Update .app files (#13358)

Co-authored-by: GitHub Actions <github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -428,12 +428,28 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ## 2026-03-27
 
+### 🆕 New Scripts
+
+  - Matter-Server ([#13355](https://github.com/community-scripts/ProxmoxVE/pull/13355))
+- GeoPulse ([#13320](https://github.com/community-scripts/ProxmoxVE/pull/13320))
+
 ### 🚀 Updated Scripts
 
   - #### 🐞 Bug Fixes
 
     - RevealJS: Switch from gulp to vite [@tremor021](https://github.com/tremor021) ([#13336](https://github.com/community-scripts/ProxmoxVE/pull/13336))
 
+  - #### ✨ New Features
+
+    - Dispatcharr add custom Postgres port support for upgrade [@MickLesk](https://github.com/MickLesk) ([#13347](https://github.com/community-scripts/ProxmoxVE/pull/13347))
+    - Immich: bump to v2.6.3 [@MickLesk](https://github.com/MickLesk) ([#13324](https://github.com/community-scripts/ProxmoxVE/pull/13324))
+
+### 🧰 Tools
+
+  - #### ✨ New Features
+
+    - Refactor/Feature-Bump/Security: Update-Cron-LXCs (Now Local Mode!) [@MickLesk](https://github.com/MickLesk) ([#13339](https://github.com/community-scripts/ProxmoxVE/pull/13339))
+
 ## 2026-03-26
 
 ### 🆕 New Scripts

ct/dispatcharr.sh

@@ -70,7 +70,7 @@ function update_script() {
       source /opt/dispatcharr/.env
       set +o allexport
       if [[ -n "$POSTGRES_DB" ]] && [[ -n "$POSTGRES_USER" ]] && [[ -n "$POSTGRES_PASSWORD" ]]; then
-        PGPASSWORD=$POSTGRES_PASSWORD pg_dump -U $POSTGRES_USER -h ${POSTGRES_HOST:-localhost} $POSTGRES_DB >/tmp/dispatcharr_db_$(date +%F).sql
+        PGPASSWORD=$POSTGRES_PASSWORD pg_dump -U "$POSTGRES_USER" -h "${POSTGRES_HOST:-localhost}" -p "${POSTGRES_PORT:-5432}" "$POSTGRES_DB" >/tmp/dispatcharr_db_$(date +%F).sql
         msg_info "Database backup created"
       fi
     fi

ct/geopulse.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CrazyWolf13
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/tess1o/geopulse
+
+APP="GeoPulse"
+var_tags="${var_tags:-location;tracking;gps}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-1024}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /opt/geopulse/backend/geopulse-backend ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "geopulse-backend" "tess1o/geopulse"; then
+    msg_info "Stopping Service"
+    systemctl stop geopulse-backend
+    msg_ok "Stopped Service"
+
+    if [[ "$(uname -m)" == "aarch64" ]]; then
+      if grep -qi "raspberry\|bcm" /proc/cpuinfo 2>/dev/null; then
+        BINARY_PATTERN="geopulse-backend-native-arm64-compat-*"
+      else
+        BINARY_PATTERN="geopulse-backend-native-arm64-[!c]*"
+      fi
+    else
+      if grep -q avx2 /proc/cpuinfo && grep -q bmi2 /proc/cpuinfo && grep -q fma /proc/cpuinfo; then
+        BINARY_PATTERN="geopulse-backend-native-amd64-[!c]*"
+      else
+        BINARY_PATTERN="geopulse-backend-native-amd64-compat-*"
+      fi
+    fi
+
+    fetch_and_deploy_gh_release "geopulse-backend" "tess1o/geopulse" "singlefile" "latest" "/opt/geopulse/backend" "${BINARY_PATTERN}"
+    fetch_and_deploy_gh_release "geopulse-frontend" "tess1o/geopulse" "prebuild" "latest" "/var/www/geopulse" "geopulse-frontend-*.tar.gz"
+
+    msg_info "Starting Service"
+    systemctl start geopulse-backend
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"
+echo -e "${INFO}${YW} To create an admin account, run:${CL}"
+echo -e "${TAB}${BGN}/usr/local/bin/create-geopulse-admin${CL}"

ct/headers/geopulse

@@ -0,0 +1,6 @@
+   ______           ____        __        
+  / ____/__  ____  / __ \__  __/ /_______ 
+ / / __/ _ \/ __ \/ /_/ / / / / / ___/ _ \
+/ /_/ /  __/ /_/ / ____/ /_/ / (__  )  __/
+\____/\___/\____/_/    \__,_/_/____/\___/ 
+                                          

ct/headers/matter-server

@@ -0,0 +1,6 @@
+    __  ___      __  __                 _____                          
+   /  |/  /___ _/ /_/ /____  _____     / ___/___  ______   _____  _____
+  / /|_/ / __ `/ __/ __/ _ \/ ___/_____\__ \/ _ \/ ___/ | / / _ \/ ___/
+ / /  / / /_/ / /_/ /_/  __/ /  /_____/__/ /  __/ /   | |/ /  __/ /    
+/_/  /_/\__,_/\__/\__/\___/_/        /____/\___/_/    |___/\___/_/     
+                                                                       

ct/immich.sh

@@ -109,7 +109,7 @@ EOF
     msg_ok "Image-processing libraries up to date"
   fi
 
