Remove frontend CODEOWNERS, refine PR template

Remove the explicit /frontend/ entry from .github/CODEOWNERS so frontend changes no longer auto-assign @community-scripts/Frontend-Dev. Update the pull request template's "Website update" checklist item to clarify it refers to script metadata (PocketBase/website data) rather than generic website JSON, improving guidance for contributors.

CHANGELOG.md

@@ -442,69 +442,22 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
-## 2026-04-17
-
-### 🆕 New Scripts
-
-  - step-ca ([#13775](https://github.com/community-scripts/ProxmoxVE/pull/13775))
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Umami: Fix update procedure [@tremor021](https://github.com/tremor021) ([#13807](https://github.com/community-scripts/ProxmoxVE/pull/13807))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - core: sanitize mount_fs input — strip spaces and trailing commas [@MickLesk](https://github.com/MickLesk) ([#13806](https://github.com/community-scripts/ProxmoxVE/pull/13806))
-
-  - #### 🔧 Refactor
-
-    - core: fix some pct create issues (telemetry) + cleanup [@MickLesk](https://github.com/MickLesk) ([#13810](https://github.com/community-scripts/ProxmoxVE/pull/13810))
-
-## 2026-04-16
-
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Add pnpm as a dependency to ghost-cli install [@YourFavoriteKyle](https://github.com/YourFavoriteKyle) ([#13789](https://github.com/community-scripts/ProxmoxVE/pull/13789))
-
-### 💾 Core
-
-  - #### ✨ New Features
-
-    - core: wire ENABLE_MKNOD and ALLOW_MOUNT_FS into LXC features [@MickLesk](https://github.com/MickLesk) ([#13796](https://github.com/community-scripts/ProxmoxVE/pull/13796))
-
 ## 2026-04-15
 
 ### 🆕 New Scripts
 
-  - iGotify ([#13773](https://github.com/community-scripts/ProxmoxVE/pull/13773))
-- GitHub-Runner ([#13709](https://github.com/community-scripts/ProxmoxVE/pull/13709))
-- Revert "Remove low-install-count CT scripts and installers (#13570)" [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13752](https://github.com/community-scripts/ProxmoxVE/pull/13752))
+  - Revert "Remove low-install-count CT scripts and installers (#13570)" [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13752](https://github.com/community-scripts/ProxmoxVE/pull/13752))
 
 ### 🚀 Updated Scripts
 
   - #### 🐞 Bug Fixes
 
-    - [alpine-nextcloud] Update Nginx MIME types to support .mjs files [@GuiltyFox](https://github.com/GuiltyFox) ([#13771](https://github.com/community-scripts/ProxmoxVE/pull/13771))
     - Domain Monitor: Fix file ownership after update [@tremor021](https://github.com/tremor021) ([#13759](https://github.com/community-scripts/ProxmoxVE/pull/13759))
 
   - #### 💥 Breaking Changes
 
     - Reitti: refactor scripts for v4 - remove RabbitMQ and Photon [@MickLesk](https://github.com/MickLesk) ([#13728](https://github.com/community-scripts/ProxmoxVE/pull/13728))
 
-  - #### 🔧 Refactor
-
-    - Semaphore: add BoltDB to SQLite migration [@tremor021](https://github.com/tremor021) ([#13779](https://github.com/community-scripts/ProxmoxVE/pull/13779))
-
-### 📚 Documentation
-
-  - cleanup: remove docs/, update README & CONTRIBUTING, fix repo config [@MickLesk](https://github.com/MickLesk) ([#13770](https://github.com/community-scripts/ProxmoxVE/pull/13770))
-
 ## 2026-04-14
 
 ### 🚀 Updated Scripts

ct/ghost.sh

@@ -25,7 +25,7 @@ function update_script() {
   check_container_resources
 
   setup_mariadb
-  NODE_VERSION="22" NODE_MODULE="pnpm" setup_nodejs
+  NODE_VERSION="22" setup_nodejs
   ensure_dependencies git
 
   msg_info "Updating Ghost"

ct/github-runner.sh

@@ -1,71 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/actions/runner
-
-APP="GitHub-Runner"
-var_tags="${var_tags:-ci}"
-var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-2048}"
-var_disk="${var_disk:-8}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_unprivileged="${var_unprivileged:-1}"
-var_nesting="${var_nesting:-1}"
-var_keyctl="${var_keyctl:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -f /opt/actions-runner/run.sh ]]; then
-    msg_error "No ${APP} Installation Found!"
-    exit 1
-  fi
-
-  if check_for_gh_release "actions-runner" "actions/runner"; then
-    msg_info "Stopping Service"
-    systemctl stop actions-runner
-    msg_ok "Stopped Service"
-
-    msg_info "Backing up runner configuration"
-    BACKUP_DIR="/opt/actions-runner.backup"
-    mkdir -p "$BACKUP_DIR"
-    for f in .runner .credentials .credentials_rsaparams .env .path; do
-      [[ -f /opt/actions-runner/$f ]] && cp -a /opt/actions-runner/$f "$BACKUP_DIR/"
-    done
-    msg_ok "Backed up configuration"
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "actions-runner" "actions/runner" "prebuild" "latest" "/opt/actions-runner" "actions-runner-linux-x64-*.tar.gz"
-
-    msg_info "Restoring runner configuration"
-    for f in .runner .credentials .credentials_rsaparams .env .path; do
-      [[ -f "$BACKUP_DIR/$f" ]] && cp -a "$BACKUP_DIR/$f" /opt/actions-runner/
-    done
-    rm -rf "$BACKUP_DIR"
-    msg_ok "Restored configuration"
-
-    msg_info "Starting Service"
-    systemctl start actions-runner
-    msg_ok "Started Service"
-    msg_ok "Updated successfully!"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} After first boot, run config.sh with your token and start the service.${CL}"

