Add geopulse (ct)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -447,6 +447,7 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
   - #### ✨ New Features
 
+    - core: APT/APK Mirror Fallback for CDN Failures [@MickLesk](https://github.com/MickLesk) ([#13316](https://github.com/community-scripts/ProxmoxVE/pull/13316))
     - core/tools: replace generic return 1 exit_codes with more specific exit_codes [@MickLesk](https://github.com/MickLesk) ([#13311](https://github.com/community-scripts/ProxmoxVE/pull/13311))
 
   - #### 🔧 Refactor

ct/geopulse.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CrazyWolf13
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/tess1o/geopulse
+
+APP="GeoPulse"
+var_tags="${var_tags:-location;tracking;gps}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-1024}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /opt/geopulse/backend/geopulse-backend ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "geopulse-backend" "tess1o/geopulse"; then
+    msg_info "Stopping Service"
+    systemctl stop geopulse-backend
+    msg_ok "Stopped Service"
+
+    if [[ "$(uname -m)" == "aarch64" ]]; then
+      if grep -qi "raspberry\|bcm" /proc/cpuinfo 2>/dev/null; then
+        BINARY_PATTERN="geopulse-backend-native-arm64-compat-*"
+      else
+        BINARY_PATTERN="geopulse-backend-native-arm64-[!c]*"
+      fi
+    else
+      if grep -q avx2 /proc/cpuinfo && grep -q bmi2 /proc/cpuinfo && grep -q fma /proc/cpuinfo; then
+        BINARY_PATTERN="geopulse-backend-native-amd64-[!c]*"
+      else
+        BINARY_PATTERN="geopulse-backend-native-amd64-compat-*"
+      fi
+    fi
+
+    fetch_and_deploy_gh_release "geopulse-backend" "tess1o/geopulse" "singlefile" "latest" "/opt/geopulse/backend" "${BINARY_PATTERN}"
+    fetch_and_deploy_gh_release "geopulse-frontend" "tess1o/geopulse" "prebuild" "latest" "/var/www/geopulse" "geopulse-frontend-*.tar.gz"
+
+    msg_info "Starting Service"
+    systemctl start geopulse-backend
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${INFO}${YW} To create an admin account, run:${CL}"
+echo -e "${TAB}${BGN}/usr/local/bin/create-geopulse-admin${CL}"

install/geopulse-install.sh

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CrazyWolf13
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/tess1o/geopulse
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  openssl \
+  nginx
+msg_ok "Installed Dependencies"
+
+PG_VERSION="17" PG_MODULES="postgis" setup_postgresql
+PG_DB_NAME="geopulse" PG_DB_USER="geopulse" PG_DB_EXTENSIONS="postgis,postgis_topology" setup_postgresql_db
+
+msg_info "Generating Security Keys"
+mkdir -p /opt/geopulse/{backend,keys}
+mkdir -p /etc/geopulse /var/www/geopulse /var/lib/geopulse/dumps
+mkdir -p /var/log/geopulse/{backend,nginx}
+openssl genpkey -algorithm RSA -out /opt/geopulse/keys/jwt-private-key.pem 2>/dev/null
+openssl rsa -pubout -in /opt/geopulse/keys/jwt-private-key.pem -out /opt/geopulse/keys/jwt-public-key.pem 2>/dev/null
+openssl rand -base64 32 >/opt/geopulse/keys/ai-encryption-key.txt