-  RELEASE="v2.6.2"
+  RELEASE="v2.6.3"
   if check_for_gh_release "Immich" "immich-app/immich" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
     if [[ $(cat ~/.immich) > "2.5.1" ]]; then
       msg_info "Enabling Maintenance Mode"

ct/matter-server.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/matter-js/python-matter-server
+
+APP="Matter-Server"
+var_tags="${var_tags:-matter;iot;smart-home}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-4}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/matter-server ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "matter-server" "matter-js/python-matter-server"; then
+    msg_info "Stopping Service"
+    systemctl stop matter-server
+    msg_ok "Stopped Service"
+
+    msg_info "Updating Matter Server"
+    MATTER_VERSION=$(get_latest_github_release "matter-js/python-matter-server")
+    $STD uv pip install --python /opt/matter-server/.venv/bin/python --upgrade "python-matter-server[server]==${MATTER_VERSION}"
+    echo "${MATTER_VERSION}" >~/.matter-server
+    msg_ok "Updated Matter Server"
+
+    fetch_and_deploy_gh_release "chip-ota-provider-app" "home-assistant-libs/matter-linux-ota-provider" "singlefile" "latest" "/usr/local/bin" "chip-ota-provider-app-x86-64"
+
+    msg_info "Starting Service"
+    systemctl start matter-server
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Matter Server WebSocket API is running on port 5580.${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}ws://${IP}:5580/ws${CL}"

ct/nginxproxymanager.sh

@@ -28,11 +28,6 @@ function update_script() {
     exit
   fi
 
-  if [[ $(grep -E '^VERSION_ID=' /etc/os-release) == *"12"* ]]; then
-    msg_error "Wrong Debian version detected!"
-    msg_error "Please create a snapshot first. You must upgrade your LXC to Debian Trixie before updating. Visit: https://github.com/community-scripts/ProxmoxVE/discussions/7489"
-    exit
-  fi
 
   if command -v node &>/dev/null; then
     CURRENT_NODE_VERSION=$(node --version | cut -d'v' -f2 | cut -d'.' -f1)

