -xf /tmp/guacamole-auth-quickconnect.tar.gz -C /tmp
     mv /tmp/guacamole-auth-quickconnect-"${LATEST_SERVER}"/guacamole-auth-quickconnect-"${LATEST_SERVER}".jar /etc/guacamole/extensions/
     chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-"${LATEST_SERVER}".jar
@@ -196,7 +196,7 @@ function update_script() {
   if [[ -f /etc/guacamole/extensions/guacamole-history-recording-storage-*.jar ]]; then
     msg_info "Updating History Recording Storage Extension"
     rm -f /etc/guacamole/extensions/guacamole-history-recording-storage-*.jar
-    curl -fsSL "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-history-recording-storage-${LATEST_SERVER}.tar.gz" -o "/tmp/guacamole-history-recording-storage.tar.gz"
+    curl_download "/tmp/guacamole-history-recording-storage.tar.gz" "https://downloads.apache.org/guacamole/${LATEST_SERVER}/binary/guacamole-history-recording-storage-${LATEST_SERVER}.tar.gz"
     $STD tar -xf /tmp/guacamole-history-recording-storage.tar.gz -C /tmp
     mv /tmp/guacamole-history-recording-storage-"${LATEST_SERVER}"/guacamole-history-recording-storage-"${LATEST_SERVER}".jar /etc/guacamole/extensions/
     chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-"${LATEST_SERVER}".jar

ct/authentik.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+APP="authentik"
+var_tags="${var_tags:-auth}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-16}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/authentik ]]; then
+    msg_error "No authentik Installation Found!"
+    exit
+  fi
+
+  NODE_VERSION="24" setup_nodejs
+  setup_go
+  UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
+  setup_rust
+
+  AUTHENTIK_VERSION="version/2026.2.3"
+  XMLSEC_VERSION="1.3.11"
+
+  if check_for_gh_release "geoipupdate" "maxmind/geoipupdate"; then
+    fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+  fi
+
+  if check_for_gh_release "xmlsec" "lsh123/xmlsec" "${XMLSEC_VERSION}"; then
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
+
+    msg_info "Updating xmlsec"
+    cd /opt/xmlsec
+    $STD ./autogen.sh
+    $STD make -j $(nproc)
+    $STD make check
+    $STD make install
+    $STD ldconfig
+    msg_ok "Updated xmlsec"
+  fi
+
+  if check_for_gh_release "authentik" "goauthentik/authentik" "${AUTHENTIK_VERSION}"; then
+    msg_info "Stopping Services"
+    systemctl stop authentik-server authentik-worker
+	if [[ $(systemctl is-active authentik-ldap) == active ]]; then
+		systemctl stop authentik-ldap
+	fi
+	if [[ $(systemctl is-active authentik-rac) == active ]]; then
+		systemctl stop authentik-rac
+	fi
+	if [[ $(systemctl is-active authentik-radius) == active ]]; then
+		systemctl stop authentik-radius
+	fi
+    msg_ok "Stopped Services"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
+
+    msg_info "Updating web"
+    cd /opt/authentik/web
+    export NODE_ENV="production"
+    $STD npm install
+    $STD npm run build
+    $STD npm run build:sfe
+    msg_ok "Updated web"
+
+    msg_info "Updating go proxy"
+    cd /opt/authentik
+    export CGO_ENABLED="1"
+    $STD go mod download
+    $STD go build -o /opt/authentik/authentik-server ./cmd/server
+	$STD go build -o /opt/authentik/ldap ./cmd/ldap
+	$STD go build -o /opt/authentik/rac ./cmd/rac
+	$STD go build -o /opt/authentik/radius ./cmd/radius
+    msg_ok "Updated go proxy"
+
+    msg_info "Updating python server"
+    export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+    export UV_COMPILE_BYTECODE="1"
+    export UV_LINK_MODE="copy"
+    export UV_NATIVE_TLS="1"
+    export RUSTUP_PERMIT_COPY_RENAME="true"
+    export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
+    cd /opt/authentik
+    $STD uv sync --frozen --no-install-project --no-dev
+    chown -R authentik:authentik /opt/authentik
+    msg_ok "Updated python server"
+  fi
+
+  msg_info "Starting Services"
+  systemctl start authentik-server authentik-worker
+  if [[ $(systemctl is-enabled authentik-ldap) == enabled ]]; then
+  	systemctl start authentik-ldap
+  fi
+  if [[ $(systemctl is-enabled authentik-rac) == enabled ]]; then
+  	systemctl start authentik-rac
+  fi
+  if [[ $(systemctl is-enabled authentik-radius) == enabled ]]; then
+  	systemctl start authentik-radius
+  fi
+  msg_ok "Started Services"
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+
+msg_info "Attaching data storage volume"
+$STD pct stop "$CTID"
+if [ "${PROTECT_CT:-}" == "1" ] || [ "${PROTECT_CT:-}" == "yes" ]; then
+  $STD pct set "$CTID" --protection 0
+  $STD pct set "$CTID" -mp0 "${CONTAINER_STORAGE}":1,mp=/opt/authentik-data,backup=1
+  $STD pct set "$CTID" --protection 1
+else
+  $STD pct set "$CTID" -mp0 "${CONTAINER_STORAGE}":1,mp=/opt/authentik-data,backup=1
+fi
+$STD pct start "$CTID"
+for i in {1..10}; do
+  pct status "$CTID" | grep -q "status: running" && break
+  sleep 1
+done
+$STD pct exec "$CTID" -- bash -c "mkdir -p /opt/authentik-data/{certs,media,geoip,templates}; \
+  cp /opt/authentik/tests/GeoLite2-ASN-Test.mmdb /opt/authentik-data/geoip/GeoLite2-ASN.mmdb; \
+  cp /opt/authentik/tests/GeoLite2-City-Test.mmdb /opt/authentik-data/geoip/GeoLite2-City.mmdb; \
+  chown authentik:authentik /opt/authentik-data; \
+  chown -R authentik:authentik /opt/authentik-data/{certs,media,geoip,templates}"
+msg_ok "Attached data storage volume"
+
+msg_info "Starting Services"
+pct exec "$CTID" -- systemctl enable -q --now authentik-server authentik-worker
+msg_ok "Started Services"
+
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Initial setup URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000/if/flow/initial-setup/${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000${CL}"

ct/checkmk.sh

@@ -33,9 +33,14 @@ function update_script() {
   msg_info "Updating checkmk"
   $STD omd stop monitoring
   $STD omd cp monitoring monitoringbackup
-  curl_with_retry "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-community-${RELEASE}_0.$(get_os_info codename)_amd64.deb" "/opt/checkmk.deb"
+  curl_download "/opt/checkmk.deb" "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-community-${RELEASE}_0.$(get_os_info codename)_amd64.deb"
   $STD apt install -y /opt/checkmk.deb
-  $STD omd --force -V ${RELEASE}.cre update --conflict=install monitoring
+  OMD_VERSION=$(omd versions 2>/dev/null | grep "^${RELEASE}" | awk '{print $1}')
+  if [[ -z "${OMD_VERSION}" ]]; then
+    msg_error "Could not find installed OMD version for release ${RELEASE}"
+    exit 1
+  fi
+  $STD omd --force -V "${OMD_VERSION}" update --conflict=install monitoring
   $STD omd start monitoring
   $STD omd -f rm monitoringbackup
   $STD omd cleanup

ct/cliproxyapi.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: mathiasnagler
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/router-for-me/CLIProxyAPI
+
+APP="CLIProxyAPI"
+var_tags="${var_tags:-ai;proxy}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/cliproxyapi ]]; then
+    msg_error "No CLIProxyAPI Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "cliproxyapi" "router-for-me/CLIProxyAPI"; then
+    msg_info "Stopping CLIProxyAPI"
+    systemctl stop cliproxyapi
+    msg_ok "Stopped CLIProxyAPI"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "cliproxyapi" "router-for-me/CLIProxyAPI" "prebuild" "latest" "/opt/cliproxyapi" "CLIProxyAPI_*_linux_amd64.tar.gz"
+
+    msg_info "Starting CLIProxyAPI"
+    systemctl start cliproxyapi
+    msg_ok "Started CLIProxyAPI"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8317${CL}"

ct/dashy.sh

@@ -48,7 +48,7 @@ function update_script() {
     msg_ok "Updated Dashy"
 
     msg_info "Restoring conf.yml"
-    cp -R /opt/dashy_conf_backup.yml /opt/dashy/user-data
+    cp /opt/dashy_conf_backup.yml /opt/dashy/user-data/conf.yml
     msg_ok "Restored conf.yml"
 
     msg_info "Cleaning"

ct/dawarich.sh

@@ -45,12 +45,12 @@ function update_script() {
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "dawarich" "Freika/dawarich" "tarball" "latest" "/opt/dawarich/app"
 
     RUBY_VERSION=$(cat /opt/dawarich/app/.ruby-version 2>/dev/null || echo "3.4.6")
-    RUBY_VERSION=${RUBY_VERSION} RUBY_INSTALL_RAILS="false" setup_ruby
+    RUBY_VERSION=${RUBY_VERSION} RUBY_INSTALL_RAILS="false" HOME=/root setup_ruby
 
     msg_info "Running Migrations"
     cd /opt/dawarich/app
     source /root/.profile
-    export PATH="/root/.rbenv/shims:/root/.rbenv/bin:$PATH"
+    export PATH="/root/.rbenv/shims:/root/.rbenv/bin:${PATH}"
     eval "$(/root/.rbenv/bin/rbenv init - bash)"
 
     if ! grep -q "OTP_ENCRYPTION_PRIMARY_KEY" /opt/dawarich/.env; then

ct/docuseal.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://www.docuseal.com/
+
+APP="DocuSeal"
+var_tags="${var_tags:-document;esignature;pdf}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-10}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/docuseal ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "docuseal" "docusealco/docuseal"; then
+    msg_info "Stopping Services"
+    systemctl stop docuseal docuseal-sidekiq
+    msg_ok "Stopped Services"
+
+    msg_info "Backing up Data"
+    cp /opt/docuseal/.env /opt/docuseal.env.bak
+    [[ -d /opt/docuseal/data ]] && mv /opt/docuseal/data /opt/docuseal_data.bak
+    msg_ok "Backed up Data"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "docuseal" "docusealco/docuseal" "tarball"
+
+    msg_info "Restoring Data"
+    mv /opt/docuseal.env.bak /opt/docuseal/.env
+    [[ -d /opt/docuseal_data.bak ]] && mv /opt/docuseal_data.bak /opt/docuseal/data
+    msg_ok "Restored Data"
+
+    msg_info "Building Application"
+    cd /opt/docuseal
+    export PATH="/root/.rbenv/bin:/root/.rbenv/shims:${PATH}"
+    eval "$(rbenv init - bash)" 2>/dev/null || true
+    export RAILS_ENV=production
+    export NODE_ENV=production
+    export SECRET_KEY_BASE_DUMMY=1
+    set -a
+    source /opt/docuseal/.env
+    set +a
+    $STD bundle config set --local deployment 'true'
+    $STD bundle config set --local without 'development:test'
+    $STD bundle install -j"$(nproc)"
+    $STD yarn install --network-timeout 1000000
+    $STD ./bin/shakapacker
+    $STD bundle exec rails db:migrate
+    $STD bundle exec bootsnap precompile -j 1 --gemfile app/ lib/
+    chown -R docuseal:docuseal /opt/docuseal
+    msg_ok "Built Application"
+
+    msg_info "Starting Services"
+    systemctl start docuseal docuseal-sidekiq
+    msg_ok "Started Services"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/excalidraw.sh

@@ -28,6 +28,9 @@ function update_script() {
     msg_error "No ${APP} Installation Found!"
     exit
   fi
+
+  NODE_VERSION="24" NODE_MODULE="yarn" setup_nodejs
+
   if check_for_gh_release "excalidraw" "excalidraw/excalidraw"; then
     msg_info "Stopping Service"
     systemctl stop excalidraw
@@ -37,6 +40,7 @@ function update_script() {
 
     msg_info "Updating Excalidraw"
     cd /opt/excalidraw
+    $STD yarn config set ignore-engines true
     $STD yarn
     msg_ok "Updated Excalidraw"
 

ct/headers/authentik

@@ -0,0 +1,6 @@
+               __  __               __  _ __  
+  ____ ___  __/ /_/ /_  ___  ____  / /_(_) /__
+ / __ `/ / / / __/ __ \/ _ \/ __ \/ __/ / //_/
+/ /_/ / /_/ / /_/ / / /  __/ / / / /_/ / ,<   
+\__,_/\__,_/\__/_/ /_/\___/_/ /_/\__/_/_/|_|  
+                                              

ct/headers/cliproxyapi

@@ -0,0 +1,6 @@
+   ________    ________                        ___    ____  ____
+  / ____/ /   /  _/ __ \_________  _  ____  __/   |  / __ \/  _/
+ / /   / /    / // /_/ / ___/ __ \| |/_/ / / / /| | / /_/ // /  
+/ /___/ /____/ // ____/ /  / /_/ />  </ /_/ / ___ |/ ____// /   
+\____/_____/___/_/   /_/   \____/_/|_|\__, /_/  |_/_/   /___/   
+                                     /____/                     

ct/headers/docuseal

@@ -0,0 +1,6 @@
+    ____                   _____            __
+   / __ \____  _______  __/ ___/___  ____ _/ /
+  / / / / __ \/ ___/ / / /\__ \/ _ \/ __ `/ / 
+ / /_/ / /_/ / /__/ /_/ /___/ /  __/ /_/ / /  
+/_____/\____/\___/\__,_//____/\___/\__,_/_/   
+                                              

ct/kasm.sh

@@ -35,7 +35,7 @@ function update_script() {
   CURRENT_VERSION=$(readlink -f /opt/kasm/current | awk -F'/' '{print $4}')
   KASM_VERSION=$(curl -s https://kasm.com/downloads | grep -oP '<h1[^>]*>.*?</h1>' | sed -E 's/<\/?h1[^>]*>//g' | grep -oP '\d+\.\d+\.\d+')
   KASM_URL="https://kasm-static-content.s3.amazonaws.com/kasm_release_${KASM_VERSION:-var_kasm_version}.tar.gz"
-  
+
   # KASM_URL=$(curl -fsSL "https://www.kasm.com/downloads" | tr '\n' ' ' | grep -oE 'https://kasm-static-content[^"]*kasm_release_[0-9]+\.[0-9]+\.[0-9]+\.[a-z0-9]+\.tar\.gz' | head -n 1)
   # if [[ -z "$KASM_URL" ]]; then
   #   SERVICE_IMAGE_URL=$(curl -fsSL "https://www.kasm.com/downloads" | tr '\n' ' ' | grep -oE 'https://kasm-static-content[^"]*kasm_release_service_images_amd64_[0-9]+\.[0-9]+\.[0-9]+\.tar\.gz' | head -n 1)
@@ -46,7 +46,7 @@ function update_script() {
   # else
   #   KASM_VERSION=$(echo "$KASM_URL" | sed -E 's/.*kasm_release_([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
   # fi
-  
+
   if [[ -z "$KASM_VERSION" ]] || [[ -z "$KASM_URL" ]]; then
     msg_error "Unable to detect latest Kasm release URL."
     exit 250
@@ -56,10 +56,10 @@ function update_script() {
   msg_info "Removing outdated docker-compose plugin"
   [ -f ~/.docker/cli-plugins/docker-compose ] && rm -rf ~/.docker/cli-plugins/docker-compose
   msg_ok "Removed outdated docker-compose plugin"
-  
+
   if [[ -z "$CURRENT_VERSION" ]] || [[ "$KASM_VERSION" != "$CURRENT_VERSION" ]]; then
     msg_info "Updating Kasm"
-    cd /tmp 
+    cd /tmp
 
     msg_warn "WARNING: This script will run an external installer from a third-party source (https://www.kasmweb.com/)."
     msg_warn "The following code is NOT maintained or audited by our repository."
@@ -71,17 +71,17 @@ function update_script() {
       msg_error "Aborted by user. No changes have been made."
       exit 10
     fi
-    curl -fsSL -o "/tmp/kasm_release_${KASM_VERSION}.tar.gz" "$KASM_URL"
+    curl_download "/tmp/kasm_release_${KASM_VERSION}.tar.gz" "$KASM_URL"
     tar -xf "kasm_release_${KASM_VERSION}.tar.gz"
     chmod +x /tmp/kasm_release/install.sh
     rm -f /tmp/kasm_release_"${KASM_VERSION}".tar.gz
-  
+
     bash /tmp/kasm_release/upgrade.sh --proxy-port 443
     rm -rf /tmp/kasm_release
     msg_ok "Updated successfully!"
   else
     msg_ok "No update required. Kasm is already at v${KASM_VERSION}"
-  
+
   fi
   exit
 }

ct/manyfold.sh

@@ -55,9 +55,20 @@ function update_script() {
 
     RUBY_VERSION=${RUBY_INSTALL_VERSION} RUBY_INSTALL_RAILS="true" HOME=/home/manyfold setup_ruby
 