ct/headers/github-runner

@@ -1,6 +0,0 @@
-   _______ __  __  __      __          ____                             
-  / ____(_) /_/ / / /_  __/ /_        / __ \__  ______  ____  ___  _____
- / / __/ / __/ /_/ / / / / __ \______/ /_/ / / / / __ \/ __ \/ _ \/ ___/
-/ /_/ / / /_/ __  / /_/ / /_/ /_____/ _, _/ /_/ / / / / / / /  __/ /    
-\____/_/\__/_/ /_/\__,_/_.___/     /_/ |_|\__,_/_/ /_/_/ /_/\___/_/     
-                                                                        

ct/headers/igotify

@@ -1,6 +0,0 @@
-    _ ______      __  _ ____     
-   (_) ____/___  / /_(_) __/_  __
-  / / / __/ __ \/ __/ / /_/ / / /
- / / /_/ / /_/ / /_/ / __/ /_/ / 
-/_/\____/\____/\__/_/_/  \__, /  
-                        /____/   

ct/headers/step-ca

@@ -1,6 +0,0 @@
-         __                             
-   _____/ /____  ____        _________ _
-  / ___/ __/ _ \/ __ \______/ ___/ __ `/
- (__  ) /_/  __/ /_/ /_____/ /__/ /_/ / 
-/____/\__/\___/ .___/      \___/\__,_/  
-             /_/                        

ct/igotify.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: pfassina
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/androidseb25/iGotify-Notification-Assistent
-
-APP="iGotify"
-var_tags="${var_tags:-notifications;gotify}"
-var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-2048}"
-var_disk="${var_disk:-4}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_unprivileged="${var_unprivileged:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -d /opt/igotify ]]; then
-    msg_error "No iGotify Installation Found!"
-    exit
-  fi
-
-  if check_for_gh_release "igotify" "androidseb25/iGotify-Notification-Assistent"; then
-    msg_info "Stopping Service"
-    systemctl stop igotify
-    msg_ok "Stopped Service"
-
-    msg_info "Backing up Configuration"
-    cp /opt/igotify/.env /opt/igotify.env.bak
-    msg_ok "Backed up Configuration"
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "igotify" "androidseb25/iGotify-Notification-Assistent" "prebuild" "latest" "/opt/igotify" "iGotify-Notification-Service-amd64-v*.zip"
-
-    msg_info "Restoring Configuration"
-    cp /opt/igotify.env.bak /opt/igotify/.env
-    rm -f /opt/igotify.env.bak
-    msg_ok "Restored Configuration"
-
-    msg_info "Starting Service"
-    systemctl start igotify
-    msg_ok "Started Service"
-    msg_ok "Updated successfully!"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed Successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"

ct/jellyfin.sh

@@ -32,16 +32,10 @@ function update_script() {
   if ! grep -qEi 'ubuntu' /etc/os-release; then
     msg_info "Updating Intel Dependencies"
     rm -f ~/.intel-* || true
-
-    # Fetch compute-runtime first so /tmp/gh_rel.json is populated for IGC tag resolution
+    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb"
+    fetch_and_deploy_gh_release "intel-igc-opencl-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb"
     fetch_and_deploy_gh_release "intel-libgdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb"
     fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb"
-
-    local igc_tag
-    _resolve_igc_tag igc_tag
-
-    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb"
-    fetch_and_deploy_gh_release "intel-igc-opencl-2" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb"
     msg_ok "Updated Intel Dependencies"
   fi
 

ct/semaphore.sh

@@ -29,38 +29,40 @@ function update_script() {
     exit
   fi
 
-  if check_for_gh_release "semaphore" "semaphoreui/semaphore"; then
-    if [[ -f /opt/semaphore/semaphore_db.bolt ]]; then
-      msg_warn "WARNING: Due to bugs with BoltDB database, update script will move your application"
-      msg_warn "to use SQLite database instead. Make sure you have a backup of your data!"
-      echo ""
-      read -r -p "${TAB3}Do you want to continue? (y/N): " CONFIRM
-      if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
-        exit 0
-      else
-        msg_info "Moving from BoltDB to SQLite"
-        sed -i \
-          -e 's|"bolt": {|"sqlite": {|' \
-          -e 's|/semaphore_db.bolt"|/database.sqlite"|' \
-          -e '/semaphore_db.bolt/d' \
-          -e '/"dialect"/d' \
-          -e '/^  },$/a\  "dialect": "sqlite",' \
-          /opt/semaphore/config.json
-        msg_ok "Moved from BoltDB to SQLite"
-      fi
-    fi
+  if [[ -f /opt/semaphore/semaphore_db.bolt ]]; then
+    msg_warn "WARNING: Due to bugs with BoltDB database, update script will move your application"
+    msg_warn "to use SQLite database instead. Unfortunately, this will reset your application and make it a fresh"
+    msg_warn "installation. All your data will be lost!"
+    echo ""
+    read -r -p "${TAB3}Do you want to continue? (y/N): " CONFIRM
+    if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
+      exit 0
+    else
+      msg_info "Moving from BoltDB to SQLite"
+      systemctl stop semaphore
+      rm -rf /opt/semaphore/semaphore_db.bolt
+      sed -i \
+        -e 's|"bolt": {|"sqlite": {|' \
+        -e 's|/semaphore_db.bolt"|/database.sqlite"|' \
+        -e '/semaphore_db.bolt/d' \
+        -e '/"dialect"/d' \
+        -e '/^  },$/a\  "dialect": "sqlite",' \
+        /opt/semaphore/config.json
+      SEM_PW=$(cat ~/semaphore.creds)
+      systemctl start semaphore
+      $STD semaphore user add --admin --login admin --email admin@community-scripts.org --name Administrator --password "${SEM_PW}" --config /opt/semaphore/config.json
 
+      msg_ok "Moved from BoltDB to SQLite"
+    fi
+  fi
+
+  if check_for_gh_release "semaphore" "semaphoreui/semaphore"; then
     msg_info "Stopping Service"
     systemctl stop semaphore
     msg_ok "Stopped Service"
 
     fetch_and_deploy_gh_release "semaphore" "semaphoreui/semaphore" "binary" "latest" "/opt/semaphore" "semaphore_*_linux_amd64.deb"
 
