fix space

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -461,16 +461,36 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-05-12
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Save Omada version [@lucacome](https://github.com/lucacome) ([#14433](https://github.com/community-scripts/ProxmoxVE/pull/14433))
+
 ## 2026-05-11
 
 ### 🆕 New Scripts
 
-  - solidtime ([#14392](https://github.com/community-scripts/ProxmoxVE/pull/14392))
-- shlink ([#14393](https://github.com/community-scripts/ProxmoxVE/pull/14393))
+  - Lychee ([#14424](https://github.com/community-scripts/ProxmoxVE/pull/14424))
 
-### 💾 Core
+### 🚀 Updated Scripts
 
-  - core: support optional POST_INSTALL_SCRIPT (var_post_install_script) hook  [@MickLesk](https://github.com/MickLesk) ([#14160](https://github.com/community-scripts/ProxmoxVE/pull/14160))
+  - #### 🐞 Bug Fixes
+
+    - Termix: fix nginx pid path and log paths on update (#) [@MickLesk](https://github.com/MickLesk) ([#14419](https://github.com/community-scripts/ProxmoxVE/pull/14419))
+    - Nginxproxymanager: restore NPM nginx.conf after OpenResty rebuid [@MickLesk](https://github.com/MickLesk) ([#14421](https://github.com/community-scripts/ProxmoxVE/pull/14421))
+
+  - #### 🔧 Refactor
+
+    - InvestBrain: add commented reverse proxy config hints to .env [@MickLesk](https://github.com/MickLesk) ([#14422](https://github.com/community-scripts/ProxmoxVE/pull/14422))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - Cronmaster: fix unexpected EOF in update_cronmaster script [@MickLesk](https://github.com/MickLesk) ([#14420](https://github.com/community-scripts/ProxmoxVE/pull/14420))
 
