Update CHANGELOG.md (#13878)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.github/changelogs/2026/04.md

@@ -1,3 +1,149 @@
+## 2026-04-18
+
+### 🆕 New Scripts
+
+  - Dagu ([#13830](https://github.com/community-scripts/ProxmoxVE/pull/13830))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - BabyBuddy: set DJANGO_SETTINGS_MODULE before migrate in update [@MickLesk](https://github.com/MickLesk) ([#13836](https://github.com/community-scripts/ProxmoxVE/pull/13836))
+    - litellm: add prisma generate and use venv binary directly [@MickLesk](https://github.com/MickLesk) ([#13835](https://github.com/community-scripts/ProxmoxVE/pull/13835))
+    - yamtrack: add missing nginx.conf sed edits to update script [@MickLesk](https://github.com/MickLesk) ([#13834](https://github.com/community-scripts/ProxmoxVE/pull/13834))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - SparkyFitness Garmin Microservice: fix update function [@tomfrenzel](https://github.com/tomfrenzel) ([#13824](https://github.com/community-scripts/ProxmoxVE/pull/13824))
+
+  - #### 🔧 Refactor
+
+    - Clean-Orphan-LVM: check all cluster nodes for VM/CT configs [@MickLesk](https://github.com/MickLesk) ([#13837](https://github.com/community-scripts/ProxmoxVE/pull/13837))
+
+## 2026-04-17
+
+### 🆕 New Scripts
+
+  - step-ca ([#13775](https://github.com/community-scripts/ProxmoxVE/pull/13775))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - core: pin IGC version to compute-runtime compatible tag (Intel GPU) [@MickLesk](https://github.com/MickLesk) ([#13814](https://github.com/community-scripts/ProxmoxVE/pull/13814))
+    - Fix for bambuddy community script update [@abbasegbeyemi](https://github.com/abbasegbeyemi) ([#13816](https://github.com/community-scripts/ProxmoxVE/pull/13816))
+    - Umami: Fix update procedure [@tremor021](https://github.com/tremor021) ([#13807](https://github.com/community-scripts/ProxmoxVE/pull/13807))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - core: sanitize mount_fs input — strip spaces and trailing commas [@MickLesk](https://github.com/MickLesk) ([#13806](https://github.com/community-scripts/ProxmoxVE/pull/13806))
+
+  - #### 🔧 Refactor
+
+    - core: fix some pct create issues (telemetry) + cleanup [@MickLesk](https://github.com/MickLesk) ([#13810](https://github.com/community-scripts/ProxmoxVE/pull/13810))
+
+## 2026-04-16
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Add pnpm as a dependency to ghost-cli install [@YourFavoriteKyle](https://github.com/YourFavoriteKyle) ([#13789](https://github.com/community-scripts/ProxmoxVE/pull/13789))
+
+### 💾 Core
+
+  - #### ✨ New Features
+
+    - core: wire ENABLE_MKNOD and ALLOW_MOUNT_FS into LXC features [@MickLesk](https://github.com/MickLesk) ([#13796](https://github.com/community-scripts/ProxmoxVE/pull/13796))
+
+## 2026-04-15
+
+### 🆕 New Scripts
+
+  - iGotify ([#13773](https://github.com/community-scripts/ProxmoxVE/pull/13773))
+- GitHub-Runner ([#13709](https://github.com/community-scripts/ProxmoxVE/pull/13709))
+- Revert "Remove low-install-count CT scripts and installers (#13570)" [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13752](https://github.com/community-scripts/ProxmoxVE/pull/13752))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - [alpine-nextcloud] Update Nginx MIME types to support .mjs files [@GuiltyFox](https://github.com/GuiltyFox) ([#13771](https://github.com/community-scripts/ProxmoxVE/pull/13771))
+    - Domain Monitor: Fix file ownership after update [@tremor021](https://github.com/tremor021) ([#13759](https://github.com/community-scripts/ProxmoxVE/pull/13759))
+
+  - #### 💥 Breaking Changes
+
+    - Reitti: refactor scripts for v4 - remove RabbitMQ and Photon [@MickLesk](https://github.com/MickLesk) ([#13728](https://github.com/community-scripts/ProxmoxVE/pull/13728))
+
+  - #### 🔧 Refactor
+
+    - Semaphore: add BoltDB to SQLite migration [@tremor021](https://github.com/tremor021) ([#13779](https://github.com/community-scripts/ProxmoxVE/pull/13779))
+
+### 📚 Documentation
+
+  - cleanup: remove docs/, update README & CONTRIBUTING, fix repo config [@MickLesk](https://github.com/MickLesk) ([#13770](https://github.com/community-scripts/ProxmoxVE/pull/13770))
+
+## 2026-04-14
+
+### 🚀 Updated Scripts
+
+  - Immich: Pin photo-processing library revisions [@vhsdream](https://github.com/vhsdream) ([#13748](https://github.com/community-scripts/ProxmoxVE/pull/13748))
+
+  - #### 🐞 Bug Fixes
+
+    - BentoPDF: Nginx fixes [@tremor021](https://github.com/tremor021) ([#13741](https://github.com/community-scripts/ProxmoxVE/pull/13741))
+    - Zerobyte: add git to dependencies to fix bun install failure [@Copilot](https://github.com/Copilot) ([#13721](https://github.com/community-scripts/ProxmoxVE/pull/13721))
+    - alpine-nextcloud-install: do not use deprecated nginx config [@AlexanderStein](https://github.com/AlexanderStein) ([#13726](https://github.com/community-scripts/ProxmoxVE/pull/13726))
+
+  - #### ✨ New Features
+
+    - Mealie: support v3.15+ Nuxt 4 migration [@MickLesk](https://github.com/MickLesk) ([#13731](https://github.com/community-scripts/ProxmoxVE/pull/13731))
+
+  - #### 🔧 Refactor
+
+    - Lyrion: correct service name and version file in update script [@MickLesk](https://github.com/MickLesk) ([#13734](https://github.com/community-scripts/ProxmoxVE/pull/13734))
+    - Changedetection: move env vars from service file to .env [@tremor021](https://github.com/tremor021) ([#13732](https://github.com/community-scripts/ProxmoxVE/pull/13732))
+
+## 2026-04-13
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Slskd: Remove stale Soularr lock file on startup and redirect logs to stderr [@MickLesk](https://github.com/MickLesk) ([#13669](https://github.com/community-scripts/ProxmoxVE/pull/13669))
+    - Bambuddy: preserve database and archive on update [@Copilot](https://github.com/Copilot) ([#13706](https://github.com/community-scripts/ProxmoxVE/pull/13706))
+
+  - #### ✨ New Features
+
+    - Immich: Pin version to 2.7.5 [@vhsdream](https://github.com/vhsdream) ([#13715](https://github.com/community-scripts/ProxmoxVE/pull/13715))
+    - Bytestash: auto backup/restore data on update [@MickLesk](https://github.com/MickLesk) ([#13707](https://github.com/community-scripts/ProxmoxVE/pull/13707))
+    - OpenCloud: pin version to 6.0.0 [@vhsdream](https://github.com/vhsdream) ([#13691](https://github.com/community-scripts/ProxmoxVE/pull/13691))
+
+  - #### 💥 Breaking Changes
+
+    - Mealie: pin version to v3.14.0 in install and update scripts [@Copilot](https://github.com/Copilot) ([#13724](https://github.com/community-scripts/ProxmoxVE/pull/13724))
+
+  - #### 🔧 Refactor
+
+    - core: remove unused TEMP_DIR mktemp leak in build_container / clean sonarqube [@MickLesk](https://github.com/MickLesk) ([#13708](https://github.com/community-scripts/ProxmoxVE/pull/13708))
+
+## 2026-04-12
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Alpine-Wakapi: Remove container checks in update_script function [@MickLesk](https://github.com/MickLesk) ([#13694](https://github.com/community-scripts/ProxmoxVE/pull/13694))
+
+  - #### 🔧 Refactor
+
+    - IronClaw: Install keychain dependencies and launch in a DBus session [@MickLesk](https://github.com/MickLesk) ([#13692](https://github.com/community-scripts/ProxmoxVE/pull/13692))
+    - MeTube: Allow pnpm build scripts to fix ERR_PNPM_IGNORED_BUILDS [@MickLesk](https://github.com/MickLesk) ([#13668](https://github.com/community-scripts/ProxmoxVE/pull/13668))
+
 ## 2026-04-11
 
 ### 🚀 Updated Scripts

.github/workflows/pocketbase-bot.yml

@@ -337,8 +337,8 @@ jobs:
 
             if (infoMatch) {
               // ── INFO SUBCOMMAND ──────────────────────────────────────────────
-              const notesArr   = readJsonBlob(record.notes_json);
-              const methodsArr = readJsonBlob(record.install_methods_json);
+              const notesArr   = readJsonBlob(record.notes);
+              const methodsArr = readJsonBlob(record.install_methods);
 
               const out = [];
               out.push('ℹ️ **PocketBase Bot**: Info for **`' + slug + '`**\n');
@@ -382,13 +382,13 @@ jobs:
               // ── NOTE SUBCOMMAND ──────────────────────────────────────────────
               const noteAction  = noteMatch[1].toLowerCase();
               const noteArgsStr = rest.substring(noteMatch[0].length).trim();
-              let notesArr = readJsonBlob(record.notes_json);
+              let notesArr = readJsonBlob(record.notes);
 
               async function patchNotes(arr) {
                 const res = await request(recordsUrl + '/' + record.id, {
                   method: 'PATCH',
                   headers: { 'Authorization': token, 'Content-Type': 'application/json' },
-                  body: JSON.stringify({ notes_json: JSON.stringify(arr) })
+                  body: JSON.stringify({ notes: arr })
                 });
                 if (!res.ok) {
                   await addReaction('-1');
@@ -504,7 +504,7 @@ jobs:
               // ── METHOD SUBCOMMAND ────────────────────────────────────────────
               const methodArgs     = rest.replace(/^method\s*/i, '').trim();
               const methodListMode = !methodArgs || methodArgs.toLowerCase() === 'list';
-              let methodsArr = readJsonBlob(record.install_methods_json);
+              let methodsArr = readJsonBlob(record.install_methods);
 