-    if [[ -f /opt/semaphore/semaphore_db.bolt ]]; then
-      $STD semaphore migrate --from-boltdb /opt/semaphore/semaphore_db.bolt --config /opt/semaphore/config.json
-      rm -f /opt/semaphore/semaphore_db.bolt
-    fi
-
     msg_info "Starting Service"
     systemctl start semaphore
     msg_ok "Started Service"

ct/step-ca.sh

@@ -1,50 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: Joerg Heinemann (heinemannj)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/smallstep/certificates
-
-APP="step-ca"
-var_tags="${var_tags:-certificate-authority;pki;acme-server}"
-var_cpu="${var_cpu:-1}"
-var_ram="${var_ram:-512}"
-var_disk="${var_disk:-2}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_unprivileged="${var_unprivileged:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-  if [[ ! -f /etc/apt/sources.list.d/smallstep.sources ]]; then
-    msg_error "No ${APP} Installation Found!"
-    exit
-  fi
-  msg_info "Updating step-ca and step-cli"
-  $STD apt update
-  $STD apt upgrade -y step-ca step-cli
-  $STD systemctl restart step-ca
-  msg_ok "Updated step-ca and step-cli"
-
-  if check_for_gh_release "step-badger" "lukasz-lobocki/step-badger"; then
-    fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
-    msg_ok "Updated step-badger"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}https://${IP}/provisioners${CL}"

ct/umami.sh

@@ -33,9 +33,7 @@ function update_script() {
     systemctl stop umami
     msg_ok "Stopped Service"
 
-    mv /opt/umami/.env /opt/.env.bak
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "umami" "umami-software/umami" "tarball"
-    mv /opt/.env.bak /opt/umami/.env
+    fetch_and_deploy_gh_release "umami" "umami-software/umami" "tarball"
 
     msg_info "Updating Umami"
     cd /opt/umami

install/alpine-nextcloud-install.sh

@@ -137,7 +137,6 @@ EOF
 sed -i -e 's|memory_limit = 128M|memory_limit = 512M|; $aapc.enable_cli=1' /etc/php83/php.ini
 sed -i -e 's|upload_max_file_size = 2M|upload_max_file_size = 16G|' /etc/php83/php.ini
 sed -i -E '/^php_admin_(flag|value)\[opcache/s/^/;/' /etc/php83/php-fpm.d/nextcloud.conf
-sed -i -e 's| js;| mjs js;|' /etc/nginx/mime.types
 msg_ok "Installed Nextcloud"
 
 msg_info "Adding Additional Nextcloud Packages"

install/ghost-install.sh

@@ -23,7 +23,7 @@ msg_ok "Installed Dependencies"
 
 setup_mariadb
 MARIADB_DB_NAME="ghost" MARIADB_DB_USER="ghostuser" setup_mariadb_db
-NODE_VERSION="22" NODE_MODULE="pnpm" setup_nodejs
+NODE_VERSION="22" setup_nodejs
 
 msg_info "Installing Ghost CLI"
 $STD npm install ghost-cli@latest -g

install/github-runner-install.sh

@@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://docs.github.com/en/actions/hosting-your-own-runners
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  git \
-  gh
-msg_ok "Installed Dependencies"
-
-NODE_VERSION="24" setup_nodejs
-
-msg_info "Creating runner user (no sudo)"
-useradd -m -s /bin/bash runner
-msg_ok "Runner user ready"
-
-fetch_and_deploy_gh_release "actions-runner" "actions/runner" "prebuild" "latest" "/opt/actions-runner" "actions-runner-linux-x64-*.tar.gz"
-
-msg_info "Setting ownership for runner user"
-chown -R runner:runner /opt/actions-runner
-msg_ok "Ownership set"
-
-msg_info "Creating Service"
-cat <<EOF >/etc/systemd/system/actions-runner.service
-[Unit]
-Description=GitHub Actions self-hosted runner
-Documentation=https://docs.github.com/en/actions/hosting-your-own-runners
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-User=runner
-WorkingDirectory=/opt/actions-runner
-ExecStart=/opt/actions-runner/run.sh
-Restart=on-failure
-RestartSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q actions-runner
-msg_ok "Created Service"
-
-motd_ssh
-customize
-cleanup_lxc

install/igotify-install.sh

@@ -1,59 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: pfassina
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/androidseb25/iGotify-Notification-Assistent
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-setup_deb822_repo \
-  "microsoft" \
-  "https://packages.microsoft.com/keys/microsoft-2025.asc" \
-  "https://packages.microsoft.com/debian/13/prod/" \
-  "trixie" \
-  "main"
-$STD apt install -y aspnetcore-runtime-10.0
-msg_ok "Installed Dependencies"
-
-fetch_and_deploy_gh_release "igotify" "androidseb25/iGotify-Notification-Assistent" "prebuild" "latest" "/opt/igotify" "iGotify-Notification-Service-amd64-v*.zip"
-
-msg_info "Creating Service"
-cat <<EOF >/opt/igotify/.env
-ASPNETCORE_URLS=http://0.0.0.0:80
-ASPNETCORE_ENVIRONMENT=Production
-GOTIFY_DEFAULTUSER_PASS=
-GOTIFY_URLS=
-GOTIFY_CLIENT_TOKENS=
-SECNTFY_TOKENS=
-EOF
-cat <<EOF >/etc/systemd/system/igotify.service
-[Unit]
-Description=iGotify Notification Service
-After=network.target
-
-[Service]
-EnvironmentFile=/opt/igotify/.env
-WorkingDirectory=/opt/igotify
-ExecStart=/usr/bin/dotnet "/opt/igotify/iGotify Notification Assist.dll"
-Restart=always
-RestartSec=10
-KillSignal=SIGINT
-TimeoutStopSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-systemctl enable -q --now igotify
-msg_ok "Created Service"
-
-motd_ssh
-customize
-cleanup_lxc

