fix(api): prevent duplicate post_to_api submissions

Add POST_TO_API_DONE idempotency guard to post_to_api() to prevent
the same telemetry record from being submitted twice with the same
RANDOM_UUID. This mirrors the existing POST_UPDATE_DONE pattern in
post_update_to_api().

post_to_api() is called twice in build.func:
- After storage validation (inside CONTAINER_STORAGE check)
- After create_lxc_container() completes

When both execute, the second call fails with a random_id uniqueness
violation on PocketBase, generating server-side errors.

misc/api.func

@@ -353,6 +353,9 @@ detect_ram() {
 # - Never blocks or fails script execution
 # ------------------------------------------------------------------------------
 post_to_api() {
+  # Prevent duplicate submissions (post_to_api is called from multiple places)
+  [[ "${POST_TO_API_DONE:-}" == "true" ]] && return 0
+
   # Silent fail - telemetry should never break scripts
   command -v curl &>/dev/null || {
     [[ "${DEV_MODE:-}" == "true" ]] && echo "[DEBUG] curl not found, skipping" >&2
@@ -440,6 +443,8 @@ EOF
       -H "Content-Type: application/json" \
       -d "$JSON_PAYLOAD" &>/dev/null || true
   fi
+
+  POST_TO_API_DONE=true
 }
 
 # ------------------------------------------------------------------------------

tools/addon/add-tailscale-lxc.sh

@@ -75,37 +75,14 @@ pct exec "$CTID" -- bash -c '
 set -e
 export DEBIAN_FRONTEND=noninteractive
 
-# Source os-release properly (handles quoted values)
-source /etc/os-release
+ID=$(grep "^ID=" /etc/os-release | cut -d"=" -f2)
+VER=$(grep "^VERSION_CODENAME=" /etc/os-release | cut -d"=" -f2)
 
-# Fallback if DNS is poisoned or blocked
+# fallback if DNS is poisoned or blocked
 ORIG_RESOLV="/etc/resolv.conf"
 BACKUP_RESOLV="/tmp/resolv.conf.backup"
 
-# Check DNS resolution using multiple methods (dig may not be installed)
-dns_check_failed=true
-if command -v dig &>/dev/null; then
-  if dig +short pkgs.tailscale.com 2>/dev/null | grep -qvE "^127\.|^0\.0\.0\.0$|^$"; then
-    dns_check_failed=false
-  fi
-elif command -v host &>/dev/null; then
-  if host pkgs.tailscale.com 2>/dev/null | grep -q "has address"; then
-    dns_check_failed=false
-  fi
-elif command -v nslookup &>/dev/null; then
-  if nslookup pkgs.tailscale.com 2>/dev/null | grep -q "Address:"; then
-    dns_check_failed=false
-  fi
-elif command -v getent &>/dev/null; then
-  if getent hosts pkgs.tailscale.com &>/dev/null; then
-    dns_check_failed=false
-  fi
-else
-  # No DNS tools available, try curl directly and assume DNS works
-  dns_check_failed=false
-fi
-
-if $dns_check_failed; then
+if ! dig +short pkgs.tailscale.com | grep -qvE "^127\.|^0\.0\.0\.0$"; then
   echo "[INFO] DNS resolution for pkgs.tailscale.com failed (blocked or redirected)."
   echo "[INFO] Temporarily overriding /etc/resolv.conf with Cloudflare DNS (1.1.1.1)"
   cp "$ORIG_RESOLV" "$BACKUP_RESOLV"
@@ -115,22 +92,17 @@ fi
 if ! command -v curl &>/dev/null; then
   echo "[INFO] curl not found, installing..."
   apt-get update -qq
- apt update -qq
- apt install -y curl >/dev/null
+  apt-get install -y curl >/dev/null
 fi
 
-# Ensure keyrings directory exists
-mkdir -p /usr/share/keyrings
-
-curl -fsSL "https://pkgs.tailscale.com/stable/${ID}/${VERSION_CODENAME}.noarmor.gpg" \
+curl -fsSL https://pkgs.tailscale.com/stable/${ID}/${VER}.noarmor.gpg \
   | tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
 
-echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/${ID} ${VERSION_CODENAME} main" \
+echo "deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/${ID} ${VER} main" \
   >/etc/apt/sources.list.d/tailscale.list
 
 apt-get update -qq
-apt update -qq
-apt install -y tailscale >/dev/null
+apt-get install -y tailscale >/dev/null
 
 if [[ -f /tmp/resolv.conf.backup ]]; then
   echo "[INFO] Restoring original /etc/resolv.conf"