install/geopulse-install.sh

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CrazyWolf13
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/tess1o/geopulse
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  openssl \
+  nginx
+msg_ok "Installed Dependencies"
+
+PG_VERSION="17" PG_MODULES="postgis" setup_postgresql
+PG_DB_NAME="geopulse" PG_DB_USER="geopulse" PG_DB_EXTENSIONS="postgis,postgis_topology" setup_postgresql_db
+
+msg_info "Generating Security Keys"
+mkdir -p /opt/geopulse/{backend,keys}
+mkdir -p /etc/geopulse /var/www/geopulse /var/lib/geopulse/dumps
+mkdir -p /var/log/geopulse/{backend,nginx}
+openssl genpkey -algorithm RSA -out /opt/geopulse/keys/jwt-private-key.pem 2>/dev/null
+openssl rsa -pubout -in /opt/geopulse/keys/jwt-private-key.pem -out /opt/geopulse/keys/jwt-public-key.pem 2>/dev/null
+openssl rand -base64 32 >/opt/geopulse/keys/ai-encryption-key.txt
+chmod 640 /opt/geopulse/keys/jwt-private-key.pem /opt/geopulse/keys/jwt-public-key.pem /opt/geopulse/keys/ai-encryption-key.txt
+msg_ok "Generated Security Keys"
+
+if [[ "$(uname -m)" == "aarch64" ]]; then
+  if grep -qi "raspberry\|bcm" /proc/cpuinfo 2>/dev/null; then
+    BINARY_PATTERN="geopulse-backend-native-arm64-compat-*"
+  else
+    BINARY_PATTERN="geopulse-backend-native-arm64-[!c]*"
+  fi
+else
+  if grep -q avx2 /proc/cpuinfo && grep -q bmi2 /proc/cpuinfo && grep -q fma /proc/cpuinfo; then
+    BINARY_PATTERN="geopulse-backend-native-amd64-[!c]*"
+  else
+    BINARY_PATTERN="geopulse-backend-native-amd64-compat-*"
+  fi
+fi
+
+fetch_and_deploy_gh_release "geopulse-backend" "tess1o/geopulse" "singlefile" "latest" "/opt/geopulse/backend" "${BINARY_PATTERN}"
+fetch_and_deploy_gh_release "geopulse-frontend" "tess1o/geopulse" "prebuild" "latest" "/var/www/geopulse" "geopulse-frontend-*.tar.gz"
+
+msg_info "Configuring GeoPulse"
+cat <<EOF >/etc/geopulse/geopulse.env
+GEOPULSE_PUBLIC_BASE_URL=http://${LOCAL_IP}
+GEOPULSE_UI_URL=http://${LOCAL_IP}
+GEOPULSE_CORS_ENABLED=false
+GEOPULSE_CORS_ORIGINS=
+QUARKUS_HTTP_PORT=8080
+GEOPULSE_POSTGRES_URL=jdbc:postgresql://localhost:5432/${PG_DB_NAME}
+GEOPULSE_POSTGRES_HOST=localhost
+GEOPULSE_POSTGRES_PORT=5432
+GEOPULSE_POSTGRES_DB=${PG_DB_NAME}
+GEOPULSE_POSTGRES_USERNAME=${PG_DB_USER}
+GEOPULSE_POSTGRES_PASSWORD=${PG_DB_PASS}
+GEOPULSE_JWT_PRIVATE_KEY_LOCATION=file:/opt/geopulse/keys/jwt-private-key.pem
+GEOPULSE_JWT_PUBLIC_KEY_LOCATION=file:/opt/geopulse/keys/jwt-public-key.pem
+GEOPULSE_AI_ENCRYPTION_KEY_LOCATION=file:/opt/geopulse/keys/ai-encryption-key.txt
+QUARKUS_LOG_FILE_ENABLE=true
+QUARKUS_LOG_FILE_PATH=/var/log/geopulse/backend/geopulse.log
+QUARKUS_LOG_FILE_ROTATION_MAX_FILE_SIZE=10M
+QUARKUS_LOG_FILE_ROTATION_MAX_BACKUP_INDEX=5
+EOF
+chmod 640 /etc/geopulse/geopulse.env
+msg_ok "Configured GeoPulse"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/geopulse-backend.service
+[Unit]
+Description=GeoPulse Backend
+After=network.target postgresql.service
+Wants=postgresql.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/geopulse/backend
+EnvironmentFile=/etc/geopulse/geopulse.env
+ExecStart=/opt/geopulse/backend/geopulse-backend -Dquarkus.http.host=0.0.0.0 -XX:MaximumHeapSizePercent=70 -XX:MaximumYoungGenerationSizePercent=15
+Restart=on-failure
+RestartSec=10
+StandardOutput=append:/var/log/geopulse/backend/geopulse-stdout.log
+StandardError=append:/var/log/geopulse/backend/geopulse-stderr.log
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now geopulse-backend
+msg_ok "Created Service"
+
+msg_info "Configuring Nginx"
+mkdir -p /var/cache/nginx/osm_tiles
+cat <<'EOF' >/etc/nginx/sites-available/geopulse.conf
+proxy_cache_path /var/cache/nginx/osm_tiles levels=1:2 keys_zone=osm_cache:100m max_size=10g inactive=30d use_temp_path=off;
+
+map $uri $osm_subdomain {
+    ~^/osm/tiles/a/ "a";
+    ~^/osm/tiles/b/ "b";
+    ~^/osm/tiles/c/ "c";
+    default "a";
+}
+
+server {
+    listen 80;
+    server_name _;
+
+    root /var/www/geopulse;
+    index index.html;
+
+    client_max_body_size 100M;
+
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_comp_level 6;
+    gzip_min_length 1000;
+
+    location ~* ^/(?!osm/).*\.(jpg|jpeg|png|gif|ico|css|js)$ {
+        expires 1y;
+        add_header Cache-Control "public, max-age=31536000";
+    }
+
+    location ^~ /osm/tiles/ {
+        resolver 8.8.8.8 valid=300s;
+        resolver_timeout 10s;
+        rewrite ^/osm/tiles/[abc]/(.*)$ /$1 break;
+        proxy_pass https://$osm_subdomain.tile.openstreetmap.org;
+        proxy_cache osm_cache;
+        proxy_cache_key "$scheme$proxy_host$uri";
+        proxy_cache_valid 200 30d;
+        proxy_cache_valid 404 1m;
+        proxy_cache_valid 502 503 504 1m;
+        proxy_ignore_headers Cache-Control Expires Set-Cookie;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        proxy_cache_background_update on;
+        proxy_cache_lock on;
+        proxy_set_header Cookie "";
+        proxy_set_header Authorization "";
+        proxy_set_header User-Agent "GeoPulse/1.0";
+        proxy_set_header Host $osm_subdomain.tile.openstreetmap.org;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_connect_timeout 10s;
+        proxy_read_timeout 10s;
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        add_header X-Cache-Status $upstream_cache_status always;
+    }
+
+    location /api/ {
+        proxy_pass http://localhost:8080/api/;
+        proxy_connect_timeout 3600s;
+        proxy_send_timeout 3600s;
+        proxy_read_timeout 3600s;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    access_log /var/log/geopulse/nginx/access.log;
+    error_log /var/log/geopulse/nginx/error.log;
+}
+EOF
+ln -sf /etc/nginx/sites-available/geopulse.conf /etc/nginx/sites-enabled/
+rm -f /etc/nginx/sites-enabled/default
+systemctl enable -q --now nginx
+systemctl reload nginx
+msg_ok "Configured Nginx"
+
+msg_info "Creating Admin Helper"
+cat <<'EOF' >/usr/local/bin/create-geopulse-admin
+#!/usr/bin/env bash
+read -rp "Enter admin email address: " ADMIN_EMAIL
+if [[ -z "$ADMIN_EMAIL" ]]; then
+  echo "No email provided. Aborting."
+  exit 1
+fi
+sed -i '/^GEOPULSE_ADMIN_EMAIL=/d' /etc/geopulse/geopulse.env
+echo "GEOPULSE_ADMIN_EMAIL=${ADMIN_EMAIL}" >>/etc/geopulse/geopulse.env
+systemctl restart geopulse-backend
+echo "Admin email set to '${ADMIN_EMAIL}'. Register with this email in the GeoPulse UI to receive admin privileges."
+EOF
+chmod +x /usr/local/bin/create-geopulse-admin
+msg_ok "Created Admin Helper"
+
+motd_ssh
+customize
+cleanup_lxc