install/step-ca-install.sh

@@ -1,400 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: Joerg Heinemann (heinemannj)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/smallstep/certificates
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-setup_deb822_repo \
-  "smallstep" \
-  "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \
-  "https://packages.smallstep.com/stable/debian" \
-  "debs" \
-  "main"
-
-msg_info "Installing step-ca and step-cli"
-$STD apt install -y step-ca step-cli
-
-STEPHOME="/root/.step"
-export STEPPATH=/etc/step-ca
-export STEPHOME=$STEPHOME
-
-sed  -i '1i export STEPPATH=/etc/step-ca' /etc/profile
-sed  -i '1i export STEPHOME=/root/.step' /etc/profile
-
-setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
-
-$STD useradd --user-group --system --home $(step path) --shell /bin/false step
-msg_ok "Installed step-ca and step-cli"
-
-DomainName="$(hostname -d)"
-
-PKIName="$(prompt_input "Enter PKIName" "MyHomePKI" 30)"
-PKIProvisioner="$(prompt_input "Enter PKIProvisioner" "pki@$DomainName" 30)"
-AcmeProvisioner="$(prompt_input "Enter AcmeProvisioner" "acme@$DomainName" 30)"
-X509MinDur="$(prompt_input "Enter X509MinDur" "48h" 30)"
-X509MaxDur="$(prompt_input "Enter X509MaxDur" "87600h" 30)"
-X509DefaultDur="$(prompt_input "Enter X509DefaultDur" "168h" 30)"
-
-msg_info "Initializing step-ca"
-DeploymentType="standalone"
-FQDN="$(hostname -f)"
-IP="${LOCAL_IP}"
-LISTENER=":443"
-
-EncryptionPwdDir="$(step path)/encryption"
-PwdFile="$EncryptionPwdDir/ca.pwd"
-ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
-mkdir -p "$EncryptionPwdDir"
-gpg -q --gen-random --armor 2 32 >"$PwdFile"
-gpg -q --gen-random --armor 2 32 >"$ProvisionerPwdFile"
-
-$STD step ca init --deployment-type="$DeploymentType" --ssh --name="$PKIName" --dns="$FQDN" --dns="$IP" --address="$LISTENER" --provisioner="$PKIProvisioner" --password-file="$PwdFile" --provisioner-password-file="$ProvisionerPwdFile"
-
-ln -s "$PwdFile" "$(step path)/password.txt"
-chown -R step:step $(step path)
-chmod -R 700 $(step path)
-$STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner"
-$STD step ca provisioner update "$PKIProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
-$STD step ca provisioner update "$AcmeProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
-$STD step certificate install --all $(step path)/certs/root_ca.crt
-$STD update-ca-certificates
-msg_ok "Initialized step-ca"
-
-msg_info "Start step-ca as a Daemon"
-cat <<'EOF' >/etc/systemd/system/step-ca.service
-[Unit]
-Description=step-ca service
-Documentation=https://smallstep.com/docs/step-ca
-Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
-After=network-online.target
-Wants=network-online.target
-StartLimitIntervalSec=30
-StartLimitBurst=3
-ConditionFileNotEmpty=/etc/step-ca/config/ca.json
-ConditionFileNotEmpty=/etc/step-ca/password.txt
-
-[Service]
-Type=simple
-User=step
-Group=step
-Environment=STEPPATH=/etc/step-ca
-WorkingDirectory=/etc/step-ca
-ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
-ExecReload=/bin/kill -USR1 $MAINPID
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=30
-StartLimitAction=reboot
-
-; Process capabilities & privileges
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-SecureBits=keep-caps
-NoNewPrivileges=yes
-
-; Sandboxing
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@resources @privileged
-RestrictNamespaces=yes
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-PrivateMounts=yes
-ProtectControlGroups=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectSystem=strict
-ProtectHome=yes
-ReadWritePaths=/etc/step-ca/db
-
-; Read only paths
-ReadOnlyPaths=/etc/step-ca
-
-[Install]
-WantedBy=multi-user.target
-EOF
-$STD systemctl enable -q --now step-ca
-msg_ok "Started step-ca as a Daemon"
-
-fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
-ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger
-
-msg_info "Install step-ca Admin script"
-mkdir -p "$STEPHOME"
-cat <<'ADDON_EOF' >"$STEPHOME/step-ca-admin.sh"
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: Joerg Heinemann (heinemannj)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-
-function header_info() {
-  clear
-  cat <<"EOF"
-         __                                 ___       __          _     
-   _____/ /____  ____        _________ _   /   | ____/ /___ ___  (_)___ 
-  / ___/ __/ _ \/ __ \______/ ___/ __ `/  / /| |/ __  / __ `__ \/ / __ \
- (__  ) /_/  __/ /_/ /_____/ /__/ /_/ /  / ___ / /_/ / / / / / / / / / /
-/____/\__/\___/ .___/      \___/\__,_/  /_/  |_\__,_/_/ /_/ /_/_/_/ /_/ 
-             /_/                                                            
-
-EOF
-}
-
-function die() {
-  echo -e "\n${BL}[ERROR]${GN} ${RD}${1}${CL}\n"
-  exit
-}
-
-function success() {
-  echo -e "${BL}[SUCCESS]${GN} ${1}${CL}\n"
-  exit
-}
-
-function whiptail_menu() {
-  MENU_ARRAY=()
-  MSG_MAX_LENGTH=0
-  while read -r TAG ITEM; do
-    OFFSET=2
-    ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=${#ITEM}+OFFSET
-    MENU_ARRAY+=("$TAG" "$ITEM " "OFF")
-  done < <(echo "$1")
-}
-
-function x509_list() {
-  CERT_LIST=""
-  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
-  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
-  if [[ $(step-badger x509Certs "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
-    CERT_LIST=$(step-badger x509Certs ${STEPHOME}/db-copy 2>/dev/null)
-  fi
-}
-
-function ssh_list() {
-  CERT_LIST=""
-  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
-  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
-  if [[ $(step-badger sshCerts "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
-    CERT_LIST=$(step-badgersshCerts ${STEPHOME}/db-copy 2>/dev/null)
-  fi
-}
-
-function x509_serial_to_cn() {
-  x509_list
-  CN="$(echo "${CERT_LIST}" | grep "${SERIAL_NUMBER}" | awk '{print $2}' | sed 's/CN=//g')"
-  CRT="$STEPHOME/certs/x509/$CN.crt"
-  KEY="$STEPHOME/certs/x509/$CN.key"
-  if ! [[ -f ${CRT} ]]; then
-    die "Certificate ${CRT} not found!"
-  elif ! [[ -f ${KEY} ]]; then
-    die "Private Key ${KEY} not found!"
-  fi
-}
-
-function x509_revoke() {
-  # shellcheck disable=SC2206
-  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
-  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
-    echo -e "${BL}[Info]${GN} Revoke x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
-    echo
