Update CHANGELOG.md

addons: Filebrowser & Filebrowser-Quantum get warning if host install (#13639 )
* fix(filebrowser-quantum): warn when addon is run directly on Proxmox host Detect /etc/pve and show a clear warning with link to the recommended LXC installer. User must explicitly confirm to continue on the host, addressing the size calculation and indexing issues reported in gtsteffaniak/filebrowser#1893. Closes #13636 * fix(filebrowser): improve host warning text and add to filebrowser addon - Clarify that passthrough drives are not visible on the Proxmox host - Mention incorrect disk usage stats and incomplete file browsing - Add same warning to filebrowser (non-quantum) addon which also serves from / - Reduce verbosity, remove redundant phrasing * fix(filebrowser): fix misleading host warning wording Remove reference to a non-existent dedicated LXC installer. The addons should simply be run inside an LXC or VM instead.
2026-04-10 12:05:06 +02:00 · 2026-04-10 09:29:50 +00:00 · 2026-04-10 11:29:31 +02:00 · 2026-04-10 09:29:19 +00:00 · 2026-04-10 11:28:52 +02:00 · 2026-04-10 08:03:50 +00:00
17 changed files with 232 additions and 21 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -439,6 +439,41 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 </details>

+## 2026-04-10
+
+### 🚀 Updated Scripts
+
+  - Immich: Pin version to 2.7.3 [@vhsdream](https://github.com/vhsdream) ([#13631](https://github.com/community-scripts/ProxmoxVE/pull/13631))
+
+  - #### ✨ New Features
+
+    - Homarr: bind Redis to localhost only [@MickLesk](https://github.com/MickLesk) ([#13552](https://github.com/community-scripts/ProxmoxVE/pull/13552))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - tools.func: prevent script crash when entering GitHub token after rate limit [@MickLesk](https://github.com/MickLesk) ([#13638](https://github.com/community-scripts/ProxmoxVE/pull/13638))
+
+### 🧰 Tools
+
+  - #### 🔧 Refactor
+
+    - addons: Filebrowser & Filebrowser-Quantum get warning if host install [@MickLesk](https://github.com/MickLesk) ([#13639](https://github.com/community-scripts/ProxmoxVE/pull/13639))
+
+## 2026-04-09
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - boostack: add: git [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13620](https://github.com/community-scripts/ProxmoxVE/pull/13620))
+
+  - #### ✨ New Features
+
+    - Update OPNsense version from 25.7 to 26.1 [@tdn131](https://github.com/tdn131) ([#13626](https://github.com/community-scripts/ProxmoxVE/pull/13626))
+    - CheckMK: Bump Default OS to 13 (trixie) + dynamic codename + fix RELEASE-Tag Fetching [@MickLesk](https://github.com/MickLesk) ([#13610](https://github.com/community-scripts/ProxmoxVE/pull/13610))
+
 ## 2026-04-08

 ### 🆕 New Scripts
@@ -449,13 +484,24 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

  - #### 🐞 Bug Fixes

+    - immich: disable upgrade-insecure-requests CSP directive [@MickLesk](https://github.com/MickLesk) ([#13600](https://github.com/community-scripts/ProxmoxVE/pull/13600))
    - Immich: v2.7.2 [@vhsdream](https://github.com/vhsdream) ([#13579](https://github.com/community-scripts/ProxmoxVE/pull/13579))
    - Update flaresolverr-install.sh [@maztheman](https://github.com/maztheman) ([#13584](https://github.com/community-scripts/ProxmoxVE/pull/13584))

+  - #### ✨ New Features
+
+    - bambuddy: add mkdir before data restore & add ffmpeg dependency [@MickLesk](https://github.com/MickLesk) ([#13601](https://github.com/community-scripts/ProxmoxVE/pull/13601))
+
  - #### 🔧 Refactor

    - feat: update UHF Server script to use setup_ffmpeg [@zackwithak13](https://github.com/zackwithak13) ([#13564](https://github.com/community-scripts/ProxmoxVE/pull/13564))

+### 💾 Core
+
+  - #### ✨ New Features
+
+    - core: add script page badges to descriptions | change donate URL [@MickLesk](https://github.com/MickLesk) ([#13596](https://github.com/community-scripts/ProxmoxVE/pull/13596))
+
 ## 2026-04-07