 ## 2026-05-10
 

ct/authentik.sh

@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+APP="authentik"
+var_tags="${var_tags:-auth}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-16}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/authentik ]]; then
+    msg_error "No authentik Installation Found!"
+    exit
+  fi
+
+  NODE_VERSION="24" setup_nodejs
+  setup_go
+  UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
+  setup_rust
+
+  AUTHENTIK_VERSION="version/2026.2.2"
+  XMLSEC_VERSION="1.3.11"
+
+  if check_for_gh_release "geoipupdate" "maxmind/geoipupdate"; then
+    fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+  fi
+
+  if check_for_gh_release "xmlsec" "lsh123/xmlsec" "${XMLSEC_VERSION}"; then
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
+
+    msg_info "Updating xmlsec"
+    cd /opt/xmlsec
+    $STD ./autogen.sh
+    $STD make -j $(nproc)
+    $STD make check
+    $STD make install
+    $STD ldconfig
+    msg_ok "Updated xmlsec"
+  fi
+
+  if check_for_gh_release "authentik" "goauthentik/authentik" "${AUTHENTIK_VERSION}"; then
+    msg_info "Stopping Services"
+    systemctl stop authentik-server authentik-worker
+	if [[ $(systemctl is-active authentik-ldap) == active ]]; then
+		systemctl stop authentik-ldap
+	fi
+	if [[ $(systemctl is-active authentik-rac) == active ]]; then
+		systemctl stop authentik-rac
+	fi
+	if [[ $(systemctl is-active authentik-radius) == active ]]; then
+		systemctl stop authentik-radius
+	fi
+    msg_ok "Stopped Services"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
+
+    msg_info "Updating web"
+    cd /opt/authentik/web
+    export NODE_ENV="production"
+    $STD npm install
+    $STD npm run build
+    $STD npm run build:sfe
+    msg_ok "Updated web"
+
+    msg_info "Updating go proxy"
+    cd /opt/authentik
+    export CGO_ENABLED="1"
+    $STD go mod download
+    $STD go build -o /opt/authentik/authentik-server ./cmd/server
+	$STD go build -o /opt/authentik/ldap ./cmd/ldap
+	$STD go build -o /opt/authentik/rac ./cmd/rac
+	$STD go build -o /opt/authentik/radius ./cmd/radius
+    msg_ok "Updated go proxy"
+
+    msg_info "Updating python server"
+    export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+    export UV_COMPILE_BYTECODE="1"
+    export UV_LINK_MODE="copy"
+    export UV_NATIVE_TLS="1"
+    export RUSTUP_PERMIT_COPY_RENAME="true"
+    export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
+    cd /opt/authentik
+    $STD uv sync --frozen --no-install-project --no-dev
+    chown -R authentik:authentik /opt/authentik
+    msg_ok "Updated python server"
+  fi
+
+  msg_info "Starting Services"
+  systemctl start authentik-server authentik-worker
+  if [[ $(systemctl is-enabled authentik-ldap) == enabled ]]; then
+  	systemctl start authentik-ldap
+  fi
+  if [[ $(systemctl is-enabled authentik-rac) == enabled ]]; then
+  	systemctl start authentik-rac
+  fi
+  if [[ $(systemctl is-enabled authentik-radius) == enabled ]]; then
+  	systemctl start authentik-radius
+  fi
+  msg_ok "Started Services"
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+
+msg_info "Attaching data storage volume"
+$STD pct stop "$CTID"
+if [ "${PROTECT_CT:-}" == "1" ] || [ "${PROTECT_CT:-}" == "yes" ]; then
+  $STD pct set "$CTID" --protection 0
+  $STD pct set "$CTID" -mp0 "${CONTAINER_STORAGE}":1,mp=/opt/authentik-data,backup=1
+  $STD pct set "$CTID" --protection 1
+else
+  $STD pct set "$CTID" -mp0 "${CONTAINER_STORAGE}":1,mp=/opt/authentik-data,backup=1
+fi
+$STD pct start "$CTID"
+for i in {1..10}; do
+  pct status "$CTID" | grep -q "status: running" && break
+  sleep 1
+done
+$STD pct exec "$CTID" -- bash -c "mkdir -p /opt/authentik-data/{certs,media,geoip,templates}; \
+  cp /opt/authentik/tests/GeoLite2-ASN-Test.mmdb /opt/authentik-data/geoip/GeoLite2-ASN.mmdb; \
+  cp /opt/authentik/tests/GeoLite2-City-Test.mmdb /opt/authentik-data/geoip/GeoLite2-City.mmdb; \
+  chown authentik:authentik /opt/authentik-data; \
+  chown -R authentik:authentik /opt/authentik-data/{certs,media,geoip,templates}"
+msg_ok "Attached data storage volume"
+
+msg_info "Starting Services"
+pct exec "$CTID" -- systemctl enable -q --now authentik-server authentik-worker
+msg_ok "Started Services"
+
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Initial setup URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000/if/flow/initial-setup/${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:9000${CL}"

ct/headers/authentik

@@ -0,0 +1,6 @@
+               __  __               __  _ __  
+  ____ ___  __/ /_/ /_  ___  ____  / /_(_) /__
+ / __ `/ / / / __/ __ \/ _ \/ __ \/ __/ / //_/
+/ /_/ / /_/ / /_/ / / /  __/ / / / /_/ / ,<   
+\__,_/\__,_/\__/_/ /_/\___/_/ /_/\__/_/_/|_|  
+                                              

ct/headers/lychee

@@ -0,0 +1,6 @@
+    __               __            
+   / /   __  _______/ /_  ___  ___ 
+  / /   / / / / ___/ __ \/ _ \/ _ \
+ / /___/ /_/ / /__/ / / /  __/  __/
+/_____/\__, /\___/_/ /_/\___/\___/ 
+      /____/                       