install/immich-install.sh

@@ -295,7 +295,7 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 
-fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.6.2" "$SRC_DIR"
+fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.6.3" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 

install/matter-server-install.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/matter-js/python-matter-server
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  libuv1 \
+  libjson-c5 \
+  libnl-3-200 \
+  libnl-route-3-200 \
+  iputils-ping \
+  iproute2
+msg_ok "Installed Dependencies"
+
+UV_PYTHON="3.12" setup_uv
+
+msg_info "Setting up Matter Server"
+mkdir -p /opt/matter-server/data/credentials
+if [ -L /data ]; then
+  rm -f /data
+fi
+if [ ! -e /data ]; then
+  ln -s /opt/matter-server/data /data
+fi
+$STD uv venv /opt/matter-server/.venv
+MATTER_VERSION=$(get_latest_github_release "matter-js/python-matter-server")
+$STD uv pip install --python /opt/matter-server/.venv/bin/python "python-matter-server[server]==${MATTER_VERSION}"
+echo "${MATTER_VERSION}" >~/.matter-server
+msg_ok "Set up Matter Server"
+
+fetch_and_deploy_gh_release "chip-ota-provider-app" "home-assistant-libs/matter-linux-ota-provider" "singlefile" "latest" "/usr/local/bin" "chip-ota-provider-app-x86-64"
+
+msg_info "Configuring Network"
+cat <<EOF >/etc/sysctl.d/99-matter.conf
+net.ipv4.igmp_max_memberships=1024
+EOF
+$STD sysctl -p /etc/sysctl.d/99-matter.conf
+msg_ok "Configured Network"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/matter-server.service
+[Unit]
+Description=Matter Server
+After=network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/opt/matter-server/.venv/bin/matter-server --storage-path /data --paa-root-cert-dir /data/credentials
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now matter-server
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

tools/pve/cron-update-lxcs.sh

@@ -1,11 +1,24 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2021-2026 tteck
-# Author: tteck (tteckster)
-# License: MIT
-# https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+#
+# This script manages a local cron job for automatic LXC container OS updates.
+# The update script is downloaded once, displayed for review, and installed
+# locally. Cron runs the local copy — no remote code execution at runtime.
+#
 # bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/tools/pve/cron-update-lxcs.sh)"
 
+set -euo pipefail
+
+REPO_URL="https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main"
+SCRIPT_URL="${REPO_URL}/tools/pve/update-lxcs-cron.sh"
+LOCAL_SCRIPT="/usr/local/bin/update-lxcs.sh"
+CONF_FILE="/etc/update-lxcs.conf"
+LOG_FILE="/var/log/update-lxcs-cron.log"
+CRON_ENTRY="0 0 * * 0 ${LOCAL_SCRIPT} >>${LOG_FILE} 2>&1"
+
 clear
 cat <<"EOF"
    ______                    __  __          __      __          __   _  ________
@@ -16,41 +29,322 @@ cat <<"EOF"
                               /_/
 EOF
 