 ### 🗑️ Deleted Scripts
--- a/ct/bambuddy.sh
+++ b/ct/bambuddy.sh
@@ -29,6 +29,8 @@ function update_script() {
    exit
  fi

+  ensure_dependencies ffmpeg
+
  if check_for_gh_release "bambuddy" "maziggy/bambuddy"; then
    msg_info "Stopping Service"
    systemctl stop bambuddy
@@ -54,6 +56,7 @@ function update_script() {
    msg_ok "Rebuilt Frontend"

    msg_info "Restoring Configuration and Data"
+    mkdir -p /opt/bambuddy/data
    cp /opt/bambuddy.env.bak /opt/bambuddy/.env
    cp -r /opt/bambuddy_data_bak/. /opt/bambuddy/data/
    rm -f /opt/bambuddy.env.bak
--- a/ct/bookstack.sh
+++ b/ct/bookstack.sh
@@ -29,6 +29,7 @@ function update_script() {
    exit
  fi
  setup_mariadb
+  ensure_dependencies git
  if check_for_gh_release "bookstack" "BookStackApp/BookStack"; then
    msg_info "Stopping Apache2"
    systemctl stop apache2
--- a/ct/checkmk.sh
+++ b/ct/checkmk.sh
@@ -11,7 +11,7 @@ var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-2048}"
 var_disk="${var_disk:-6}"
 var_os="${var_os:-debian}"
-var_version="${var_version:-12}"
+var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"

 header_info "$APP"
@@ -29,10 +29,11 @@ function update_script() {
  fi

  RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
+  RELEASE="${RELEASE%%+*}"
  msg_info "Updating ${APP} to v${RELEASE}"
  $STD omd stop monitoring
  $STD omd cp monitoring monitoringbackup
-  curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.bookworm_amd64.deb" -o "/opt/checkmk.deb"
+  curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
  $STD apt-get install -y /opt/checkmk.deb
  $STD omd --force -V ${RELEASE}.cre update --conflict=install monitoring
  $STD omd start monitoring
--- a/ct/homarr.sh
+++ b/ct/homarr.sh
@@ -65,6 +65,7 @@ EOF

    msg_info "Updating Homarr"
    cp /opt/homarr/redis.conf /etc/redis/redis.conf
+    grep -q '^bind 127.0.0.1 -::1$' /etc/redis/redis.conf || echo "bind 127.0.0.1 -::1" >> /etc/redis/redis.conf
    rm /etc/nginx/nginx.conf
    cp /opt/homarr/nginx.conf /etc/nginx/templates/nginx.conf
    msg_ok "Updated Homarr"
--- a/ct/immich.sh
+++ b/ct/immich.sh
@@ -109,7 +109,7 @@ EOF
    msg_ok "Image-processing libraries up to date"
  fi

-  RELEASE="v2.7.2"
+  RELEASE="v2.7.3"
  if check_for_gh_release "Immich" "immich-app/immich" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
    if [[ $(cat ~/.immich) > "2.5.1" ]]; then
      msg_info "Enabling Maintenance Mode"
@@ -181,6 +181,12 @@ EOF
    unset SHARP_IGNORE_GLOBAL_LIBVIPS
    export SHARP_FORCE_GLOBAL_LIBVIPS=true
    $STD pnpm --filter immich --frozen-lockfile --prod --no-optional deploy "$APP_DIR"
+
+    # Patch helmet.json: disable upgrade-insecure-requests for HTTP access
+    if [[ -f "$APP_DIR/helmet.json" ]]; then
+      jq '.contentSecurityPolicy.directives["upgrade-insecure-requests"] = null' "$APP_DIR/helmet.json" >"$APP_DIR/helmet.json.tmp" && mv "$APP_DIR/helmet.json.tmp" "$APP_DIR/helmet.json"
+    fi
+
    cp "$APP_DIR"/package.json "$APP_DIR"/bin
    sed -i "s|^start|${APP_DIR}/bin/start|" "$APP_DIR"/bin/immich-admin

--- a/install/bambuddy-install.sh
+++ b/install/bambuddy-install.sh
@@ -14,7 +14,7 @@ network_check
 update_os

 msg_info "Installing Dependencies"
-$STD apt install -y libglib2.0-0
+$STD apt install -y libglib2.0-0 ffmpeg
 msg_ok "Installed Dependencies"