-    msg_info "Installing Manyfold"
+    msg_info "Restoring Data"
+    rm -rf /opt/manyfold/app/{storage,tmp,config/credentials.yml.enc,config/master.key}
+    cp -r /opt/manyfold_storage_backup /opt/manyfold/app/storage 2>/dev/null || true
+    cp -r /opt/manyfold_tmp_backup /opt/manyfold/app/tmp 2>/dev/null || true
+    cp /opt/manyfold_credentials.yml.enc /opt/manyfold/app/config/credentials.yml.enc 2>/dev/null || true
+    cp /opt/manyfold_master.key /opt/manyfold/app/config/master.key 2>/dev/null || true
     chown -R manyfold:manyfold {/home/manyfold,/opt/manyfold}
-    chown -R manyfold:manyfold /opt/manyfold
+    chown -R manyfold:manyfold /opt/manyfold/app/storage /opt/manyfold/app/tmp /opt/manyfold/app/config
+    rm -rf /opt/manyfold_storage_backup /opt/manyfold_tmp_backup /opt/manyfold_credentials.yml.enc /opt/manyfold_master.key
+    msg_ok "Restored Data"
+
+    msg_info "Installing Manyfold"
+    $STD npm install --global corepack
+    $STD corepack enable yarn
 
     sudo -u manyfold bash -c '
             source /opt/manyfold/.env
@@ -66,7 +77,6 @@ function update_script() {
             cd /opt/manyfold/app
             gem install bundler sidekiq foreman
             bundle install
-            corepack enable yarn
             corepack prepare '"$YARN_VERSION"' --activate
             corepack use '"$YARN_VERSION"'
             bin/rails db:migrate
@@ -74,16 +84,6 @@ function update_script() {
         '
     msg_ok "Installed Manyfold"
 
-    msg_info "Restoring Data"
-    rm -rf /opt/manyfold/app/{storage,tmp,config/credentials.yml.enc,config/master.key}
-    cp -r /opt/manyfold_storage_backup /opt/manyfold/app/storage 2>/dev/null || true
-    cp -r /opt/manyfold_tmp_backup /opt/manyfold/app/tmp 2>/dev/null || true
-    cp /opt/manyfold_credentials.yml.enc /opt/manyfold/app/config/credentials.yml.enc 2>/dev/null || true
-    cp /opt/manyfold_master.key /opt/manyfold/app/config/master.key 2>/dev/null || true
-    chown -R manyfold:manyfold /opt/manyfold/app/storage /opt/manyfold/app/tmp /opt/manyfold/app/config
-    rm -rf /opt/manyfold_storage_backup /opt/manyfold_tmp_backup /opt/manyfold_credentials.yml.enc /opt/manyfold_master.key
-    msg_ok "Restored Data"
-
     msg_info "Restarting Services"
     source /opt/manyfold/.env
     export PATH="/home/manyfold/.rbenv/shims:/home/manyfold/.rbenv/bin:$PATH"

ct/ollama.sh

@@ -27,34 +27,26 @@ function update_script() {
     msg_error "No Ollama Installation Found!"
     exit
   fi
-  RELEASE=$(curl -fsSL https://api.github.com/repos/ollama/ollama/releases/latest | grep "tag_name" | awk -F '"' '{print $4}')
-  if [[ ! -f /opt/Ollama_version.txt ]] || [[ "${RELEASE}" != "$(cat /opt/Ollama_version.txt)" ]]; then
-    if [[ ! -f /opt/Ollama_version.txt ]]; then
-      touch /opt/Ollama_version.txt
-    fi
+  if check_for_gh_release "ollama" "ollama/ollama"; then
     ensure_dependencies zstd
     msg_info "Stopping Services"
     systemctl stop ollama
     msg_ok "Services Stopped"
 
-    TMP_TAR=$(mktemp --suffix=.tar.zst)
-    curl -fL# -C - -o "${TMP_TAR}" "https://github.com/ollama/ollama/releases/download/${RELEASE}/ollama-linux-amd64.tar.zst"
-    msg_info "Updating Ollama to ${RELEASE}"
-    rm -rf /usr/local/lib/ollama
-    rm -rf /usr/local/bin/ollama
-    mkdir -p /usr/local/lib/ollama
-    tar --zstd -xf "${TMP_TAR}" -C /usr/local/lib/ollama
-    ln -sf /usr/local/lib/ollama/bin/ollama /usr/local/bin/ollama
-    rm -f "${TMP_TAR}"
-    echo "${RELEASE}" >/opt/Ollama_version.txt
-    msg_ok "Updated Ollama to ${RELEASE}"
+    OLLAMA_INSTALL_DIR="/usr/local/lib/ollama"
+    rm -rf "$OLLAMA_INSTALL_DIR" /usr/local/bin/ollama
+    mkdir -p "$OLLAMA_INSTALL_DIR"
+    if ! fetch_and_deploy_gh_release "ollama" "ollama/ollama" "prebuild" "latest" "$OLLAMA_INSTALL_DIR" "ollama-linux-amd64.tar.zst"; then
+      msg_error "Download or deployment failed – check network connectivity and GitHub API availability"
+      exit 250
+    fi
+    ln -sf "$OLLAMA_INSTALL_DIR/bin/ollama" /usr/local/bin/ollama
+    msg_ok "Updated Ollama"
 
     msg_info "Starting Services"
     systemctl start ollama
     msg_ok "Started Services"
     msg_ok "Updated successfully!"
-  else
-    msg_ok "No update required. Ollama is already at ${RELEASE}"
   fi
   exit
 }

ct/omada.sh

@@ -38,20 +38,32 @@ function update_script() {
 
   JAVA_VERSION="21" setup_java
 
-  msg_info "Updating Omada Controller"
   OMADA_URL=$(curl -fsSL "https://support.omadanetworks.com/en/download/software/omada-controller/" |
     grep -o 'https://static\.tp-link\.com/upload/software/[^"]*linux_x64[^"]*\.deb' |
     head -n1)
-  OMADA_PKG=$(basename "$OMADA_URL")
-  if [ -z "$OMADA_PKG" ]; then
-    msg_error "Could not retrieve Omada package – server may be down."
-    exit
+  OMADA_PKG=$(basename "${OMADA_URL}")
+  VERSION=$(sed -n 's/.*_v\([0-9.]*\)_.*_\([0-9]\{14\}\)\.deb$/\1-\2/p' <<<"${OMADA_PKG}")
+
+  CURRENT_VERSION=$(cat $HOME/.omada 2>/dev/null || echo "0")
+
+  if dpkg --compare-versions "${VERSION}" gt "${CURRENT_VERSION}"; then
+
+    msg_info "Updating Omada Controller"
+
+    if [ -z "${OMADA_PKG}" ]; then
+      msg_error "Could not retrieve Omada package – server may be down."
+      exit
+    fi
+    curl -fsSL "${OMADA_URL}" -o "${OMADA_PKG}"
+    export DEBIAN_FRONTEND=noninteractive
+    $STD dpkg -i "${OMADA_PKG}"
+    rm -f "${OMADA_PKG}"
+    echo "${VERSION}" >$HOME/.omada
+    msg_ok "Updated Omada Controller to ${VERSION}"
+    msg_ok "Updated successfully!"
+  else
+    msg_ok "No update available: ${APP} (${CURRENT_VERSION})"
   fi
-  curl -fsSL "$OMADA_URL" -o "$OMADA_PKG"
-  export DEBIAN_FRONTEND=noninteractive
-  $STD dpkg -i "$OMADA_PKG"
-  rm -f "$OMADA_PKG"
-  msg_ok "Updated successfully!"
   exit
 }
 

ct/opencloud.sh

@@ -29,7 +29,7 @@ function update_script() {
     exit
   fi
 
-  RELEASE="v6.1.0"
+  RELEASE="v6.2.0"
   if check_for_gh_release "OpenCloud" "opencloud-eu/opencloud" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
     msg_info "Stopping services"
     systemctl stop opencloud opencloud-wopi

ct/openwebui.sh

@@ -91,37 +91,22 @@ EOF
 
   if [ -x "/usr/bin/ollama" ]; then
     msg_info "Checking for Ollama Update"
-    OLLAMA_VERSION=$(ollama -v | awk '{print $NF}')
-    RELEASE=$(curl -s https://api.github.com/repos/ollama/ollama/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4)}')
-    if [ "$OLLAMA_VERSION" != "$RELEASE" ]; then
-      msg_info "Ollama update available: v$OLLAMA_VERSION -> v$RELEASE"
-      msg_info "Downloading Ollama v$RELEASE \n"
-      curl -fS#LO https://github.com/ollama/ollama/releases/download/v${RELEASE}/ollama-linux-amd64.tar.zst
-      msg_ok "Download Complete"
+    if check_for_gh_release "ollama" "ollama/ollama"; then
+      msg_info "Stopping Ollama Service"
+      systemctl stop ollama
+      msg_ok "Stopped Service"
 
-      if [ -f "ollama-linux-amd64.tar.zst" ]; then
-
-        msg_info "Stopping Ollama Service"
-        systemctl stop ollama
-        msg_ok "Stopped Service"
-
-        msg_info "Installing Ollama"
-        rm -rf /usr/lib/ollama
-        rm -rf /usr/bin/ollama
-        tar --zstd -C /usr -xf ollama-linux-amd64.tar.zst
-        rm -rf ollama-linux-amd64.tar.zst
-        msg_ok "Installed Ollama"
-
-        msg_info "Starting Ollama Service"
-        systemctl start ollama
-        msg_ok "Started Service"
-
-        msg_ok "Ollama updated to version $RELEASE"
+      rm -rf /usr/lib/ollama /usr/bin/ollama
+      if ! fetch_and_deploy_gh_release "ollama" "ollama/ollama" "prebuild" "latest" "/usr/lib/ollama" "ollama-linux-amd64.tar.zst"; then
+        msg_error "Ollama download or deployment failed – check network connectivity and GitHub API availability"
       else
-        msg_error "Ollama download failed. Aborting update."
+        ln -sf /usr/lib/ollama/bin/ollama /usr/bin/ollama
+        msg_ok "Updated Ollama to ${CHECK_UPDATE_RELEASE}"
       fi
-    else
-      msg_ok "Ollama is already up to date."
+
+      msg_info "Starting Ollama Service"
+      systemctl start ollama
+      msg_ok "Started Service"
     fi
   fi
 

ct/soulsync.sh

@@ -44,7 +44,7 @@ function update_script() {
     msg_info "Updating Python Dependencies"
     cd /opt/soulsync
     $STD uv venv --clear /opt/soulsync/.venv --python 3.11
-    $STD /opt/soulsync/.venv/bin/pip install -r requirements.txt
+    $STD uv pip install -r requirements.txt
     msg_ok "Updated Python Dependencies"
 
     mv /opt/soulsync-config.bak /opt/soulsync/config

ct/sure.sh

@@ -64,7 +64,7 @@ EOF
     fi
 
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "Sure" "we-promise/sure" "tarball" "latest" "/opt/sure"
-    RUBY_VERSION="$(cat /opt/sure/.ruby-version)" RUBY_INSTALL_RAILS=false setup_ruby
+    RUBY_VERSION="$(cat /opt/sure/.ruby-version)" RUBY_INSTALL_RAILS=false HOME=/root setup_ruby
 
     msg_info "Updating Sure"
     source ~/.profile

ct/termix.sh

@@ -29,6 +29,8 @@ function update_script() {
     exit
   fi
 
+  NODE_VERSION="24" setup_nodejs
+
   if check_for_gh_tag "guacd" "apache/guacamole-server"; then
     msg_info "Stopping guacd"
     systemctl stop guacd 2>/dev/null || true
@@ -155,8 +157,6 @@ EOF
       /opt/termix/nginx/client_body
     msg_ok "Recreated Directories"
 
-    NODE_VERSION="24" setup_nodejs
-
     msg_info "Building Frontend"
     cd /opt/termix
     export COREPACK_ENABLE_DOWNLOAD_PROMPT=0
@@ -206,7 +206,10 @@ EOF
       sed -i 's|/app/nginx|/opt/termix/nginx|g' /etc/nginx/nginx.conf
       sed -i 's|listen ${PORT};|listen 80;|g' /etc/nginx/nginx.conf
 
-      nginx -t && systemctl reload nginx
+      rm -f /etc/systemd/system/nginx.service.d/pidfile.conf
+      rm -f /etc/tmpfiles.d/nginx-termix.conf
+      systemctl daemon-reload
+      nginx -t && systemctl restart nginx
       msg_ok "Updated Nginx Configuration"
     else
       msg_warn "Nginx configuration not updated. If Termix doesn't work, restore from backup or update manually."

ct/tinyauth.sh

@@ -3,7 +3,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: MickLesk (CanbiZ)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/steveiliop56/tinyauth
+# Source: https://github.com/tinyauthapp/tinyauth
 
 APP="Tinyauth"
 var_tags="${var_tags:-auth}"
@@ -28,12 +28,12 @@ function update_script() {
     exit
   fi
 
-  if check_for_gh_release "tinyauth" "steveiliop56/tinyauth"; then
+  if check_for_gh_release "tinyauth" "tinyauthapp/tinyauth"; then
     msg_info "Stopping Service"
     systemctl stop tinyauth
     msg_ok "Stopped Service"
 
-    fetch_and_deploy_gh_release "tinyauth" "steveiliop56/tinyauth" "singlefile" "latest" "/opt/tinyauth" "tinyauth-amd64"
+    fetch_and_deploy_gh_release "tinyauth" "tinyauthapp/tinyauth" "singlefile" "latest" "/opt/tinyauth" "tinyauth-amd64"
 
     msg_info "Starting Service"
     systemctl start tinyauth

ct/trek.sh

@@ -29,6 +29,8 @@ function update_script() {
     exit
   fi
 
+  NODE_VERSION="24" setup_nodejs
+
   if check_for_gh_release "trek" "mauriceboe/TREK"; then
     msg_info "Stopping Service"
     systemctl stop trek

ct/wallabag.sh

@@ -28,7 +28,10 @@ function update_script() {
     msg_error "No ${APP} Installation Found!"
     exit
   fi
+
+  NODE_VERSION="24" setup_nodejs
   setup_mariadb
+  
   if check_for_gh_release "wallabag" "wallabag/wallabag"; then
     msg_info "Stopping Services"
     systemctl stop nginx php8.3-fpm

ct/wikijs.sh

@@ -28,7 +28,7 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="22" NODE_MODULE="yarn,node-gyp" setup_nodejs
+  NODE_VERSION="24" NODE_MODULE="yarn,node-gyp" setup_nodejs
 
   if check_for_gh_release "wikijs" "requarks/wiki"; then
     msg_info "Verifying whether ${APP}' new release is v3.x+ and current install uses SQLite."