ct/lychee.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/LycheeOrg/Lychee
+
+APP="Lychee"
+var_tags="${var_tags:-media;photos;gallery}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/lychee ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "lychee" "LycheeOrg/Lychee"; then
+    msg_info "Stopping Services"
+    systemctl stop caddy
+    msg_ok "Stopped Services"
+
+    msg_info "Backing up Data"
+    cp /opt/lychee/.env /opt/lychee.env.bak
+    cp -r /opt/lychee/storage /opt/lychee_storage_backup
+    msg_ok "Backed up Data"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "lychee" "LycheeOrg/Lychee" "prebuild" "latest" "/opt/lychee" "Lychee.zip"
+
+    msg_info "Restoring Data"
+    cp /opt/lychee.env.bak /opt/lychee/.env
+    rm -f /opt/lychee.env.bak
+    cp -r /opt/lychee_storage_backup/. /opt/lychee/storage
+    rm -rf /opt/lychee_storage_backup
+    msg_ok "Restored Data"
+
+    msg_info "Updating Application"
+    cd /opt/lychee
+    $STD php artisan migrate --force
+    $STD php artisan optimize:clear
+    chmod -R 775 /opt/lychee/storage /opt/lychee/bootstrap/cache
+    msg_ok "Updated Application"
+
+    msg_info "Starting Services"
+    systemctl start caddy
+    msg_ok "Started Services"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"

ct/nginxproxymanager.sh

@@ -92,6 +92,11 @@ ExecStart=/usr/local/openresty/nginx/sbin/nginx -g 'daemon off;'
 [Install]
 WantedBy=multi-user.target
 EOF
+    if [ -f /opt/nginxproxymanager/docker/rootfs/etc/nginx/nginx.conf ]; then
+      cp /opt/nginxproxymanager/docker/rootfs/etc/nginx/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+      sed -i 's+^daemon+#daemon+g' /usr/local/openresty/nginx/conf/nginx.conf
+      sed -i 's+include conf.d+include /etc/nginx/conf.d+g' /usr/local/openresty/nginx/conf/nginx.conf
+    fi
     sed -i 's/user npm/user root/g; s/^pid/#pid/g' /usr/local/openresty/nginx/conf/nginx.conf
     systemctl daemon-reload
     systemctl unmask openresty 2>/dev/null || true

ct/omada.sh

@@ -38,20 +38,32 @@ function update_script() {
 
   JAVA_VERSION="21" setup_java
 
-  msg_info "Updating Omada Controller"
   OMADA_URL=$(curl -fsSL "https://support.omadanetworks.com/en/download/software/omada-controller/" |
     grep -o 'https://static\.tp-link\.com/upload/software/[^"]*linux_x64[^"]*\.deb' |
     head -n1)
-  OMADA_PKG=$(basename "$OMADA_URL")
-  if [ -z "$OMADA_PKG" ]; then
-    msg_error "Could not retrieve Omada package – server may be down."
-    exit
+  OMADA_PKG=$(basename "${OMADA_URL}")
+  VERSION=$(sed -n 's/.*_v\([0-9.]*\)_.*_\([0-9]\{14\}\)\.deb$/\1-\2/p' <<<"${OMADA_PKG}")
+
+  CURRENT_VERSION=$(cat $HOME/.omada 2>/dev/null || echo "0")
+
+  if dpkg --compare-versions "${VERSION}" gt "${CURRENT_VERSION}"; then
+
+    msg_info "Updating Omada Controller"
+
+    if [ -z "${OMADA_PKG}" ]; then
+      msg_error "Could not retrieve Omada package – server may be down."
+      exit
+    fi
+    curl -fsSL "${OMADA_URL}" -o "${OMADA_PKG}"
+    export DEBIAN_FRONTEND=noninteractive
+    $STD dpkg -i "${OMADA_PKG}"
+    rm -f "${OMADA_PKG}"
+    echo "${VERSION}" >$HOME/.omada
+    msg_ok "Updated Omada Controller to ${VERSION}"
+    msg_ok "Updated successfully!"
+  else
+    msg_ok "No update available: ${APP} (${CURRENT_VERSION})"
   fi
-  curl -fsSL "$OMADA_URL" -o "$OMADA_PKG"
-  export DEBIAN_FRONTEND=noninteractive
-  $STD dpkg -i "$OMADA_PKG"
-  rm -f "$OMADA_PKG"
-  msg_ok "Updated successfully!"
   exit
 }
 