               // Method field classification
               const RESOURCE_KEYS = { cpu: 'number', ram: 'number', hdd: 'number', os: 'string', version: 'string' };
@@ -526,7 +526,7 @@ jobs:
                 const res = await request(recordsUrl + '/' + record.id, {
                   method: 'PATCH',
                   headers: { 'Authorization': token, 'Content-Type': 'application/json' },
-                  body: JSON.stringify({ install_methods_json: arr })
+                  body: JSON.stringify({ install_methods: arr })
                 });
                 if (!res.ok) {
                   await addReaction('-1');

CHANGELOG.md

@@ -38,6 +38,9 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 
 
+
+
+
 
 
 
@@ -51,7 +54,7 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 
 <details>
-<summary><h4>April (11 entries)</h4></summary>
+<summary><h4>April (18 entries)</h4></summary>
 
 [View April 2026 Changelog](.github/changelogs/2026/04.md)
 
@@ -442,6 +445,81 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-04-20
+
+### 🚀 Updated Scripts
+
+  - pangolin: create migration tables before data transfer to prevent role loss [@MickLesk](https://github.com/MickLesk) ([#13874](https://github.com/community-scripts/ProxmoxVE/pull/13874))
+
+  - #### 🐞 Bug Fixes
+
+    - Pangolin: pre-apply schema migrations to prevent data loss [@MickLesk](https://github.com/MickLesk) ([#13861](https://github.com/community-scripts/ProxmoxVE/pull/13861))
+    - ActualBudget: change migration messages to warnings [@MickLesk](https://github.com/MickLesk) ([#13860](https://github.com/community-scripts/ProxmoxVE/pull/13860))
+    - slskd: migrate config keys for 0.25.0 breaking change [@MickLesk](https://github.com/MickLesk) ([#13862](https://github.com/community-scripts/ProxmoxVE/pull/13862))
+
+  - #### ✨ New Features
+
+    - Wanderer: add pocketbase CLI wrapper with env [@MickLesk](https://github.com/MickLesk) ([#13863](https://github.com/community-scripts/ProxmoxVE/pull/13863))
+
+  - #### 🔧 Refactor
+
+    - Several Scripts: Bump NodeJS to align Node.js versions with upstream for 5 scripts [@MickLesk](https://github.com/MickLesk) ([#13875](https://github.com/community-scripts/ProxmoxVE/pull/13875))
+    - Refactor: PMG Post Install [@MickLesk](https://github.com/MickLesk) ([#13693](https://github.com/community-scripts/ProxmoxVE/pull/13693))
+
+## 2026-04-19
+
+### 🆕 New Scripts
+
+  - nametag ([#13849](https://github.com/community-scripts/ProxmoxVE/pull/13849))
+
+## 2026-04-18
+
+### 🆕 New Scripts
+
+  - Dagu ([#13830](https://github.com/community-scripts/ProxmoxVE/pull/13830))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - BabyBuddy: set DJANGO_SETTINGS_MODULE before migrate in update [@MickLesk](https://github.com/MickLesk) ([#13836](https://github.com/community-scripts/ProxmoxVE/pull/13836))
+    - litellm: add prisma generate and use venv binary directly [@MickLesk](https://github.com/MickLesk) ([#13835](https://github.com/community-scripts/ProxmoxVE/pull/13835))
+    - yamtrack: add missing nginx.conf sed edits to update script [@MickLesk](https://github.com/MickLesk) ([#13834](https://github.com/community-scripts/ProxmoxVE/pull/13834))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - SparkyFitness Garmin Microservice: fix update function [@tomfrenzel](https://github.com/tomfrenzel) ([#13824](https://github.com/community-scripts/ProxmoxVE/pull/13824))
+
+  - #### 🔧 Refactor
+
+    - Clean-Orphan-LVM: check all cluster nodes for VM/CT configs [@MickLesk](https://github.com/MickLesk) ([#13837](https://github.com/community-scripts/ProxmoxVE/pull/13837))
+
+## 2026-04-17
+
+### 🆕 New Scripts
+
+  - step-ca ([#13775](https://github.com/community-scripts/ProxmoxVE/pull/13775))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - core: pin IGC version to compute-runtime compatible tag (Intel GPU) [@MickLesk](https://github.com/MickLesk) ([#13814](https://github.com/community-scripts/ProxmoxVE/pull/13814))
+    - Fix for bambuddy community script update [@abbasegbeyemi](https://github.com/abbasegbeyemi) ([#13816](https://github.com/community-scripts/ProxmoxVE/pull/13816))
+    - Umami: Fix update procedure [@tremor021](https://github.com/tremor021) ([#13807](https://github.com/community-scripts/ProxmoxVE/pull/13807))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - core: sanitize mount_fs input — strip spaces and trailing commas [@MickLesk](https://github.com/MickLesk) ([#13806](https://github.com/community-scripts/ProxmoxVE/pull/13806))
+
+  - #### 🔧 Refactor
+
+    - core: fix some pct create issues (telemetry) + cleanup [@MickLesk](https://github.com/MickLesk) ([#13810](https://github.com/community-scripts/ProxmoxVE/pull/13810))
+
 ## 2026-04-16
 