-add() {
+info() { echo -e "\n \e[36m[Info]\e[0m $1"; }
+ok() { echo -e " \e[32m[OK]\e[0m $1"; }
+err() { echo -e " \e[31m[Error]\e[0m $1" >&2; }
+
+confirm() {
+  local prompt="${1:-Proceed?}"
   while true; do
-    read -p "This script will add a crontab schedule that updates all LXCs every Sunday at midnight. Proceed(y/n)?" yn
+    read -rp " ${prompt} (y/n): " yn
     case $yn in
-    [Yy]*) break ;;
-    [Nn]*) exit ;;
-    *) echo "Please answer yes or no." ;;
+    [Yy]*) return 0 ;;
+    [Nn]*) return 1 ;;
+    *) echo "  Please answer yes or no." ;;
     esac
   done
-  sh -c '(crontab -l -u root 2>/dev/null; echo "0 0 * * 0 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /bin/bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/tools/pve/update-lxcs-cron.sh)\" >>/var/log/update-lxcs-cron.log 2>/dev/null") | crontab -u root -'
-  clear
-  echo -e "\n To view Cron Update LXCs logs: cat /var/log/update-lxcs-cron.log"
+}
+
+download_script() {
+  local tmp
+  tmp=$(mktemp)
+  if ! curl -fsSL -o "$tmp" "$SCRIPT_URL"; then
+    err "Failed to download script from:\n  ${SCRIPT_URL}"
+    rm -f "$tmp"
+    return 1
+  fi
+  echo "$tmp"
+}
+
+review_script() {
+  local file="$1"
+  local hash
+  hash=$(sha256sum "$file" | awk '{print $1}')
+  echo ""
+  echo -e " \e[1;33m─── Script Content ───────────────────────────────────────────\e[0m"
+  cat "$file"
+  echo -e " \e[1;33m──────────────────────────────────────────────────────────────\e[0m"
+  echo -e " \e[36mSHA256:\e[0m ${hash}"
+  echo -e " \e[36mSource:\e[0m ${SCRIPT_URL}"
+  echo ""
+}
+
+remove_legacy_cron() {
+  if crontab -l -u root 2>/dev/null | grep -q "update-lxcs-cron.sh"; then
+    (crontab -l -u root 2>/dev/null | grep -v "update-lxcs-cron.sh") | crontab -u root -
+    ok "Removed legacy curl-based cron entry"
+  fi
+}
+
+add() {
+  info "Downloading update script..."
+  local tmp
+  tmp=$(download_script) || exit 1
+
+  local hash
+  hash=$(sha256sum "$tmp" | awk '{print $1}')
+  echo ""
+  echo -e " \e[1;33m─── Installation Summary ─────────────────────────────────────\e[0m"
+  echo -e " \e[36mSource:\e[0m       ${SCRIPT_URL}"
+  echo -e " \e[36mSHA256:\e[0m       ${hash}"
+  echo -e " \e[36mInstall to:\e[0m   ${LOCAL_SCRIPT}"
+  echo -e " \e[36mConfig:\e[0m       ${CONF_FILE}"
+  echo -e " \e[36mLog file:\e[0m     ${LOG_FILE}"
+  echo -e " \e[36mCron schedule:\e[0m Every Sunday at midnight (0 0 * * 0)"
+  echo -e " \e[1;33m──────────────────────────────────────────────────────────────\e[0m"
+  echo ""
+
+  if confirm "Review script content before installing?"; then
+    review_script "$tmp"
+  fi
+
+  if ! confirm "Install this script and activate cron schedule?"; then
+    rm -f "$tmp"
+    echo " Aborted."
+    exit 0
+  fi
+
+  remove_legacy_cron
+
+  install -m 0755 "$tmp" "$LOCAL_SCRIPT"
+  rm -f "$tmp"
+  ok "Installed script to ${LOCAL_SCRIPT}"
+
+  if [[ ! -f "$CONF_FILE" ]]; then
+    cat >"$CONF_FILE" <<'CONF'
+# Configuration for automatic LXC container OS updates.
+# Add container IDs to exclude from updates (comma-separated):
+# EXCLUDE=100,101,102
+EXCLUDE=
+CONF
+    ok "Created config ${CONF_FILE}"
+  fi
+
+  (
+    crontab -l -u root 2>/dev/null | grep -v "${LOCAL_SCRIPT}" || true
+    echo "${CRON_ENTRY}"
+  ) | crontab -u root -
+  ok "Added cron schedule: Every Sunday at midnight"
+  echo ""
+  echo -e " \e[36mLocal script:\e[0m ${LOCAL_SCRIPT}"
+  echo -e " \e[36mConfig:\e[0m      ${CONF_FILE}"
+  echo -e " \e[36mLog file:\e[0m    ${LOG_FILE}"
+  echo ""
 }
 