 PYTHON_VERSION="3.13" setup_uv
--- a/install/bookstack-install.sh
+++ b/install/bookstack-install.sh
@@ -14,7 +14,9 @@ network_check
 update_os

 msg_info "Installing Dependencies"
-$STD apt install -y make
+$STD apt install -y \
+  make \
+  git
 msg_ok "Installed Dependencies"

 PHP_VERSION="8.3" PHP_APACHE="YES" PHP_FPM="YES" PHP_MODULE="ldap,tidy,mysqli" setup_php
--- a/install/checkmk-install.sh
+++ b/install/checkmk-install.sh
@@ -15,7 +15,8 @@ update_os

 msg_info "Install Checkmk"
 RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
-curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.bookworm_amd64.deb" -o "/opt/checkmk.deb"
+RELEASE="${RELEASE%%+*}"
+curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
 $STD apt-get install -y /opt/checkmk.deb
 rm -rf /opt/checkmk.deb
 echo "${RELEASE}" >"/opt/checkmk_version.txt"
--- a/install/homarr-install.sh
+++ b/install/homarr-install.sh
@@ -47,6 +47,7 @@ mkdir -p /appdata/redis
 chown -R redis:redis /appdata/redis
 chmod 744 /appdata/redis
 cp /opt/homarr/redis.conf /etc/redis/redis.conf
+grep -q '^bind 127.0.0.1 -::1$' /etc/redis/redis.conf || echo "bind 127.0.0.1 -::1" >>/etc/redis/redis.conf
 rm /etc/nginx/nginx.conf
 mkdir -p /etc/nginx/templates
 cp /opt/homarr/nginx.conf /etc/nginx/templates/nginx.conf
@@ -80,7 +81,7 @@ chmod +x /opt/homarr/run.sh
 systemctl daemon-reload
 systemctl enable -q --now redis-server
 systemctl enable -q --now homarr
-systemctl disable -q --now nginx 
+systemctl disable -q --now nginx
 msg_ok "Created Services"

 motd_ssh
--- a/install/immich-install.sh
+++ b/install/immich-install.sh
@@ -295,7 +295,7 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}

-fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.2" "$SRC_DIR"
+fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.3" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs

@@ -312,6 +312,12 @@ $STD pnpm --filter immich --frozen-lockfile build
 unset SHARP_IGNORE_GLOBAL_LIBVIPS
 export SHARP_FORCE_GLOBAL_LIBVIPS=true
 $STD pnpm --filter immich --frozen-lockfile --prod --no-optional deploy "$APP_DIR"
+
+# Patch helmet.json: disable upgrade-insecure-requests for HTTP access
+if [[ -f "$APP_DIR/helmet.json" ]]; then
+  jq '.contentSecurityPolicy.directives["upgrade-insecure-requests"] = null' "$APP_DIR/helmet.json" >"$APP_DIR/helmet.json.tmp" && mv "$APP_DIR/helmet.json.tmp" "$APP_DIR/helmet.json"
+fi
+
 cp "$APP_DIR"/package.json "$APP_DIR"/bin
 sed -i "s|^start|${APP_DIR}/bin/start|" "$APP_DIR"/bin/immich-admin

--- a/misc/build.func
+++ b/misc/build.func
@@ -1054,7 +1054,7 @@ load_vars_file() {

  # Allowed var_* keys
  local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
    var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
    var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1255,7 +1255,7 @@ default_var_settings() {
  # Allowed var_* keys (alphabetically sorted)
  # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
  local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
    var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
    var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -1350,6 +1350,10 @@ var_verbose=no

 # Security (root PW) – empty => autologin
 # var_pw=
+
+# GitHub Personal Access Token (optional – avoids API rate limits during installs)
+# Create at https://github.com/settings/tokens – read-only public access is sufficient
+# var_github_token=ghp_your_token_here
 EOF