 ### 🚀 Updated Scripts
@@ -970,175 +1048,4 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
   - #### 🔧 Refactor
 
-    - Harden code-server addon install script [@MickLesk](https://github.com/MickLesk) ([#13116](https://github.com/community-scripts/ProxmoxVE/pull/13116))
-
-## 2026-03-19
-
-### 🚀 Updated Scripts
-
-  - Owncast: increase default disk size from 2GB to 10GB [@Copilot](https://github.com/Copilot) ([#13079](https://github.com/community-scripts/ProxmoxVE/pull/13079))
-
-  - #### 🐞 Bug Fixes
-
-    - fix: remove extra backslash to match single quoted here-doc [@Zelnes](https://github.com/Zelnes) ([#13108](https://github.com/community-scripts/ProxmoxVE/pull/13108))
-    - Reactive-Resume: Upgrade Node to 24 and enable Corepack [@MickLesk](https://github.com/MickLesk) ([#13093](https://github.com/community-scripts/ProxmoxVE/pull/13093))
-    - Increase Tracearr RAM; derive APP_VERSION [@MickLesk](https://github.com/MickLesk) ([#13087](https://github.com/community-scripts/ProxmoxVE/pull/13087))
-    - ProjectSend: Update application access URL [@tremor021](https://github.com/tremor021) ([#13078](https://github.com/community-scripts/ProxmoxVE/pull/13078))
-    - Dispatcharr: use npm install --no-audit --progress=false [@MickLesk](https://github.com/MickLesk) ([#13074](https://github.com/community-scripts/ProxmoxVE/pull/13074))
-    - core: reorder hwaccel setup and adjust GPU group usermod [@MickLesk](https://github.com/MickLesk) ([#13072](https://github.com/community-scripts/ProxmoxVE/pull/13072))
-
-  - #### ✨ New Features
-
-    - tools.func: display pin reason in release-check messages [@MickLesk](https://github.com/MickLesk) ([#13095](https://github.com/community-scripts/ProxmoxVE/pull/13095))
-    - NocoDB: Unpin Version to latest [@MickLesk](https://github.com/MickLesk) ([#13094](https://github.com/community-scripts/ProxmoxVE/pull/13094))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - tools.func: use dpkg-query for reliable JDK version detection [@MickLesk](https://github.com/MickLesk) ([#13101](https://github.com/community-scripts/ProxmoxVE/pull/13101))
-
-### 📚 Documentation
-
-  - Update link from helper-scripts.com to community-scripts.org [@adnanvaldes](https://github.com/adnanvaldes) ([#13098](https://github.com/community-scripts/ProxmoxVE/pull/13098))
-- github: add PocketBase bot workflow [@MickLesk](https://github.com/MickLesk) ([#13075](https://github.com/community-scripts/ProxmoxVE/pull/13075))
-
-## 2026-03-18
-
-### 🆕 New Scripts
-
-  - Alpine-Ntfy [@MickLesk](https://github.com/MickLesk) ([#13048](https://github.com/community-scripts/ProxmoxVE/pull/13048))
-- Split-Pro ([#12975](https://github.com/community-scripts/ProxmoxVE/pull/12975))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Tdarr: use curl_with_retry and correct exit code [@MickLesk](https://github.com/MickLesk) ([#13060](https://github.com/community-scripts/ProxmoxVE/pull/13060))
-    - reitti: fix: v4 [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13039](https://github.com/community-scripts/ProxmoxVE/pull/13039))
-    - Paperless-NGX: increase default RAM to 3GB [@MickLesk](https://github.com/MickLesk) ([#13018](https://github.com/community-scripts/ProxmoxVE/pull/13018))
-    - Plex: restart service after update to apply new version [@MickLesk](https://github.com/MickLesk) ([#13017](https://github.com/community-scripts/ProxmoxVE/pull/13017))
-
-  - #### ✨ New Features
-
-    - tools: centralize GPU group setup via setup_hwaccel [@MickLesk](https://github.com/MickLesk) ([#13044](https://github.com/community-scripts/ProxmoxVE/pull/13044))
-    - Termix: add guacd build and systemd integration [@MickLesk](https://github.com/MickLesk) ([#12999](https://github.com/community-scripts/ProxmoxVE/pull/12999))
-
-  - #### 🔧 Refactor
-
-    - Podman: replace deprecated commands with Quadlets [@MickLesk](https://github.com/MickLesk) ([#13052](https://github.com/community-scripts/ProxmoxVE/pull/13052))
-    - Refactor: Jellyfin repo, ffmpeg package and symlinks [@MickLesk](https://github.com/MickLesk) ([#13045](https://github.com/community-scripts/ProxmoxVE/pull/13045))
-    - pve-scripts-local: Increase default disk size from 4GB to 10GB [@MickLesk](https://github.com/MickLesk) ([#13009](https://github.com/community-scripts/ProxmoxVE/pull/13009))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - tools.func Implement pg_cron setup for setup_postgresql [@MickLesk](https://github.com/MickLesk) ([#13053](https://github.com/community-scripts/ProxmoxVE/pull/13053))
-    - tools.func: Implement check_for_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#12998](https://github.com/community-scripts/ProxmoxVE/pull/12998))
-    - tools.func: Implement fetch_and_deploy_gh_tag function [@MickLesk](https://github.com/MickLesk) ([#13000](https://github.com/community-scripts/ProxmoxVE/pull/13000))
-
-## 2026-03-17
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Gluetun: add OpenVPN process user and cleanup stale config [@MickLesk](https://github.com/MickLesk) ([#13016](https://github.com/community-scripts/ProxmoxVE/pull/13016))
-    - Frigate: check OpenVino model files exist before configuring detector and use curl_with_retry instead of default wget [@MickLesk](https://github.com/MickLesk) ([#13019](https://github.com/community-scripts/ProxmoxVE/pull/13019))
-
-### 💾 Core
-
-  - #### 🔧 Refactor
-
-    - tools.func: Update `create_self_signed_cert()` [@tremor021](https://github.com/tremor021) ([#13008](https://github.com/community-scripts/ProxmoxVE/pull/13008))
-
-## 2026-03-16
-
-### 🆕 New Scripts
-
-  - Gluetun ([#12976](https://github.com/community-scripts/ProxmoxVE/pull/12976))
-- Anytype-Server ([#12974](https://github.com/community-scripts/ProxmoxVE/pull/12974))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Immich: use gcc-13 for compilation & add uv python pre-install with retry logic [@MickLesk](https://github.com/MickLesk) ([#12935](https://github.com/community-scripts/ProxmoxVE/pull/12935))
-    - Tautulli: add setuptools<81 constraint to update script [@MickLesk](https://github.com/MickLesk) ([#12959](https://github.com/community-scripts/ProxmoxVE/pull/12959))
-    - Seerr: add missing build deps [@MickLesk](https://github.com/MickLesk) ([#12960](https://github.com/community-scripts/ProxmoxVE/pull/12960))
-    - fix: yubal update [@CrazyWolf13](https://github.com/CrazyWolf13) ([#12961](https://github.com/community-scripts/ProxmoxVE/pull/12961))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - hwaccel: remove ROCm install from AMD APU setup [@MickLesk](https://github.com/MickLesk) ([#12958](https://github.com/community-scripts/ProxmoxVE/pull/12958))
-
-## 2026-03-15
-
-### 🆕 New Scripts
-
-  - Yamtrack ([#12936](https://github.com/community-scripts/ProxmoxVE/pull/12936))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Wishlist: use --frozen-lockfile for pnpm install [@MickLesk](https://github.com/MickLesk) ([#12892](https://github.com/community-scripts/ProxmoxVE/pull/12892))
-    - SparkyFitness: use --legacy-peer-deps for npm install [@MickLesk](https://github.com/MickLesk) ([#12888](https://github.com/community-scripts/ProxmoxVE/pull/12888))
-    - Frigate: add fallback for OpenVino labelmap file [@MickLesk](https://github.com/MickLesk) ([#12889](https://github.com/community-scripts/ProxmoxVE/pull/12889))
-
-  - #### 🔧 Refactor
-
-    - Refactor: ITSM-NG [@MickLesk](https://github.com/MickLesk) ([#12918](https://github.com/community-scripts/ProxmoxVE/pull/12918))
-    - core: unify RELEASE variable for check_for_gh_release and fetch_and_deploy [@MickLesk](https://github.com/MickLesk) ([#12917](https://github.com/community-scripts/ProxmoxVE/pull/12917))
-    - Standardize NSAPP names across VM scripts [@MickLesk](https://github.com/MickLesk) ([#12924](https://github.com/community-scripts/ProxmoxVE/pull/12924))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - core: retry downloads with exponential backoff [@MickLesk](https://github.com/MickLesk) ([#12896](https://github.com/community-scripts/ProxmoxVE/pull/12896))
-
-### ❔ Uncategorized
-
-  - [go2rtc] Add ffmpeg dependency to install script [@Copilot](https://github.com/Copilot) ([#12944](https://github.com/community-scripts/ProxmoxVE/pull/12944))
-
-## 2026-03-14
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Patchmon: remove v prefix from pinned version  [@MickLesk](https://github.com/MickLesk) ([#12891](https://github.com/community-scripts/ProxmoxVE/pull/12891))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - tools.func: don't abort on AMD repo apt update failure [@MickLesk](https://github.com/MickLesk) ([#12890](https://github.com/community-scripts/ProxmoxVE/pull/12890))
-
-## 2026-03-13
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Hotfix: Removed clean install usage from original script. [@nickheyer](https://github.com/nickheyer) ([#12870](https://github.com/community-scripts/ProxmoxVE/pull/12870))
-
-  - #### 🔧 Refactor
-
-    - Discopanel: V2 Support + Script rewrite [@nickheyer](https://github.com/nickheyer) ([#12763](https://github.com/community-scripts/ProxmoxVE/pull/12763))
-
-### 🧰 Tools
-
-  - update-apps: fix restore path, add PBS support and improve restore messages [@omertahaoztop](https://github.com/omertahaoztop) ([#12528](https://github.com/community-scripts/ProxmoxVE/pull/12528))
-
-  - #### 🐞 Bug Fixes
-
-    - fix(pve-privilege-converter): handle already stopped container in manage_states [@liuqitoday](https://github.com/liuqitoday) ([#12765](https://github.com/community-scripts/ProxmoxVE/pull/12765))
-
-### 📚 Documentation
-
-  - Update: Docs/website metadata workflow [@michelroegl-brunner](https://github.com/michelroegl-brunner) ([#12858](https://github.com/community-scripts/ProxmoxVE/pull/12858))
+    - Harden code-server addon install script [@MickLesk](https://github.com/MickLesk) ([#13116](https://github.com/community-scripts/ProxmoxVE/pull/13116))

ct/actualbudget.sh

@@ -48,9 +48,9 @@ function update_script() {
       msg_ok "Updated successfully!"
     fi
   else
-    msg_info "Old Installation Found, you need to migrate your data and recreate to a new container"
-    msg_info "Please follow the instructions on the Actual Budget website to migrate your data"
-    msg_info "https://actualbudget.org/docs/backup-restore/backup"
+    msg_warn "Old Installation Found, you need to migrate your data and recreate to a new container"
+    msg_warn "Please follow the instructions on the Actual Budget website to migrate your data"
+    msg_warn "https://actualbudget.org/docs/backup-restore/backup"
     exit
   fi
   exit

ct/babybuddy.sh

@@ -48,6 +48,7 @@ function update_script() {
     mv /tmp/production.py.bak /opt/babybuddy/babybuddy/settings/production.py
     source .venv/bin/activate
     $STD uv pip install -r requirements.txt
+    export DJANGO_SETTINGS_MODULE=babybuddy.settings.production
     $STD python manage.py migrate
     msg_ok "Updated ${APP}"
 

ct/bambuddy.sh

@@ -48,7 +48,7 @@ function update_script() {
 
     msg_info "Updating Python Dependencies"
     cd /opt/bambuddy
-    $STD uv venv
+    $STD uv venv --clear
     $STD uv pip install -r requirements.txt
     msg_ok "Updated Python Dependencies"
 

ct/dagu.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://dagu.sh/
+
+APP="Dagu"
+var_tags="${var_tags:-automation;workflow;scheduler}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-4}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /opt/dagu/dagu ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "dagu" "dagucloud/dagu"; then
+    msg_info "Stopping Service"
+    systemctl stop dagu
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    cp -r /opt/dagu/data /opt/dagu_data_backup
+    msg_ok "Backed up Data"
+
+    fetch_and_deploy_gh_release "dagu" "dagucloud/dagu" "prebuild" "latest" "/opt/dagu" "dagu_*_linux_amd64.tar.gz"
+
+    msg_info "Restoring Data"
+    mkdir -p /opt/dagu/data
+    cp -r /opt/dagu_data_backup/. /opt/dagu/data
+    rm -rf /opt/dagu_data_backup
+    msg_ok "Restored Data"
+
+    msg_info "Starting Service"
+    systemctl start dagu
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/headers/dagu

@@ -0,0 +1,6 @@
+    ____                   
+   / __ \____ _____ ___  __
+  / / / / __ `/ __ `/ / / /
+ / /_/ / /_/ / /_/ / /_/ / 
+/_____/\__,_/\__, /\__,_/  
+            /____/         

ct/headers/nametag

@@ -0,0 +1,6 @@
+    _   __                     __             
+   / | / /___ _____ ___  ___  / /_____ _____ _
+  /  |/ / __ `/ __ `__ \/ _ \/ __/ __ `/ __ `/
+ / /|  / /_/ / / / / / /  __/ /_/ /_/ / /_/ / 
+/_/ |_/\__,_/_/ /_/ /_/\___/\__/\__,_/\__, /  
+                                     /____/   

ct/headers/step-ca

@@ -0,0 +1,6 @@
+         __                             
+   _____/ /____  ____        _________ _
+  / ___/ __/ _ \/ __ \______/ ___/ __ `/
+ (__  ) /_/  __/ /_/ /_____/ /__/ /_/ / 
+/____/\__/\___/ .___/      \___/\__,_/  
+             /_/                        

ct/iobroker.sh

@@ -27,6 +27,9 @@ function update_script() {
     msg_error "No ${APP} Installation Found!"
     exit
   fi
+
+  NODE_VERSION="24" setup_nodejs
+
   msg_info "Updating ${APP} LXC"
   $STD apt update
   $STD apt -y upgrade