 remove() {
-  (crontab -l | grep -v "update-lxcs-cron.sh") | crontab -
-  rm -rf /var/log/update-lxcs-cron.log
-  echo "Removed Crontab Schedule from Proxmox VE"
+  if crontab -l -u root 2>/dev/null | grep -q "${LOCAL_SCRIPT}"; then
+    (crontab -l -u root 2>/dev/null | grep -v "${LOCAL_SCRIPT}") | crontab -u root -
+    ok "Removed cron schedule"
+  fi
+  remove_legacy_cron
+  [[ -f "$LOCAL_SCRIPT" ]] && rm -f "$LOCAL_SCRIPT" && ok "Removed ${LOCAL_SCRIPT}"
+  [[ -f "$LOG_FILE" ]] && rm -f "$LOG_FILE" && ok "Removed ${LOG_FILE}"
+  echo -e "\n Cron Update LXCs has been fully removed."
+  echo -e " \e[90mNote: ${CONF_FILE} was kept (remove manually if desired).\e[0m"
 }
 
-OPTIONS=(Add "Add Crontab Schedule"
-  Remove "Remove Crontab Schedule")
+update_script() {
+  if [[ ! -f "$LOCAL_SCRIPT" ]]; then
+    err "No local script found at ${LOCAL_SCRIPT}. Use 'Add' first."
+    exit 1
+  fi
 