+chmod 640 /opt/geopulse/keys/jwt-private-key.pem /opt/geopulse/keys/jwt-public-key.pem /opt/geopulse/keys/ai-encryption-key.txt
+msg_ok "Generated Security Keys"
+
+if [[ "$(uname -m)" == "aarch64" ]]; then
+  if grep -qi "raspberry\|bcm" /proc/cpuinfo 2>/dev/null; then
+    BINARY_PATTERN="geopulse-backend-native-arm64-compat-*"
+  else
+    BINARY_PATTERN="geopulse-backend-native-arm64-[!c]*"
+  fi
+else
+  if grep -q avx2 /proc/cpuinfo && grep -q bmi2 /proc/cpuinfo && grep -q fma /proc/cpuinfo; then
+    BINARY_PATTERN="geopulse-backend-native-amd64-[!c]*"
+  else
+    BINARY_PATTERN="geopulse-backend-native-amd64-compat-*"
+  fi
+fi
+
+fetch_and_deploy_gh_release "geopulse-backend" "tess1o/geopulse" "singlefile" "latest" "/opt/geopulse/backend" "${BINARY_PATTERN}"
+fetch_and_deploy_gh_release "geopulse-frontend" "tess1o/geopulse" "prebuild" "latest" "/var/www/geopulse" "geopulse-frontend-*.tar.gz"
+
+msg_info "Configuring GeoPulse"
+cat <<EOF >/etc/geopulse/geopulse.env
+GEOPULSE_PUBLIC_BASE_URL=http://${LOCAL_IP}
+GEOPULSE_UI_URL=http://${LOCAL_IP}
+GEOPULSE_CORS_ENABLED=false
+GEOPULSE_CORS_ORIGINS=
+QUARKUS_HTTP_PORT=8080
+GEOPULSE_POSTGRES_URL=jdbc:postgresql://localhost:5432/${PG_DB_NAME}
+GEOPULSE_POSTGRES_HOST=localhost
+GEOPULSE_POSTGRES_PORT=5432
+GEOPULSE_POSTGRES_DB=${PG_DB_NAME}
+GEOPULSE_POSTGRES_USERNAME=${PG_DB_USER}
+GEOPULSE_POSTGRES_PASSWORD=${PG_DB_PASS}
+GEOPULSE_JWT_PRIVATE_KEY_LOCATION=file:/opt/geopulse/keys/jwt-private-key.pem
+GEOPULSE_JWT_PUBLIC_KEY_LOCATION=file:/opt/geopulse/keys/jwt-public-key.pem
+GEOPULSE_AI_ENCRYPTION_KEY_LOCATION=file:/opt/geopulse/keys/ai-encryption-key.txt
+QUARKUS_LOG_FILE_ENABLE=true
+QUARKUS_LOG_FILE_PATH=/var/log/geopulse/backend/geopulse.log
+QUARKUS_LOG_FILE_ROTATION_MAX_FILE_SIZE=10M
+QUARKUS_LOG_FILE_ROTATION_MAX_BACKUP_INDEX=5
+EOF
+chmod 640 /etc/geopulse/geopulse.env
+msg_ok "Configured GeoPulse"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/geopulse-backend.service
+[Unit]
+Description=GeoPulse Backend
+After=network.target postgresql.service
+Wants=postgresql.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/geopulse/backend
+EnvironmentFile=/etc/geopulse/geopulse.env
+ExecStart=/opt/geopulse/backend/geopulse-backend -Dquarkus.http.host=0.0.0.0 -XX:MaximumHeapSizePercent=70 -XX:MaximumYoungGenerationSizePercent=15
+Restart=on-failure
+RestartSec=10
+StandardOutput=append:/var/log/geopulse/backend/geopulse-stdout.log
+StandardError=append:/var/log/geopulse/backend/geopulse-stderr.log
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now geopulse-backend
+msg_ok "Created Service"
+
+msg_info "Configuring Nginx"
+mkdir -p /var/cache/nginx/osm_tiles
+cat <<'EOF' >/etc/nginx/sites-available/geopulse.conf
+proxy_cache_path /var/cache/nginx/osm_tiles levels=1:2 keys_zone=osm_cache:100m max_size=10g inactive=30d use_temp_path=off;
+
+map $uri $osm_subdomain {
+    ~^/osm/tiles/a/ "a";
+    ~^/osm/tiles/b/ "b";
+    ~^/osm/tiles/c/ "c";
+    default "a";
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    root /var/www/geopulse;