install/alpine-tinyauth-install.sh

@@ -3,7 +3,7 @@
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: Slaviša Arežina (tremor021) | Co-Author: Stavros (steveiliop56)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/steveiliop56/tinyauth
+# Source: https://github.com/tinyauthapp/tinyauth
 
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
@@ -19,8 +19,8 @@ msg_ok "Installed Dependencies"
 
 msg_info "Installing Tinyauth"
 mkdir -p /opt/tinyauth
-RELEASE=$(curl -s https://api.github.com/repos/steveiliop56/tinyauth/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }')
-curl -fsSL "https://github.com/steveiliop56/tinyauth/releases/download/v${RELEASE}/tinyauth-amd64" -o /opt/tinyauth/tinyauth
+RELEASE=$(curl -s https://api.github.com/repos/tinyauthapp/tinyauth/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }')
+curl -fsSL "https://github.com/tinyauthapp/tinyauth/releases/download/v${RELEASE}/tinyauth-amd64" -o /opt/tinyauth/tinyauth
 chmod +x /opt/tinyauth/tinyauth
 PASS=$(openssl rand -base64 8 | tr -dc 'a-zA-Z0-9' | head -c 8)
 USER=$(htpasswd -Bbn "tinyauth" "${PASS}")

install/apache-guacamole-install.sh

@@ -65,12 +65,12 @@ $STD make
 $STD make install
 $STD ldconfig
 echo "${GUAC_SERVER_VERSION}" >~/.guacamole_server
-curl -fsSL "https://downloads.apache.org/guacamole/${GUAC_CLIENT_VERSION}/binary/guacamole-${GUAC_CLIENT_VERSION}.war" -o "/opt/apache-guacamole/tomcat9/webapps/guacamole.war"
+curl_download "/opt/apache-guacamole/tomcat9/webapps/guacamole.war" "https://downloads.apache.org/guacamole/${GUAC_CLIENT_VERSION}/binary/guacamole-${GUAC_CLIENT_VERSION}.war"
 echo "${GUAC_CLIENT_VERSION}" >~/.guacamole_client
-curl -fsSL "https://repo1.maven.org/maven2/com/mysql/mysql-connector-j/${MYSQL_CONNECTOR_VERSION}/mysql-connector-j-${MYSQL_CONNECTOR_VERSION}.jar" -o "/etc/guacamole/lib/mysql-connector-j.jar"
+curl_download "/etc/guacamole/lib/mysql-connector-j.jar" "https://repo1.maven.org/maven2/com/mysql/mysql-connector-j/${MYSQL_CONNECTOR_VERSION}/mysql-connector-j-${MYSQL_CONNECTOR_VERSION}.jar"
 echo "${MYSQL_CONNECTOR_VERSION}" >~/.guacamole_mysql_connector
 cd /root
-curl -fsSL "https://downloads.apache.org/guacamole/${GUAC_SERVER_VERSION}/binary/guacamole-auth-jdbc-${GUAC_SERVER_VERSION}.tar.gz" -o "/root/guacamole-auth-jdbc-${GUAC_SERVER_VERSION}.tar.gz"
+curl_download "/root/guacamole-auth-jdbc-${GUAC_SERVER_VERSION}.tar.gz" "https://downloads.apache.org/guacamole/${GUAC_SERVER_VERSION}/binary/guacamole-auth-jdbc-${GUAC_SERVER_VERSION}.tar.gz"
 $STD tar -xf ~/guacamole-auth-jdbc-"$GUAC_SERVER_VERSION".tar.gz
 mv ~/guacamole-auth-jdbc-"$GUAC_SERVER_VERSION"/mysql/guacamole-auth-jdbc-mysql-"$GUAC_SERVER_VERSION".jar /etc/guacamole/extensions/
 echo "${GUAC_SERVER_VERSION}" >~/.guacamole_auth_jdbc

install/apache-tomcat-install.sh

@@ -66,7 +66,7 @@ esac
 msg_info "Installing Tomcat $TOMCAT_VERSION"
 LATEST_VERSION=$(curl -fsSL "https://dlcdn.apache.org/tomcat/tomcat-$TOMCAT_VERSION/" | grep -oP 'v[0-9]+\.[0-9]+\.[0-9]+(-M[0-9]+)?/' | sort -V | tail -n 1 | sed 's/\/$//; s/v//')
 TOMCAT_URL="https://dlcdn.apache.org/tomcat/tomcat-$TOMCAT_VERSION/v$LATEST_VERSION/bin/apache-tomcat-$LATEST_VERSION.tar.gz"
-curl -fsSL "$TOMCAT_URL" -o "/tmp/tomcat.tar.gz"
+curl_download "/tmp/tomcat.tar.gz" "$TOMCAT_URL"
 mkdir -p /opt/tomcat-$TOMCAT_VERSION
 tar --strip-components=1 -xzf /tmp/tomcat.tar.gz -C /opt/tomcat-$TOMCAT_VERSION
 chown -R root:root /opt/tomcat-$TOMCAT_VERSION

install/authentik-install.sh

@@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  build-essential \
+  pkg-config \
+  libffi-dev \
+  libxslt-dev \
+  zlib1g-dev \
+  libpq-dev \
+  krb5-multidev \
+  libkrb5-dev \
+  heimdal-multidev \
+  libclang-dev \
+  libltdl-dev \
+  libpq5 \
+  libmaxminddb0 \
+  libkrb5-3 \
+  libkdb5-10 \
+  libkadm5clnt-mit12 \
+  libkadm5clnt7t64-heimdal \
+  libltdl7 \
+  libxslt1.1 \
+  python3-dev \
+  libxml2-dev \
+  libxml2 \
+  libxslt1-dev \
+  automake \
+  autoconf \
+  libtool \
+  libtool-bin \
+  gcc \
+  git
+msg_ok "Installed Dependencies"
+
+NODE_VERSION="24" setup_nodejs
+setup_yq
+setup_go
+UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
+setup_rust
+PG_VERSION="17" setup_postgresql
+PG_DB_NAME="authentik" PG_DB_USER="authentik" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
+
+XMLSEC_VERSION="1.3.11"
+AUTHENTIK_VERSION="version/2026.2.3"
+fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
+fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
+fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+
+msg_info "Setup xmlsec"
+cd /opt/xmlsec
+$STD ./autogen.sh
+$STD make -j $(nproc)
+$STD make check
+$STD make install
+$STD ldconfig
+msg_ok "xmlsec installed"
+
+msg_info "Setup web"
+cd /opt/authentik/web
+export NODE_ENV="production"
+$STD npm install
+$STD npm run build
+$STD npm run build:sfe
+msg_ok "Web installed"
+
+msg_info "Setup go proxy"
+cd /opt/authentik
+export CGO_ENABLED="1"
+$STD go mod download
+$STD go build -o /opt/authentik/authentik-server ./cmd/server
+$STD go build -o /opt/authentik/ldap ./cmd/ldap
+$STD go build -o /opt/authentik/rac ./cmd/rac
+$STD go build -o /opt/authentik/radius ./cmd/radius
+msg_ok "Go proxy installed"
+
+cat <<EOF >/usr/local/etc/GeoIP.conf
+AccountID ChangeME
+LicenseKey ChangeME
+EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
+DatabaseDirectory /opt/authentik-data/geoip
+RetryFor 5m
+Parallelism 1
+EOF
+
+echo "#39 19 * * 6,4 /usr/bin/geoipupdate -f /usr/local/etc/GeoIP.conf" | crontab -
+
+msg_info "Setup python server"
+export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+export UV_COMPILE_BYTECODE="1"
+export UV_LINK_MODE="copy"
+export UV_NATIVE_TLS="1"
+export RUSTUP_PERMIT_COPY_RENAME="true"
+export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
+cd /opt/authentik
+$STD uv sync --frozen --no-install-project --no-dev
+cp /opt/authentik/authentik/sources/kerberos/krb5.conf /etc/krb5.conf
+msg_ok "Installed python server"
+
+msg_info "Creating authentik config"
+mkdir -p /etc/authentik
+mv /opt/authentik/authentik/lib/default.yml /etc/authentik/config.yml
+yq -i ".secret_key = \"$(openssl rand -base64 128 | tr -dc 'a-zA-Z0-9' | head -c64)\"" /etc/authentik/config.yml
+yq -i ".postgresql.password = \"${PG_DB_PASS}\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.geoip = \"/opt/authentik-data/geoip/GeoLite2-City.mmdb\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.asn = \"/opt/authentik-data/geoip/GeoLite2-ASN.mmdb\"" /etc/authentik/config.yml
+yq -i ".blueprints_dir = \"/opt/authentik/blueprints\"" /etc/authentik/config.yml
+yq -i ".cert_discovery_dir = \"/opt/authentik-data/certs\"" /etc/authentik/config.yml
+yq -i ".email.template_dir = \"/opt/authentik-data/templates\"" /etc/authentik/config.yml
+yq -i ".storage.file.path = \"/opt/authentik-data\"" /etc/authentik/config.yml
+yq -i ".disable_startup_analytics = \"true\"" /etc/authentik/config.yml
+$STD useradd -U -s /usr/sbin/nologin -r -M -d /opt/authentik authentik
+chown -R authentik:authentik /opt/authentik
+cat <<EOF >/etc/default/authentik
+TMPDIR=/dev/shm/
+UV_LINK_MODE=copy
+UV_PYTHON_DOWNLOADS=0
+UV_NATIVE_TLS=1
+VENV_PATH=/opt/authentik/.venv
+PYTHONDONTWRITEBYTECODE=1
+PYTHONUNBUFFERED=1
+PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+DJANGO_SETTINGS_MODULE=authentik.root.settings
+PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
+EOF
+cat <<EOF >/etc/default/authentik_ldap
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+cat <<EOF >/etc/default/authentik_rac
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+cat <<EOF >/etc/default/authentik_radius
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+msg_ok "authentik config created"
+
+msg_info "Creating services"
+cat <<EOF >/etc/systemd/system/authentik-server.service
+[Unit]
+Description=authentik Go Server (API Gateway)
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
+ExecStart=/opt/authentik/authentik-server
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-worker.service
+[Unit]
+Description=authentik Worker
+After=network.target postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+Type=simple
+EnvironmentFile=/etc/default/authentik
+ExecStart=/usr/local/bin/uv run python -m manage worker --pid-file /dev/shm/authentik-worker.pid
+WorkingDirectory=/opt/authentik
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-ldap.service
+[Unit]
+Description=authentik LDAP Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/ldap
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_ldap
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-rac.service
+[Unit]
+Description=authentik RAC Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/rac
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_rac
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-radius.service
+[Unit]
+Description=authentik Radius Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/radius
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_radius
+
+[Install]
+WantedBy=multi-user.target
+EOF
+msg_ok "Services created"
+
+motd_ssh
+customize
+cleanup_lxc

install/calibre-web-install.sh

@@ -52,6 +52,7 @@ After=network.target
 [Service]
 Type=simple
 User=root
+Environment="QTWEBENGINE_CHROMIUM_FLAGS=--no-sandbox"
 WorkingDirectory=/opt/calibre-web
 ExecStart=/opt/calibre-web/.venv/bin/python /opt/calibre-web/cps.py
 Restart=on-failure

install/checkmk-install.sh

@@ -16,7 +16,7 @@ update_os
 msg_info "Install Checkmk"
 RELEASE=$(curl_with_retry "https://api.github.com/repos/checkmk/checkmk/tags" "-" | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
 RELEASE="${RELEASE%%+*}"
-curl_with_retry "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-community-${RELEASE}_0.$(get_os_info codename)_amd64.deb" "/opt/checkmk.deb"
+curl_download "/opt/checkmk.deb" "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-community-${RELEASE}_0.$(get_os_info codename)_amd64.deb"
 $STD apt install -y /opt/checkmk.deb
 rm -rf /opt/checkmk.deb
 echo "${RELEASE}" >"/opt/checkmk_version.txt"

install/cliproxyapi-install.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: mathiasnagler
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/router-for-me/CLIProxyAPI
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y openssl
+msg_ok "Installed Dependencies"
+
+fetch_and_deploy_gh_release "cliproxyapi" "router-for-me/CLIProxyAPI" "prebuild" "latest" "/opt/cliproxyapi" "CLIProxyAPI_*_linux_amd64.tar.gz"
+
+msg_info "Configuring CLIProxyAPI"
+MANAGEMENT_PASSWORD=$(openssl rand -hex 32)
+API_KEY="sk-$(openssl rand -hex 16)"
+cat <<EOF >/opt/cliproxyapi/config.yaml
+host: ""
+port: 8317
+auth-dir: "/root/.cli-proxy-api"
+remote-management:
+  allow-remote: true
+  secret-key: "${MANAGEMENT_PASSWORD}"
+api-keys:
+  - "${API_KEY}"
+request-retry: 3
+quota-exceeded:
+  switch-project: true
+  switch-preview-model: true
+routing:
+  strategy: "round-robin"
+EOF
+msg_ok "Configured CLIProxyAPI"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/cliproxyapi.service
+[Unit]
+Description=CLIProxyAPI
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/cliproxyapi
+ExecStart=/opt/cliproxyapi/cli-proxy-api
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now cliproxyapi
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/dawarich-install.sh

@@ -72,12 +72,12 @@ msg_ok "Configured Environment"
 
 NODE_VERSION="22" setup_nodejs
 RUBY_VERSION=$(cat /opt/dawarich/app/.ruby-version 2>/dev/null || echo "3.4.6")
-RUBY_VERSION=${RUBY_VERSION} RUBY_INSTALL_RAILS="false" setup_ruby
+RUBY_VERSION=${RUBY_VERSION} RUBY_INSTALL_RAILS="false" HOME=/root setup_ruby
 
 msg_info "Installing Dawarich"
 cd /opt/dawarich/app
 source /root/.profile
-export PATH="/root/.rbenv/shims:/root/.rbenv/bin:$PATH"
+export PATH="/root/.rbenv/shims:/root/.rbenv/bin:${PATH}"
 eval "$(/root/.rbenv/bin/rbenv init - bash)"
 set -a && source /opt/dawarich/.env && set +a
 $STD gem install bundler

