fix(immich): disable upgrade-insecure-requests CSP directive

Helmet's useDefaults adds upgrade-insecure-requests to the CSP,
which forces browsers to upgrade all HTTP requests to HTTPS.
Since most LXC users access Immich directly via HTTP, this breaks
the web UI completely (CORS errors, spinning logo).

Patch helmet.json after deploy to explicitly null out the directive,
keeping CSP benefits while allowing HTTP access.

Fixes #13597

CHANGELOG.md

@@ -439,25 +439,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
-## 2026-04-10
-
-### 🚀 Updated Scripts
-
-  - Immich: Pin version to 2.7.3 [@vhsdream](https://github.com/vhsdream) ([#13631](https://github.com/community-scripts/ProxmoxVE/pull/13631))
-
-## 2026-04-09
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - boostack: add: git [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13620](https://github.com/community-scripts/ProxmoxVE/pull/13620))
-
-  - #### ✨ New Features
-
-    - Update OPNsense version from 25.7 to 26.1 [@tdn131](https://github.com/tdn131) ([#13626](https://github.com/community-scripts/ProxmoxVE/pull/13626))
-    - CheckMK: Bump Default OS to 13 (trixie) + dynamic codename + fix RELEASE-Tag Fetching [@MickLesk](https://github.com/MickLesk) ([#13610](https://github.com/community-scripts/ProxmoxVE/pull/13610))
-
 ## 2026-04-08
 
 ### 🆕 New Scripts
@@ -468,24 +449,13 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
   - #### 🐞 Bug Fixes
 
-    - immich: disable upgrade-insecure-requests CSP directive [@MickLesk](https://github.com/MickLesk) ([#13600](https://github.com/community-scripts/ProxmoxVE/pull/13600))
     - Immich: v2.7.2 [@vhsdream](https://github.com/vhsdream) ([#13579](https://github.com/community-scripts/ProxmoxVE/pull/13579))
     - Update flaresolverr-install.sh [@maztheman](https://github.com/maztheman) ([#13584](https://github.com/community-scripts/ProxmoxVE/pull/13584))
 
-  - #### ✨ New Features
-
-    - bambuddy: add mkdir before data restore & add ffmpeg dependency [@MickLesk](https://github.com/MickLesk) ([#13601](https://github.com/community-scripts/ProxmoxVE/pull/13601))
-
   - #### 🔧 Refactor
 
     - feat: update UHF Server script to use setup_ffmpeg [@zackwithak13](https://github.com/zackwithak13) ([#13564](https://github.com/community-scripts/ProxmoxVE/pull/13564))
 
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - core: add script page badges to descriptions | change donate URL [@MickLesk](https://github.com/MickLesk) ([#13596](https://github.com/community-scripts/ProxmoxVE/pull/13596))
-
 ## 2026-04-07
 
 ### 🗑️ Deleted Scripts

ct/bambuddy.sh

@@ -29,8 +29,6 @@ function update_script() {
     exit
   fi
 
-  ensure_dependencies ffmpeg
-
   if check_for_gh_release "bambuddy" "maziggy/bambuddy"; then
     msg_info "Stopping Service"
     systemctl stop bambuddy
@@ -56,7 +54,6 @@ function update_script() {
     msg_ok "Rebuilt Frontend"
 
     msg_info "Restoring Configuration and Data"
-    mkdir -p /opt/bambuddy/data
     cp /opt/bambuddy.env.bak /opt/bambuddy/.env
     cp -r /opt/bambuddy_data_bak/. /opt/bambuddy/data/
     rm -f /opt/bambuddy.env.bak

ct/bookstack.sh

@@ -29,7 +29,6 @@ function update_script() {
     exit
   fi
   setup_mariadb
-  ensure_dependencies git
   if check_for_gh_release "bookstack" "BookStackApp/BookStack"; then
     msg_info "Stopping Apache2"
     systemctl stop apache2