+    index index.html;
+
+    client_max_body_size 100M;
+
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_comp_level 6;
+    gzip_min_length 1000;
+
+    location ~* ^/(?!osm/).*\.(jpg|jpeg|png|gif|ico|css|js)$ {
+        expires 1y;
+        add_header Cache-Control "public, max-age=31536000";
+    }
+
+    location ^~ /osm/tiles/ {
+        resolver 8.8.8.8 valid=300s;
+        resolver_timeout 10s;
+        rewrite ^/osm/tiles/[abc]/(.*)$ /$1 break;
+        proxy_pass https://$osm_subdomain.tile.openstreetmap.org;
+        proxy_cache osm_cache;
+        proxy_cache_key "$scheme$proxy_host$uri";
+        proxy_cache_valid 200 30d;
+        proxy_cache_valid 404 1m;
+        proxy_cache_valid 502 503 504 1m;
+        proxy_ignore_headers Cache-Control Expires Set-Cookie;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        proxy_cache_background_update on;
+        proxy_cache_lock on;
+        proxy_set_header Cookie "";
+        proxy_set_header Authorization "";
+        proxy_set_header User-Agent "GeoPulse/1.0";
+        proxy_set_header Host $osm_subdomain.tile.openstreetmap.org;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_connect_timeout 10s;
+        proxy_read_timeout 10s;
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        add_header X-Cache-Status $upstream_cache_status always;
+    }
+
+    location /api/ {
+        proxy_pass http://localhost:8080/api/;
+        proxy_connect_timeout 3600s;
+        proxy_send_timeout 3600s;
+        proxy_read_timeout 3600s;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    access_log /var/log/geopulse/nginx/access.log;
+    error_log /var/log/geopulse/nginx/error.log;
+}
+EOF
+ln -sf /etc/nginx/sites-available/geopulse.conf /etc/nginx/sites-enabled/
+rm -f /etc/nginx/sites-enabled/default
+systemctl enable -q --now nginx
+systemctl reload nginx
+msg_ok "Configured Nginx"
+
+msg_info "Creating Admin Helper"
+cat <<'EOF' >/usr/local/bin/create-geopulse-admin
+#!/usr/bin/env bash
+read -rp "Enter admin email address: " ADMIN_EMAIL
+if [[ -z "$ADMIN_EMAIL" ]]; then
+  echo "No email provided. Aborting."
+  exit 1
+fi
+sed -i '/^GEOPULSE_ADMIN_EMAIL=/d' /etc/geopulse/geopulse.env
+echo "GEOPULSE_ADMIN_EMAIL=${ADMIN_EMAIL}" >>/etc/geopulse/geopulse.env
+systemctl restart geopulse-backend
+echo "Admin email set to '${ADMIN_EMAIL}'. Register with this email in the GeoPulse UI to receive admin privileges."
+EOF
+chmod +x /usr/local/bin/create-geopulse-admin
+msg_ok "Created Admin Helper"
+
+motd_ssh
+customize
+cleanup_lxc

misc/alpine-install.func

@@ -135,10 +135,34 @@ network_check() {
   trap 'error_handler $LINENO "$BASH_COMMAND"' ERR
 }
 
-# This function updates the Container OS by running apt-get update and upgrade
+# This function updates the Container OS by running apk upgrade with mirror fallback
 update_os() {
   msg_info "Updating Container OS"
-  $STD apk -U upgrade
+  if ! $STD apk -U upgrade; then
+    msg_warn "apk update failed (dl-cdn.alpinelinux.org), trying alternate mirrors..."