install/docuseal-install.sh

@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://www.docuseal.com/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  build-essential \
+  git \
+  libpq-dev \
+  libssl-dev \
+  libyaml-dev \
+  libreadline-dev \
+  zlib1g-dev \
+  libffi-dev \
+  libvips42 \
+  libvips-dev \
+  libheif1 \
+  redis-server \
+  fontconfig
+msg_ok "Installed Dependencies"
+
+NODE_VERSION="22" NODE_MODULE="yarn" setup_nodejs
+RUBY_VERSION="4.0.1" RUBY_INSTALL_RAILS="false" HOME=/root setup_ruby
+PG_VERSION="17" setup_postgresql
+PG_DB_NAME="docuseal" PG_DB_USER="docuseal" setup_postgresql_db
+
+msg_info "Downloading Fonts and PDFium"
+mkdir -p /opt/fonts /usr/share/fonts/noto
+ARCH=$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
+curl -fsSL -o /opt/fonts/GoNotoKurrent-Regular.ttf \
+  https://github.com/satbyy/go-noto-universal/releases/download/v7.0/GoNotoKurrent-Regular.ttf
+curl -fsSL -o /opt/fonts/GoNotoKurrent-Bold.ttf \
+  https://github.com/satbyy/go-noto-universal/releases/download/v7.0/GoNotoKurrent-Bold.ttf
+curl -fsSL -o /opt/fonts/DancingScript-Regular.otf \
+  https://github.com/impallari/DancingScript/raw/master/fonts/DancingScript-Regular.otf
+ln -sf /opt/fonts/GoNotoKurrent-Regular.ttf /usr/share/fonts/noto/
+ln -sf /opt/fonts/GoNotoKurrent-Bold.ttf /usr/share/fonts/noto/
+$STD fc-cache -f
+curl -fsSL -o /tmp/pdfium.tgz \
+  "https://github.com/bblanchon/pdfium-binaries/releases/latest/download/pdfium-linux-${ARCH}.tgz"
+mkdir -p /tmp/pdfium && tar -xzf /tmp/pdfium.tgz -C /tmp/pdfium
+cp /tmp/pdfium/lib/libpdfium.so /usr/lib/libpdfium.so
+rm -rf /tmp/pdfium /tmp/pdfium.tgz
+msg_ok "Downloaded Fonts and PDFium"
+
+fetch_and_deploy_gh_release "docuseal" "docusealco/docuseal" "tarball"
+
+msg_info "Downloading Field Detection Model"
+mkdir -p /opt/docuseal/tmp
+curl -fsSL -o /opt/docuseal/tmp/model.onnx \
+  "https://github.com/docusealco/fields-detection/releases/download/2.0.0/model_704_int8.onnx"
+mkdir -p /opt/docuseal/public/fonts
+ln -sf /opt/fonts/DancingScript-Regular.otf /opt/docuseal/public/fonts/DancingScript-Regular.otf
+msg_ok "Downloaded Field Detection Model"
+
+msg_info "Configuring DocuSeal"
+SECRET_KEY=$(openssl rand -hex 64)
+mkdir -p /opt/docuseal/data
+cat <<EOF >/opt/docuseal/.env
+RAILS_ENV=production
+NODE_ENV=production
+RAILS_LOG_TO_STDOUT=true
+RAILS_SERVE_STATIC_FILES=true
+SECRET_KEY_BASE=${SECRET_KEY}
+DATABASE_URL=postgresql://docuseal:${PG_DB_PASS}@127.0.0.1:5432/docuseal
+REDIS_URL=redis://localhost:6379/0
+WORKDIR=/opt/docuseal/data
+VIPS_MAX_COORD=17000
+EOF
+msg_ok "Configured DocuSeal"
+
+msg_info "Building Application"
+cd /opt/docuseal
+export PATH="/root/.rbenv/bin:/root/.rbenv/shims:${PATH}"
+eval "$(rbenv init - bash)" 2>/dev/null || true
+export RAILS_ENV=production
+export NODE_ENV=production
+export SECRET_KEY_BASE_DUMMY=1
+set -a
+source /opt/docuseal/.env
+set +a
+$STD bundle config set --local deployment 'true'
+$STD bundle config set --local without 'development:test'
+$STD bundle install -j"$(nproc)"
+$STD yarn install --network-timeout 1000000
+$STD ./bin/shakapacker
+$STD bundle exec rails db:migrate
+$STD bundle exec bootsnap precompile -j 1 --gemfile app/ lib/
+msg_ok "Built Application"
+
+msg_info "Enabling Redis"
+systemctl enable -q --now redis-server
+msg_ok "Enabled Redis"
+
+msg_info "Creating docuseal User"
+id docuseal &>/dev/null || useradd -u 2000 -M -s /usr/sbin/nologin -d /opt/docuseal docuseal
+chmod o+x /root
+chmod -R o+rX /root/.rbenv
+chown -R docuseal:docuseal /opt/docuseal /opt/fonts
+msg_ok "Created docuseal User"
+
+msg_info "Creating Services"
+cat <<EOF >/etc/systemd/system/docuseal.service
+[Unit]
+Description=DocuSeal Web
+After=network.target postgresql.service redis-server.service
+
+[Service]
+Type=simple
+User=docuseal
+Group=docuseal
+WorkingDirectory=/opt/docuseal
+EnvironmentFile=/opt/docuseal/.env
+Environment=HOME=/opt/docuseal
+Environment=PATH=/root/.rbenv/shims:/root/.rbenv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Environment=BUNDLE_GEMFILE=/opt/docuseal/Gemfile
+Environment=BUNDLE_WITHOUT=development:test
+ExecStart=/opt/docuseal/bin/bundle exec puma -C /opt/docuseal/config/puma.rb --dir /opt/docuseal -p 3000
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/docuseal-sidekiq.service
+[Unit]
+Description=DocuSeal Sidekiq
+After=network.target postgresql.service redis-server.service
+
+[Service]
+Type=simple
+User=docuseal
+Group=docuseal
+WorkingDirectory=/opt/docuseal
+EnvironmentFile=/opt/docuseal/.env
+Environment=HOME=/opt/docuseal
+Environment=PATH=/root/.rbenv/shims:/root/.rbenv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+Environment=BUNDLE_GEMFILE=/opt/docuseal/Gemfile
+Environment=BUNDLE_WITHOUT=development:test
+ExecStart=/opt/docuseal/bin/bundle exec sidekiq
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now docuseal docuseal-sidekiq
+msg_ok "Created Services"
+
+motd_ssh
+customize
+cleanup_lxc

install/excalidraw-install.sh

@@ -17,11 +17,12 @@ msg_info "Installing Dependencies"
 $STD apt install -y xdg-utils
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="22" NODE_MODULE="yarn" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="yarn" setup_nodejs
 fetch_and_deploy_gh_release "excalidraw" "excalidraw/excalidraw" "tarball"
 
 msg_info "Configuring Excalidraw"
 cd /opt/excalidraw
+$STD yarn config set ignore-engines true
 $STD yarn
 msg_ok "Setup Excalidraw"
 

install/frigate-install.sh

@@ -169,13 +169,13 @@ NODE_VERSION="20" setup_nodejs
 
 msg_info "Downloading Inference Models"
 mkdir -p /models /openvino-model
-curl_with_retry "https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess_edgetpu.tflite" "/edgetpu_model.tflite"
-curl_with_retry "https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess.tflite" "/models/cpu_model.tflite"
+curl_download "/edgetpu_model.tflite" "https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess_edgetpu.tflite"
+curl_download "/models/cpu_model.tflite" "https://github.com/google-coral/test_data/raw/release-frogfish/ssdlite_mobiledet_coco_qat_postprocess.tflite"
 cp /opt/frigate/labelmap.txt /labelmap.txt
 msg_ok "Downloaded Inference Models"
 
 msg_info "Downloading Audio Model"
-curl_with_retry "https://www.kaggle.com/api/v1/models/google/yamnet/tfLite/classification-tflite/1/download" "/tmp/yamnet.tar.gz"
+curl_download "/tmp/yamnet.tar.gz" "https://www.kaggle.com/api/v1/models/google/yamnet/tfLite/classification-tflite/1/download"
 $STD tar xzf /tmp/yamnet.tar.gz -C /
 mv /1.tflite /cpu_audio_model.tflite
 cp /opt/frigate/audio-labelmap.txt /audio-labelmap.txt
@@ -188,7 +188,7 @@ msg_ok "Installed OpenVino"
 
 msg_info "Building OpenVino Model"
 cd /models
-curl_with_retry "http://download.tensorflow.org/models/object_detection/ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz" "ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz"
+curl_download "ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz" "http://download.tensorflow.org/models/object_detection/ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz"
 $STD tar -zxf ssdlite_mobilenet_v2_coco_2018_05_09.tar.gz --no-same-owner
 if python3 /opt/frigate/docker/main/build_ov_model.py &>/dev/null; then
   mkdir -p /openvino-model
@@ -246,7 +246,7 @@ msg_info "Configuring Frigate"
 mkdir -p /config /media/frigate
 cp -r /opt/frigate/config/. /config
 
-curl_with_retry "https://github.com/intel-iot-devkit/sample-videos/raw/master/person-bicycle-car-detection.mp4" "/media/frigate/person-bicycle-car-detection.mp4"
+curl_download "/media/frigate/person-bicycle-car-detection.mp4" "https://github.com/intel-iot-devkit/sample-videos/raw/master/person-bicycle-car-detection.mp4"
 
 echo "tmpfs   /tmp/cache      tmpfs   defaults        0       0" >>/etc/fstab
 

install/homelable-install.sh

@@ -33,7 +33,7 @@ msg_ok "Set up Python Backend"
 msg_info "Configuring Homelable"
 mkdir -p /opt/homelable/data
 SECRET_KEY=$(openssl rand -hex 32)
-BCRYPT_HASH=$(/opt/homelable/backend/.venv/bin/python -c "from passlib.context import CryptContext; print(CryptContext(schemes=['bcrypt']).hash('admin'))")
+BCRYPT_HASH=$(/opt/homelable/backend/.venv/bin/python -c "import bcrypt; print(bcrypt.hashpw(b'admin', bcrypt.gensalt()).decode())")
 cat <<EOF >/opt/homelable/backend/.env
 SECRET_KEY=${SECRET_KEY}
 SQLITE_PATH=/opt/homelable/data/homelab.db
@@ -59,7 +59,7 @@ while [[ -z "$NEW_PASS" ]]; do
     fi
 done
 
-HASH=$(/opt/homelable/backend/.venv/bin/python -c "from passlib.context import CryptContext; print(CryptContext(schemes=['bcrypt']).hash('${NEW_PASS}'))")
+HASH=$(/opt/homelable/backend/.venv/bin/python -c "import bcrypt; print(bcrypt.hashpw('${NEW_PASS}'.encode(), bcrypt.gensalt()).decode())")
 
 sed -i "s|^AUTH_PASSWORD_HASH=.*|AUTH_PASSWORD_HASH='${HASH}'|" /opt/homelable/backend/.env
 

install/kasm-install.sh

@@ -20,7 +20,7 @@ msg_ok "Installed Docker"
 msg_info "Detecting latest Kasm Workspaces release"
 KASM_VERSION=$(curl -s https://kasm.com/downloads | grep -oP '<h1[^>]*>.*?</h1>' | sed -E 's/<\/?h1[^>]*>//g' | grep -oP '\d+\.\d+\.\d+')
 KASM_URL="https://kasm-static-content.s3.amazonaws.com/kasm_release_${KASM_VERSION:-var_kasm_version}.tar.gz"
-  
+
 # KASM_URL=$(curl -fsSL "https://www.kasm.com/downloads" | tr '\n' ' ' | grep -oE 'https://kasm-static-content[^"]*kasm_release_[0-9]+\.[0-9]+\.[0-9]+\.[a-z0-9]+\.tar\.gz' | head -n 1)
 # if [[ -z "$KASM_URL" ]]; then
 #   SERVICE_IMAGE_URL=$(curl -fsSL "https://www.kasm.com/downloads" | tr '\n' ' ' | grep -oE 'https://kasm-static-content[^"]*kasm_release_service_images_amd64_[0-9]+\.[0-9]+\.[0-9]+\.tar\.gz' | head -n 1)
@@ -50,7 +50,7 @@ if [[ ! "$CONFIRM" =~ ^([yY][eE][sS]|[yY])$ ]]; then
 fi
 
 msg_info "Installing Kasm Workspaces"
-curl -fsSL -o "/opt/kasm_release_${KASM_VERSION}.tar.gz" "$KASM_URL"
+curl_download "/opt/kasm_release_${KASM_VERSION}.tar.gz" "$KASM_URL"
 cd /opt
 tar -xf "kasm_release_${KASM_VERSION}.tar.gz"
 chmod +x /opt/kasm_release/install.sh

install/nextpvr-install.sh

@@ -30,7 +30,7 @@ msg_ok "Installed Dependencies"
 
 msg_info "Setup NextPVR (Patience)"
 cd /opt
-curl -fsSL "https://nextpvr.com/nextpvr-helper.deb" -o "/opt/nextpvr-helper.deb"
+curl_download "/opt/nextpvr-helper.deb" "https://nextpvr.com/nextpvr-helper.deb"
 $STD dpkg -i nextpvr-helper.deb
 rm -rf /opt/nextpvr-helper.deb
 msg_ok "Installed NextPVR"

install/ollama-install.sh

@@ -62,26 +62,15 @@ $STD apt install -y --no-install-recommends intel-basekit-2024.1
 msg_ok "Installed Intel® oneAPI Base Toolkit"
 
 msg_info "Installing Ollama (Patience)"
-RELEASE=$(curl -fsSL https://api.github.com/repos/ollama/ollama/releases/latest | grep "tag_name" | awk -F '"' '{print $4}')
 OLLAMA_INSTALL_DIR="/usr/local/lib/ollama"
 BINDIR="/usr/local/bin"
-mkdir -p $OLLAMA_INSTALL_DIR
-OLLAMA_URL="https://github.com/ollama/ollama/releases/download/${RELEASE}/ollama-linux-amd64.tar.zst"
-TMP_TAR="/tmp/ollama.tar.zst"
-echo -e "\n"
-if curl -fL# -C - -o "$TMP_TAR" "$OLLAMA_URL"; then
-  if tar --zstd -xf "$TMP_TAR" -C "$OLLAMA_INSTALL_DIR"; then
-    ln -sf "$OLLAMA_INSTALL_DIR/bin/ollama" "$BINDIR/ollama"
-    echo "${RELEASE}" >/opt/Ollama_version.txt
-    msg_ok "Installed Ollama ${RELEASE}"
-  else
-    msg_error "Extraction failed – archive corrupt or incomplete"
-    exit 251
-  fi
-else
-  msg_error "Download failed – $OLLAMA_URL not reachable"
+mkdir -p "$OLLAMA_INSTALL_DIR"
+if ! fetch_and_deploy_gh_release "ollama" "ollama/ollama" "prebuild" "latest" "$OLLAMA_INSTALL_DIR" "ollama-linux-amd64.tar.zst"; then
+  msg_error "Failed to download or deploy Ollama – check network connectivity and GitHub API availability"
   exit 250
 fi
+ln -sf "$OLLAMA_INSTALL_DIR/bin/ollama" "$BINDIR/ollama"
+msg_ok "Installed Ollama"
 
 msg_info "Creating ollama User and Group"
 if ! id ollama >/dev/null 2>&1; then

install/omada-install.sh

@@ -28,7 +28,7 @@ fi
 
 if ! dpkg -l | grep -q 'libssl1.1'; then
   msg_info "Installing libssl (if needed)"
-  curl -fsSL "https://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.1_1.1.1w-0+deb11u5_amd64.deb" -o "/tmp/libssl.deb"
+  curl_download "/tmp/libssl.deb" "https://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.1_1.1.1w-0+deb11u5_amd64.deb"
   $STD dpkg -i /tmp/libssl.deb
   rm -f /tmp/libssl.deb
   msg_ok "Installed libssl1.1"
@@ -38,10 +38,12 @@ msg_info "Installing Omada Controller"
 OMADA_URL=$(curl -fsSL "https://support.omadanetworks.com/en/download/software/omada-controller/" |
   grep -o 'https://static\.tp-link\.com/upload/software/[^"]*linux_x64[^"]*\.deb' |
   head -n1)
-OMADA_PKG=$(basename "$OMADA_URL")
-curl -fsSL "$OMADA_URL" -o "$OMADA_PKG"
-$STD dpkg -i "$OMADA_PKG"
-rm -rf "$OMADA_PKG"
+OMADA_PKG=$(basename "${OMADA_URL}")
+curl_download "${OMADA_PKG}" "${OMADA_URL}"
+$STD dpkg -i "${OMADA_PKG}"
+rm -rf "${OMADA_PKG}"
+VERSION=$(sed -n 's/.*_v\([0-9.]*\)_.*_\([0-9]\{14\}\)\.deb$/\1-\2/p' <<<"${OMADA_PKG}")
+echo "${VERSION}" >$HOME/.omada
 msg_ok "Installed Omada Controller"
 
 motd_ssh

install/opencloud-install.sh

@@ -64,7 +64,7 @@ $STD sudo -u cool coolconfig set-admin-password --user=admin --password="$COOLPA
 echo "$COOLPASS" >~/.coolpass
 msg_ok "Installed Collabora Online"
 