ct/jellyfin.sh

@@ -32,10 +32,16 @@ function update_script() {
   if ! grep -qEi 'ubuntu' /etc/os-release; then
     msg_info "Updating Intel Dependencies"
     rm -f ~/.intel-* || true
-    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb"
-    fetch_and_deploy_gh_release "intel-igc-opencl-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb"
+
+    # Fetch compute-runtime first so /tmp/gh_rel.json is populated for IGC tag resolution
     fetch_and_deploy_gh_release "intel-libgdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb"
     fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb"
+
+    local igc_tag
+    _resolve_igc_tag igc_tag
+
+    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb"
+    fetch_and_deploy_gh_release "intel-igc-opencl-2" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb"
     msg_ok "Updated Intel Dependencies"
   fi
 

ct/kima-hub.sh

@@ -29,6 +29,8 @@ function update_script() {
     exit
   fi
 
+  NODE_VERSION="22" setup_nodejs
+
   if check_for_gh_release "kima-hub" "Chevron7Locked/kima-hub"; then
     msg_info "Stopping Services"
     systemctl stop kima-frontend kima-backend kima-analyzer kima-analyzer-clap

ct/litellm.sh

@@ -38,12 +38,18 @@ function update_script() {
 
   msg_info "Updating LiteLLM"
   $STD "$VENV_PATH/bin/python" -m pip install --upgrade litellm[proxy] prisma
+  $STD "$VENV_PATH/bin/prisma" generate
   msg_ok "LiteLLM updated"
 
   msg_info "Updating DB Schema"
-  $STD uv --directory=/opt/litellm run litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
+  $STD /opt/litellm/.venv/bin/litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
   msg_ok "DB Schema Updated"
 
+  msg_info "Updating Service"
+  sed -i 's|ExecStart=uv --directory=/opt/litellm run litellm|ExecStart=/opt/litellm/.venv/bin/litellm|' /etc/systemd/system/litellm.service
+  systemctl daemon-reload
+  msg_ok "Updated Service"
+
   msg_info "Starting Service"
   systemctl start litellm
   msg_ok "Started Service"

ct/myip.sh

@@ -28,6 +28,8 @@ function update_script() {
     exit
   fi
 
+  NODE_VERSION="24" setup_nodejs
+
   if check_for_gh_release "myip" "jason5ng32/MyIP"; then
     msg_info "Stopping Services"
     systemctl stop myip

ct/nametag.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/mattogodoy/nametag
+
+APP="Nametag"
+var_tags="${var_tags:-contacts;crm}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/nametag ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "nametag" "mattogodoy/nametag"; then
+    msg_info "Stopping Service"
+    systemctl stop nametag
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    cp /opt/nametag/.env /opt/nametag.env.bak
+    cp -r /opt/nametag/data /opt/nametag_data_bak
+    msg_ok "Backed up Data"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "nametag" "mattogodoy/nametag" "tarball" "latest" "/opt/nametag"
+
+    msg_info "Rebuilding Application"
+    cd /opt/nametag
+    $STD npm ci
+    set -a
+    source /opt/nametag/.env
+    set +a
+    $STD npx prisma generate
+    $STD npm run build
+    cp -r /opt/nametag/.next/static /opt/nametag/.next/standalone/.next/static
+    cp -r /opt/nametag/public /opt/nametag/.next/standalone/public
+    msg_ok "Rebuilt Application"
+
+    msg_info "Restoring Data"
+    cp /opt/nametag.env.bak /opt/nametag/.env
+    cp -r /opt/nametag_data_bak/. /opt/nametag/data/
+    rm -f /opt/nametag.env.bak
+    rm -rf /opt/nametag_data_bak
+    msg_ok "Restored Data"
+
+    msg_info "Running Migrations"
+    cd /opt/nametag
+    $STD npx prisma migrate deploy
+    msg_ok "Ran Migrations"
+
+    msg_info "Starting Service"
+    systemctl start nametag
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"

ct/outline.sh

@@ -28,7 +28,7 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="22" setup_nodejs
+  NODE_VERSION="24" setup_nodejs
 
   if check_for_gh_release "outline" "outline/outline"; then
     msg_info "Stopping Services"

ct/pangolin.sh

@@ -69,7 +69,33 @@ function update_script() {
 
     msg_info "Running database migrations"
     cd /opt/pangolin
-    ENVIRONMENT=prod $STD npx drizzle-kit push --config drizzle.sqlite.config.ts
+
+    # Pre-apply potentially destructive schema changes safely so drizzle-kit
+    # does not recreate tables (which would delete all rows).
+    local DB="/opt/pangolin/config/db/db.sqlite"
+    if [[ -f "$DB" ]]; then
+      sqlite3 "$DB" "ALTER TABLE 'orgs' ADD COLUMN 'settingsLogRetentionDaysConnection' integer DEFAULT 0 NOT NULL;" 2>/dev/null || true
+      sqlite3 "$DB" "ALTER TABLE 'clientSitesAssociationsCache' ADD COLUMN 'isJitMode' integer DEFAULT 0 NOT NULL;" 2>/dev/null || true
+
+      # Create new role-mapping tables and migrate data before drizzle-kit
+      # drops the roleId columns from userOrgs and userInvites.
+      sqlite3 "$DB" "CREATE TABLE IF NOT EXISTS 'userOrgRoles' (
+        'userId' text NOT NULL REFERENCES 'user'('id') ON DELETE CASCADE,
+        'orgId' text NOT NULL REFERENCES 'orgs'('orgId') ON DELETE CASCADE,
+        'roleId' integer NOT NULL REFERENCES 'roles'('roleId') ON DELETE CASCADE,
+        UNIQUE('userId', 'orgId', 'roleId')
+      );" 2>/dev/null || true
+      sqlite3 "$DB" "INSERT OR IGNORE INTO 'userOrgRoles' (userId, orgId, roleId) SELECT userId, orgId, roleId FROM 'userOrgs' WHERE roleId IS NOT NULL;" 2>/dev/null || true
+
+      sqlite3 "$DB" "CREATE TABLE IF NOT EXISTS 'userInviteRoles' (
+        'inviteId' text NOT NULL REFERENCES 'userInvites'('inviteId') ON DELETE CASCADE,
+        'roleId' integer NOT NULL REFERENCES 'roles'('roleId') ON DELETE CASCADE,
+        PRIMARY KEY('inviteId', 'roleId')
+      );" 2>/dev/null || true
+      sqlite3 "$DB" "INSERT OR IGNORE INTO 'userInviteRoles' (inviteId, roleId) SELECT inviteId, roleId FROM 'userInvites' WHERE roleId IS NOT NULL;" 2>/dev/null || true
+    fi
+
+    ENVIRONMENT=prod $STD npx drizzle-kit push --force --config drizzle.sqlite.config.ts
     msg_ok "Ran database migrations"
 
     msg_info "Updating Badger plugin version"

ct/shelfmark.sh

@@ -29,7 +29,7 @@ function update_script() {
     exit
   fi
 
-  NODE_VERSION="22" setup_nodejs
+  NODE_VERSION="24" setup_nodejs
   PYTHON_VERSION="3.12" setup_uv
 
   if check_for_gh_release "shelfmark" "calibrain/shelfmark"; then

ct/slskd.sh

@@ -43,6 +43,10 @@ function update_script() {
 
     msg_info "Restoring config"
     mv /opt/slskd.yml.bak /opt/slskd/config/slskd.yml
+
+    # Migrate 0.25.0 breaking config key renames
+    sed -i 's/^global:/transfers:/' /opt/slskd/config/slskd.yml
+    sed -i 's/^integration:/integrations:/' /opt/slskd/config/slskd.yml
     msg_ok "Restored config"
 
     msg_info "Starting Service(s)"

ct/step-ca.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/smallstep/certificates
+
+APP="step-ca"
+var_tags="${var_tags:-certificate-authority;pki;acme-server}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+  if [[ ! -f /etc/apt/sources.list.d/smallstep.sources ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+  msg_info "Updating step-ca and step-cli"
+  $STD apt update
+  $STD apt upgrade -y step-ca step-cli
+  $STD systemctl restart step-ca
+  msg_ok "Updated step-ca and step-cli"
+
+  if check_for_gh_release "step-badger" "lukasz-lobocki/step-badger"; then
+    fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
+    msg_ok "Updated step-badger"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}/provisioners${CL}"

ct/umami.sh

@@ -33,7 +33,9 @@ function update_script() {
     systemctl stop umami
     msg_ok "Stopped Service"
 
-    fetch_and_deploy_gh_release "umami" "umami-software/umami" "tarball"
+    mv /opt/umami/.env /opt/.env.bak
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "umami" "umami-software/umami" "tarball"
+    mv /opt/.env.bak /opt/umami/.env
 
     msg_info "Updating Umami"
     cd /opt/umami

ct/yamtrack.sh

@@ -61,7 +61,10 @@ function update_script() {
     msg_info "Updating Nginx Configuration"
     cp /opt/yamtrack/nginx.conf /etc/nginx/nginx.conf
     sed -i 's|user abc;|user www-data;|' /etc/nginx/nginx.conf
+    sed -i 's|pid /tmp/nginx.pid;|pid /run/nginx.pid;|' /etc/nginx/nginx.conf
     sed -i 's|/yamtrack/staticfiles/|/opt/yamtrack/src/staticfiles/|' /etc/nginx/nginx.conf
+    sed -i 's|error_log /dev/stderr|error_log /var/log/nginx/error.log|' /etc/nginx/nginx.conf
+    sed -i 's|access_log /dev/stdout|access_log /var/log/nginx/access.log|' /etc/nginx/nginx.conf
     $STD systemctl reload nginx
     msg_ok "Updated Nginx Configuration"
 

install/dagu-install.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://dagu.sh/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+fetch_and_deploy_gh_release "dagu" "dagucloud/dagu" "prebuild" "latest" "/opt/dagu" "dagu_*_linux_amd64.tar.gz"
+
+msg_info "Setting up Dagu"
+mkdir -p /opt/dagu/data
+msg_ok "Set up Dagu"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/dagu.service
+[Unit]
+Description=Dagu Workflow Engine
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/dagu
+Environment=DAGU_HOME=/opt/dagu/data
+Environment=DAGU_HOST=0.0.0.0
+Environment=DAGU_PORT=8080
+ExecStart=/opt/dagu/dagu start-all
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now dagu
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/iobroker-install.sh