+    local alpine_mirrors="mirror.init7.net ftp.halifax.rwth-aachen.de mirrors.edge.kernel.org alpine.mirror.wearetriple.com mirror.leaseweb.com uk.alpinelinux.org dl-2.alpinelinux.org dl-4.alpinelinux.org"
+    local apk_ok=false
+    for m in $(printf '%s\n' $alpine_mirrors | shuf); do
+      if timeout 2 bash -c "echo >/dev/tcp/$m/80" 2>/dev/null; then
+        msg_custom "${INFO}" "${YW}" "Attempting mirror: ${m}"
+        cat <<EOF >/etc/apk/repositories
+http://$m/alpine/latest-stable/main
+http://$m/alpine/latest-stable/community
+EOF
+        if $STD apk -U upgrade; then
+          msg_ok "CDN set to ${m}: tests passed"
+          apk_ok=true
+          break
+        else
+          msg_warn "Mirror ${m} failed"
+        fi
+      fi
+    done
+    if [[ "$apk_ok" != true ]]; then
+      msg_error "All Alpine mirrors failed. Check network or try again later."
+      exit 1
+    fi
+  fi
   local tools_content
   tools_content=$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/tools.func) || {
     msg_error "Failed to download tools.func"

misc/build.func

@@ -4088,8 +4088,31 @@ https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
 https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
 EOF'
     pct exec "$CTID" -- ash -c "apk add bash newt curl openssh nano mc ncurses jq" >>"$BUILD_LOG" 2>&1 || {
-      msg_error "Failed to install base packages in Alpine container"
-      install_exit_code=1
+      msg_warn "apk install failed (dl-cdn.alpinelinux.org), trying alternate mirrors..."
+      local alpine_exit=0
+      pct exec "$CTID" -- ash -c '
+        ALPINE_MIRRORS="mirror.init7.net ftp.halifax.rwth-aachen.de mirrors.edge.kernel.org alpine.mirror.wearetriple.com mirror.leaseweb.com uk.alpinelinux.org dl-2.alpinelinux.org dl-4.alpinelinux.org"
+        for m in $(printf "%s\n" $ALPINE_MIRRORS | shuf); do
+          if wget -q --spider --timeout=2 "http://$m/alpine/latest-stable/main/" 2>/dev/null; then
+            echo "  Attempting mirror: $m"
+            cat <<EOF >/etc/apk/repositories
+http://$m/alpine/latest-stable/main
+http://$m/alpine/latest-stable/community
+EOF
+            if apk update >/dev/null 2>&1 && apk add bash newt curl openssh nano mc ncurses jq >/dev/null 2>&1; then
+              echo "  CDN set to $m: tests passed"
+              exit 0
+            else
+              echo "  Mirror $m failed"
+            fi
+          fi
+        done
+        exit 2
+      ' && alpine_exit=0 || alpine_exit=$?
+      if [[ $alpine_exit -ne 0 ]]; then
+        msg_error "Failed to install base packages in Alpine container"
+        install_exit_code=1
+      fi
     }
   else
     sleep 3
@@ -4115,9 +4138,140 @@ EOF'
       msg_warn "Skipping timezone setup – zone '$tz' not found in container"
     fi
 
+    # Detect broken DNS resolver (e.g. Tailscale MagicDNS) and inject public DNS
+    if ! pct exec "$CTID" -- bash -c "getent hosts deb.debian.org >/dev/null 2>&1 && getent hosts archive.ubuntu.com >/dev/null 2>&1"; then
+      msg_warn "APT repository DNS resolution failed in container, injecting public DNS servers"
+      pct exec "$CTID" -- bash -c "echo -e 'nameserver 8.8.8.8\nnameserver 1.1.1.1' >/etc/resolv.conf"
+    fi
+
     pct exec "$CTID" -- bash -c "apt-get update 2>&1 && apt-get install -y sudo curl mc gnupg2 jq 2>&1" >>"$BUILD_LOG" 2>&1 || {
-      msg_error "apt-get base packages installation failed"
-      install_exit_code=1
+      local failed_mirror
+      failed_mirror=$(pct exec "$CTID" -- bash -c "grep -m1 -oP '(?<=URIs: https?://)[^/]+' /etc/apt/sources.list.d/debian.sources 2>/dev/null || grep -m1 -oP '(?<=deb https?://)[^/]+' /etc/apt/sources.list 2>/dev/null" 2>/dev/null || echo "unknown")
+      msg_warn "apt-get update failed (${failed_mirror}), trying alternate mirrors..."