-fetch_and_deploy_gh_release "OpenCloud" "opencloud-eu/opencloud" "singlefile" "v6.1.0" "/usr/bin" "opencloud-*-linux-amd64"
+fetch_and_deploy_gh_release "OpenCloud" "opencloud-eu/opencloud" "singlefile" "v6.2.0" "/usr/bin" "opencloud-*-linux-amd64"
 mv /usr/bin/OpenCloud /usr/bin/opencloud
 
 msg_info "Configuring OpenCloud"

install/openwebui-install.sh

@@ -73,11 +73,11 @@ EOF
   msg_ok "Installed Intel® oneAPI Base Toolkit"
 
   msg_info "Installing Ollama"
-  OLLAMA_RELEASE=$(curl -fsSL https://api.github.com/repos/ollama/ollama/releases/latest | grep "tag_name" | awk -F '"' '{print $4}')
-  curl -fsSLO -C - https://github.com/ollama/ollama/releases/download/${OLLAMA_RELEASE}/ollama-linux-amd64.tar.zst
-  tar --zstd -C /usr -xf ollama-linux-amd64.tar.zst
-  rm -rf ollama-linux-amd64.tar.zst
-  cat <<EOF >/etc/systemd/system/ollama.service
+  if ! fetch_and_deploy_gh_release "ollama" "ollama/ollama" "prebuild" "latest" "/usr/lib/ollama" "ollama-linux-amd64.tar.zst"; then
+    msg_error "Failed to download or deploy Ollama – check network connectivity and GitHub API availability"
+  else
+    ln -sf /usr/lib/ollama/bin/ollama /usr/bin/ollama
+    cat <<EOF >/etc/systemd/system/ollama.service
 [Unit]
 Description=Ollama Service
 After=network-online.target
@@ -93,9 +93,10 @@ RestartSec=3
 [Install]
 WantedBy=multi-user.target
 EOF
-  systemctl enable -q --now ollama
-  echo "ENABLE_OLLAMA_API=true" >/root/.env
-  msg_ok "Installed Ollama"
+    systemctl enable -q --now ollama
+    echo "ENABLE_OLLAMA_API=true" >/root/.env
+    msg_ok "Installed Ollama"
+  fi
 fi
 
 msg_info "Creating Service"

install/reactive-resume-install.sh

@@ -55,7 +55,7 @@ DATABASE_URL=postgresql://${PG_DB_USER}:${PG_DB_PASS}@localhost:5432/${PG_DB_NAM
 AUTH_SECRET=${AUTH_SECRET}
 
 # Printer (headless Chromium for PDF generation)
-PRINTER_ENDPOINT=http://localhost:9222
+PRINTER_ENDPOINT=http://127.0.0.1:9222
 
 # Storage: uses local filesystem (/opt/reactive-resume/data) when S3 is not configured
 # S3_ACCESS_KEY_ID=
@@ -92,7 +92,7 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=/usr/bin/chromium --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --remote-debugging-address=127.0.0.1 --remote-debugging-port=9222
+ExecStart=/usr/bin/chromium --headless --disable-gpu --no-sandbox --no-zygote --disable-dev-shm-usage --remote-debugging-address=127.0.0.1 --remote-debugging-port=9222
 Restart=always
 RestartSec=5
 

install/searxng-install.sh

@@ -75,6 +75,9 @@ enabled_plugins:
 search:
   safe_search: 2
   autocomplete: 'google'
+  formats:
+    - html
+    - json
 engines:
   - name: google
     engine: google

install/sure-install.sh

@@ -26,7 +26,7 @@ fetch_and_deploy_gh_release "Sure" "we-promise/sure" "tarball" "latest" "/opt/su
 
 PG_VERSION="$(sed -n '/postgres:/s/[^[:digit:]]*//p' /opt/sure/compose.example.yml)" setup_postgresql
 PG_DB_NAME=sure_production PG_DB_USER=sure_user setup_postgresql_db
-RUBY_VERSION="$(cat /opt/sure/.ruby-version)" RUBY_INSTALL_RAILS=false setup_ruby
+RUBY_VERSION="$(cat /opt/sure/.ruby-version)" RUBY_INSTALL_RAILS=false HOME=/root setup_ruby
 
 msg_info "Building Sure"
 cd /opt/sure
@@ -73,6 +73,7 @@ ExecStartPre=/opt/sure/bin/rails db:prepare
 ExecStart=/opt/sure/bin/rails server
 Restart=always
 RestartSec=5
+TimeoutStartSec=300
 StandardOutput=journal
 StandardError=journal
 

install/tasmocompiler-install.sh

@@ -29,7 +29,7 @@ msg_ok "Setup Platformio"
 msg_info "Setup TasmoCompiler"
 mkdir /tmp/Tasmota
 RELEASE=$(curl -fsSL https://api.github.com/repos/benzino77/tasmocompiler/releases/latest | grep "tag_name" | awk '{print substr($2, 3, length($2)-4) }')
-curl -fsSL "https://github.com/benzino77/tasmocompiler/archive/refs/tags/v${RELEASE}.tar.gz" -o "/tmp/v${RELEASE}.tar.gz"
+curl_download "/tmp/v${RELEASE}.tar.gz" "https://github.com/benzino77/tasmocompiler/archive/refs/tags/v${RELEASE}.tar.gz"
 cd /tmp
 tar xzf /tmp/v${RELEASE}.tar.gz
 mv tasmocompiler-${RELEASE}/ /opt/tasmocompiler/

install/termix-install.sh

@@ -54,7 +54,7 @@ cd /opt
 rm -rf /opt/guacamole-server
 msg_ok "Built Guacamole Server (guacd)"
 
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 fetch_and_deploy_gh_release "termix" "Termix-SSH/Termix" "tarball"
 
 msg_info "Building Frontend"
@@ -101,16 +101,17 @@ sed -i 's|/app/nginx|/opt/termix/nginx|g' /etc/nginx/nginx.conf
 sed -i 's|listen ${PORT};|listen 80;|g' /etc/nginx/nginx.conf
 
 mkdir -p /tmp/nginx
-echo "d /tmp/nginx 0755 nobody nobody -" > /etc/tmpfiles.d/nginx-termix.conf
+echo "d /tmp/nginx 0755 nobody nogroup -" >/etc/tmpfiles.d/nginx-termix.conf
 mkdir -p /etc/systemd/system/nginx.service.d/
-cat > /etc/systemd/system/nginx.service.d/pidfile.conf << EOF
+cat >/etc/systemd/system/nginx.service.d/pidfile.conf <<EOF
 [Service]
 PIDFile=/tmp/nginx/nginx.pid
 EOF
 systemctl daemon-reload
 rm -f /etc/nginx/sites-enabled/default
 nginx -t
-systemctl reload nginx
+systemctl enable nginx
+systemctl restart nginx
 msg_ok "Configured Nginx"
 
 msg_info "Creating Service"

install/trek-install.sh

@@ -17,7 +17,7 @@ msg_info "Installing Dependencies"
 $STD apt install -y build-essential
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 fetch_and_deploy_gh_release "trek" "mauriceboe/TREK" "tarball"
 
 msg_info "Building Client"

install/wallabag-install.sh

@@ -24,7 +24,7 @@ setup_mariadb
 MARIADB_DB_NAME="wallabag" MARIADB_DB_USER="wallabag" setup_mariadb_db
 PHP_VERSION="8.3" PHP_FPM="YES" PHP_MODULE="tidy" setup_php
 setup_composer
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 fetch_and_deploy_gh_release "wallabag" "wallabag/wallabag" "prebuild" "latest" "/opt/wallabag" "wallabag-*.tar.gz"
 
 msg_info "Configuring Wallabag"

install/wikijs-install.sh

@@ -17,7 +17,7 @@ msg_info "Installing Dependencies"
 $STD apt install -y git
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="22" NODE_MODULE="yarn,node-gyp" setup_nodejs
+NODE_VERSION="24" NODE_MODULE="yarn,node-gyp" setup_nodejs
 PG_VERSION="17" setup_postgresql
 PG_DB_NAME="wiki" PG_DB_USER="wikijs_user" PG_DB_EXTENSIONS="pg_trgm" setup_postgresql_db
 fetch_and_deploy_gh_release "wikijs" "requarks/wiki" "prebuild" "latest" "/opt/wikijs" "wiki-js.tar.gz"

misc/api.func

@@ -196,7 +196,7 @@ explain_exit_code() {
   103) echo "Validation: Shell is not Bash" ;;
   104) echo "Validation: Not running as root (or invoked via sudo)" ;;
   105) echo "Validation: Proxmox VE version not supported" ;;
-  106) echo "Validation: Unsupported architecture (requires amd64 or arm64)" ;;
+  106) echo "Validation: Architecture not supported (ARM / PiMox)" ;;
   107) echo "Validation: Kernel key parameters unreadable" ;;
   108) echo "Validation: Kernel key limits exceeded" ;;
   109) echo "Proxmox: No available container ID after max attempts" ;;

misc/build.func

@@ -52,11 +52,6 @@ variables() {
   # as "/tmp/${NSAPP}-${CTID}-${SESSION_ID}.log" (requires CTID, not available here)
   CTTYPE="${CTTYPE:-${CT_TYPE:-1}}"
 
-  # ARM64 Template default variables
-  DEBIAN_DEFAULT_CODENAME="trixie"
-  UBUNTU_DEFAULT_CODENAME="noble"
-  ALPINE_DEFAULT_VERSION="3.23"
-
   # Parse dev_mode early
   parse_dev_mode
 
@@ -1947,7 +1942,7 @@ advanced_settings() {
 
     # ═══════════════════════════════════════════════════════════════════════════
     # STEP 2: Root Password
-    # ═══════════════════════════════════════════════════════════════════════════
+    # ════════════════════════════════════════<EFBFBD><EFBFBD><EFBFBD>═══════════════════════════════<EFBFBD><EFBFBD><EFBFBD>══
     2)
       if PW1=$(whiptail --backtitle "Proxmox VE Helper Scripts [Step $STEP/$MAX_STEP]" \
         --title "ROOT PASSWORD" \
@@ -3057,9 +3052,6 @@ echo_default() {
   echo -e "${DISKSIZE}${BOLD}${DGN}Disk Size: ${BGN}${DISK_SIZE} GB${CL}"
   echo -e "${CPUCORE}${BOLD}${DGN}CPU Cores: ${BGN}${CORE_COUNT}${CL}"
   echo -e "${RAMSIZE}${BOLD}${DGN}RAM Size: ${BGN}${RAM_SIZE} MiB${CL}"
-  if [[ "$(dpkg --print-architecture)" == "arm64" ]]; then
-    echo -e "${INFO}${BOLD}${DGN}Architecture: ${BGN}arm64${CL}"
-  fi
   if [[ -n "${var_gpu:-}" && "${var_gpu}" == "yes" ]]; then
     echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}Enabled${CL}"
   fi
@@ -3096,9 +3088,7 @@ install_script() {
   pve_check
   shell_check
   root_check
-  ensure_whiptail
   arch_check
-  arm64_notice
   ssh_check
   maxkeys_check
   diagnostics_check
@@ -3659,6 +3649,16 @@ start() {
     run_addon_updates
     update_motd_ip
     cleanup_lxc
+  elif ! command -v whiptail &>/dev/null || ! [ -t 0 ]; then
+    msg_info "No interactive terminal detected – defaulting to silent update mode"
+    VERBOSE="no"
+    set_std_mode
+    ensure_profile_loaded
+    get_lxc_ip
+    update_script
+    run_addon_updates
+    update_motd_ip
+    cleanup_lxc
   else
     CHOICE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "${APP} LXC Update/Setting" --menu \
       "Support/Update functions for ${APP} LXC. Choose an option:" \
@@ -4361,23 +4361,19 @@ EOF
       msg_warn "Skipping timezone setup – zone '$tz' not found in container"
     fi
 
-    local _base_pkgs="sudo curl mc gnupg2 jq"
-    if [[ "${ARCH:-amd64}" == "arm64" ]]; then
-      _base_pkgs+=" openssh-server wget gcc"
-    fi
-
     # Detect broken DNS resolver (e.g. Tailscale MagicDNS) and inject public DNS
     if ! pct exec "$CTID" -- bash -c "getent hosts deb.debian.org >/dev/null 2>&1 && getent hosts archive.ubuntu.com >/dev/null 2>&1"; then
       msg_warn "APT repository DNS resolution failed in container, injecting public DNS servers"
       pct exec "$CTID" -- bash -c "echo -e 'nameserver 8.8.8.8\nnameserver 1.1.1.1' >/etc/resolv.conf"
     fi
 
-    pct exec "$CTID" -- bash -c "apt-get update 2>&1 && apt-get install -y ${_base_pkgs} 2>&1" >>"$BUILD_LOG" 2>&1 || {
+    pct exec "$CTID" -- bash -c "apt-get update 2>&1 && apt-get install -y sudo curl mc gnupg2 jq 2>&1" >>"$BUILD_LOG" 2>&1 || {
       local failed_mirror
       failed_mirror=$(pct exec "$CTID" -- bash -c "grep -m1 -oP '(?<=URIs: https?://)[^/]+' /etc/apt/sources.list.d/debian.sources 2>/dev/null || grep -m1 -oP '(?<=deb https?://)[^/]+' /etc/apt/sources.list 2>/dev/null" 2>/dev/null || echo "unknown")
       msg_warn "apt-get update failed (${failed_mirror}), trying alternate mirrors..."
       local mirror_exit=0
-      pct exec "$CTID" -- env APT_BASE="$_base_pkgs" bash -c '
+      pct exec "$CTID" -- bash -c '
+        APT_BASE="sudo curl mc gnupg2 jq"
         DISTRO=$(. /etc/os-release 2>/dev/null && echo "$ID" || echo "debian")
 
         if [ "$DISTRO" = "ubuntu" ]; then
@@ -4487,7 +4483,7 @@ EOF
               [ -f \"\$src\" ] && sed -i \"s|URIs: http[s]*://[^/]*/|URIs: http://${custom_mirror}/|g; s|deb http[s]*://[^/]*/|deb http://${custom_mirror}/|g\" \"\$src\"
             done
             rm -rf /var/lib/apt/lists/*
-            apt-get update >/dev/null 2>&1 && apt-get install -y ${_base_pkgs} >/dev/null 2>&1
+            apt-get update >/dev/null 2>&1 && apt-get install -y sudo curl mc gnupg2 jq >/dev/null 2>&1
           " && break
           msg_warn "Mirror '${custom_mirror}' also failed. Try another or type 'skip'."
         done
@@ -4527,9 +4523,7 @@ EOF
     # that sends "configuring" status AFTER the host already reported "failed"
     export CONTAINER_INSTALLING=true
 
-    local _install_script
-    _install_script="$(curl -fsSL "https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/${var_install}.sh")"
-    lxc-attach -n "$CTID" -- bash -c "$_install_script"
+    lxc-attach -n "$CTID" -- bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/${var_install}.sh)"
     local lxc_exit=$?
 
     unset CONTAINER_INSTALLING
@@ -4924,9 +4918,7 @@ EOF
           # Re-run install script in existing container (don't destroy/recreate)
           set +Eeuo pipefail
           trap - ERR
-          local _install_script
-          _install_script="$(curl -fsSL "https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/${var_install}.sh")"
-          lxc-attach -n "$CTID" -- bash -c "$_install_script"
+          lxc-attach -n "$CTID" -- bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/install/${var_install}.sh)"
           local apt_retry_exit=$?
           set -Eeuo pipefail
           trap 'error_handler' ERR
@@ -5684,72 +5676,6 @@ create_lxc_container() {
     esac
   }
 