install/authentik-install.sh

@@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Thieneret
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/goauthentik/authentik
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  build-essential \
+  pkg-config \
+  libffi-dev \
+  libxslt-dev \
+  zlib1g-dev \
+  libpq-dev \
+  krb5-multidev \
+  libkrb5-dev \
+  heimdal-multidev \
+  libclang-dev \
+  libltdl-dev \
+  libpq5 \
+  libmaxminddb0 \
+  libkrb5-3 \
+  libkdb5-10 \
+  libkadm5clnt-mit12 \
+  libkadm5clnt7t64-heimdal \
+  libltdl7 \
+  libxslt1.1 \
+  python3-dev \
+  libxml2-dev \
+  libxml2 \
+  libxslt1-dev \
+  automake \
+  autoconf \
+  libtool \
+  libtool-bin \
+  gcc \
+  git
+msg_ok "Installed Dependencies"
+
+NODE_VERSION="24" setup_nodejs
+setup_yq
+setup_go
+UV_PYTHON_INSTALL_DIR="/usr/local/bin" PYTHON_VERSION="3.14.3" setup_uv
+setup_rust
+PG_VERSION="17" setup_postgresql
+PG_DB_NAME="authentik" PG_DB_USER="authentik" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
+
+XMLSEC_VERSION="1.3.11"
+AUTHENTIK_VERSION="version/2026.2.2"
+fetch_and_deploy_gh_release "xmlsec" "lsh123/xmlsec" "tarball" "${XMLSEC_VERSION}" "/opt/xmlsec"
+fetch_and_deploy_gh_release "authentik" "goauthentik/authentik" "tarball" "${AUTHENTIK_VERSION}" "/opt/authentik"
+fetch_and_deploy_gh_release "geoipupdate" "maxmind/geoipupdate" "binary"
+
+msg_info "Setup xmlsec"
+cd /opt/xmlsec
+$STD ./autogen.sh
+$STD make -j $(nproc)
+$STD make check
+$STD make install
+$STD ldconfig
+msg_ok "xmlsec installed"
+
+msg_info "Setup web"
+cd /opt/authentik/web
+export NODE_ENV="production"
+$STD npm install
+$STD npm run build
+$STD npm run build:sfe
+msg_ok "Web installed"
+
+msg_info "Setup go proxy"
+cd /opt/authentik
+export CGO_ENABLED="1"
+$STD go mod download
+$STD go build -o /opt/authentik/authentik-server ./cmd/server
+$STD go build -o /opt/authentik/ldap ./cmd/ldap
+$STD go build -o /opt/authentik/rac ./cmd/rac
+$STD go build -o /opt/authentik/radius ./cmd/radius
+msg_ok "Go proxy installed"
+
+cat <<EOF >/usr/local/etc/GeoIP.conf
+AccountID ChangeME
+LicenseKey ChangeME
+EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
+DatabaseDirectory /opt/authentik-data/geoip
+RetryFor 5m
+Parallelism 1
+EOF
+
+echo "#39 19 * * 6,4 /usr/bin/geoipupdate -f /usr/local/etc/GeoIP.conf" | crontab -
+
+msg_info "Setup python server"
+export UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+export UV_COMPILE_BYTECODE="1"
+export UV_LINK_MODE="copy"
+export UV_NATIVE_TLS="1"
+export RUSTUP_PERMIT_COPY_RENAME="true"
+export UV_PYTHON_INSTALL_DIR="/usr/local/bin"
+cd /opt/authentik
+$STD uv sync --frozen --no-install-project --no-dev
+cp /opt/authentik/authentik/sources/kerberos/krb5.conf /etc/krb5.conf
+msg_ok "Installed python server"
+
+msg_info "Creating authentik config"
+mkdir -p /etc/authentik
+mv /opt/authentik/authentik/lib/default.yml /etc/authentik/config.yml
+yq -i ".secret_key = \"$(openssl rand -base64 128 | tr -dc 'a-zA-Z0-9' | head -c64)\"" /etc/authentik/config.yml