+      local mirror_exit=0
+      pct exec "$CTID" -- bash -c '
+        APT_BASE="sudo curl mc gnupg2 jq"
+        DISTRO=$(. /etc/os-release 2>/dev/null && echo "$ID" || echo "debian")
+
+        if [ "$DISTRO" = "ubuntu" ]; then
+          EU_MIRRORS="de.archive.ubuntu.com fr.archive.ubuntu.com se.archive.ubuntu.com nl.archive.ubuntu.com it.archive.ubuntu.com ch.archive.ubuntu.com mirrors.xtom.de"
+          US_MIRRORS="us.archive.ubuntu.com archive.ubuntu.com mirrors.edge.kernel.org mirror.csclub.uwaterloo.ca mirrors.ocf.berkeley.edu mirror.math.princeton.edu"
+          AP_MIRRORS="au.archive.ubuntu.com jp.archive.ubuntu.com kr.archive.ubuntu.com tw.archive.ubuntu.com mirror.aarnet.edu.au"
+        else
+          EU_MIRRORS="ftp.de.debian.org ftp.fr.debian.org ftp.nl.debian.org ftp.uk.debian.org ftp.ch.debian.org ftp.se.debian.org ftp.it.debian.org ftp.fau.de ftp.halifax.rwth-aachen.de debian.mirror.lrz.de mirror.init7.net debian.ethz.ch mirrors.dotsrc.org debian.mirrors.ovh.net"
+          US_MIRRORS="ftp.us.debian.org ftp.ca.debian.org debian.csail.mit.edu mirrors.ocf.berkeley.edu mirrors.wikimedia.org debian.osuosl.org mirror.cogentco.com"
+          AP_MIRRORS="ftp.au.debian.org ftp.jp.debian.org ftp.tw.debian.org ftp.kr.debian.org ftp.hk.debian.org ftp.sg.debian.org mirror.aarnet.edu.au mirror.nitc.ac.in"
+        fi
+
+        TZ=$(cat /etc/timezone 2>/dev/null || echo "UTC")
+        case "$TZ" in
+          Europe/*|Arctic/*) REGIONAL="$EU_MIRRORS"; OTHERS="$US_MIRRORS $AP_MIRRORS" ;;
+          America/*) REGIONAL="$US_MIRRORS"; OTHERS="$EU_MIRRORS $AP_MIRRORS" ;;
+          Asia/*|Australia/*|Pacific/*) REGIONAL="$AP_MIRRORS"; OTHERS="$EU_MIRRORS $US_MIRRORS" ;;
+          *) REGIONAL=""; OTHERS="$EU_MIRRORS $US_MIRRORS $AP_MIRRORS" ;;
+        esac
+
+        echo "Acquire::By-Hash \"no\";" >/etc/apt/apt.conf.d/99no-by-hash
+
+        try_mirrors() {
+          for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
+            [ -f "$src" ] && sed -i "s|URIs: http[s]*://[^/]*/|URIs: http://${1}/|g; s|deb http[s]*://[^/]*/|deb http://${1}/|g" "$src"
+          done
+          rm -rf /var/lib/apt/lists/*
+          APT_OUT=$(apt-get update 2>&1)
+          APT_RC=$?