-  ARCH="$(dpkg --print-architecture)"
-
-  # Maps OS type + version to the release variant name used by ARM64 template sources.
-  arm64_template_variant() {
-    case "$1:$2" in
-      debian:12) echo "bookworm" ;;
-      debian:13) echo "trixie" ;;
-      debian:) echo "$DEBIAN_DEFAULT_CODENAME" ;;
-
-      ubuntu:24.04) echo "noble" ;;
-      ubuntu:26.04) echo "questing" ;;
-      ubuntu:) echo "$UBUNTU_DEFAULT_CODENAME" ;;
-
-      alpine:*) echo "${2:-$ALPINE_DEFAULT_VERSION}" ;;
-
-      *) return 1 ;;
-    esac
-  }
-
-  # Downloads an ARM64 LXC rootfs template to $1.
-  # Debian: fetches latest release from community-scripts/debian-arm64-lxc on GitHub.
-  # Others: fetches from jenkins.linuxcontainers.org.
-  download_arm64_template() {
-    local dest="$1" url
-
-    mkdir -p "$(dirname "$dest")" || {
-      msg_error "Cannot create template dir."
-      exit 207
-    }
-
-    if [[ "$PCT_OSTYPE" == "debian" ]]; then
-      url=$(
-        curl -fsSL "https://api.github.com/repos/community-scripts/debian-arm64-lxc/releases/latest" |
-          jq -r --arg v "$CUSTOM_TEMPLATE_VARIANT" \
-            '.assets[].browser_download_url | select(test("debian-" + $v + "-arm64-rootfs\\.tar\\.xz$"))' |
-          head -n1
-      )
-
-      [[ -n "$url" ]] || {
-        msg_error "Could not find Debian ${CUSTOM_TEMPLATE_VARIANT} ARM64 template URL."
-        exit 207
-      }
-    else
-      url="https://jenkins.linuxcontainers.org/job/image-${PCT_OSTYPE}/architecture=arm64,release=${CUSTOM_TEMPLATE_VARIANT},variant=default/lastStableBuild/artifact/rootfs.tar.xz"
-    fi
-
-    msg_info "Downloading ${PCT_OSTYPE^} ${CUSTOM_TEMPLATE_VARIANT} ARM64 template"
-    if ! curl -fsSL -o "$dest" "$url"; then
-      msg_error "Failed to download ARM64 template from: $url"
-      exit 208
-    fi
-    msg_ok "Downloaded ARM64 LXC template"
-  }
-
-  download_template() {
-    local dest="${1:-$TEMPLATE_PATH}"
-    if [[ "$ARCH" == "arm64" ]]; then
-      download_arm64_template "$dest"
-    else
-      pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1 || {
-        msg_error "Failed to download template '$TEMPLATE' to storage '$TEMPLATE_STORAGE'"
-        exit 222
-      }
-    fi
-  }
-
   # ------------------------------------------------------------------------------
   # Required input variables
   # ------------------------------------------------------------------------------
@@ -5916,120 +5842,153 @@ create_lxc_container() {
   # ------------------------------------------------------------------------------
   # Template discovery & validation
   # ------------------------------------------------------------------------------
-  CUSTOM_TEMPLATE_VARIANT=""
+  TEMPLATE_SEARCH="${PCT_OSTYPE}-${PCT_OSVERSION:-}"
+  case "$PCT_OSTYPE" in
+  debian | ubuntu) TEMPLATE_PATTERN="-standard_" ;;
+  alpine | fedora | rocky | centos) TEMPLATE_PATTERN="-default_" ;;
+  *) TEMPLATE_PATTERN="" ;;
+  esac
 
-  if [[ "$ARCH" == "arm64" ]]; then
-    # ARM64: use custom template download from linuxcontainers.org / GitHub
-    msg_info "Preparing ARM64 template"
+  msg_info "Searching for template '$TEMPLATE_SEARCH'"
 
-    CUSTOM_TEMPLATE_VARIANT=$(arm64_template_variant "$PCT_OSTYPE" "${PCT_OSVERSION:-}") || {
-      msg_error "No ARM64 template mapping for ${PCT_OSTYPE} ${PCT_OSVERSION:-latest}"
-      exit 207
-    }
+  # Initialize variables
+  ONLINE_TEMPLATE=""
+  ONLINE_TEMPLATES=()
 
-    TEMPLATE="${PCT_OSTYPE}-${CUSTOM_TEMPLATE_VARIANT}-rootfs.tar.xz"
-    TEMPLATE_SOURCE="custom-arm64"
-
-    # Resolve template path
-    TEMPLATE_PATH="$(pvesm path "${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE}" 2>/dev/null || true)"
-    if [[ -z "$TEMPLATE_PATH" ]]; then
-      local _tpl_base
-      _tpl_base=$(awk -v s="$TEMPLATE_STORAGE" '
-        $0 ~ "^[^:]+:[[:space:]]*" s "$" {f=1; next}
-        f && /^[^[:space:]]/ {f=0}
-        f && $1 == "path" {print $2; exit}
-      ' /etc/pve/storage.cfg)
-      TEMPLATE_PATH="${_tpl_base:-/var/lib/vz}/template/cache/$TEMPLATE"
-    fi
-
-    # Download if missing, too small, or corrupt
-    if [[ ! -f "$TEMPLATE_PATH" ]]; then
-      download_arm64_template "$TEMPLATE_PATH"
-    elif [[ "$(stat -c%s "$TEMPLATE_PATH")" -lt 1000000 ]] || ! tar -tf "$TEMPLATE_PATH" &>/dev/null; then
-      msg_warn "Local template invalid - re-downloading."
-      rm -f "$TEMPLATE_PATH"
-      download_arm64_template "$TEMPLATE_PATH"
-    else
-      msg_ok "Template ${BL}$TEMPLATE${CL} found locally."
-    fi
+  # Step 1: Check local templates first (instant)
+  mapfile -t LOCAL_TEMPLATES < <(
+    pveam list "$TEMPLATE_STORAGE" 2>/dev/null |
+      awk -v search="${TEMPLATE_SEARCH}" -v pattern="${TEMPLATE_PATTERN}" '$1 ~ search && $1 ~ pattern {print $1}' |
+      sed 's|.*/||' | sort -t - -k 2 -V
+  )
 
+  # Step 2: If local template found, use it immediately (skip pveam update)
+  if [[ ${#LOCAL_TEMPLATES[@]} -gt 0 ]]; then
+    TEMPLATE="${LOCAL_TEMPLATES[-1]}"
+    TEMPLATE_SOURCE="local"
+    msg_ok "Template search completed"
   else
-    TEMPLATE_SEARCH="${PCT_OSTYPE}-${PCT_OSVERSION:-}"
-    case "$PCT_OSTYPE" in
-    debian | ubuntu) TEMPLATE_PATTERN="-standard_" ;;
-    alpine | fedora | rocky | centos) TEMPLATE_PATTERN="-default_" ;;
-    *) TEMPLATE_PATTERN="" ;;
-    esac
+    # Step 3: No local template - need to check online (this may be slow)
+    msg_info "No local template found, checking online catalog..."
 
-    msg_info "Searching for template '$TEMPLATE_SEARCH'"
+    # Update catalog with timeout to prevent long hangs
+    if command -v timeout &>/dev/null; then
+      if ! timeout 30 pveam update >/dev/null 2>&1; then
+        msg_warn "Template catalog update timed out (possible network/DNS issue). Run 'pveam update' manually to diagnose."
+      fi
+    else
+      pveam update >/dev/null 2>&1 || msg_warn "Could not update template catalog (pveam update failed)"
+    fi
 
-    # Initialize variables
-    ONLINE_TEMPLATE=""
     ONLINE_TEMPLATES=()
+    mapfile -t ONLINE_TEMPLATES < <(pveam available -section system 2>/dev/null | grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' | awk '{print $2}' | grep -E "^${TEMPLATE_SEARCH}.*${TEMPLATE_PATTERN}" | sort -t - -k 2 -V 2>/dev/null || true)
+    [[ ${#ONLINE_TEMPLATES[@]} -gt 0 ]] && ONLINE_TEMPLATE="${ONLINE_TEMPLATES[-1]}"
 
-    # Step 1: Check local templates first (instant)
-    mapfile -t LOCAL_TEMPLATES < <(
-      pveam list "$TEMPLATE_STORAGE" 2>/dev/null |
-        awk -v search="${TEMPLATE_SEARCH}" -v pattern="${TEMPLATE_PATTERN}" '$1 ~ search && $1 ~ pattern {print $1}' |
-        sed 's|.*/||' | sort -t - -k 2 -V
+    TEMPLATE="$ONLINE_TEMPLATE"
+    TEMPLATE_SOURCE="online"
+    msg_ok "Template search completed"
+  fi
+
+  # If still no template, try to find alternatives
+  if [[ -z "$TEMPLATE" ]]; then
+    msg_warn "No template found for ${PCT_OSTYPE} ${PCT_OSVERSION}, searching for alternatives..."
+
+    # Get all available versions for this OS type
+    AVAILABLE_VERSIONS=()
+    mapfile -t AVAILABLE_VERSIONS < <(
+      pveam available -section system 2>/dev/null |
+        grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' |
+        awk -F'\t' '{print $1}' |
+        grep "^${PCT_OSTYPE}-" |
+        sed -E "s/.*${PCT_OSTYPE}-([0-9]+(\.[0-9]+)?).*/\1/" |
+        sort -u -V 2>/dev/null
     )
 
-    # Step 2: If local template found, use it immediately (skip pveam update)
-    if [[ ${#LOCAL_TEMPLATES[@]} -gt 0 ]]; then
-      TEMPLATE="${LOCAL_TEMPLATES[-1]}"
-      TEMPLATE_SOURCE="local"
-      msg_ok "Template search completed"
-    else
-      # Step 3: No local template - need to check online (this may be slow)
-      msg_info "No local template found, checking online catalog..."
+    if [[ ${#AVAILABLE_VERSIONS[@]} -gt 0 ]]; then
+      echo ""
+      echo "${BL}Available ${PCT_OSTYPE} versions:${CL}"
+      for i in "${!AVAILABLE_VERSIONS[@]}"; do
+        echo "  [$((i + 1))] ${AVAILABLE_VERSIONS[$i]}"
+      done
+      echo ""
+      read -p "Select version [1-${#AVAILABLE_VERSIONS[@]}] or press Enter to cancel: " choice </dev/tty
 
-      # Update catalog with timeout to prevent long hangs
-      if command -v timeout &>/dev/null; then
-        if ! timeout 30 pveam update >/dev/null 2>&1; then
-          msg_warn "Template catalog update timed out (possible network/DNS issue). Run 'pveam update' manually to diagnose."
+      if [[ "$choice" =~ ^[0-9]+$ ]] && [[ "$choice" -ge 1 ]] && [[ "$choice" -le ${#AVAILABLE_VERSIONS[@]} ]]; then
+        PCT_OSVERSION="${AVAILABLE_VERSIONS[$((choice - 1))]}"
+        TEMPLATE_SEARCH="${PCT_OSTYPE}-${PCT_OSVERSION}"
+
+        ONLINE_TEMPLATES=()
+        mapfile -t ONLINE_TEMPLATES < <(
+          pveam available -section system 2>/dev/null |
+            grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' |
+            awk '{print $2}' |
+            grep -E "^${TEMPLATE_SEARCH}-.*${TEMPLATE_PATTERN}" |
+            sort -t - -k 2 -V 2>/dev/null || true
+        )
+
+        if [[ ${#ONLINE_TEMPLATES[@]} -gt 0 ]]; then
+          TEMPLATE="${ONLINE_TEMPLATES[-1]}"
+          TEMPLATE_SOURCE="online"
+        else
+          msg_error "No templates available for ${PCT_OSTYPE} ${PCT_OSVERSION}"
+          exit 225
         fi
       else
-        pveam update >/dev/null 2>&1 || msg_warn "Could not update template catalog (pveam update failed)"
+        msg_custom "🚫" "${YW}" "Installation cancelled"
+        exit 0
       fi
-
-      ONLINE_TEMPLATES=()
-      mapfile -t ONLINE_TEMPLATES < <(pveam available -section system 2>/dev/null | grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' | awk '{print $2}' | grep -E "^${TEMPLATE_SEARCH}.*${TEMPLATE_PATTERN}" | sort -t - -k 2 -V 2>/dev/null || true)
-      [[ ${#ONLINE_TEMPLATES[@]} -gt 0 ]] && ONLINE_TEMPLATE="${ONLINE_TEMPLATES[-1]}"
-
-      TEMPLATE="$ONLINE_TEMPLATE"
-      TEMPLATE_SOURCE="online"
-      msg_ok "Template search completed"
+    else
+      msg_error "No ${PCT_OSTYPE} templates available at all"
+      exit 225
     fi
+  fi
 
-    # If still no template, try to find alternatives
+  TEMPLATE_PATH="$(pvesm path $TEMPLATE_STORAGE:vztmpl/$TEMPLATE 2>/dev/null || true)"
+  if [[ -z "$TEMPLATE_PATH" ]]; then
+    TEMPLATE_BASE=$(awk -v s="$TEMPLATE_STORAGE" '$1==s {f=1} f && /path/ {print $2; exit}' /etc/pve/storage.cfg)
+    [[ -n "$TEMPLATE_BASE" ]] && TEMPLATE_PATH="$TEMPLATE_BASE/template/cache/$TEMPLATE"
+  fi
+
+  # If we still don't have a path but have a valid template name, construct it
+  if [[ -z "$TEMPLATE_PATH" && -n "$TEMPLATE" ]]; then
+    TEMPLATE_PATH="/var/lib/vz/template/cache/$TEMPLATE"
+  fi
+
+  [[ -n "$TEMPLATE_PATH" ]] || {
     if [[ -z "$TEMPLATE" ]]; then
-      msg_warn "No template found for ${PCT_OSTYPE} ${PCT_OSVERSION}, searching for alternatives..."
+      msg_error "Template ${PCT_OSTYPE} ${PCT_OSVERSION} not available"
 
-      # Get all available versions for this OS type
-      AVAILABLE_VERSIONS=()
+      # Get available versions
       mapfile -t AVAILABLE_VERSIONS < <(
         pveam available -section system 2>/dev/null |
-          grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' |
-          awk -F'\t' '{print $1}' |
           grep "^${PCT_OSTYPE}-" |
-          sed -E "s/.*${PCT_OSTYPE}-([0-9]+(\.[0-9]+)?).*/\1/" |
-          sort -u -V 2>/dev/null
+          sed -E 's/.*'"${PCT_OSTYPE}"'-([0-9]+\.[0-9]+).*/\1/' |
+          grep -E '^[0-9]+\.[0-9]+$' |
+          sort -u -V 2>/dev/null || sort -u
       )
 
       if [[ ${#AVAILABLE_VERSIONS[@]} -gt 0 ]]; then
-        echo ""
-        echo "${BL}Available ${PCT_OSTYPE} versions:${CL}"
+        echo -e "\n${BL}Available versions:${CL}"
         for i in "${!AVAILABLE_VERSIONS[@]}"; do
           echo "  [$((i + 1))] ${AVAILABLE_VERSIONS[$i]}"
         done
+
         echo ""
-        read -p "Select version [1-${#AVAILABLE_VERSIONS[@]}] or press Enter to cancel: " choice </dev/tty
+        read -p "Select version [1-${#AVAILABLE_VERSIONS[@]}] or Enter to exit: " choice </dev/tty
 
         if [[ "$choice" =~ ^[0-9]+$ ]] && [[ "$choice" -ge 1 ]] && [[ "$choice" -le ${#AVAILABLE_VERSIONS[@]} ]]; then
-          PCT_OSVERSION="${AVAILABLE_VERSIONS[$((choice - 1))]}"
-          TEMPLATE_SEARCH="${PCT_OSTYPE}-${PCT_OSVERSION}"
+          export var_version="${AVAILABLE_VERSIONS[$((choice - 1))]}"
+          export PCT_OSVERSION="$var_version"
+          msg_ok "Switched to ${PCT_OSTYPE} ${var_version}"
 