@@ -28,7 +28,7 @@ if [[ ! "$CONFIRM" =~ ^([yY][eE][sS]|[yY])$ ]]; then
   exit 10
 fi
 
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 
 msg_info "Installing ioBroker (Patience)"
 $STD bash <(curl -fsSL https://iobroker.net/install.sh)

install/kima-hub-install.sh

@@ -28,7 +28,7 @@ msg_ok "Installed Dependencies"
 
 PG_VERSION="16" PG_MODULES="pgvector" setup_postgresql
 PG_DB_NAME="kima" PG_DB_USER="kima" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
-NODE_VERSION="20" setup_nodejs
+NODE_VERSION="22" setup_nodejs
 
 msg_info "Configuring Redis"
 systemctl enable -q --now redis-server

install/litellm-install.sh

@@ -30,6 +30,7 @@ $STD uv venv --clear /opt/litellm/.venv
 $STD /opt/litellm/.venv/bin/python -m ensurepip --upgrade
 $STD /opt/litellm/.venv/bin/python -m pip install --upgrade pip
 $STD /opt/litellm/.venv/bin/python -m pip install litellm[proxy] prisma
+$STD /opt/litellm/.venv/bin/prisma generate
 msg_ok "Installed LiteLLM"
 
 msg_info "Configuring LiteLLM"
@@ -40,7 +41,7 @@ general_settings:
   database_url: postgresql://$PG_DB_USER:$PG_DB_PASS@127.0.0.1:5432/$PG_DB_NAME
   store_model_in_db: true
 EOF
-uv --directory=/opt/litellm run litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
+$STD /opt/litellm/.venv/bin/litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
 msg_ok "Configured LiteLLM"
 
 msg_info "Creating Service"
@@ -50,7 +51,7 @@ Description=LiteLLM
 
 [Service]
 Type=simple
-ExecStart=uv --directory=/opt/litellm run litellm --config /opt/litellm/litellm.yaml
+ExecStart=/opt/litellm/.venv/bin/litellm --config /opt/litellm/litellm.yaml
 Restart=always
 
 [Install]

install/myip-install.sh

@@ -13,7 +13,7 @@ setting_up_container
 network_check
 update_os
 
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 fetch_and_deploy_gh_release "myip" "jason5ng32/MyIP" "tarball"
 
 msg_info "Configuring MyIP"

install/nametag-install.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/mattogodoy/nametag
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+PG_VERSION="16" setup_postgresql
+PG_DB_NAME="nametag_db" PG_DB_USER="nametag" setup_postgresql_db
+NODE_VERSION="20" setup_nodejs
+fetch_and_deploy_gh_release "nametag" "mattogodoy/nametag" "tarball" "latest" "/opt/nametag"
+
+msg_info "Setting up Application"
+cd /opt/nametag
+$STD npm ci
+DATABASE_URL="postgresql://${PG_DB_USER}:${PG_DB_PASS}@127.0.0.1:5432/${PG_DB_NAME}" $STD npx prisma generate
+DATABASE_URL="postgresql://${PG_DB_USER}:${PG_DB_PASS}@127.0.0.1:5432/${PG_DB_NAME}" $STD npx prisma migrate deploy
+msg_ok "Set up Application"
+
+msg_info "Configuring Nametag"
+NEXTAUTH_SECRET=$(openssl rand -base64 32)
+CRON_SECRET=$(openssl rand -base64 16)
+mkdir -p /opt/nametag/data/photos
+cat <<EOF >/opt/nametag/.env
+DATABASE_URL=postgresql://${PG_DB_USER}:${PG_DB_PASS}@127.0.0.1:5432/${PG_DB_NAME}
+NEXTAUTH_URL=http://${LOCAL_IP}:3000
+NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
+CRON_SECRET=${CRON_SECRET}
+PHOTO_STORAGE_PATH=/opt/nametag/data/photos
+NODE_ENV=production
+EOF
+msg_ok "Configured Nametag"
+
+msg_info "Building Application"
+cd /opt/nametag
+set -a
+source /opt/nametag/.env
+set +a
+$STD npm run build
+cp -r /opt/nametag/.next/static /opt/nametag/.next/standalone/.next/static
+cp -r /opt/nametag/public /opt/nametag/.next/standalone/public
+msg_ok "Built Application"
+
+msg_info "Running Production Seed"
+cd /opt/nametag
+$STD npx esbuild prisma/seed.production.ts --platform=node --format=cjs --outfile=prisma/seed.production.js --bundle --external:@prisma/client --external:pg --minify
+$STD node prisma/seed.production.js
+msg_ok "Ran Production Seed"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/nametag.service
+[Unit]
+Description=Nametag - Personal Relationships Manager
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/nametag
+EnvironmentFile=/opt/nametag/.env
+ExecStart=/usr/bin/node /opt/nametag/.next/standalone/server.js
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now nametag
+msg_ok "Created Service"
+
+msg_info "Setting up Cron Jobs"
+cat <<EOF >/etc/cron.d/nametag
+0 8 * * * root curl -sf -H "Authorization: Bearer ${CRON_SECRET}" http://127.0.0.1:3000/api/cron/send-reminders >/dev/null 2>&1
+0 3 * * * root curl -sf -H "Authorization: Bearer ${CRON_SECRET}" http://127.0.0.1:3000/api/cron/purge-deleted >/dev/null 2>&1
+EOF
+chmod 644 /etc/cron.d/nametag
+msg_ok "Set up Cron Jobs"
+
+motd_ssh
+customize
+cleanup_lxc

install/outline-install.sh

@@ -20,7 +20,7 @@ $STD apt install -y \
   redis
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 PG_VERSION="16" setup_postgresql
 PG_DB_NAME="outline" PG_DB_USER="outline" setup_postgresql_db
 

install/shelfmark-install.sh

@@ -115,7 +115,7 @@ else
   msg_ok "Installed internal bypasser dependencies"
 fi
 
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="24" setup_nodejs
 PYTHON_VERSION="3.12" setup_uv
 
 fetch_and_deploy_gh_release "shelfmark" "calibrain/shelfmark" "tarball" "latest" "/opt/shelfmark"