-    TOKEN=$(step ca token --provisioner="$PROVISIONER" --provisioner-password-file="$PROVISIONER_PASSWORD" --revoke "${SERIAL_NUMBER}")
-    step ca revoke --token "$TOKEN" "${SERIAL_NUMBER}" || die "Failed to revoke certificate!"
-    echo
-  done
-  success "Finished."
-}
-
-function x509_renew() {
-  # shellcheck disable=SC2206
-  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
-  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
-    echo -e "${BL}[Info]${GN} Renew x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
-    echo
-    x509_serial_to_cn
-    step ca renew "${CRT}" "${KEY}" --force || die "Failed to renew certificate!"
-    echo
-  done
-  success "Finished."
-}
-
-function x509_inspect() {
-  # shellcheck disable=SC2206
-  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
-  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
-    echo -e "${BL}[Info]${GN} Inspect x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}\n"
-    x509_serial_to_cn
-    step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
-    if ! [[ $(step certificate inspect "${CRT}" | grep "${SERIAL_NUMBER}") ]]; then
-      die "Serial Number ${SERIAL_NUMBER} mismatch!"
-    fi
-    echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
-    cat "${CRT}"
-    echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
-    cat "${KEY}"
-    echo
-  done
-  success "Finished."
-}
-
-function x509_request() {
-  FQDN=""
-  SAN=""
-
-  while true; do
-    FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nFQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3)
-    IP=$(dig +short "$FQDN")
-    if [[ -z "$IP" ]]; then
-      die "Resolution failed for $FQDN!"
-    fi
-    HOST=$(echo "$FQDN" | awk -F'.' '{print $1}')
-    IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nIP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3)
-    HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nHostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3)
-    SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nSubject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3)
-    VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nValidity (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3)
-
-    # shellcheck disable=SC2034
-    if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n
-      FQDN: $FQDN
-      Hostname: $HOST
-      IP Address: $IP
-      Subject Alternative Name(s) (SAN): $SAN
-      Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
-      break
-    fi
-  done
-
-  echo -e "${BL}[Info]${GN} Request x509 Certificate with subject ${BL}${FQDN}${GN}:${CL}"
-  echo
-  CRT="$STEPHOME/certs/x509/$FQDN.crt"
-  KEY="$STEPHOME/certs/x509/$FQDN.key"
-
-  SAN="$FQDN, $HOST, $IP, $SAN"
-
-  IFS=', ' read -r -a array <<< "$SAN"
-  for element in "${array[@]}"
-  do
-    SAN_ARRAY+=(--san "$element")
-  done
-
-  step ca certificate "$FQDN" "$CRT" "$KEY" \
-    --provisioner="$PROVISIONER" \
-    --provisioner-password-file="$PROVISIONER_PASSWORD" \
-    --not-after="$VALID_TO" \
-    "${SAN_ARRAY[@]}" \
-  || die "Failed to request certificate!"
-
-  echo -e "\n${BL}[Info]${GN} Inspect Certificate:${CL}\n"
-  step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
-  echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
-  cat "${CRT}"
-  echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
-  cat "${KEY}"
-  echo
-  success "Finished."
-}
-
-set -eEuo pipefail
-# shellcheck disable=SC2034
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-YW=$(echo "\033[33m")
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-BL=$(echo "\033[36m")
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-RD=$(echo "\033[01;31m")
-# shellcheck disable=SC2034
-CM='\xE2\x9C\x94\033'
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-GN=$(echo "\033[1;92m")
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-CL=$(echo "\033[m")
-
-# Telemetry
-# shellcheck disable=SC1090
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
-declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "step-ca-admin" "step-ca"
-
-header_info
-
-mkdir --parents "$STEPHOME/db-copy/"
-mkdir --parents "$STEPHOME/certs/ca/_archive/"
-mkdir --parents "$STEPHOME/certs/ssh/_archive/"
-mkdir --parents "$STEPHOME/certs/x509/_archive/"
-
-PROVISIONER=$(jq '.authority.provisioners.[] | select(.type=="JWK") | .name' "$(step path)"/config/ca.json)
-PROVISIONER="${PROVISIONER#\"}"
-PROVISIONER="${PROVISIONER%\"}"
-PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd
-
-whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --yesno "This will maintain step-ca issued x509 and ssh Certificates. Proceed?" 10 58
-
-MENU_ARRAY=("x509" "Maintain x509 Certificates." "ON")
-MENU_ARRAY+=("ssh" "Maintain ssh Certificates." "OFF")
-CERT_TYPE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Certificate Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
-
-[[ -z ${CERT_TYPE} ]] && die "No Certificate Type selected!"
-
-case ${CERT_TYPE} in
-("x509")
-  x509_list
-  CERT_LIST=$(echo "$CERT_LIST" | awk 'NR>1 {print $1 " " $2 "|" $3 "|" $4 "|" $5}')
-  if [[ $CERT_LIST ]]; then
-    whiptail_menu "$CERT_LIST"
-  else
-    MENU_ARRAY=()
-    MSG_MAX_LENGTH=2
-  fi
-  MENU_ARRAY+=("" "Create a new Certificate" "OFF")
-  CERT_SERIAL_NUMBERS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificates on $(hostname)" --checklist "\nSelect Certificate(s) to maintain:\n" 16 $((MSG_MAX_LENGTH + 55)) 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
-
-  [[ -z ${CERT_SERIAL_NUMBERS} ]] && x509_request
-  
-  MENU_ARRAY=("Renew" "Renew x509 Certificates." "ON")
-  MENU_ARRAY+=("Revoke" "Revoke x509 Certificates." "OFF")
-  MENU_ARRAY+=("Inspect" "Inspect x509 Certificates." "OFF")
-  CERT_MAINTENANCE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Maintenance Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
-
-  case ${CERT_MAINTENANCE} in
-  ("Renew")
-    x509_renew "${CERT_SERIAL_NUMBERS[@]}"
-    ;;
-  ("Revoke")
-    x509_revoke "${CERT_SERIAL_NUMBERS[@]}"
-    ;;
-  ("Inspect")
-    x509_inspect "${CERT_SERIAL_NUMBERS[@]}"
-    ;;
-  *)
-    die "Unsupported CERT_MAINTENANCE Option!"
-    ;;
-  esac
-  ;;
-("ssh")
-  die "Maintain ssh Certificates - To be implemented in future"
-  ;;
-*)
-  die "Unsupported CERT_TYPE Option!"
-  ;;
-esac
-ADDON_EOF
-chmod 700 "$STEPHOME/step-ca-admin.sh"
-msg_ok "Installed step-ca Admin script"
-
-motd_ssh
-customize
-cleanup_lxc