    # Now choose storages (always prompt unless just one exists)
@@ -1387,6 +1391,11 @@ EOF
    VERBOSE="no"
  fi

+  # 4) Map var_github_token → GITHUB_TOKEN (only if not already set in environment)
+  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
+    export GITHUB_TOKEN="${var_github_token}"
+  fi
+
  # 4) Apply base settings and show summary
  METHOD="mydefaults-global"
  base_settings "$VERBOSE"
@@ -1419,7 +1428,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
  # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
  declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu
    var_gateway var_hostname var_ipv6_method var_mac var_mtu
    var_net var_ns var_os var_pw var_ram var_tags var_tun var_unprivileged
    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -5906,6 +5915,12 @@ create_lxc_container() {
 # ------------------------------------------------------------------------------
 description() {
  IP=$(pct exec "$CTID" ip a s dev eth0 | awk '/inet / {print $2}' | cut -d/ -f1)
+  local script_slug script_url donate_url
+
+  script_slug="${SCRIPT_SLUG:-${NSAPP}}"
+  script_slug="$(echo "$script_slug" | tr '[:upper:]' '[:lower:]' | tr ' ' '-')"
+  script_url="https://community-scripts.org/scripts/${script_slug}"
+  donate_url="https://community-scripts.org/donate"

  # Generate LXC Description
  DESCRIPTION=$(
@@ -5918,8 +5933,14 @@ description() {
  <h2 style='font-size: 24px; margin: 20px 0;'>${APP} LXC</h2>

  <p style='margin: 16px 0;'>
-    <a href='https://ko-fi.com/community_scripts' target='_blank' rel='noopener noreferrer'>
-      <img src='https://img.shields.io/badge/&#x2615;-Buy us a coffee-blue' alt='spend Coffee' />
+    <a href='${donate_url}' target='_blank' rel='noopener noreferrer'>
+      <img src='https://img.shields.io/badge/❤️-Sponsoring%20%26%20Donations-FF5E5B' alt='Sponsoring and donations' />
+    </a>
+  </p>
+
+  <p style='margin: 12px 0;'>
+    <a href='${script_url}' target='_blank' rel='noopener noreferrer'>
+      <img src='https://img.shields.io/badge/📦-Open%20Script%20Page-00617f' alt='Open script page' />
    </a>
  </p>

--- a/misc/tools.func
+++ b/misc/tools.func
@@ -1117,15 +1117,87 @@ is_package_installed() {
  fi
 }

+# ------------------------------------------------------------------------------
+# validate_github_token()
+# Checks a GitHub token via the /user endpoint.
+# Prints a status message and returns:
+#   0 - token is valid
+#   1 - token is invalid / expired (HTTP 401)
+#   2 - token has no public repo scope (HTTP 200 but missing scope)
+#   3 - network/API error
+# Also reports expiry date if the token carries an x-oauth-expiry header.
+# ------------------------------------------------------------------------------
+validate_github_token() {
+  local token="${1:-${GITHUB_TOKEN:-}}"
+  [[ -z "$token" ]] && return 3
+
+  local response headers http_code expiry_date scopes
+  headers=$(mktemp)
+  response=$(curl -sSL -w "%{http_code}" \
+    -D "$headers" \
+    -o /dev/null \
+    -H "Authorization: Bearer $token" \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
+  http_code="$response"
+
+  # Read expiry header (fine-grained PATs carry this)
+  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
+    | sed 's/.*: *//' | tr -d '\r\n' || true)
+  # Read token scopes (classic PATs)
+  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
+    | sed 's/.*: *//' | tr -d '\r\n' || true)
+  rm -f "$headers"
+
+  case "$http_code" in
+    200)
+      if [[ -n "$expiry_date" ]]; then
+        msg_ok "GitHub token is valid (expires: $expiry_date)."
+      else
+        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
+      fi
+      # Warn if classic PAT has no public_repo scope
+      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
+        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
+        return 2
+      fi
+      return 0
+      ;;
+    401)
+      msg_error "GitHub token is invalid or expired (HTTP 401)."
+      return 1
+      ;;
+    *)
+      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
+      return 0
+      ;;
+  esac
+}
+
 # ------------------------------------------------------------------------------
 # Prompt user to enter a GitHub Personal Access Token (PAT) interactively
 # Returns 0 if a valid token was provided, 1 otherwise
 # ------------------------------------------------------------------------------
 prompt_for_github_token() {
  if [[ ! -t 0 ]]; then
+    # Non-interactive: pick up var_github_token if set (from default.vars / app.vars / env)
+    if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
+      export GITHUB_TOKEN="${var_github_token}"
+      msg_ok "GitHub token loaded from var_github_token."
+      return 0
+    fi
    return 1
  fi