ct/checkmk.sh

@@ -11,7 +11,7 @@ var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-2048}"
 var_disk="${var_disk:-6}"
 var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
+var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
 
 header_info "$APP"
@@ -29,11 +29,10 @@ function update_script() {
   fi
 
   RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
-  RELEASE="${RELEASE%%+*}"
   msg_info "Updating ${APP} to v${RELEASE}"
   $STD omd stop monitoring
   $STD omd cp monitoring monitoringbackup
-  curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
+  curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.bookworm_amd64.deb" -o "/opt/checkmk.deb"
   $STD apt-get install -y /opt/checkmk.deb
   $STD omd --force -V ${RELEASE}.cre update --conflict=install monitoring
   $STD omd start monitoring

ct/immich.sh

@@ -109,7 +109,7 @@ EOF
     msg_ok "Image-processing libraries up to date"
   fi
 
-  RELEASE="v2.7.3"
+  RELEASE="v2.7.2"
   if check_for_gh_release "Immich" "immich-app/immich" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
     if [[ $(cat ~/.immich) > "2.5.1" ]]; then
       msg_info "Enabling Maintenance Mode"

install/bambuddy-install.sh

@@ -14,7 +14,7 @@ network_check
 update_os
 
 msg_info "Installing Dependencies"
-$STD apt install -y libglib2.0-0 ffmpeg
+$STD apt install -y libglib2.0-0
 msg_ok "Installed Dependencies"
 
 PYTHON_VERSION="3.13" setup_uv

install/bookstack-install.sh

@@ -14,9 +14,7 @@ network_check
 update_os
 
 msg_info "Installing Dependencies"
-$STD apt install -y \
-  make \
-  git
+$STD apt install -y make
 msg_ok "Installed Dependencies"
 
 PHP_VERSION="8.3" PHP_APACHE="YES" PHP_FPM="YES" PHP_MODULE="ldap,tidy,mysqli" setup_php

install/checkmk-install.sh

@@ -15,8 +15,7 @@ update_os
 
 msg_info "Install Checkmk"
 RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
-RELEASE="${RELEASE%%+*}"
-curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
+curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.bookworm_amd64.deb" -o "/opt/checkmk.deb"
 $STD apt-get install -y /opt/checkmk.deb
 rm -rf /opt/checkmk.deb
 echo "${RELEASE}" >"/opt/checkmk_version.txt"

install/immich-install.sh

@@ -295,7 +295,7 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 
-fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.3" "$SRC_DIR"
+fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.2" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 

misc/build.func

@@ -1054,7 +1054,7 @@ load_vars_file() {
 
   # Allowed var_* keys
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1255,7 +1255,7 @@ default_var_settings() {
   # Allowed var_* keys (alphabetically sorted)
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -1350,10 +1350,6 @@ var_verbose=no
 
 # Security (root PW) – empty => autologin
 # var_pw=
-
-# GitHub Personal Access Token (optional – avoids API rate limits during installs)
-# Create at https://github.com/settings/tokens – read-only public access is sufficient
-# var_github_token=ghp_your_token_here
 EOF
 
     # Now choose storages (always prompt unless just one exists)
@@ -1391,11 +1387,6 @@ EOF
     VERBOSE="no"
   fi
 
-  # 4) Map var_github_token → GITHUB_TOKEN (only if not already set in environment)
-  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
-    export GITHUB_TOKEN="${var_github_token}"
-  fi
-
   # 4) Apply base settings and show summary
   METHOD="mydefaults-global"
   base_settings "$VERBOSE"
@@ -1428,7 +1419,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
     var_gateway var_hostname var_ipv6_method var_mac var_mtu
     var_net var_ns var_os var_pw var_ram var_tags var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -5915,12 +5906,6 @@ create_lxc_container() {
 # ------------------------------------------------------------------------------
 description() {
   IP=$(pct exec "$CTID" ip a s dev eth0 | awk '/inet / {print $2}' | cut -d/ -f1)
-  local script_slug script_url donate_url
-
-  script_slug="${SCRIPT_SLUG:-${NSAPP}}"
-  script_slug="$(echo "$script_slug" | tr '[:upper:]' '[:lower:]' | tr ' ' '-')"
-  script_url="https://community-scripts.org/scripts/${script_slug}"
-  donate_url="https://community-scripts.org/donate"
 