misc/api.func

@@ -344,36 +344,21 @@ explain_exit_code() {
 # - Escapes a string for safe JSON embedding
 # - Strips ANSI escape sequences and non-printable control characters
 # - Handles backslashes, quotes, newlines, tabs, and carriage returns
-# - Uses jq when available (guaranteed correct), falls back to awk
 # ------------------------------------------------------------------------------
 json_escape() {
-  local input
-  # Pipeline: strip ANSI → remove control chars → escape for JSON
-  input=$(printf '%s' "$1" |
+  # Escape a string for safe JSON embedding using awk (handles any input size).
+  # Pipeline: strip ANSI → remove control chars → escape \ " TAB → join lines with \n
+  printf '%s' "$1" |
     sed 's/\x1b\[[0-9;]*[a-zA-Z]//g' |
-    tr -d '\000-\010\013\014\016-\037\177\r')
-
-  # Prefer jq: guaranteed correct JSON string encoding (handles all edge cases)
-  if command -v jq &>/dev/null; then
-    # jq -Rs reads raw stdin as string, outputs JSON-encoded string with quotes.
-    # We strip the surrounding quotes since the heredoc adds them.
-    printf '%s' "$input" | jq -Rs '.' | sed 's/^"//;s/"$//'
-    return
-  fi
-
-  # Fallback: character-by-character processing with awk (avoids gsub replacement pitfalls)
-  printf '%s' "$input" |
+    tr -d '\000-\010\013\014\016-\037\177\r' |
     awk '
-        BEGIN { ORS="" }
+        BEGIN { ORS = "" }
         {
-          if (NR > 1) printf "%s", "\\n"
-          for (i = 1; i <= length($0); i++) {
-            c = substr($0, i, 1)
-            if (c == "\\") printf "%s", "\\\\"
-            else if (c == "\"") printf "%s", "\\\""
-            else if (c == "\t") printf "%s", "\\t"
-            else printf "%s", c
-          }
+          gsub(/\\/, "\\\\")   # backslash → \\
+          gsub(/"/, "\\\"")    # double quote → \"
+          gsub(/\t/, "\\t")   # tab → \t
+          if (NR > 1) printf "\\n"
+          printf "%s", $0
         }'
 }
 

misc/build.func

@@ -979,6 +979,7 @@ base_settings() {
   fi
 
   IPV6_METHOD=${var_ipv6_method:-"none"}
+  IPV6_STATIC=${var_ipv6_static:-""}
   GATE=${var_gateway:-""}
   APT_CACHER=${var_apt_cacher:-""}
   APT_CACHER_IP=${var_apt_cacher_ip:-""}
@@ -1014,12 +1015,8 @@ base_settings() {
   VLAN=${var_vlan:-""}
   SSH=${var_ssh:-"no"}
   SSH_AUTHORIZED_KEY=${var_ssh_authorized_key:-""}
-  # Build TAGS: ensure community-script prefix, use semicolons (pct format), no duplicates
-  if [[ "${var_tags:-}" == *community-script* ]]; then
-    TAGS="${var_tags:-community-script}"
-  else
-    TAGS="community-script${var_tags:+;${var_tags}}"
-  fi
+  UDHCPC_FIX=${var_udhcpc_fix:-""}
+  TAGS="community-script,${var_tags:-}"
   ENABLE_FUSE=${var_fuse:-"${1:-no}"}
   ENABLE_TUN=${var_tun:-"${1:-no}"}
 
@@ -1028,7 +1025,6 @@ base_settings() {
   ENABLE_NESTING=${var_nesting:-"1"}
   ENABLE_KEYCTL=${var_keyctl:-"0"}
   ENABLE_MKNOD=${var_mknod:-"0"}
-  ALLOW_MOUNT_FS=${var_mount_fs:-""}
   PROTECT_CT=${var_protection:-"no"}
   CT_TIMEZONE=${var_timezone:-"$timezone"}
   [[ "${CT_TIMEZONE:-}" == Etc/* ]] && CT_TIMEZONE="host" # pct doesn't accept Etc/* zones
@@ -1207,22 +1203,6 @@ load_vars_file() {
             continue
           fi
           ;;
-        var_mknod)
-          if [[ "$var_val" != "0" && "$var_val" != "1" ]]; then
-            msg_warn "Invalid mknod value '$var_val' in $file (must be 0 or 1), ignoring"
-            continue
-          fi
-          ;;
-        var_mount_fs)
-          # Normalize: strip spaces, trailing commas
-          var_val="${var_val// /}"
-          var_val="${var_val%%,}"
-          var_val="${var_val##,}"
-          if [[ -n "$var_val" ]] && [[ ! "$var_val" =~ ^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$ ]]; then
-            msg_warn "Invalid mount_fs value '$var_val' in $file (comma-separated fs names only, e.g. nfs,cifs), ignoring"
-            continue
-          fi
-          ;;
         var_ipv6_method)
           if [[ "$var_val" != "auto" && "$var_val" != "dhcp" && "$var_val" != "static" && "$var_val" != "none" ]]; then
             msg_warn "Invalid IPv6 method '$var_val' in $file (must be auto/dhcp/static/none), ignoring"
@@ -1448,10 +1428,10 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
-    var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
-    var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
-    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu
+    var_gateway var_hostname var_ipv6_method var_mac var_mtu
+    var_net var_ns var_os var_pw var_ram var_tags var_tun var_unprivileged
+    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
   )
 fi
 