+          if echo "$APT_OUT" | grep -qi "hashsum\|hash sum"; then
+            echo "  Mirror $1 failed (hash mismatch)"
+            return 1
+          elif echo "$APT_OUT" | grep -qi "SSL\|certificate"; then
+            echo "  Mirror $1 failed (SSL/certificate error)"
+            return 1
+          elif [ $APT_RC -ne 0 ]; then
+            echo "  Mirror $1 failed (apt-get update error)"
+            return 1
+          elif apt-get install -y $APT_BASE >/dev/null 2>&1; then
+            echo "  CDN set to $1: tests passed"
+            return 0
+          else
+            echo "  Mirror $1 failed (package install error)"
+            return 1
+          fi
+        }
+
+        scan_reachable() {
+          local result=""
+          for m in $1; do
+            if timeout 2 bash -c "echo >/dev/tcp/$m/80" 2>/dev/null; then
+              result="$result $m"
+            fi
+          done
+          echo "$result" | xargs
+        }
+
+        # Phase 1: Scan global mirrors first (independent of local CDN issues)
+        OTHERS_OK=$(scan_reachable "$OTHERS")
+        OTHERS_PICK=$(printf "%s\n" $OTHERS_OK | shuf | head -3 | xargs)
+
+        for mirror in $OTHERS_PICK; do
+          echo "  Attempting mirror: $mirror"
+          try_mirrors "$mirror" && exit 0
+        done
+
+        # Phase 2: Try primary mirror
+        if [ "$DISTRO" = "ubuntu" ]; then
+          PRIMARY="archive.ubuntu.com"
+        else
+          PRIMARY="ftp.debian.org"
+        fi
+        if timeout 2 bash -c "echo >/dev/tcp/$PRIMARY/80" 2>/dev/null; then
+          echo "  Attempting mirror: $PRIMARY"
+          try_mirrors "$PRIMARY" && exit 0
+        fi
+
+        # Phase 3: Fall back to regional mirrors
+        REGIONAL_OK=$(scan_reachable "$REGIONAL")
+        REGIONAL_PICK=$(printf "%s\n" $REGIONAL_OK | shuf | head -3 | xargs)
+
+        for mirror in $REGIONAL_PICK; do
+          echo "  Attempting mirror: $mirror"
+          try_mirrors "$mirror" && exit 0
+        done
+
+        exit 2
+      ' && mirror_exit=0 || mirror_exit=$?
+      if [[ $mirror_exit -eq 2 ]]; then
+        msg_warn "Multiple mirrors failed (possible CDN synchronization issue)."
+        if [[ "$var_os" == "ubuntu" ]]; then
+          msg_warn "Find Ubuntu mirrors at: https://launchpad.net/ubuntu/+archivemirrors"
+        else
+          msg_warn "Find Debian mirrors at: https://www.debian.org/mirror/list"
+        fi
+        local custom_mirror=""
+        while true; do
+          read -rp "  Enter a mirror hostname (or 'skip' to abort): " custom_mirror </dev/tty
+          [[ -z "$custom_mirror" ]] && continue
+          [[ "$custom_mirror" == "skip" ]] && break
+          [[ ! "$custom_mirror" =~ ^[a-zA-Z0-9._-]+$ ]] && {
+            msg_warn "Invalid hostname format."
+            continue
+          }
+          pct exec "$CTID" -- bash -c "
+            for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
+              [ -f \"\$src\" ] && sed -i \"s|URIs: http[s]*://[^/]*/|URIs: http://${custom_mirror}/|g; s|deb http[s]*://[^/]*/|deb http://${custom_mirror}/|g\" \"\$src\"
+            done
+            rm -rf /var/lib/apt/lists/*
+            apt-get update >/dev/null 2>&1 && apt-get install -y sudo curl mc gnupg2 jq >/dev/null 2>&1
+          " && break
+          msg_warn "Mirror '${custom_mirror}' also failed. Try another or type 'skip'."