-          ONLINE_TEMPLATES=()
+          # Retry template search with new version
+          TEMPLATE_SEARCH="${PCT_OSTYPE}-${PCT_OSVERSION:-}"
+
+          mapfile -t LOCAL_TEMPLATES < <(
+            pveam list "$TEMPLATE_STORAGE" 2>/dev/null |
+              awk -v search="${TEMPLATE_SEARCH}-" -v pattern="${TEMPLATE_PATTERN}" '$1 ~ search && $1 ~ pattern {print $1}' |
+              sed 's|.*/||' | sort -t - -k 2 -V
+          )
           mapfile -t ONLINE_TEMPLATES < <(
             pveam available -section system 2>/dev/null |
               grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' |
@@ -6037,181 +5996,109 @@ create_lxc_container() {
               grep -E "^${TEMPLATE_SEARCH}-.*${TEMPLATE_PATTERN}" |
               sort -t - -k 2 -V 2>/dev/null || true
           )
+          ONLINE_TEMPLATE=""
+          [[ ${#ONLINE_TEMPLATES[@]} -gt 0 ]] && ONLINE_TEMPLATE="${ONLINE_TEMPLATES[-1]}"
 
-          if [[ ${#ONLINE_TEMPLATES[@]} -gt 0 ]]; then
-            TEMPLATE="${ONLINE_TEMPLATES[-1]}"
-            TEMPLATE_SOURCE="online"
+          if [[ ${#LOCAL_TEMPLATES[@]} -gt 0 ]]; then
+            TEMPLATE="${LOCAL_TEMPLATES[-1]}"
+            TEMPLATE_SOURCE="local"
           else
-            msg_error "No templates available for ${PCT_OSTYPE} ${PCT_OSVERSION}"
-            exit 225
+            TEMPLATE="$ONLINE_TEMPLATE"
+            TEMPLATE_SOURCE="online"
           fi
+
+          TEMPLATE_PATH="$(pvesm path $TEMPLATE_STORAGE:vztmpl/$TEMPLATE 2>/dev/null || true)"
+          if [[ -z "$TEMPLATE_PATH" ]]; then
+            TEMPLATE_BASE=$(awk -v s="$TEMPLATE_STORAGE" '$1==s {f=1} f && /path/ {print $2; exit}' /etc/pve/storage.cfg)
+            [[ -n "$TEMPLATE_BASE" ]] && TEMPLATE_PATH="$TEMPLATE_BASE/template/cache/$TEMPLATE"
+          fi
+
+          # If we still don't have a path but have a valid template name, construct it
+          if [[ -z "$TEMPLATE_PATH" && -n "$TEMPLATE" ]]; then
+            TEMPLATE_PATH="/var/lib/vz/template/cache/$TEMPLATE"
+          fi
+
+          [[ -n "$TEMPLATE_PATH" ]] || {
+            msg_error "Template still not found after version change"
+            exit 220
+          }
         else
           msg_custom "🚫" "${YW}" "Installation cancelled"
           exit 0
         fi
       else
         msg_error "No ${PCT_OSTYPE} templates available"
-        exit 225
+        exit 220
       fi
     fi
+  }
 
-    TEMPLATE_PATH="$(pvesm path $TEMPLATE_STORAGE:vztmpl/$TEMPLATE 2>/dev/null || true)"
-    if [[ -z "$TEMPLATE_PATH" ]]; then
-      TEMPLATE_BASE=$(awk -v s="$TEMPLATE_STORAGE" '$1==s {f=1} f && /path/ {print $2; exit}' /etc/pve/storage.cfg)
-      [[ -n "$TEMPLATE_BASE" ]] && TEMPLATE_PATH="$TEMPLATE_BASE/template/cache/$TEMPLATE"
-    fi
+  # Validate that we found a template
+  if [[ -z "$TEMPLATE" ]]; then
+    msg_error "No template found for ${PCT_OSTYPE} ${PCT_OSVERSION}"
+    msg_custom "ℹ️" "${YW}" "Please check:"
+    msg_custom "  •" "${YW}" "Is pveam catalog available? (run: pveam available -section system)"
+    msg_custom "  •" "${YW}" "Does the template exist for your OS version?"
+    exit 225
+  fi
 
-    # If we still don't have a path but have a valid template name, construct it
-    if [[ -z "$TEMPLATE_PATH" && -n "$TEMPLATE" ]]; then
-      TEMPLATE_PATH="/var/lib/vz/template/cache/$TEMPLATE"
-    fi
+  msg_ok "Template ${BL}$TEMPLATE${CL} [$TEMPLATE_SOURCE]"
+  msg_debug "Resolved TEMPLATE_PATH=$TEMPLATE_PATH"
 
-    [[ -n "$TEMPLATE_PATH" ]] || {
-      if [[ -z "$TEMPLATE" ]]; then
-        msg_error "Template ${PCT_OSTYPE} ${PCT_OSVERSION} not available"
-
-        # Get available versions
-        mapfile -t AVAILABLE_VERSIONS < <(
-          pveam available -section system 2>/dev/null |
-            grep "^${PCT_OSTYPE}-" |
-            sed -E 's/.*'"${PCT_OSTYPE}"'-([0-9]+\.[0-9]+).*/\1/' |
-            grep -E '^[0-9]+\.[0-9]+$' |
-            sort -u -V 2>/dev/null || sort -u
-        )
-
-        if [[ ${#AVAILABLE_VERSIONS[@]} -gt 0 ]]; then
-          echo -e "\n${BL}Available versions:${CL}"
-          for i in "${!AVAILABLE_VERSIONS[@]}"; do
-            echo "  [$((i + 1))] ${AVAILABLE_VERSIONS[$i]}"
-          done
-
-          echo ""
-          read -p "Select version [1-${#AVAILABLE_VERSIONS[@]}] or press Enter to exit: " choice </dev/tty
-
-          if [[ "$choice" =~ ^[0-9]+$ ]] && [[ "$choice" -ge 1 ]] && [[ "$choice" -le ${#AVAILABLE_VERSIONS[@]} ]]; then
-            export var_version="${AVAILABLE_VERSIONS[$((choice - 1))]}"
-            export PCT_OSVERSION="$var_version"
-            msg_ok "Switched to ${PCT_OSTYPE} ${var_version}"
-
-            # Retry template search with new version
-            TEMPLATE_SEARCH="${PCT_OSTYPE}-${PCT_OSVERSION:-}"
-
-            mapfile -t LOCAL_TEMPLATES < <(
-              pveam list "$TEMPLATE_STORAGE" 2>/dev/null |
-                awk -v search="${TEMPLATE_SEARCH}-" -v pattern="${TEMPLATE_PATTERN}" '$1 ~ search && $1 ~ pattern {print $1}' |
-                sed 's|.*/||' | sort -t - -k 2 -V
-            )
-            mapfile -t ONLINE_TEMPLATES < <(
-              pveam available -section system 2>/dev/null |
-                grep -E '\.(tar\.zst|tar\.xz|tar\.gz)$' |
-                awk '{print $2}' |
-                grep -E "^${TEMPLATE_SEARCH}-.*${TEMPLATE_PATTERN}" |
-                sort -t - -k 2 -V 2>/dev/null || true
-            )
-            ONLINE_TEMPLATE=""
-            [[ ${#ONLINE_TEMPLATES[@]} -gt 0 ]] && ONLINE_TEMPLATE="${ONLINE_TEMPLATES[-1]}"
-
-            if [[ ${#LOCAL_TEMPLATES[@]} -gt 0 ]]; then
-              TEMPLATE="${LOCAL_TEMPLATES[-1]}"
-              TEMPLATE_SOURCE="local"
-            else
-              TEMPLATE="$ONLINE_TEMPLATE"
-              TEMPLATE_SOURCE="online"
-            fi
-
-            TEMPLATE_PATH="$(pvesm path $TEMPLATE_STORAGE:vztmpl/$TEMPLATE 2>/dev/null || true)"
-            if [[ -z "$TEMPLATE_PATH" ]]; then
-              TEMPLATE_BASE=$(awk -v s="$TEMPLATE_STORAGE" '$1==s {f=1} f && /path/ {print $2; exit}' /etc/pve/storage.cfg)
-              [[ -n "$TEMPLATE_BASE" ]] && TEMPLATE_PATH="$TEMPLATE_BASE/template/cache/$TEMPLATE"
-            fi
-
-            # If we still don't have a path but have a valid template name, construct it
-            if [[ -z "$TEMPLATE_PATH" && -n "$TEMPLATE" ]]; then
-              TEMPLATE_PATH="/var/lib/vz/template/cache/$TEMPLATE"
-            fi
-
-            [[ -n "$TEMPLATE_PATH" ]] || {
-              msg_error "Template still not found after version change"
-              exit 220
-            }
-          else
-            msg_custom "🚫" "${YW}" "Installation cancelled"
-            exit 0
-          fi
-        else
-          msg_error "No ${PCT_OSTYPE} templates available"
-          exit 220
-        fi
-      fi
-    }
-
-    # Validate that we found a template
-    if [[ -z "$TEMPLATE" ]]; then
-      msg_error "No template found for ${PCT_OSTYPE} ${PCT_OSVERSION}"
-      msg_custom "ℹ️" "${YW}" "Please check:"
-      msg_custom "  •" "${YW}" "Is pveam catalog available? (run: pveam available -section system)"
-      msg_custom "  •" "${YW}" "Does the template exist for your OS version?"
-      exit 225
-    fi
-
-    msg_ok "Template ${BL}$TEMPLATE${CL} [$TEMPLATE_SOURCE]"
-    msg_debug "Resolved TEMPLATE_PATH=$TEMPLATE_PATH"
-
-    NEED_DOWNLOAD=0
-    if [[ ! -f "$TEMPLATE_PATH" ]]; then
-      msg_info "Template not present locally, will download it."
+  NEED_DOWNLOAD=0
+  if [[ ! -f "$TEMPLATE_PATH" ]]; then
+    msg_info "Template not present locally – will download."
+    NEED_DOWNLOAD=1
+  elif [[ ! -r "$TEMPLATE_PATH" ]]; then
+    msg_error "Template file exists but is not readable – check permissions."
+    exit 221
+  elif [[ "$(stat -c%s "$TEMPLATE_PATH")" -lt 1000000 ]]; then
+    if [[ -n "$ONLINE_TEMPLATE" ]]; then
+      msg_warn "Template file too small (<1MB) – re-downloading."
       NEED_DOWNLOAD=1
-    elif [[ ! -r "$TEMPLATE_PATH" ]]; then
-      msg_error "Template file exists but is not readable, check permissions."
-      exit 221
-    elif [[ "$(stat -c%s "$TEMPLATE_PATH")" -lt 1000000 ]]; then
-      if [[ -n "$ONLINE_TEMPLATE" ]]; then
-        msg_warn "Template file too small (<1MB), re-downloading."
-        NEED_DOWNLOAD=1
-      else
-        msg_warn "Template looks too small, but no online version exists. Keeping local file."
-      fi
-    elif ! tar -tf "$TEMPLATE_PATH" &>/dev/null; then
-      if [[ -n "$ONLINE_TEMPLATE" ]]; then
-        msg_warn "Template appears corrupted, re-downloading."
-        NEED_DOWNLOAD=1
-      else
-        msg_warn "Template appears corrupted, but no online version exists. Keeping local file."
-      fi
     else
-      $STD msg_ok "Template $TEMPLATE is present and valid."
+      msg_warn "Template looks too small, but no online version exists. Keeping local file."
     fi
+  elif ! tar -tf "$TEMPLATE_PATH" &>/dev/null; then
+    if [[ -n "$ONLINE_TEMPLATE" ]]; then
+      msg_warn "Template appears corrupted – re-downloading."
+      NEED_DOWNLOAD=1
+    else
+      msg_warn "Template appears corrupted, but no online version exists. Keeping local file."
+    fi
+  else
+    $STD msg_ok "Template $TEMPLATE is present and valid."
+  fi
 
-    if [[ "$TEMPLATE_SOURCE" == "local" && -n "$ONLINE_TEMPLATE" && "$TEMPLATE" != "$ONLINE_TEMPLATE" ]]; then
-      msg_warn "Local template is outdated: $TEMPLATE (latest available: $ONLINE_TEMPLATE)"
-      if whiptail --yesno "A newer template is available:\n$ONLINE_TEMPLATE\n\nDo you want to download and use it instead?" 12 70; then
-        TEMPLATE="$ONLINE_TEMPLATE"
-        NEED_DOWNLOAD=1
-      else
-        msg_custom "ℹ️" "${BL}" "Continuing with local template $TEMPLATE"
+  if [[ "$TEMPLATE_SOURCE" == "local" && -n "$ONLINE_TEMPLATE" && "$TEMPLATE" != "$ONLINE_TEMPLATE" ]]; then
+    msg_warn "Local template is outdated: $TEMPLATE (latest available: $ONLINE_TEMPLATE)"
+    if whiptail --yesno "A newer template is available:\n$ONLINE_TEMPLATE\n\nDo you want to download and use it instead?" 12 70; then
+      TEMPLATE="$ONLINE_TEMPLATE"
+      NEED_DOWNLOAD=1
+    else
+      msg_custom "ℹ️" "${BL}" "Continuing with local template $TEMPLATE"
+    fi
+  fi
+
+  if [[ "$NEED_DOWNLOAD" -eq 1 ]]; then
+    [[ -f "$TEMPLATE_PATH" ]] && rm -f "$TEMPLATE_PATH"
+    for attempt in {1..3}; do
+      msg_info "Attempt $attempt: Downloading template $TEMPLATE to $TEMPLATE_STORAGE"
+      if pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1; then
+        msg_ok "Template download successful."
+        break
       fi
-    fi
+      if [[ $attempt -eq 3 ]]; then
+        msg_error "Failed after 3 attempts. Please check network access, permissions, or manually run:\n  pveam download $TEMPLATE_STORAGE $TEMPLATE"
+        exit 222
+      fi
+      sleep $((attempt * 5))
+    done
+  fi
 
-    if [[ "$NEED_DOWNLOAD" -eq 1 ]]; then
-      [[ -f "$TEMPLATE_PATH" ]] && rm -f "$TEMPLATE_PATH"
-      for attempt in {1..3}; do
-        msg_info "Attempt $attempt: Downloading template $TEMPLATE to $TEMPLATE_STORAGE"
-        if pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1; then
-          msg_ok "Template download successful."
-          break
-        fi
-        if [[ $attempt -eq 3 ]]; then
-          msg_error "Failed after 3 attempts. Please check network access, permissions, or manually run:\n  pveam download $TEMPLATE_STORAGE $TEMPLATE"
-          exit 222
-        fi
-        sleep $((attempt * 5))
-      done
-    fi
-
-    if ! pveam list "$TEMPLATE_STORAGE" 2>/dev/null | grep -q "$TEMPLATE"; then
-      msg_error "Template $TEMPLATE not available in storage $TEMPLATE_STORAGE after download."
-      exit 223
-    fi
+  if ! pveam list "$TEMPLATE_STORAGE" 2>/dev/null | grep -q "$TEMPLATE"; then
+    msg_error "Template $TEMPLATE not available in storage $TEMPLATE_STORAGE after download."
+    exit 223
   fi
 
   # ------------------------------------------------------------------------------
@@ -6288,15 +6175,21 @@ create_lxc_container() {
 