+  # Prefer var_github_token when already set and no interactive override needed
+  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
+    export GITHUB_TOKEN="${var_github_token}"
+    msg_ok "GitHub token loaded from var_github_token."
+    validate_github_token || true
+    return 0
+  fi
+
  local reply
  read -rp "${TAB}Would you like to enter a GitHub Personal Access Token (PAT)? [y/N]: " reply
  reply="${reply:-n}"
@@ -1147,10 +1219,16 @@ prompt_for_github_token() {
      msg_warn "Token must not contain spaces. Please try again."
      continue
    fi
-    break
+    # Validate before accepting
+    export GITHUB_TOKEN="$token"
+    if validate_github_token "$token"; then
+      break
+    else
+      msg_warn "Please enter a valid token, or press Ctrl+C to abort."
+      unset GITHUB_TOKEN
+    fi
  done

-  export GITHUB_TOKEN="$token"
  msg_ok "GitHub token has been set."
  return 0
 }
@@ -2860,7 +2938,7 @@ function fetch_and_deploy_codeberg_release() {

  while ((attempt < ${#api_timeouts[@]})); do
    resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o /tmp/codeberg_rel.json "$api_url") && success=true && break
-    ((attempt++))
+    attempt=$((attempt + 1))
    if ((attempt < ${#api_timeouts[@]})); then
      msg_warn "API request timed out after ${api_timeouts[$((attempt - 1))]}s, retrying... (attempt $((attempt + 1))/${#api_timeouts[@]})"
    fi
@@ -3370,7 +3448,8 @@ function fetch_and_deploy_gh_release() {
        if prompt_for_github_token; then
          header=(-H "Authorization: token $GITHUB_TOKEN")
          retry_delay=2
-          attempt=0
+          attempt=1
+          continue
        fi
      fi
    else
--- a/misc/vm-core.func
+++ b/misc/vm-core.func
@@ -577,6 +577,13 @@ check_hostname_conflict() {
 }

 set_description() {
+  local app_name script_slug script_url donate_url
+  app_name=$(echo "${APP,,}" | tr ' ' '-')
+  script_slug="${SCRIPT_SLUG:-${app_name}}"
+  script_slug="$(echo "$script_slug" | tr '[:upper:]' '[:lower:]' | tr ' ' '-')"
+  script_url="https://community-scripts.org/scripts/${script_slug}"
+  donate_url="https://community-scripts.org/donate"
+
  DESCRIPTION=$(
    cat <<EOF
 <div align='center'>
@@ -587,8 +594,14 @@ set_description() {
  <h2 style='font-size: 24px; margin: 20px 0;'>${NSAPP} VM</h2>

  <p style='margin: 16px 0;'>
-    <a href='https://ko-fi.com/community_scripts' target='_blank' rel='noopener noreferrer'>
-      <img src='https://img.shields.io/badge/&#x2615;-Buy us a coffee-blue' alt='spend Coffee' />
+    <a href='${donate_url}' target='_blank' rel='noopener noreferrer'>
+      <img src='https://img.shields.io/badge/❤️-Sponsoring%20%26%20Donations-FF5E5B' alt='Sponsoring and donations' />
+    </a>
+  </p>
+
+  <p style='margin: 12px 0;'>
+    <a href='${script_url}' target='_blank' rel='noopener noreferrer'>
+      <img src='https://img.shields.io/badge/📦-Open%20Script%20Page-00617f' alt='Open script page' />
    </a>
  </p>

--- a/tools/addon/filebrowser-quantum.sh
+++ b/tools/addon/filebrowser-quantum.sh
@@ -43,6 +43,21 @@ IP=$(ip -4 addr show "$IFACE" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n
 [[ -z "$IP" ]] && IP=$(hostname -I | awk '{print $1}')
 [[ -z "$IP" ]] && IP="127.0.0.1"

+# Proxmox Host Warning
+if [[ -d "/etc/pve" ]]; then
+  echo -e "${RD}⚠️  Warning: Running this addon directly on the Proxmox host is not recommended!${CL}"
+  echo -e "${YW}   Only the boot disk will be visible — passthrough drives will not be indexed.${CL}"
+  echo -e "${YW}   This causes incorrect disk usage stats and incomplete file browsing.${CL}"
+  echo -e "${YW}   Run this addon inside an LXC or VM instead and mount your drives there.${CL}"
+  echo ""
+  echo -n "Continue anyway on the Proxmox host? (y/N): "
+  read -r host_confirm
+  if [[ ! "${host_confirm,,}" =~ ^(y|yes)$ ]]; then
+    echo -e "${YW}Aborted.${CL}"
+    exit 0
+  fi
+fi
+
 # OS Detection
 if [[ -f "/etc/alpine-release" ]]; then
  OS="Alpine"
--- a/tools/addon/filebrowser.sh
+++ b/tools/addon/filebrowser.sh
@@ -41,6 +41,21 @@ IP=$(ip -4 addr show "$IFACE" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n
 [[ -z "$IP" ]] && IP=$(hostname -I | awk '{print $1}')
 [[ -z "$IP" ]] && IP="127.0.0.1"