   # Generate LXC Description
   DESCRIPTION=$(
@@ -5933,14 +5918,8 @@ description() {
   <h2 style='font-size: 24px; margin: 20px 0;'>${APP} LXC</h2>
 
   <p style='margin: 16px 0;'>
-    <a href='${donate_url}' target='_blank' rel='noopener noreferrer'>
-      <img src='https://img.shields.io/badge/❤️-Sponsoring%20%26%20Donations-FF5E5B' alt='Sponsoring and donations' />
-    </a>
-  </p>
-
-  <p style='margin: 12px 0;'>
-    <a href='${script_url}' target='_blank' rel='noopener noreferrer'>
-      <img src='https://img.shields.io/badge/📦-Open%20Script%20Page-00617f' alt='Open script page' />
+    <a href='https://ko-fi.com/community_scripts' target='_blank' rel='noopener noreferrer'>
+      <img src='https://img.shields.io/badge/&#x2615;-Buy us a coffee-blue' alt='spend Coffee' />
     </a>
   </p>
 

misc/tools.func

@@ -1117,87 +1117,15 @@ is_package_installed() {
   fi
 }
 
-# ------------------------------------------------------------------------------
-# validate_github_token()
-# Checks a GitHub token via the /user endpoint.
-# Prints a status message and returns:
-#   0 - token is valid
-#   1 - token is invalid / expired (HTTP 401)
-#   2 - token has no public repo scope (HTTP 200 but missing scope)
-#   3 - network/API error
-# Also reports expiry date if the token carries an x-oauth-expiry header.
-# ------------------------------------------------------------------------------
-validate_github_token() {
-  local token="${1:-${GITHUB_TOKEN:-}}"
-  [[ -z "$token" ]] && return 3
-
-  local response headers http_code expiry_date scopes
-  headers=$(mktemp)
-  response=$(curl -sSL -w "%{http_code}" \
-    -D "$headers" \
-    -o /dev/null \
-    -H "Authorization: Bearer $token" \
-    -H "Accept: application/vnd.github+json" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
-    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
-  http_code="$response"
-
-  # Read expiry header (fine-grained PATs carry this)
-  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
-  # Read token scopes (classic PATs)
-  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
-  rm -f "$headers"
-
-  case "$http_code" in
-    200)
-      if [[ -n "$expiry_date" ]]; then
-        msg_ok "GitHub token is valid (expires: $expiry_date)."
-      else
-        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
-      fi
-      # Warn if classic PAT has no public_repo scope
-      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
-        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
-        return 2
-      fi
-      return 0
-      ;;
-    401)
-      msg_error "GitHub token is invalid or expired (HTTP 401)."
-      return 1
-      ;;
-    *)
-      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
-      return 0
-      ;;
-  esac
-}
-
 # ------------------------------------------------------------------------------
 # Prompt user to enter a GitHub Personal Access Token (PAT) interactively
 # Returns 0 if a valid token was provided, 1 otherwise
 # ------------------------------------------------------------------------------
 prompt_for_github_token() {
   if [[ ! -t 0 ]]; then
-    # Non-interactive: pick up var_github_token if set (from default.vars / app.vars / env)
-    if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
-      export GITHUB_TOKEN="${var_github_token}"
-      msg_ok "GitHub token loaded from var_github_token."
-      return 0
-    fi
     return 1
   fi
 