install/step-ca-install.sh

@@ -0,0 +1,400 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/smallstep/certificates
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+setup_deb822_repo \
+  "smallstep" \
+  "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \
+  "https://packages.smallstep.com/stable/debian" \
+  "debs" \
+  "main"
+
+msg_info "Installing step-ca and step-cli"
+$STD apt install -y step-ca step-cli
+
+STEPHOME="/root/.step"
+export STEPPATH=/etc/step-ca
+export STEPHOME=$STEPHOME
+
+sed  -i '1i export STEPPATH=/etc/step-ca' /etc/profile
+sed  -i '1i export STEPHOME=/root/.step' /etc/profile
+
+setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
+
+$STD useradd --user-group --system --home $(step path) --shell /bin/false step
+msg_ok "Installed step-ca and step-cli"
+
+DomainName="$(hostname -d)"
+
+PKIName="$(prompt_input "Enter PKIName" "MyHomePKI" 30)"
+PKIProvisioner="$(prompt_input "Enter PKIProvisioner" "pki@$DomainName" 30)"
+AcmeProvisioner="$(prompt_input "Enter AcmeProvisioner" "acme@$DomainName" 30)"
+X509MinDur="$(prompt_input "Enter X509MinDur" "48h" 30)"
+X509MaxDur="$(prompt_input "Enter X509MaxDur" "87600h" 30)"
+X509DefaultDur="$(prompt_input "Enter X509DefaultDur" "168h" 30)"
+
+msg_info "Initializing step-ca"
+DeploymentType="standalone"
+FQDN="$(hostname -f)"
+IP="${LOCAL_IP}"
+LISTENER=":443"
+
+EncryptionPwdDir="$(step path)/encryption"
+PwdFile="$EncryptionPwdDir/ca.pwd"
+ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
+mkdir -p "$EncryptionPwdDir"
+gpg -q --gen-random --armor 2 32 >"$PwdFile"
+gpg -q --gen-random --armor 2 32 >"$ProvisionerPwdFile"
+
+$STD step ca init --deployment-type="$DeploymentType" --ssh --name="$PKIName" --dns="$FQDN" --dns="$IP" --address="$LISTENER" --provisioner="$PKIProvisioner" --password-file="$PwdFile" --provisioner-password-file="$ProvisionerPwdFile"
+
+ln -s "$PwdFile" "$(step path)/password.txt"
+chown -R step:step $(step path)
+chmod -R 700 $(step path)
+$STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner"
+$STD step ca provisioner update "$PKIProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
+$STD step ca provisioner update "$AcmeProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
+$STD step certificate install --all $(step path)/certs/root_ca.crt
+$STD update-ca-certificates
+msg_ok "Initialized step-ca"
+
+msg_info "Start step-ca as a Daemon"
+cat <<'EOF' >/etc/systemd/system/step-ca.service
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitAction=reboot
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+PrivateMounts=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/etc/step-ca/db
+
+; Read only paths
+ReadOnlyPaths=/etc/step-ca
+
+[Install]
+WantedBy=multi-user.target
+EOF
+$STD systemctl enable -q --now step-ca
+msg_ok "Started step-ca as a Daemon"
+
+fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
+ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger
+
+msg_info "Install step-ca Admin script"
+mkdir -p "$STEPHOME"
+cat <<'ADDON_EOF' >"$STEPHOME/step-ca-admin.sh"
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+
+function header_info() {
+  clear
+  cat <<"EOF"
+         __                                 ___       __          _     
+   _____/ /____  ____        _________ _   /   | ____/ /___ ___  (_)___ 
+  / ___/ __/ _ \/ __ \______/ ___/ __ `/  / /| |/ __  / __ `__ \/ / __ \
+ (__  ) /_/  __/ /_/ /_____/ /__/ /_/ /  / ___ / /_/ / / / / / / / / / /
+/____/\__/\___/ .___/      \___/\__,_/  /_/  |_\__,_/_/ /_/ /_/_/_/ /_/ 
+             /_/                                                            
+
+EOF
+}
+
+function die() {
+  echo -e "\n${BL}[ERROR]${GN} ${RD}${1}${CL}\n"
+  exit
+}
+
+function success() {
+  echo -e "${BL}[SUCCESS]${GN} ${1}${CL}\n"
+  exit
+}
+
+function whiptail_menu() {
+  MENU_ARRAY=()
+  MSG_MAX_LENGTH=0
+  while read -r TAG ITEM; do
+    OFFSET=2
+    ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=${#ITEM}+OFFSET
+    MENU_ARRAY+=("$TAG" "$ITEM " "OFF")
+  done < <(echo "$1")
+}
+
+function x509_list() {
+  CERT_LIST=""
+  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+  if [[ $(step-badger x509Certs "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
+    CERT_LIST=$(step-badger x509Certs ${STEPHOME}/db-copy 2>/dev/null)
+  fi
+}
+
+function ssh_list() {
+  CERT_LIST=""
+  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+  if [[ $(step-badger sshCerts "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
+    CERT_LIST=$(step-badgersshCerts ${STEPHOME}/db-copy 2>/dev/null)
+  fi
+}
+
+function x509_serial_to_cn() {
+  x509_list
+  CN="$(echo "${CERT_LIST}" | grep "${SERIAL_NUMBER}" | awk '{print $2}' | sed 's/CN=//g')"
+  CRT="$STEPHOME/certs/x509/$CN.crt"
+  KEY="$STEPHOME/certs/x509/$CN.key"
+  if ! [[ -f ${CRT} ]]; then
+    die "Certificate ${CRT} not found!"
+  elif ! [[ -f ${KEY} ]]; then
+    die "Private Key ${KEY} not found!"
+  fi
+}
+
+function x509_revoke() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Revoke x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
+    echo
+    TOKEN=$(step ca token --provisioner="$PROVISIONER" --provisioner-password-file="$PROVISIONER_PASSWORD" --revoke "${SERIAL_NUMBER}")
+    step ca revoke --token "$TOKEN" "${SERIAL_NUMBER}" || die "Failed to revoke certificate!"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_renew() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Renew x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
+    echo
+    x509_serial_to_cn
+    step ca renew "${CRT}" "${KEY}" --force || die "Failed to renew certificate!"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_inspect() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Inspect x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}\n"
+    x509_serial_to_cn
+    step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
+    if ! [[ $(step certificate inspect "${CRT}" | grep "${SERIAL_NUMBER}") ]]; then
+      die "Serial Number ${SERIAL_NUMBER} mismatch!"
+    fi
+    echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
+    cat "${CRT}"
+    echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
+    cat "${KEY}"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_request() {
+  FQDN=""
+  SAN=""
+
+  while true; do
+    FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nFQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3)
+    IP=$(dig +short "$FQDN")
+    if [[ -z "$IP" ]]; then
+      die "Resolution failed for $FQDN!"
+    fi
+    HOST=$(echo "$FQDN" | awk -F'.' '{print $1}')
+    IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nIP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3)
+    HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nHostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3)
+    SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nSubject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3)
+    VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nValidity (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3)
+
+    # shellcheck disable=SC2034
+    if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n
+      FQDN: $FQDN
+      Hostname: $HOST
+      IP Address: $IP
+      Subject Alternative Name(s) (SAN): $SAN
+      Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
+      break
+    fi
+  done
+
+  echo -e "${BL}[Info]${GN} Request x509 Certificate with subject ${BL}${FQDN}${GN}:${CL}"
+  echo
+  CRT="$STEPHOME/certs/x509/$FQDN.crt"
+  KEY="$STEPHOME/certs/x509/$FQDN.key"
+
+  SAN="$FQDN, $HOST, $IP, $SAN"
+
+  IFS=', ' read -r -a array <<< "$SAN"
+  for element in "${array[@]}"
+  do
+    SAN_ARRAY+=(--san "$element")
+  done
+
+  step ca certificate "$FQDN" "$CRT" "$KEY" \
+    --provisioner="$PROVISIONER" \
+    --provisioner-password-file="$PROVISIONER_PASSWORD" \
+    --not-after="$VALID_TO" \
+    "${SAN_ARRAY[@]}" \
+  || die "Failed to request certificate!"
+
+  echo -e "\n${BL}[Info]${GN} Inspect Certificate:${CL}\n"
+  step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
+  echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
+  cat "${CRT}"
+  echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
+  cat "${KEY}"
+  echo
+  success "Finished."
+}
+
+set -eEuo pipefail
+# shellcheck disable=SC2034
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+YW=$(echo "\033[33m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+BL=$(echo "\033[36m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+RD=$(echo "\033[01;31m")
+# shellcheck disable=SC2034
+CM='\xE2\x9C\x94\033'
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+GN=$(echo "\033[1;92m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+CL=$(echo "\033[m")
+
+# Telemetry
+# shellcheck disable=SC1090
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
+declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "step-ca-admin" "step-ca"
+
+header_info
+
+mkdir --parents "$STEPHOME/db-copy/"
+mkdir --parents "$STEPHOME/certs/ca/_archive/"
+mkdir --parents "$STEPHOME/certs/ssh/_archive/"
+mkdir --parents "$STEPHOME/certs/x509/_archive/"
+
+PROVISIONER=$(jq '.authority.provisioners.[] | select(.type=="JWK") | .name' "$(step path)"/config/ca.json)
+PROVISIONER="${PROVISIONER#\"}"
+PROVISIONER="${PROVISIONER%\"}"
+PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd
+
+whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --yesno "This will maintain step-ca issued x509 and ssh Certificates. Proceed?" 10 58
+
+MENU_ARRAY=("x509" "Maintain x509 Certificates." "ON")
+MENU_ARRAY+=("ssh" "Maintain ssh Certificates." "OFF")
+CERT_TYPE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Certificate Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+
+[[ -z ${CERT_TYPE} ]] && die "No Certificate Type selected!"
+
+case ${CERT_TYPE} in
+("x509")
+  x509_list
+  CERT_LIST=$(echo "$CERT_LIST" | awk 'NR>1 {print $1 " " $2 "|" $3 "|" $4 "|" $5}')
+  if [[ $CERT_LIST ]]; then
+    whiptail_menu "$CERT_LIST"
+  else
+    MENU_ARRAY=()
+    MSG_MAX_LENGTH=2
+  fi
+  MENU_ARRAY+=("" "Create a new Certificate" "OFF")
+  CERT_SERIAL_NUMBERS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificates on $(hostname)" --checklist "\nSelect Certificate(s) to maintain:\n" 16 $((MSG_MAX_LENGTH + 55)) 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+
+  [[ -z ${CERT_SERIAL_NUMBERS} ]] && x509_request
+  
+  MENU_ARRAY=("Renew" "Renew x509 Certificates." "ON")
+  MENU_ARRAY+=("Revoke" "Revoke x509 Certificates." "OFF")
+  MENU_ARRAY+=("Inspect" "Inspect x509 Certificates." "OFF")
+  CERT_MAINTENANCE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Maintenance Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+
+  case ${CERT_MAINTENANCE} in
+  ("Renew")
+    x509_renew "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  ("Revoke")
+    x509_revoke "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  ("Inspect")
+    x509_inspect "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  *)
+    die "Unsupported CERT_MAINTENANCE Option!"
+    ;;
+  esac
+  ;;
+("ssh")
+  die "Maintain ssh Certificates - To be implemented in future"
+  ;;
+*)
+  die "Unsupported CERT_TYPE Option!"
+  ;;
+esac
+ADDON_EOF
+chmod 700 "$STEPHOME/step-ca-admin.sh"
+msg_ok "Installed step-ca Admin script"
+
+motd_ssh
+customize
+cleanup_lxc

install/wanderer-install.sh

@@ -60,6 +60,16 @@ wait -n
 EOF
 chmod +x /opt/wanderer/start.sh
 
+cat <<'EOF' >/usr/local/bin/wanderer-pb
+#!/usr/bin/env bash
+set -a
+source /opt/wanderer/.env
+set +a
+cd /opt/wanderer/source/db
+exec ./pocketbase "$@" --dir="$PB_DB_LOCATION"
+EOF
+chmod +x /usr/local/bin/wanderer-pb
+
 cat <<EOF >/etc/systemd/system/wanderer-web.service
 [Unit]
 Description=wanderer

misc/api.func

@@ -344,21 +344,36 @@ explain_exit_code() {
 # - Escapes a string for safe JSON embedding
 # - Strips ANSI escape sequences and non-printable control characters
 # - Handles backslashes, quotes, newlines, tabs, and carriage returns
+# - Uses jq when available (guaranteed correct), falls back to awk
 # ------------------------------------------------------------------------------
 json_escape() {
-  # Escape a string for safe JSON embedding using awk (handles any input size).
-  # Pipeline: strip ANSI → remove control chars → escape \ " TAB → join lines with \n
-  printf '%s' "$1" |
+  local input
+  # Pipeline: strip ANSI → remove control chars → escape for JSON
+  input=$(printf '%s' "$1" |
     sed 's/\x1b\[[0-9;]*[a-zA-Z]//g' |
-    tr -d '\000-\010\013\014\016-\037\177\r' |
+    tr -d '\000-\010\013\014\016-\037\177\r')
+
+  # Prefer jq: guaranteed correct JSON string encoding (handles all edge cases)
+  if command -v jq &>/dev/null; then
+    # jq -Rs reads raw stdin as string, outputs JSON-encoded string with quotes.
+    # We strip the surrounding quotes since the heredoc adds them.
+    printf '%s' "$input" | jq -Rs '.' | sed 's/^"//;s/"$//'
+    return
+  fi
+
+  # Fallback: character-by-character processing with awk (avoids gsub replacement pitfalls)
+  printf '%s' "$input" |
     awk '
-        BEGIN { ORS = "" }
+        BEGIN { ORS="" }
         {
-          gsub(/\\/, "\\\\")   # backslash → \\
-          gsub(/"/, "\\\"")    # double quote → \"
-          gsub(/\t/, "\\t")   # tab → \t
-          if (NR > 1) printf "\\n"
-          printf "%s", $0
+          if (NR > 1) printf "%s", "\\n"
+          for (i = 1; i <= length($0); i++) {
+            c = substr($0, i, 1)
+            if (c == "\\") printf "%s", "\\\\"
+            else if (c == "\"") printf "%s", "\\\""
+            else if (c == "\t") printf "%s", "\\t"
+            else printf "%s", c
+          }
         }'
 }
 