-CHOICE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Cron Update LXCs" --menu "Select an option:" 10 58 2 \
-  "${OPTIONS[@]}" 3>&1 1>&2 2>&3)
+  info "Downloading latest version..."
+  local tmp
+  tmp=$(download_script) || exit 1
+
+  if command -v diff &>/dev/null; then
+    local changes
+    changes=$(diff --color=auto "$LOCAL_SCRIPT" "$tmp" 2>/dev/null || true)
+    if [[ -z "$changes" ]]; then
+      ok "Script is already up-to-date (no changes)."
+      rm -f "$tmp"
+      return
+    fi
+    echo ""
+    echo -e " \e[1;33m─── Changes ──────────────────────────────────────────────────\e[0m"
+    echo "$changes"
+    echo -e " \e[1;33m──────────────────────────────────────────────────────────────\e[0m"
+  else
+    review_script "$tmp"
+  fi
+
+  local new_hash old_hash
+  new_hash=$(sha256sum "$tmp" | awk '{print $1}')
+  old_hash=$(sha256sum "$LOCAL_SCRIPT" | awk '{print $1}')
+  echo -e " \e[36mCurrent SHA256:\e[0m ${old_hash}"
+  echo -e " \e[36mNew SHA256:\e[0m     ${new_hash}"
+  echo ""
+
+  if ! confirm "Apply update?"; then
+    rm -f "$tmp"
+    echo " Aborted."
+    return
+  fi
+
+  install -m 0755 "$tmp" "$LOCAL_SCRIPT"
+  rm -f "$tmp"
+  ok "Updated ${LOCAL_SCRIPT}"
+}
+
+view_script() {
+  if [[ ! -f "$LOCAL_SCRIPT" ]]; then
+    err "No local script found at ${LOCAL_SCRIPT}. Use 'Add' first."
+    exit 1
+  fi
+
+  local view_choice
+  view_choice=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "View Script" --menu "What do you want to view?" 12 60 3 \
+    "Worker" "Installed update script (${LOCAL_SCRIPT##*/})" \
+    "Cron" "Cron schedule & configuration" \
+    "Both" "Show everything" \
+    3>&1 1>&2 2>&3) || return 0
+
+  case "$view_choice" in
+  "Worker") view_worker_script ;;
+  "Cron") view_cron_config ;;
+  "Both") view_cron_config && echo "" && view_worker_script ;;
+  esac
+}
+
+view_worker_script() {
+  local hash
+  hash=$(sha256sum "$LOCAL_SCRIPT" | awk '{print $1}')
+  echo ""
+  echo -e " \e[1;33m─── ${LOCAL_SCRIPT} ───\e[0m"
+  cat "$LOCAL_SCRIPT"
+  echo -e " \e[1;33m──────────────────────────────────────────────────────────────\e[0m"
+  echo -e " \e[36mSHA256:\e[0m    ${hash}"
+  echo -e " \e[36mInstalled:\e[0m $(stat -c '%y' "$LOCAL_SCRIPT" 2>/dev/null | cut -d. -f1)"
+  echo ""
+}
+
+view_cron_config() {
+  echo ""
+  echo -e " \e[1;33m─── Cron Configuration ───────────────────────────────────────\e[0m"
+  if crontab -l -u root 2>/dev/null | grep -q "${LOCAL_SCRIPT}"; then
+    local entry
+    entry=$(crontab -l -u root 2>/dev/null | grep "${LOCAL_SCRIPT}")
+    echo -e " \e[36mCron entry:\e[0m  ${entry}"
+    local schedule
+    schedule=$(echo "$entry" | awk '{print $1,$2,$3,$4,$5}')
+    echo -e " \e[36mSchedule:\e[0m    ${schedule} ($(cron_to_human "$schedule"))"
+  else
+    echo -e " \e[31mCron:\e[0m        Not configured"
+  fi
+  if [[ -f "$CONF_FILE" ]]; then
+    echo -e " \e[36mConfig file:\e[0m ${CONF_FILE}"
+    local excludes
+    excludes=$(grep -oP '^\s*EXCLUDE\s*=\s*\K.*' "$CONF_FILE" 2>/dev/null || true)
+    echo -e " \e[36mExcluded:\e[0m    ${excludes:-(none)}"
+    echo ""
+    echo -e " \e[90m--- ${CONF_FILE} ---\e[0m"
+    cat "$CONF_FILE"
+  else
+    echo -e " \e[36mConfig file:\e[0m (not created yet)"
+  fi
+  if [[ -f "$LOG_FILE" ]]; then
+    local log_size
+    log_size=$(du -h "$LOG_FILE" | awk '{print $1}')
+    echo -e " \e[36mLog file:\e[0m    ${LOG_FILE} (${log_size})"
+  fi
+  echo -e " \e[1;33m──────────────────────────────────────────────────────────────\e[0m"
+  echo ""
+}
+
+cron_to_human() {
+  local schedule="$1"
+  case "$schedule" in
+  "0 0 * * 0") echo "Every Sunday at midnight" ;;
+  "0 0 * * *") echo "Daily at midnight" ;;
+  "0 * * * *") echo "Every hour" ;;
+  *) echo "Custom schedule" ;;
+  esac
+}
+
+show_status() {
+  echo ""
+  if [[ -f "$LOCAL_SCRIPT" ]]; then
+    local hash
+    hash=$(sha256sum "$LOCAL_SCRIPT" | awk '{print $1}')
+    ok "Script installed: ${LOCAL_SCRIPT}"
+    echo -e "   \e[36mSHA256:\e[0m    ${hash}"
+    echo -e "   \e[36mInstalled:\e[0m $(stat -c '%y' "$LOCAL_SCRIPT" 2>/dev/null | cut -d. -f1)"
+  else
+    err "Script not installed"
+  fi
+
+  if crontab -l -u root 2>/dev/null | grep -q "${LOCAL_SCRIPT}"; then
+    local schedule
+    schedule=$(crontab -l -u root 2>/dev/null | grep "${LOCAL_SCRIPT}" | awk '{print $1,$2,$3,$4,$5}')
+    ok "Cron active: ${schedule}"
+  else
+    err "Cron not configured"
+  fi
+
+  if [[ -f "$CONF_FILE" ]]; then
+    local excludes
+    excludes=$(grep -oP '^\s*EXCLUDE\s*=\s*\K.*' "$CONF_FILE" 2>/dev/null || echo "(none)")
+    echo -e "   \e[36mExcluded:\e[0m  ${excludes:-"(none)"}"
+  fi
+
+  if [[ -f "$LOG_FILE" ]]; then
+    local log_size last_run
+    log_size=$(du -h "$LOG_FILE" | awk '{print $1}')
+    last_run=$(grep -oP '^\s+\K\w.*' "$LOG_FILE" | tail -1)
+    echo -e "   \e[36mLog file:\e[0m  ${LOG_FILE} (${log_size})"
+    [[ -n "${last_run:-}" ]] && echo -e "   \e[36mLast run:\e[0m  ${last_run}"
+  else
+    echo -e "   \e[36mLog file:\e[0m  (no runs yet)"
+  fi
+  echo ""
+}
+
+run_now() {
+  if [[ ! -f "$LOCAL_SCRIPT" ]]; then
+    err "No local script found at ${LOCAL_SCRIPT}. Use 'Add' first."
+    exit 1
+  fi
+  info "Running update script now..."
+  bash "$LOCAL_SCRIPT" | tee -a "$LOG_FILE"
+  ok "Run completed. Log appended to ${LOG_FILE}"
+}
+
+rotate_log() {
+  if [[ ! -f "$LOG_FILE" ]]; then
+    info "No log file to rotate."
+    return
+  fi
+  local log_size
+  log_size=$(stat -c '%s' "$LOG_FILE" 2>/dev/null || echo 0)
+  local log_size_h
+  log_size_h=$(du -h "$LOG_FILE" | awk '{print $1}')
+  if confirm "Rotate log file? (current size: ${log_size_h})"; then
+    mv "$LOG_FILE" "${LOG_FILE}.old"
+    ok "Rotated: ${LOG_FILE} → ${LOG_FILE}.old"
+  fi
+}
+
+OPTIONS=(
+  Add "Download, review & install cron schedule"
+  Remove "Remove cron schedule & local script"
+  Update "Update local script from repository"
+  Status "Show installation status & last run"
+  Run "Run update script now (manual trigger)"
+  View "View cron config & installed script"
+  Rotate "Rotate log file"
+)
+
+CHOICE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Cron Update LXCs" --menu "Select an option:" 16 68 7 \
+  "${OPTIONS[@]}" 3>&1 1>&2 2>&3) || exit 0
 