+        done
+        if [[ "$custom_mirror" == "skip" ]]; then
+          msg_error "apt-get base packages installation failed"
+          install_exit_code=1
+        fi
+      elif [[ $mirror_exit -ne 0 ]]; then
+        msg_error "apt-get base packages installation failed"
+        install_exit_code=1
+      fi
     }
   fi
 

misc/install.func

@@ -210,6 +210,173 @@ network_check() {
 # SECTION 3: OS UPDATE & PACKAGE MANAGEMENT
 # ==============================================================================
 
+# ------------------------------------------------------------------------------
+# apt_update_safe()
+#
+# - Runs apt-get update with CDN mirror fallback
+# - On failure, detects distro (Debian/Ubuntu) and tries alternate mirrors
+# - Three-phase approach: global mirrors → primary mirror → regional mirrors
+# - Falls back to manual user prompt if all auto mirrors fail
+# - Detects hash mismatch, SSL errors, and generic apt failures
+# ------------------------------------------------------------------------------
+apt_update_safe() {
+  if $STD apt-get update; then
+    return 0
+  fi
+
+  local failed_mirror
+  failed_mirror=$(grep -m1 -oP '(?<=URIs: https?://)[^/]+' /etc/apt/sources.list.d/debian.sources 2>/dev/null || grep -m1 -oP '(?<=deb https?://)[^/]+' /etc/apt/sources.list 2>/dev/null || echo "unknown")
+  msg_warn "apt-get update failed (${failed_mirror}), trying alternate mirrors..."
+
+  local distro
+  distro=$(. /etc/os-release 2>/dev/null && echo "$ID" || echo "debian")
+
+  local eu_mirrors us_mirrors ap_mirrors
+  if [[ "$distro" == "ubuntu" ]]; then
+    eu_mirrors="de.archive.ubuntu.com fr.archive.ubuntu.com se.archive.ubuntu.com nl.archive.ubuntu.com it.archive.ubuntu.com ch.archive.ubuntu.com mirrors.xtom.de"
+    us_mirrors="us.archive.ubuntu.com archive.ubuntu.com mirrors.edge.kernel.org mirror.csclub.uwaterloo.ca mirrors.ocf.berkeley.edu mirror.math.princeton.edu"
+    ap_mirrors="au.archive.ubuntu.com jp.archive.ubuntu.com kr.archive.ubuntu.com tw.archive.ubuntu.com mirror.aarnet.edu.au"
+  else
+    eu_mirrors="ftp.de.debian.org ftp.fr.debian.org ftp.nl.debian.org ftp.uk.debian.org ftp.ch.debian.org ftp.se.debian.org ftp.it.debian.org ftp.fau.de ftp.halifax.rwth-aachen.de debian.mirror.lrz.de mirror.init7.net debian.ethz.ch mirrors.dotsrc.org debian.mirrors.ovh.net"
+    us_mirrors="ftp.us.debian.org ftp.ca.debian.org debian.csail.mit.edu mirrors.ocf.berkeley.edu mirrors.wikimedia.org debian.osuosl.org mirror.cogentco.com"
+    ap_mirrors="ftp.au.debian.org ftp.jp.debian.org ftp.tw.debian.org ftp.kr.debian.org ftp.hk.debian.org ftp.sg.debian.org mirror.aarnet.edu.au mirror.nitc.ac.in"
+  fi
+
+  local tz regional others
+  tz=$(cat /etc/timezone 2>/dev/null || echo "UTC")
+  case "$tz" in
+  Europe/* | Arctic/*)
+    regional="$eu_mirrors"
+    others="$us_mirrors $ap_mirrors"
+    ;;
+  America/*)
+    regional="$us_mirrors"
+    others="$eu_mirrors $ap_mirrors"
+    ;;
+  Asia/* | Australia/* | Pacific/*)
+    regional="$ap_mirrors"
+    others="$eu_mirrors $us_mirrors"
+    ;;
+  *)
+    regional=""
+    others="$eu_mirrors $us_mirrors $ap_mirrors"
+    ;;
+  esac
+
+  echo 'Acquire::By-Hash "no";' >/etc/apt/apt.conf.d/99no-by-hash
+
+  _try_apt_mirror() {
+    local m=$1
+    for src in /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list; do