misc/build.func

@@ -979,7 +979,6 @@ base_settings() {
   fi
 
   IPV6_METHOD=${var_ipv6_method:-"none"}
-  IPV6_STATIC=${var_ipv6_static:-""}
   GATE=${var_gateway:-""}
   APT_CACHER=${var_apt_cacher:-""}
   APT_CACHER_IP=${var_apt_cacher_ip:-""}
@@ -1015,8 +1014,12 @@ base_settings() {
   VLAN=${var_vlan:-""}
   SSH=${var_ssh:-"no"}
   SSH_AUTHORIZED_KEY=${var_ssh_authorized_key:-""}
-  UDHCPC_FIX=${var_udhcpc_fix:-""}
-  TAGS="community-script,${var_tags:-}"
+  # Build TAGS: ensure community-script prefix, use semicolons (pct format), no duplicates
+  if [[ "${var_tags:-}" == *community-script* ]]; then
+    TAGS="${var_tags:-community-script}"
+  else
+    TAGS="community-script${var_tags:+;${var_tags}}"
+  fi
   ENABLE_FUSE=${var_fuse:-"${1:-no}"}
   ENABLE_TUN=${var_tun:-"${1:-no}"}
 
@@ -1211,7 +1214,11 @@ load_vars_file() {
           fi
           ;;
         var_mount_fs)
-          if [[ ! "$var_val" =~ ^[a-zA-Z0-9,]+$ ]]; then
+          # Normalize: strip spaces, trailing commas
+          var_val="${var_val// /}"
+          var_val="${var_val%%,}"
+          var_val="${var_val##,}"
+          if [[ -n "$var_val" ]] && [[ ! "$var_val" =~ ^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$ ]]; then
             msg_warn "Invalid mount_fs value '$var_val' in $file (comma-separated fs names only, e.g. nfs,cifs), ignoring"
             continue
           fi
@@ -1794,7 +1801,12 @@ advanced_settings() {
   trap 'tput rmcup 2>/dev/null || true' RETURN
 
   # Initialize defaults
-  TAGS="community-script;${var_tags:-}"
+  # Build TAGS: ensure community-script prefix, use semicolons (pct format), no duplicates
+  if [[ "${var_tags:-}" == *community-script* ]]; then
+    TAGS="${var_tags:-community-script}"
+  else
+    TAGS="community-script${var_tags:+;${var_tags}}"
+  fi
   local STEP=1
   local MAX_STEP=28
 
@@ -2531,6 +2543,13 @@ advanced_settings() {
     # STEP 22: Keyctl Support (Docker/systemd)
     # ═══════════════════════════════════════════════════════════════════════════
     22)
+      # Keyctl is always required for unprivileged containers — skip dialog
+      if [[ "$_ct_type" == "1" ]]; then
+        _enable_keyctl="1"
+        ((STEP++))
+        continue
+      fi
+
       local keyctl_default_flag="--defaultno"
       [[ "$_enable_keyctl" == "1" ]] && keyctl_default_flag=""
 
@@ -2538,7 +2557,7 @@ advanced_settings() {
         --title "KEYCTL SUPPORT" \
         --ok-button "Next" --cancel-button "Back" \
         $keyctl_default_flag \
-        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\nNote: Automatically enabled for unprivileged containers.\n\n(App default: ${var_keyctl:-0})" 16 62; then
+        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\n(App default: ${var_keyctl:-0})" 14 62; then
         _enable_keyctl="1"
       else
         if [ $? -eq 1 ]; then
@@ -2668,6 +2687,10 @@ advanced_settings() {
         --ok-button "Next" --cancel-button "Back" \
         --inputbox "\nAllow specific filesystem mounts.\n\nComma-separated list: nfs, cifs, fuse, ext4, etc.\nLeave empty for defaults (none).\n\nCurrent: $mount_hint" 14 62 "$_mount_fs" \
         3>&1 1>&2 2>&3); then
+        # Normalize: strip spaces and trailing/leading commas
+        result="${result// /}"
+        result="${result%%,}"
+        result="${result##,}"
         _mount_fs="$result"
         ((STEP++))
       else
@@ -2794,13 +2817,6 @@ Advanced:
   [[ -n "$_mac" ]] && MAC=",hwaddr=$_mac" || MAC=""
   [[ -n "$_vlan" ]] && VLAN=",tag=$_vlan" || VLAN=""
 
-  # Alpine UDHCPC fix
-  if [ "$var_os" == "alpine" ] && [ "$NET" == "dhcp" ] && [ -n "$_ns" ]; then
-    UDHCPC_FIX="yes"
-  else
-    UDHCPC_FIX="no"
-  fi
-  export UDHCPC_FIX
   export SSH_KEYS_FILE
 
   # Exit alternate screen buffer before showing summary (so output remains visible)
@@ -3638,8 +3654,16 @@ build_container() {
 
   # Mount filesystem types (user configurable via advanced settings)
   if [ -n "${ALLOW_MOUNT_FS:-}" ]; then
-    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
-    FEATURES="${FEATURES}mount=${ALLOW_MOUNT_FS//,/;}"
+    # Sanitize: strip spaces, trailing/leading commas, then convert commas to semicolons
+    local _mount_clean="${ALLOW_MOUNT_FS// /}"
+    _mount_clean="${_mount_clean%%,}"
+    _mount_clean="${_mount_clean##,}"
+    _mount_clean="${_mount_clean%%;}"  
+    _mount_clean="${_mount_clean//,/;}"
+    if [ -n "$_mount_clean" ]; then
+      [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+      FEATURES="${FEATURES}mount=${_mount_clean}"
+    fi
   fi
 
   # Build PCT_OPTIONS as string for export
@@ -5781,6 +5805,9 @@ create_lxc_container() {
   msg_debug "Logfile: $LOGFILE"
 
   # First attempt (PCT_OPTIONS is a multi-line string, use it directly)
+  # Disable globbing: unquoted $PCT_OPTIONS needs word-splitting but must not glob-expand
+  # (e.g. passwords containing * or ? would match filenames otherwise)
+  set -f
   if ! pct create "$CTID" "${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE}" $PCT_OPTIONS >"$LOGFILE" 2>&1; then
     msg_debug "Container creation failed on ${TEMPLATE_STORAGE}. Checking error..."
 
@@ -5888,6 +5915,7 @@ create_lxc_container() {
       fi
     fi # close CTID collision else-branch
   fi
+  set +f  # re-enable globbing after pct create block
 
   # Verify container exists (allow up to 10s for pmxcfs sync in clusters)
   local _pct_visible=false

misc/tools.func

@@ -1139,39 +1139,42 @@ validate_github_token() {
     -H "Authorization: Bearer $token" \
     -H "Accept: application/vnd.github+json" \
     -H "X-GitHub-Api-Version: 2022-11-28" \
-    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
+    "https://api.github.com/user" 2>/dev/null) || {
+    rm -f "$headers"
+    return 3
+  }
   http_code="$response"
 
   # Read expiry header (fine-grained PATs carry this)
-  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
+  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" |
+    sed 's/.*: *//' | tr -d '\r\n' || true)
   # Read token scopes (classic PATs)
-  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
+  scopes=$(grep -i '^x-oauth-scopes:' "$headers" |
+    sed 's/.*: *//' | tr -d '\r\n' || true)
   rm -f "$headers"
 
   case "$http_code" in
-    200)
-      if [[ -n "$expiry_date" ]]; then
-        msg_ok "GitHub token is valid (expires: $expiry_date)."
-      else
-        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
-      fi
-      # Warn if classic PAT has no public_repo scope
-      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
-        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
-        return 2
-      fi
-      return 0
-      ;;
-    401)
-      msg_error "GitHub token is invalid or expired (HTTP 401)."
-      return 1
-      ;;
-    *)
-      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
-      return 0
-      ;;
+  200)
+    if [[ -n "$expiry_date" ]]; then
+      msg_ok "GitHub token is valid (expires: $expiry_date)."
+    else
+      msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
+    fi
+    # Warn if classic PAT has no public_repo scope
+    if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
+      msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
+      return 2
+    fi
+    return 0
+    ;;
+  401)
+    msg_error "GitHub token is invalid or expired (HTTP 401)."
+    return 1
+    ;;
+  *)
+    msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
+    return 0
+    ;;
   esac
 }
 
@@ -4604,6 +4607,23 @@ function setup_hwaccel() {
   msg_ok "Setup Hardware Acceleration"
 }
 