@@ -1801,12 +1781,7 @@ advanced_settings() {
   trap 'tput rmcup 2>/dev/null || true' RETURN
 
   # Initialize defaults
-  # Build TAGS: ensure community-script prefix, use semicolons (pct format), no duplicates
-  if [[ "${var_tags:-}" == *community-script* ]]; then
-    TAGS="${var_tags:-community-script}"
-  else
-    TAGS="community-script${var_tags:+;${var_tags}}"
-  fi
+  TAGS="community-script;${var_tags:-}"
   local STEP=1
   local MAX_STEP=28
 
@@ -2543,13 +2518,6 @@ advanced_settings() {
     # STEP 22: Keyctl Support (Docker/systemd)
     # ═══════════════════════════════════════════════════════════════════════════
     22)
-      # Keyctl is always required for unprivileged containers — skip dialog
-      if [[ "$_ct_type" == "1" ]]; then
-        _enable_keyctl="1"
-        ((STEP++))
-        continue
-      fi
-
       local keyctl_default_flag="--defaultno"
       [[ "$_enable_keyctl" == "1" ]] && keyctl_default_flag=""
 
@@ -2557,7 +2525,7 @@ advanced_settings() {
         --title "KEYCTL SUPPORT" \
         --ok-button "Next" --cancel-button "Back" \
         $keyctl_default_flag \
-        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\n(App default: ${var_keyctl:-0})" 14 62; then
+        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\nNote: Automatically enabled for unprivileged containers.\n\n(App default: ${var_keyctl:-0})" 16 62; then
         _enable_keyctl="1"
       else
         if [ $? -eq 1 ]; then
@@ -2687,10 +2655,6 @@ advanced_settings() {
         --ok-button "Next" --cancel-button "Back" \
         --inputbox "\nAllow specific filesystem mounts.\n\nComma-separated list: nfs, cifs, fuse, ext4, etc.\nLeave empty for defaults (none).\n\nCurrent: $mount_hint" 14 62 "$_mount_fs" \
         3>&1 1>&2 2>&3); then
-        # Normalize: strip spaces and trailing/leading commas
-        result="${result// /}"
-        result="${result%%,}"
-        result="${result##,}"
         _mount_fs="$result"
         ((STEP++))
       else
@@ -2747,7 +2711,6 @@ Network:
 Features:
   FUSE: $_enable_fuse | TUN: $_enable_tun
   Nesting: $nesting_desc | Keyctl: $keyctl_desc
-  Mknod: $([ "$_enable_mknod" == "1" ] && echo Enabled || echo Disabled) | Mount FS: ${_mount_fs:-(none)}
   GPU: $_enable_gpu | Protection: $protect_desc
 
 Advanced:
@@ -2817,6 +2780,13 @@ Advanced:
   [[ -n "$_mac" ]] && MAC=",hwaddr=$_mac" || MAC=""
   [[ -n "$_vlan" ]] && VLAN=",tag=$_vlan" || VLAN=""
 
+  # Alpine UDHCPC fix
+  if [ "$var_os" == "alpine" ] && [ "$NET" == "dhcp" ] && [ -n "$_ns" ]; then
+    UDHCPC_FIX="yes"
+  else
+    UDHCPC_FIX="no"
+  fi
+  export UDHCPC_FIX
   export SSH_KEYS_FILE
 
   # Exit alternate screen buffer before showing summary (so output remains visible)
@@ -2841,8 +2811,6 @@ Advanced:
   echo -e "${CONTAINERTYPE}${BOLD}${DGN}Nesting: ${BGN}$([ "${ENABLE_NESTING:-1}" == "1" ] && echo "Enabled" || echo "Disabled")${CL}"
   [[ "${ENABLE_KEYCTL:-0}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Keyctl: ${BGN}Enabled${CL}"
   echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}${ENABLE_GPU:-no}${CL}"
-  [[ "${ENABLE_MKNOD:-0}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Mknod: ${BGN}Enabled${CL}"
-  [[ -n "${ALLOW_MOUNT_FS:-}" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Mount FS: ${BGN}${ALLOW_MOUNT_FS}${CL}"
   [[ "${PROTECT_CT:-no}" == "yes" || "${PROTECT_CT:-no}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Protection: ${BGN}Enabled${CL}"
   [[ -n "${CT_TIMEZONE:-}" ]] && echo -e "${INFO}${BOLD}${DGN}Timezone: ${BGN}$CT_TIMEZONE${CL}"
   [[ "$APT_CACHER" == "yes" ]] && echo -e "${INFO}${BOLD}${DGN}APT Cacher: ${BGN}$APT_CACHER_IP${CL}"
@@ -2865,8 +2833,6 @@ Advanced:
   log_msg "IPv6: $IPV6_METHOD"
   log_msg "FUSE Support: ${ENABLE_FUSE:-no}"
   log_msg "Nesting: $([ "${ENABLE_NESTING:-1}" == "1" ] && echo "Enabled" || echo "Disabled")"
-  log_msg "Mknod: $([ "${ENABLE_MKNOD:-0}" == "1" ] && echo "Enabled" || echo "Disabled")"
-  [[ -n "${ALLOW_MOUNT_FS:-}" ]] && log_msg "Mount FS: ${ALLOW_MOUNT_FS}"
   log_msg "GPU Passthrough: ${ENABLE_GPU:-no}"
   log_msg "Verbose Mode: $VERBOSE"
   log_msg "Session ID: ${SESSION_ID}"
@@ -3646,26 +3612,6 @@ build_container() {
     FEATURES="${FEATURES}fuse=1"
   fi
 