+# Proxmox Host Warning
+if [[ -d "/etc/pve" ]]; then
+  echo -e "${RD}⚠️  Warning: Running this addon directly on the Proxmox host is not recommended!${CL}"
+  echo -e "${YW}   Only the boot disk will be visible — passthrough drives will not be indexed.${CL}"
+  echo -e "${YW}   This causes incorrect disk usage stats and incomplete file browsing.${CL}"
+  echo -e "${YW}   Run this addon inside an LXC or VM instead and mount your drives there.${CL}"
+  echo ""
+  echo -n "Continue anyway on the Proxmox host? (y/N): "
+  read -r host_confirm
+  if [[ ! "${host_confirm,,}" =~ ^(y|yes)$ ]]; then
+    echo -e "${YW}Aborted.${CL}"
+    exit 0
+  fi
+fi
+
 # Detect OS
 if [[ -f "/etc/alpine-release" ]]; then
  OS="Alpine"
--- a/vm/opnsense-vm.sh
+++ b/vm/opnsense-vm.sh
@@ -24,7 +24,7 @@ RANDOM_UUID="$(cat /proc/sys/kernel/random/uuid)"
 METHOD=""
 NSAPP="opnsense-vm"
 var_os="opnsense"
-var_version="25.7"
+var_version="26.1"
 #
 GEN_MAC=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
 GEN_MAC_LAN=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
@@ -797,7 +797,7 @@ if [ -n "$WAN_BRG" ]; then
  msg_ok "WAN interface added"
  sleep 5 # Brief pause after adding network interface
 fi
-send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 25.7"
+send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 26.1"
 msg_ok "OPNsense VM is being installed, do not close the terminal, or the installation will fail."
 #We need to wait for the OPNsense build proccess to finish, this takes a few minutes
 sleep 1000
Author	SHA1	Message	Date
github-actions[bot]	095e5e0f3c	Update CHANGELOG.md	2026-04-10 09:29:50 +00:00
CanbiZ (MickLesk)	5e865278e9	addons: Filebrowser & Filebrowser-Quantum get warning if host install (#13639 ) * fix(filebrowser-quantum): warn when addon is run directly on Proxmox host Detect /etc/pve and show a clear warning with link to the recommended LXC installer. User must explicitly confirm to continue on the host, addressing the size calculation and indexing issues reported in gtsteffaniak/filebrowser#1893. Closes #13636 * fix(filebrowser): improve host warning text and add to filebrowser addon - Clarify that passthrough drives are not visible on the Proxmox host - Mention incorrect disk usage stats and incomplete file browsing - Add same warning to filebrowser (non-quantum) addon which also serves from / - Reduce verbosity, remove redundant phrasing * fix(filebrowser): fix misleading host warning wording Remove reference to a non-existent dedicated LXC installer. The addons should simply be run inside an LXC or VM instead.	2026-04-10 11:29:31 +02:00
community-scripts-pr-app[bot]	a18642a8f8	Update CHANGELOG.md (#13640 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 09:29:19 +00:00
CanbiZ (MickLesk)	9a82ec48b2	tools.func: prevent script crash when entering GitHub token after rate limit (#13638 ) * fix(tools): prevent script crash when entering GitHub token after rate limit fetch_and_deploy_gh_release set attempt=0 after accepting a token, then immediately ran ((0++)) which evaluates to 0 (falsy) causing exit code 1 and killing the script under set -e. Fix: set attempt=1 and continue to restart the retry loop cleanly, giving the full max_retries budget with the new token. Also fix fetch_and_deploy_codeberg_release: replace ((attempt++)) with attempt=\ to avoid the same zero-evaluation crash on the first connection timeout (attempt starts at 0 in that loop). Fixes #13635 * feat(tools): add var_github_token support with token validation - Add var_github_token to all VAR_WHITELIST arrays in build.func so the token can be set via default.vars, app.vars, or environment variable - Map var_github_token -> GITHUB_TOKEN in default_var_settings() (env variable takes precedence over the var file value) - Add commented var_github_token example to the default.vars template - Add validate_github_token() to tools.func: * Calls GET /user to verify the token is accepted * Reports expiry date from x-oauth-expiry header (fine-grained PATs) * Warns when classic PAT is missing public_repo scope * Returns distinct exit codes: 0=valid, 1=invalid/expired, 2=no scope, 3=error - Update prompt_for_github_token(): * Non-interactive path now picks up var_github_token automatically * Interactive path also picks up var_github_token without prompting * Validates token immediately after entry; loops until valid or Ctrl+C	2026-04-10 11:28:52 +02:00