+# ══════════════════════════════════════════════════════════════════════════════
+# Resolve the IGC tag that the latest compute-runtime was built against.
+# Must be called AFTER a fetch_and_deploy_gh_release for intel/compute-runtime
+# so that /tmp/gh_rel.json contains the compute-runtime release metadata.
+# Sets the variable named by $1 (default: igc_tag) to the discovered tag.
+# ══════════════════════════════════════════════════════════════════════════════
+_resolve_igc_tag() {
+  local -n _out_ref="${1:-igc_tag}"
+  _out_ref="latest"
+  if [[ -f /tmp/gh_rel.json ]]; then
+    local _body _parsed
+    _body=$(jq -r '.body // empty' /tmp/gh_rel.json 2>/dev/null) || return 0
+    _parsed=$(grep -oP 'intel-graphics-compiler/releases/tag/\K[^\s\)]+' <<<"$_body" | head -1)
+    [[ -n "$_parsed" ]] && _out_ref="$_parsed"
+  fi
+}
+
 # ══════════════════════════════════════════════════════════════════════════════
 # Intel Arc GPU Setup
 # ══════════════════════════════════════════════════════════════════════════════
@@ -4630,12 +4650,17 @@ _setup_intel_arc() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub for Arc support"
 
+      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
+      # then resolve the matching IGC tag from the release notes.
       # libigdgmm - bundled in compute-runtime releases
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
 
-      # Intel Graphics Compiler (note: packages have -2 suffix)
-      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb" || true
-      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb" || true
+      local igc_tag
+      _resolve_igc_tag igc_tag
+
+      # Intel Graphics Compiler – pinned to the version compute-runtime expects
+      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb" || true
+      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb" || true
 
       # Compute Runtime (depends on IGC and gmmlib)
       fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb" || true
@@ -4685,12 +4710,17 @@ _setup_intel_modern() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub"
 
+      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
+      # then resolve the matching IGC tag from the release notes.
       # libigdgmm first (bundled in compute-runtime releases)
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
 
-      # Intel Graphics Compiler (note: packages have -2 suffix)
-      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb" || true
-      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb" || true
+      local igc_tag
+      _resolve_igc_tag igc_tag
+
+      # Intel Graphics Compiler – pinned to the version compute-runtime expects
+      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb" || true
+      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb" || true
 
       # Compute Runtime
       fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb" || true

tools/addon/sparkyfitness-garmin.sh

@@ -69,6 +69,9 @@ function update() {
     msg_ok "Stopped service"
 
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "sparkyfitness-garmin" "CodeWithCJ/SparkyFitness" "tarball" "latest" $INSTALL_PATH
+    cd $INSTALL_PATH/SparkyFitnessGarmin
+    $STD uv venv --clear .venv
+    $STD uv pip install -r requirements.txt
 
     msg_info "Starting service"
     systemctl start sparkyfitness-garmin

tools/pve/clean-orphaned-lvm.sh

@@ -37,8 +37,9 @@ function find_orphaned_lvm {
     fi
 
     container_id=$(echo "$lv" | grep -oE "[0-9]+" | head -1)
-    # Check if the ID exists as a VM or LXC container
-    if [ -f "/etc/pve/lxc/${container_id}.conf" ] || [ -f "/etc/pve/qemu-server/${container_id}.conf" ]; then
+    # Check if the ID exists as a VM or LXC container on any cluster node
+    if compgen -G "/etc/pve/nodes/*/lxc/${container_id}.conf" >/dev/null 2>&1 ||
+      compgen -G "/etc/pve/nodes/*/qemu-server/${container_id}.conf" >/dev/null 2>&1; then
       continue
     fi
 

tools/pve/post-pmg-install.sh

@@ -47,7 +47,8 @@ msg_error() {
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
 declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "post-pmg-install" "pve"
 
-if ! grep -q "Proxmox Mail Gateway" /etc/issue 2>/dev/null; then
+if ! dpkg -s proxmox-mailgateway-container >/dev/null 2>&1 &&
+  ! dpkg -s proxmox-mailgateway >/dev/null 2>&1; then
   msg_error "This script is only intended for Proxmox Mail Gateway"
   exit 232
 fi
@@ -57,14 +58,24 @@ repo_state() {
   local repo="$1"
   local file=""
   local state="missing"
-  for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list; do
+  for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do
     [[ -f "$f" ]] || continue
     if grep -q "$repo" "$f"; then
       file="$f"
-      if grep -qE "^[^#].*${repo}" "$f"; then
-        state="active"
-      elif grep -qE "^#.*${repo}" "$f"; then
-        state="disabled"
+      if [[ "$f" == *.sources ]]; then
+        # deb822 format: check Enabled field
+        if grep -qiE '^Enabled:\s*no' "$f"; then
+          state="disabled"
+        else
+          state="active"
+        fi
+      else
+        # legacy format
+        if grep -qE "^[^#].*${repo}" "$f"; then
+          state="active"
+        elif grep -qE "^#.*${repo}" "$f"; then
+          state="disabled"
+        fi
       fi
       break
     fi
@@ -72,6 +83,28 @@ repo_state() {
   echo "$state $file"
 }
 
+toggle_repo() {
+  # $1 = file, $2 = action (enable|disable)
+  local file="$1" action="$2"
+  if [[ "$file" == *.sources ]]; then
+    if [[ "$action" == "disable" ]]; then
+      if grep -qiE '^Enabled:' "$file"; then
+        sed -i 's/^Enabled:.*/Enabled: no/' "$file"
+      else
+        echo "Enabled: no" >>"$file"
+      fi
+    else
+      sed -i 's/^Enabled:.*/Enabled: yes/' "$file"
+    fi
+  else
+    if [[ "$action" == "disable" ]]; then
+      sed -i '/^[^#]/s/^/# /' "$file"
+    else
+      sed -i 's/^# *//' "$file"
+    fi
+  fi
+}
+
 start_routines() {
   header_info
   VERSION="$(awk -F'=' '/^VERSION_CODENAME=/{ print $NF }' /etc/os-release)"
@@ -84,11 +117,20 @@ start_routines() {
   case $CHOICE in
   yes)
     msg_info "Correcting Debian Sources"
-    cat <<EOF >/etc/apt/sources.list
-deb http://deb.debian.org/debian ${VERSION} main contrib
-deb http://deb.debian.org/debian ${VERSION}-updates main contrib
-deb http://security.debian.org/debian-security ${VERSION}-security main contrib
+    cat <<EOF >/etc/apt/sources.list.d/debian.sources
+Types: deb
+URIs: http://deb.debian.org/debian
+Suites: ${VERSION} ${VERSION}-updates
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+Types: deb
+URIs: http://security.debian.org/debian-security
+Suites: ${VERSION}-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF
+    rm -f /etc/apt/sources.list
     msg_ok "Corrected Debian Sources"
     ;;
   no) msg_error "Selected no to Correcting Debian Sources" ;;
@@ -108,7 +150,7 @@ EOF
     keep) msg_ok "Kept 'pmg-enterprise' repository" ;;
     disable)
       msg_info "Disabling 'pmg-enterprise' repository"
-      sed -i "s/^[^#].*pmg-enterprise/# &/" "$file"
+      toggle_repo "$file" disable
       msg_ok "Disabled 'pmg-enterprise' repository"
       ;;
     delete)
@@ -128,7 +170,7 @@ EOF
     case $CHOICE in
     enable)
       msg_info "Enabling 'pmg-enterprise' repository"
-      sed -i "s/^#.*pmg-enterprise/deb/" "$file"
+      toggle_repo "$file" enable
       msg_ok "Enabled 'pmg-enterprise' repository"
       ;;
     keep) msg_ok "Kept 'pmg-enterprise' repository disabled" ;;
@@ -149,8 +191,12 @@ EOF
     case $CHOICE in
     yes)
       msg_info "Adding 'pmg-enterprise' repository"
-      cat >/etc/apt/sources.list.d/pmg-enterprise.list <<EOF
-deb https://enterprise.proxmox.com/debian/pmg ${VERSION} pmg-enterprise
+      cat >/etc/apt/sources.list.d/pmg-enterprise.sources <<EOF
+Types: deb
+URIs: https://enterprise.proxmox.com/debian/pmg
+Suites: ${VERSION}
+Components: pmg-enterprise
+Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
 EOF
       msg_ok "Added 'pmg-enterprise' repository"
       ;;
@@ -173,7 +219,7 @@ EOF
     keep) msg_ok "Kept 'pmg-no-subscription' repository" ;;
     disable)
       msg_info "Disabling 'pmg-no-subscription' repository"
-      sed -i "s/^[^#].*pmg-no-subscription/# &/" "$file"
+      toggle_repo "$file" disable
       msg_ok "Disabled 'pmg-no-subscription' repository"
       ;;
     delete)
@@ -193,7 +239,7 @@ EOF
     case $CHOICE in
     enable)
       msg_info "Enabling 'pmg-no-subscription' repository"
-      sed -i "s/^#.*pmg-no-subscription/deb/" "$file"
+      toggle_repo "$file" enable
       msg_ok "Enabled 'pmg-no-subscription' repository"
       ;;
     keep) msg_ok "Kept 'pmg-no-subscription' repository disabled" ;;
@@ -213,8 +259,12 @@ EOF
     case $CHOICE in
     yes)
       msg_info "Adding 'pmg-no-subscription' repository"
-      cat >/etc/apt/sources.list.d/pmg-install-repo.list <<EOF
-deb http://download.proxmox.com/debian/pmg ${VERSION} pmg-no-subscription
+      cat >/etc/apt/sources.list.d/pmg-no-subscription.sources <<EOF
+Types: deb
+URIs: http://download.proxmox.com/debian/pmg
+Suites: ${VERSION}
+Components: pmg-no-subscription
+Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
 EOF
       msg_ok "Added 'pmg-no-subscription' repository"
       ;;
@@ -236,8 +286,13 @@ EOF
     case $CHOICE in
     yes)
       msg_info "Adding 'pmgtest' repository (disabled)"
-      cat >/etc/apt/sources.list.d/pmgtest-for-beta.list <<EOF
-# deb http://download.proxmox.com/debian/pmg ${VERSION} pmgtest
+      cat >/etc/apt/sources.list.d/pmgtest.sources <<EOF
+Types: deb
+URIs: http://download.proxmox.com/debian/pmg
+Suites: ${VERSION}
+Components: pmgtest
+Signed-By: /usr/share/keyrings/proxmox-archive-keyring.gpg
+Enabled: no
 EOF
       msg_ok "Added 'pmgtest' repository"
       ;;