-  # Prefer var_github_token when already set and no interactive override needed
-  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
-    export GITHUB_TOKEN="${var_github_token}"
-    msg_ok "GitHub token loaded from var_github_token."
-    validate_github_token || true
-    return 0
-  fi
-
   local reply
   read -rp "${TAB}Would you like to enter a GitHub Personal Access Token (PAT)? [y/N]: " reply
   reply="${reply:-n}"
@@ -1219,16 +1147,10 @@ prompt_for_github_token() {
       msg_warn "Token must not contain spaces. Please try again."
       continue
     fi
-    # Validate before accepting
-    export GITHUB_TOKEN="$token"
-    if validate_github_token "$token"; then
-      break
-    else
-      msg_warn "Please enter a valid token, or press Ctrl+C to abort."
-      unset GITHUB_TOKEN
-    fi
+    break
   done
 
+  export GITHUB_TOKEN="$token"
   msg_ok "GitHub token has been set."
   return 0
 }
@@ -2938,7 +2860,7 @@ function fetch_and_deploy_codeberg_release() {
 
   while ((attempt < ${#api_timeouts[@]})); do
     resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o /tmp/codeberg_rel.json "$api_url") && success=true && break
-    attempt=$((attempt + 1))
+    ((attempt++))
     if ((attempt < ${#api_timeouts[@]})); then
       msg_warn "API request timed out after ${api_timeouts[$((attempt - 1))]}s, retrying... (attempt $((attempt + 1))/${#api_timeouts[@]})"
     fi
@@ -3448,8 +3370,7 @@ function fetch_and_deploy_gh_release() {
         if prompt_for_github_token; then
           header=(-H "Authorization: token $GITHUB_TOKEN")
           retry_delay=2
-          attempt=1
-          continue
+          attempt=0
         fi
       fi
     else

misc/vm-core.func

@@ -577,13 +577,6 @@ check_hostname_conflict() {
 }
 
 set_description() {
-  local app_name script_slug script_url donate_url
-  app_name=$(echo "${APP,,}" | tr ' ' '-')
-  script_slug="${SCRIPT_SLUG:-${app_name}}"
-  script_slug="$(echo "$script_slug" | tr '[:upper:]' '[:lower:]' | tr ' ' '-')"
-  script_url="https://community-scripts.org/scripts/${script_slug}"
-  donate_url="https://community-scripts.org/donate"
-
   DESCRIPTION=$(
     cat <<EOF
 <div align='center'>
@@ -594,14 +587,8 @@ set_description() {
   <h2 style='font-size: 24px; margin: 20px 0;'>${NSAPP} VM</h2>
 
   <p style='margin: 16px 0;'>
-    <a href='${donate_url}' target='_blank' rel='noopener noreferrer'>
-      <img src='https://img.shields.io/badge/❤️-Sponsoring%20%26%20Donations-FF5E5B' alt='Sponsoring and donations' />
-    </a>
-  </p>
-
-  <p style='margin: 12px 0;'>
-    <a href='${script_url}' target='_blank' rel='noopener noreferrer'>
-      <img src='https://img.shields.io/badge/📦-Open%20Script%20Page-00617f' alt='Open script page' />
+    <a href='https://ko-fi.com/community_scripts' target='_blank' rel='noopener noreferrer'>
+      <img src='https://img.shields.io/badge/&#x2615;-Buy us a coffee-blue' alt='spend Coffee' />
     </a>
   </p>
 

vm/opnsense-vm.sh

@@ -24,7 +24,7 @@ RANDOM_UUID="$(cat /proc/sys/kernel/random/uuid)"
 METHOD=""
 NSAPP="opnsense-vm"
 var_os="opnsense"
-var_version="26.1"
+var_version="25.7"
 #
 GEN_MAC=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
 GEN_MAC_LAN=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
@@ -797,7 +797,7 @@ if [ -n "$WAN_BRG" ]; then
   msg_ok "WAN interface added"
   sleep 5 # Brief pause after adding network interface
 fi
-send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 26.1"
+send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 25.7"
 msg_ok "OPNsense VM is being installed, do not close the terminal, or the installation will fail."
 #We need to wait for the OPNsense build proccess to finish, this takes a few minutes
 sleep 1000