+      [[ -f "$src" ]] && sed -i "s|URIs: http[s]*://[^/]*/|URIs: http://${m}/|g; s|deb http[s]*://[^/]*/|deb http://${m}/|g" "$src"
+    done
+    rm -rf /var/lib/apt/lists/*
+    local out
+    out=$(apt-get update 2>&1)
+    if echo "$out" | grep -qi "hashsum\|hash sum"; then
+      msg_warn "Mirror ${m} failed (hash mismatch)"
+      return 1
+    elif echo "$out" | grep -qi "SSL\|certificate"; then
+      msg_warn "Mirror ${m} failed (SSL/certificate error)"
+      return 1
+    elif echo "$out" | grep -q "^E:"; then
+      msg_warn "Mirror ${m} failed (apt-get update error)"
+      return 1
+    else
+      msg_ok "CDN set to ${m}: tests passed"
+      return 0
+    fi
+  }
+
+  _scan_reachable() {
+    local result=""
+    for m in $1; do
+      if timeout 2 bash -c "echo >/dev/tcp/$m/80" 2>/dev/null; then
+        result="$result $m"
+      fi
+    done
+    echo "$result" | xargs
+  }
+
+  local apt_ok=false
+
+  # Phase 1: Scan global mirrors first (independent of local CDN issues)
+  local others_ok
+  others_ok=$(_scan_reachable "$others")
+  local others_pick
+  others_pick=$(printf '%s\n' $others_ok | shuf | head -3 | xargs)
+
+  for mirror in $others_pick; do
+    msg_custom "${INFO}" "${YW}" "Attempting mirror: ${mirror}"
+    if _try_apt_mirror "$mirror"; then
+      apt_ok=true
+      break
+    fi
+  done
+
+  # Phase 2: Try primary mirror
+  if [[ "$apt_ok" != true ]]; then
+    local primary
+    if [[ "$distro" == "ubuntu" ]]; then
+      primary="archive.ubuntu.com"
+    else
+      primary="ftp.debian.org"
+    fi
+    if timeout 2 bash -c "echo >/dev/tcp/$primary/80" 2>/dev/null; then
+      msg_custom "${INFO}" "${YW}" "Attempting mirror: ${primary}"
+      if _try_apt_mirror "$primary"; then
+        apt_ok=true
+      fi
+    fi
+  fi
+
+  # Phase 3: Fall back to regional mirrors
+  if [[ "$apt_ok" != true ]]; then
+    local regional_ok
+    regional_ok=$(_scan_reachable "$regional")
+    local regional_pick
+    regional_pick=$(printf '%s\n' $regional_ok | shuf | head -3 | xargs)
+
+    for mirror in $regional_pick; do
+      msg_custom "${INFO}" "${YW}" "Attempting mirror: ${mirror}"
+      if _try_apt_mirror "$mirror"; then
+        apt_ok=true
+        break
+      fi
+    done
+  fi
+
+  # Phase 4: All auto mirrors failed, prompt user
+  if [[ "$apt_ok" != true ]]; then
+    msg_warn "Multiple mirrors failed (possible CDN synchronization issue)."
+    if [[ "$distro" == "ubuntu" ]]; then
+      msg_warn "Find Ubuntu mirrors at: https://launchpad.net/ubuntu/+archivemirrors"
+    else
+      msg_warn "Find Debian mirrors at: https://www.debian.org/mirror/list"
+    fi
+    local custom_mirror
+    while true; do
+      read -rp "  Enter a mirror hostname (or 'skip' to abort): " custom_mirror </dev/tty
+      [[ -z "$custom_mirror" ]] && continue
+      [[ "$custom_mirror" == "skip" ]] && break
+      [[ ! "$custom_mirror" =~ ^[a-zA-Z0-9._-]+$ ]] && {
+        msg_warn "Invalid hostname format."
+        continue
+      }
+      if _try_apt_mirror "$custom_mirror"; then
+        apt_ok=true
+        break
+      fi
+      msg_warn "Mirror '${custom_mirror}' also failed. Try another or type 'skip'."
+    done
+  fi
+
+  if [[ "$apt_ok" != true ]]; then
+    msg_error "All mirrors failed. Check network or try again later."
+    return 1
+  fi
+}
+
 # ------------------------------------------------------------------------------
 # update_os()
 #