 case $CHOICE in
-"Add")
-  add
-  ;;
-"Remove")
-  remove
-  ;;
-*)
-  echo "Exiting..."
-  exit 0
-  ;;
+"Add") add ;;
+"Remove") remove ;;
+"Update") update_script ;;
+"Status") show_status ;;
+"Run") run_now ;;
+"View") view_script ;;
+"Rotate") rotate_log ;;
 esac

tools/pve/update-lxcs-cron.sh

@@ -1,23 +1,43 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2021-2026 tteck
-# Author: tteck (tteckster)
-# License: MIT
-# https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+#
+# This script is installed locally by cron-update-lxcs.sh and executed
+# by cron. It updates all LXC containers using their native package manager.
+
+CONF_FILE="/etc/update-lxcs.conf"
 
 echo -e "\n $(date)"
+
+# Collect excluded containers from arguments
 excluded_containers=("$@")
+
+# Merge exclusions from config file if it exists
+if [[ -f "$CONF_FILE" ]]; then
+  conf_exclude=$(grep -oP '^\s*EXCLUDE\s*=\s*\K[0-9,]+' "$CONF_FILE" 2>/dev/null || true)
+  IFS=',' read -ra conf_ids <<<"$conf_exclude"
+  for id in "${conf_ids[@]}"; do
+    id="${id// /}"
+    [[ -n "$id" ]] && excluded_containers+=("$id")
+  done
+fi
+
 function update_container() {
-  container=$1
-  name=$(pct exec "$container" hostname)
-  echo -e "\n [Info] Updating $container : $name \n"
+  local container=$1
+  local name
+  name=$(pct exec "$container" hostname 2>/dev/null || echo "unknown")
+  local os
   os=$(pct config "$container" | awk '/^ostype/ {print $2}')
+  echo -e "\n [Info] Updating $container : $name (os: $os)"
   case "$os" in
   alpine) pct exec "$container" -- ash -c "apk -U upgrade" ;;
   archlinux) pct exec "$container" -- bash -c "pacman -Syyu --noconfirm" ;;
   fedora | rocky | centos | alma) pct exec "$container" -- bash -c "dnf -y update && dnf -y upgrade" ;;
-  ubuntu | debian | devuan) pct exec "$container" -- bash -c "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confold" dist-upgrade -y; rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED" ;;
+  ubuntu | debian | devuan) pct exec "$container" -- bash -c "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::='--force-confold' dist-upgrade -y; rm -rf /usr/lib/python3.*/EXTERNALLY-MANAGED" ;;
   opensuse) pct exec "$container" -- bash -c "zypper ref && zypper --non-interactive dup" ;;
+  *) echo " [Warn] Unknown OS type '$os' for container $container, skipping" ;;
   esac
 }
 
@@ -34,16 +54,19 @@ for container in $(pct list | awk '{if(NR>1) print $1}'); do
     sleep 1
   else
     status=$(pct status "$container")
-    template=$(pct config "$container" | grep -q "template:" && echo "true" || echo "false")
-    if [ "$template" == "false" ] && [ "$status" == "status: stopped" ]; then
+    if pct config "$container" 2>/dev/null | grep -q "^template:"; then
+      echo -e "[Info] Skipping template $container"
+      continue
+    fi
+    if [ "$status" == "status: stopped" ]; then
       echo -e "[Info] Starting $container"
       pct start "$container"
       sleep 5
-      update_container "$container"
+      update_container "$container" || echo " [Error] Update failed for $container"
       echo -e "[Info] Shutting down $container"
-      pct shutdown "$container" &
+      pct shutdown "$container" --timeout 60 &
     elif [ "$status" == "status: running" ]; then
-      update_container "$container"
+      update_container "$container" || echo " [Error] Update failed for $container"
     fi
   fi
 done