   # Validate template before pct create (while holding lock)
   if [[ ! -s "$TEMPLATE_PATH" || "$(stat -c%s "$TEMPLATE_PATH" 2>/dev/null || echo 0)" -lt 1000000 ]]; then
-    msg_info "Template file missing or too small - downloading"
+    msg_info "Template file missing or too small – downloading"
     rm -f "$TEMPLATE_PATH"
-    download_template
+    pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1 || {
+      msg_error "Failed to download template '$TEMPLATE' to storage '$TEMPLATE_STORAGE'"
+      exit 222
+    }
     msg_ok "Template downloaded"
   elif ! tar -tf "$TEMPLATE_PATH" &>/dev/null; then
-    if [[ "$ARCH" == "arm64" || -n "$ONLINE_TEMPLATE" ]]; then
-      msg_info "Template appears corrupted - re-downloading"
+    if [[ -n "$ONLINE_TEMPLATE" ]]; then
+      msg_info "Template appears corrupted – re-downloading"
       rm -f "$TEMPLATE_PATH"
-      download_template
+      pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1 || {
+        msg_error "Failed to re-download template '$TEMPLATE'"
+        exit 222
+      }
       msg_ok "Template re-downloaded"
     else
       msg_warn "Template appears corrupted, but no online version exists. Skipping re-download."
@@ -6344,9 +6237,9 @@ create_lxc_container() {
     else
       # Not a CTID collision - check if template issue and retry with fresh download
       if grep -qiE 'unable to open|corrupt|invalid' "$LOGFILE"; then
-        msg_info "Template may be corrupted - re-downloading"
+        msg_info "Template may be corrupted – re-downloading"
         rm -f "$TEMPLATE_PATH"
-        download_template
+        pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1
         msg_ok "Template re-downloaded"
       fi
 
@@ -6359,11 +6252,7 @@ create_lxc_container() {
           if [[ ! -f "$LOCAL_TEMPLATE_PATH" ]]; then
             msg_ok "Trying local storage fallback"
             msg_info "Downloading template to local"
-            if [[ "$ARCH" == "arm64" ]]; then
-              download_arm64_template "$LOCAL_TEMPLATE_PATH"
-            else
-              pveam download local "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1
-            fi
+            pveam download local "$TEMPLATE" >>"${BUILD_LOG:-/dev/null}" 2>&1
             msg_ok "Template downloaded to local"
           else
             msg_ok "Trying local storage fallback"

misc/core.func

@@ -344,15 +344,9 @@ pve_check() {
 # - Provides link to ARM64-compatible scripts
 # ------------------------------------------------------------------------------
 arch_check() {
-  local arch
-  arch="$(dpkg --print-architecture)"
-  if [[ "$arch" != "amd64" && "$arch" != "arm64" ]]; then
-    msg_error "This script requires amd64 or arm64 (detected: $arch)."
-    sleep 2
-    exit 106
-  fi
-  if [[ "$arch" == "arm64" && "${var_arm64:-}" != "yes" ]]; then
-    msg_error "This script does not yet support arm64."
+  if [ "$(dpkg --print-architecture)" != "amd64" ]; then
+    msg_error "This script will not work with PiMox (ARM architecture detected)."
+    msg_warn "Visit https://github.com/asylumexp/Proxmox for ARM64 support."
     sleep 2
     exit 106
   fi
@@ -1718,38 +1712,6 @@ function get_lxc_ip() {
   export LOCAL_IP
 }
 
-# ------------------------------------------------------------------------------
-# ensure_whiptail()
-#
-# - Ensures whiptail is installed
-# - Some ARM64 systems will not have whiptail installed
-# - Exits with error message if installation fails
-# ------------------------------------------------------------------------------
-ensure_whiptail() {
-  command -v whiptail >/dev/null 2>&1 && return 0
-
-  msg_info "Installing whiptail"
-  apt_update_safe
-  $STD apt-get install -y whiptail || {
-    msg_error "Failed to install whiptail"
-    exit 100
-  }
-  msg_ok "Installed whiptail"
-}
-
-# ------------------------------------------------------------------------------
-# arm64_notice()
-#
-# - Shows a short warning when running scripts on ARM64 systems
-# ------------------------------------------------------------------------------
-arm64_notice() {
-  [[ "$(dpkg --print-architecture)" == "arm64" ]] || return 0
-
-  whiptail --backtitle "Proxmox VE Helper Scripts" \
-    --title "ARM64 SUPPORT" \
-    --ok-button "Continue" \
-    --msgbox "ARM64 support is in active development.\n\nSome scripts, packages, or application releases may not be fully tested or working yet." 10 68
-}
 # ==============================================================================
 # SIGNAL TRAPS
 # ==============================================================================

misc/error_handler.func

@@ -99,7 +99,7 @@ if ! declare -f explain_exit_code &>/dev/null; then
     103) echo "Validation: Shell is not Bash" ;;
     104) echo "Validation: Not running as root (or invoked via sudo)" ;;
     105) echo "Validation: Proxmox VE version not supported" ;;
-    106) echo "Validation: Unsupported architecture (requires amd64 or arm64)" ;;
+    106) echo "Validation: Architecture not supported (ARM / PiMox)" ;;
     107) echo "Validation: Kernel key parameters unreadable" ;;
     108) echo "Validation: Kernel key limits exceeded" ;;
     109) echo "Proxmox: No available container ID after max attempts" ;;

misc/tools.func

@@ -2394,11 +2394,12 @@ check_for_gh_release() {
 
   # For pinned versions, query the specific release tag directly
   if [[ -n "$pinned_version_in" ]]; then
+    local pinned_version_encoded="${pinned_version_in//\//%2F}"
     http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gh_check.json \
       -H 'Accept: application/vnd.github+json' \
       -H 'X-GitHub-Api-Version: 2022-11-28' \
       "${header_args[@]}" \
-      "https://api.github.com/repos/${source}/releases/tags/${pinned_version_in}" 2>/dev/null) || true
+      "https://api.github.com/repos/${source}/releases/tags/${pinned_version_encoded}" 2>/dev/null) || true
 
     if [[ "$http_code" == "200" ]] && [[ -s /tmp/gh_check.json ]]; then
       releases_json="[$(</tmp/gh_check.json)]"
@@ -2520,11 +2521,18 @@ check_for_gh_release() {
       rm -f "${legacy_files[0]}"
     fi
   fi
-  current="${current#v}"
+  if [[ "$current" =~ ^v[0-9] ]]; then
+    current="${current:1}"
+  fi
 
   # Pinned version handling
   if [[ -n "$pinned_version_in" ]]; then
-    local pin_clean="${pinned_version_in#v}"
+    local pin_clean
+    if [[ "$pinned_version_in" =~ ^v[0-9] ]]; then
+      pin_clean="${pinned_version_in:1}"
+    else
+      pin_clean="$pinned_version_in"
+    fi
     local match_raw=""
     for i in "${!clean_tags[@]}"; do
       if [[ "${clean_tags[$i]}" == "$pin_clean" ]]; then
@@ -2562,7 +2570,6 @@ check_for_gh_release() {
   msg_ok "No update available: ${app} (${latest_clean})"
   return 1
 }
-
 # ------------------------------------------------------------------------------
 # Checks for new Codeberg release (latest tag).
 #
@@ -2788,25 +2795,34 @@ function ensure_usr_local_bin_persist() {
 }
 
 # ------------------------------------------------------------------------------
-# curl_download - Downloads a file with automatic retry and exponential backoff.
+# curl_download - Downloads a file with stall detection and retry.
 #
 # Usage: curl_download <output_file> <url>
 #
-# Retries up to 5 times with increasing --max-time (60/120/240/480/960s).
-# Returns 0 on success, 1 if all attempts fail.
+# Uses --speed-limit / --speed-time instead of a hard --max-time cap so that
+# slow but progressing downloads (e.g. large .deb files from slow mirrors) are
+# never aborted mid-transfer.  Only aborts when throughput drops below 1 KB/s
+# for 60 consecutive seconds (i.e. a genuine stall or dead connection).
+# Retries up to 3 times on failure.
+# Returns 0 on success, 7 if all attempts fail.
 # ------------------------------------------------------------------------------
 function curl_download() {
   local output="$1"
   local url="$2"
-  local timeouts=(60 120 240 480 960)
+  local retries=3
+  local attempt=1
 
-  for i in "${!timeouts[@]}"; do
-    if curl --connect-timeout 15 --max-time "${timeouts[$i]}" -fsSL -o "$output" "$url"; then
+  while ((attempt <= retries)); do
+    if curl --connect-timeout 15 \
+      --speed-limit 1024 \
+      --speed-time 60 \
+      -fsSL -o "$output" "$url"; then
       return 0
     fi
-    if ((i < ${#timeouts[@]} - 1)); then
-      msg_warn "Download timed out after ${timeouts[$i]}s, retrying... (attempt $((i + 2))/${#timeouts[@]})"
+    if ((attempt < retries)); then
+      msg_warn "Download failed or stalled (attempt ${attempt}/${retries}), retrying..."
     fi
+    ((attempt++))
   done
   return 7
 }
@@ -3060,14 +3076,10 @@ function fetch_and_deploy_codeberg_release() {
     # Fall back to architecture heuristic
     if [[ -z "$url_match" ]]; then
       for u in $assets; do
-        [[ "$u" =~ \.deb$ ]] || continue
-        if [[ "${arch,,}" =~ ^(amd64|x86_64)$ ]]; then
-          [[ "$u" =~ (amd64|x86_64).*\.deb$ ]] || continue
-        elif [[ "${arch,,}" =~ ^(arm64|aarch64)$ ]]; then
-          [[ "$u" =~ (arm64|aarch64).*\.deb$ ]] || continue
+        if [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]]; then
+          url_match="$u"
+          break
         fi
-        url_match="$u"
-        break
       done
     fi
 
@@ -3364,11 +3376,7 @@ _gh_scan_older_releases() {
         done)
       fi
       if [[ "$has_match" != "true" ]]; then
-        if [[ "${arch,,}" =~ ^(amd64|x86_64)$ ]]; then
-          has_match=$(echo "$releases_list" | jq -r ".[$i].assets[].browser_download_url" | grep -qE '(amd64|x86_64).*\.deb$' && echo true)
-        elif [[ "${arch,,}" =~ ^(arm64|aarch64)$ ]]; then
-          has_match=$(echo "$releases_list" | jq -r ".[$i].assets[].browser_download_url" | grep -qE '(arm64|aarch64).*\.deb$' && echo true)
-        fi
+        has_match=$(echo "$releases_list" | jq -r ".[$i].assets[].browser_download_url" | grep -qE "($arch|amd64|x86_64|aarch64|arm64).*\.deb$" && echo true)
       fi
       if [[ "$has_match" != "true" ]]; then
         has_match=$(echo "$releases_list" | jq -r ".[$i].assets[].browser_download_url" | grep -qE '\.deb$' && echo true)
@@ -3574,14 +3582,10 @@ function fetch_and_deploy_gh_release() {
     # If no match via explicit pattern, fall back to architecture heuristic
     if [[ -z "$url_match" ]]; then
       for u in $assets; do
-        [[ "$u" =~ \.deb$ ]] || continue
-        if [[ "${arch,,}" =~ ^(amd64|x86_64)$ ]]; then
-          [[ "$u" =~ (amd64|x86_64).*\.deb$ ]] || continue
-        elif [[ "${arch,,}" =~ ^(arm64|aarch64)$ ]]; then
-          [[ "$u" =~ (arm64|aarch64).*\.deb$ ]] || continue
+        if [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]]; then
+          url_match="$u"
+          break
         fi
-        url_match="$u"
-        break
       done
     fi
 
@@ -3612,14 +3616,10 @@ function fetch_and_deploy_gh_release() {
         fi
         if [[ -z "$url_match" ]]; then
           for u in $assets; do
-            [[ "$u" =~ \.deb$ ]] || continue
-            if [[ "${arch,,}" =~ ^(amd64|x86_64)$ ]]; then
-              [[ "$u" =~ (amd64|x86_64).*\.deb$ ]] || continue
-            elif [[ "${arch,,}" =~ ^(arm64|aarch64)$ ]]; then
-              [[ "$u" =~ (arm64|aarch64).*\.deb$ ]] || continue
+            if [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]]; then
+              url_match="$u"
+              break
             fi
-            url_match="$u"
-            break
           done
         fi
         if [[ -z "$url_match" ]]; then
@@ -3987,12 +3987,7 @@ function setup_ffmpeg() {
 
   # Binary fallback mode
   if [[ "$TYPE" == "binary" ]]; then
-    local ffmpeg_arch
-    case "$(dpkg --print-architecture 2>/dev/null || echo amd64)" in
-    arm64) ffmpeg_arch="arm64" ;;
-    *) ffmpeg_arch="amd64" ;;
-    esac
-    if ! CURL_TIMEOUT=300 curl_with_retry "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-${ffmpeg_arch}-static.tar.xz" "$TMP_DIR/ffmpeg.tar.xz"; then
+    if ! CURL_TIMEOUT=300 curl_with_retry "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz" "$TMP_DIR/ffmpeg.tar.xz"; then
       msg_error "Failed to download FFmpeg binary"
       rm -rf "$TMP_DIR"
       return 250
@@ -4079,17 +4074,7 @@ function setup_ffmpeg() {
   # If no source download (either VERSION empty or download failed), use binary
   if [[ -z "$VERSION" ]]; then
     msg_info "Setup FFmpeg from pre-built binary"
-    local ffmpeg_arch detected_arch
-    detected_arch="$(dpkg --print-architecture 2>/dev/null || true)"
-    if [[ -z "$detected_arch" ]]; then
-      detected_arch="$(uname -m 2>/dev/null || true)"
-    fi
-    case "$detected_arch" in
-    arm64 | aarch64) ffmpeg_arch="arm64" ;;
-    amd64 | x86_64) ffmpeg_arch="amd64" ;;
-    *) ffmpeg_arch="amd64" ;;
-    esac
-    if ! CURL_TIMEOUT=300 curl_with_retry "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-${ffmpeg_arch}-static.tar.xz" "$TMP_DIR/ffmpeg.tar.xz"; then
+    if ! CURL_TIMEOUT=300 curl_with_retry "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz" "$TMP_DIR/ffmpeg.tar.xz"; then
       msg_error "Failed to download FFmpeg pre-built binary"
       rm -rf "$TMP_DIR"
       return 250
@@ -8265,19 +8250,7 @@ function setup_yq() {
     msg_info "Setup yq $LATEST_VERSION"
   fi
 
-  local yq_arch detected_arch
-  if command -v dpkg &>/dev/null; then
-    detected_arch="$(dpkg --print-architecture 2>/dev/null)"
-  else
-    detected_arch="$(uname -m 2>/dev/null)"
-  fi
-
-  case "$detected_arch" in
-  arm64 | aarch64) yq_arch="arm64" ;;
-  amd64 | x86_64) yq_arch="amd64" ;;
-  *) yq_arch="amd64" ;;
-  esac
-  if ! curl_with_retry "https://github.com/${GITHUB_REPO}/releases/download/v${LATEST_VERSION}/yq_linux_${yq_arch}" "$TMP_DIR/yq"; then
+  if ! curl_with_retry "https://github.com/${GITHUB_REPO}/releases/download/v${LATEST_VERSION}/yq_linux_amd64" "$TMP_DIR/yq"; then
     msg_error "Failed to download yq"
     rm -rf "$TMP_DIR"
     return 250

vm/opnsense-vm.sh

@@ -746,7 +746,7 @@ alloc_delay=5
 while :; do
   alloc_err=$(pvesm alloc $STORAGE $VMID $DISK0 4M 2>&1 >/dev/null) && break
   if [[ "$alloc_err" == *"got timeout"* && $alloc_attempt -lt $alloc_max ]]; then
-    msg_warn "pvesm alloc hit zfs timeout (attempt $alloc_attempt/$alloc_max), retrying in ${alloc_delay}s..."
+    echo -e "${YW}[WARN]${CL} pvesm alloc hit zfs timeout (attempt $alloc_attempt/$alloc_max), retrying in ${alloc_delay}s..."
     pvesm free "${DISK0_REF}" &>/dev/null || true
     sleep "$alloc_delay"
     alloc_attempt=$((alloc_attempt + 1))