community-scripts-pr-app[bot]	f2d46dd8c8	Update CHANGELOG.md (#13637 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 08:03:50 +00:00
CanbiZ (MickLesk)	2707295eba	Homarr: bind Redis to localhost only (#13552 ) * Homarr: bind Redis to localhost only * fix(homarr): make Redis bind directive idempotent Replace unconditional append with grep guard to prevent duplicate 'bind 127.0.0.1 -::1' entries on repeated updates. * Fix whitespace in homarr install script Clean up minor whitespace issues in install/homarr-install.sh: remove an extra space before the here-path in the Redis config append (>>/etc/redis/redis.conf) and strip a trailing space after the nginx service name in the systemctl disable call. These are whitespace-only edits to keep the script tidy and avoid passing unintended whitespace to commands.	2026-04-10 10:03:22 +02:00
community-scripts-pr-app[bot]	82cc074b05	Update CHANGELOG.md (#13633 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 05:20:42 +00:00
Chris	6b224ac649	Immich: Pin version to 2.7.3 (#13631 )	2026-04-10 07:20:17 +02:00
community-scripts-pr-app[bot]	a69f9955f4	Update CHANGELOG.md (#13628 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-09 19:45:36 +00:00
tdn131	7d19269122	Update OPNsense version from 25.7 to 26.1 (#13626 )	2026-04-09 21:45:07 +02:00
community-scripts-pr-app[bot]	498d37ae3a	Update CHANGELOG.md (#13622 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-09 14:44:55 +00:00
Tobias	703ad0ecb7	boostack: add: git (#13620 ) * boostack: add: git * bookstack: add: git	2026-04-09 16:44:11 +02:00
community-scripts-pr-app[bot]	ae6cf7666e	Update CHANGELOG.md (#13613 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-09 08:53:01 +00:00
CanbiZ (MickLesk)	2c2beab3ce	checkmk: default v13 + dynamic codename (#13610 )	2026-04-09 10:52:36 +02:00
community-scripts-pr-app[bot]	a10100d66a	Update CHANGELOG.md (#13605 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-08 21:22:58 +00:00
CanbiZ (MickLesk)	41848653d6	bambuddy: add mkdir before data restore & add ffmpeg dependency (#13601 )	2026-04-08 23:22:34 +02:00
community-scripts-pr-app[bot]	1eb246ee41	Update CHANGELOG.md (#13604 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-08 19:41:23 +00:00
CanbiZ (MickLesk)	68b486be92	Add donate & script page badges to descriptions (#13596 ) Update LXC and VM description blocks to include donation and script page badges. Introduces script_slug, script_url and donate_url variables (derived from SCRIPT_SLUG or NSAPP/APP, normalized to lowercase and dashed) and uses them to build links. Replaces the old Ko-fi "Buy us a coffee" badge with a generic donate badge and adds an "Open Script Page" badge linking to the script detail page.	2026-04-08 21:40:52 +02:00
community-scripts-pr-app[bot]	9dd4bff9c5	Update CHANGELOG.md (#13602 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-08 17:47:34 +00:00
CanbiZ (MickLesk)	ae3e1deece	fix(immich): disable upgrade-insecure-requests CSP directive (#13600 ) Helmet's useDefaults adds upgrade-insecure-requests to the CSP, which forces browsers to upgrade all HTTP requests to HTTPS. Since most LXC users access Immich directly via HTTP, this breaks the web UI completely (CORS errors, spinning logo). Patch helmet.json after deploy to explicitly null out the directive, keeping CSP benefits while allowing HTTP access. Fixes #13597	2026-04-08 19:47:10 +02:00