-  # Mknod support (user configurable via advanced settings)
-  if [ "${ENABLE_MKNOD:-0}" == "1" ]; then
-    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
-    FEATURES="${FEATURES}mknod=1"
-  fi
-
-  # Mount filesystem types (user configurable via advanced settings)
-  if [ -n "${ALLOW_MOUNT_FS:-}" ]; then
-    # Sanitize: strip spaces, trailing/leading commas, then convert commas to semicolons
-    local _mount_clean="${ALLOW_MOUNT_FS// /}"
-    _mount_clean="${_mount_clean%%,}"
-    _mount_clean="${_mount_clean##,}"
-    _mount_clean="${_mount_clean%%;}"  
-    _mount_clean="${_mount_clean//,/;}"
-    if [ -n "$_mount_clean" ]; then
-      [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
-      FEATURES="${FEATURES}mount=${_mount_clean}"
-    fi
-  fi
-
   # Build PCT_OPTIONS as string for export
   local _func_url
   if [ "$var_os" == "alpine" ]; then
@@ -5805,9 +5751,6 @@ create_lxc_container() {
   msg_debug "Logfile: $LOGFILE"
 
   # First attempt (PCT_OPTIONS is a multi-line string, use it directly)
-  # Disable globbing: unquoted $PCT_OPTIONS needs word-splitting but must not glob-expand
-  # (e.g. passwords containing * or ? would match filenames otherwise)
-  set -f
   if ! pct create "$CTID" "${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE}" $PCT_OPTIONS >"$LOGFILE" 2>&1; then
     msg_debug "Container creation failed on ${TEMPLATE_STORAGE}. Checking error..."
 
@@ -5915,7 +5858,6 @@ create_lxc_container() {
       fi
     fi # close CTID collision else-branch
   fi
-  set +f  # re-enable globbing after pct create block
 
   # Verify container exists (allow up to 10s for pmxcfs sync in clusters)
   local _pct_visible=false

misc/tools.func

@@ -1139,42 +1139,39 @@ validate_github_token() {
     -H "Authorization: Bearer $token" \
     -H "Accept: application/vnd.github+json" \
     -H "X-GitHub-Api-Version: 2022-11-28" \
-    "https://api.github.com/user" 2>/dev/null) || {
-    rm -f "$headers"
-    return 3
-  }
+    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
   http_code="$response"
 
   # Read expiry header (fine-grained PATs carry this)
-  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" |
-    sed 's/.*: *//' | tr -d '\r\n' || true)
+  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
+    | sed 's/.*: *//' | tr -d '\r\n' || true)
   # Read token scopes (classic PATs)
-  scopes=$(grep -i '^x-oauth-scopes:' "$headers" |
-    sed 's/.*: *//' | tr -d '\r\n' || true)
+  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
+    | sed 's/.*: *//' | tr -d '\r\n' || true)
   rm -f "$headers"
 
   case "$http_code" in
-  200)
-    if [[ -n "$expiry_date" ]]; then
-      msg_ok "GitHub token is valid (expires: $expiry_date)."
-    else
-      msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
-    fi
-    # Warn if classic PAT has no public_repo scope
-    if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
-      msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
-      return 2
-    fi
-    return 0
-    ;;
-  401)
-    msg_error "GitHub token is invalid or expired (HTTP 401)."
-    return 1
-    ;;
-  *)
-    msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
-    return 0
-    ;;
+    200)
+      if [[ -n "$expiry_date" ]]; then
+        msg_ok "GitHub token is valid (expires: $expiry_date)."
+      else
+        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
+      fi
+      # Warn if classic PAT has no public_repo scope
+      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
+        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
+        return 2
+      fi
+      return 0
+      ;;
+    401)
+      msg_error "GitHub token is invalid or expired (HTTP 401)."
+      return 1
+      ;;
+    *)
+      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
+      return 0
+      ;;
   esac
 }
 
@@ -4607,23 +4604,6 @@ function setup_hwaccel() {
   msg_ok "Setup Hardware Acceleration"
 }
 
-# ══════════════════════════════════════════════════════════════════════════════
-# Resolve the IGC tag that the latest compute-runtime was built against.
-# Must be called AFTER a fetch_and_deploy_gh_release for intel/compute-runtime
-# so that /tmp/gh_rel.json contains the compute-runtime release metadata.
-# Sets the variable named by $1 (default: igc_tag) to the discovered tag.
-# ══════════════════════════════════════════════════════════════════════════════
-_resolve_igc_tag() {
-  local -n _out_ref="${1:-igc_tag}"
-  _out_ref="latest"
-  if [[ -f /tmp/gh_rel.json ]]; then
-    local _body _parsed
-    _body=$(jq -r '.body // empty' /tmp/gh_rel.json 2>/dev/null) || return 0
-    _parsed=$(grep -oP 'intel-graphics-compiler/releases/tag/\K[^\s\)]+' <<<"$_body" | head -1)
-    [[ -n "$_parsed" ]] && _out_ref="$_parsed"
-  fi
-}
-
 # ══════════════════════════════════════════════════════════════════════════════
 # Intel Arc GPU Setup
 # ══════════════════════════════════════════════════════════════════════════════
@@ -4650,17 +4630,12 @@ _setup_intel_arc() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub for Arc support"
 
-      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
-      # then resolve the matching IGC tag from the release notes.
       # libigdgmm - bundled in compute-runtime releases
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
 
-      local igc_tag
-      _resolve_igc_tag igc_tag
-
-      # Intel Graphics Compiler – pinned to the version compute-runtime expects
-      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb" || true
-      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb" || true
+      # Intel Graphics Compiler (note: packages have -2 suffix)
+      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb" || true
+      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb" || true
 
       # Compute Runtime (depends on IGC and gmmlib)
       fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb" || true
@@ -4710,17 +4685,12 @@ _setup_intel_modern() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub"
 
-      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
-      # then resolve the matching IGC tag from the release notes.
       # libigdgmm first (bundled in compute-runtime releases)
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
 
-      local igc_tag
-      _resolve_igc_tag igc_tag
-
-      # Intel Graphics Compiler – pinned to the version compute-runtime expects
-      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb" || true
-      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb" || true
+      # Intel Graphics Compiler (note: packages have -2 suffix)
+      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb" || true
+      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb" || true
 
       # Compute Runtime
       fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb" || true