+yq -i ".postgresql.password = \"${PG_DB_PASS}\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.geoip = \"/opt/authentik-data/geoip/GeoLite2-City.mmdb\"" /etc/authentik/config.yml
+yq -i ".events.context_processors.asn = \"/opt/authentik-data/geoip/GeoLite2-ASN.mmdb\"" /etc/authentik/config.yml
+yq -i ".blueprints_dir = \"/opt/authentik/blueprints\"" /etc/authentik/config.yml
+yq -i ".cert_discovery_dir = \"/opt/authentik-data/certs\"" /etc/authentik/config.yml
+yq -i ".email.template_dir = \"/opt/authentik-data/templates\"" /etc/authentik/config.yml
+yq -i ".storage.file.path = \"/opt/authentik-data\"" /etc/authentik/config.yml
+yq -i ".disable_startup_analytics = \"true\"" /etc/authentik/config.yml
+$STD useradd -U -s /usr/sbin/nologin -r -M -d /opt/authentik authentik
+chown -R authentik:authentik /opt/authentik
+cat <<EOF >/etc/default/authentik
+TMPDIR=/dev/shm/
+UV_LINK_MODE=copy
+UV_PYTHON_DOWNLOADS=0
+UV_NATIVE_TLS=1
+VENV_PATH=/opt/authentik/.venv
+PYTHONDONTWRITEBYTECODE=1
+PYTHONUNBUFFERED=1
+PATH=/opt/authentik/lifecycle:/opt/authentik/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+DJANGO_SETTINGS_MODULE=authentik.root.settings
+PROMETHEUS_MULTIPROC_DIR="/tmp/authentik_prometheus_tmp"
+EOF
+cat <<EOF >/etc/default/authentik_ldap
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+cat <<EOF >/etc/default/authentik_rac
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+cat <<EOF >/etc/default/authentik_radius
+AUTHENTIK_HOST="https://127.0.0.1:9443"
+AUTHENTIK_INSECURE="true"
+AUTHENTIK_TOKEN="token-generated-by-authentik"
+EOF
+msg_ok "authentik config created"
+
+msg_info "Creating services"
+cat <<EOF >/etc/systemd/system/authentik-server.service
+[Unit]
+Description=authentik Go Server (API Gateway)
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStartPre=/usr/bin/mkdir -p "\${PROMETHEUS_MULTIPROC_DIR}"
+ExecStart=/opt/authentik/authentik-server
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-worker.service
+[Unit]
+Description=authentik Worker
+After=network.target postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+Type=simple
+EnvironmentFile=/etc/default/authentik
+ExecStart=/usr/local/bin/uv run python -m manage worker --pid-file /dev/shm/authentik-worker.pid
+WorkingDirectory=/opt/authentik
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-ldap.service
+[Unit]
+Description=authentik LDAP Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/ldap
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_ldap
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-rac.service
+[Unit]
+Description=authentik RAC Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/rac
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_rac
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/authentik-radius.service
+[Unit]
+Description=authentik Radius Outpost
+After=network.target
+Wants=postgresql.service
+
+[Service]
+User=authentik
+Group=authentik
+ExecStart=/opt/authentik/radius
+WorkingDirectory=/opt/authentik/
+Restart=always
+RestartSec=5
+EnvironmentFile=/etc/default/authentik_radius
+
+[Install]
+WantedBy=multi-user.target
+EOF
+msg_ok "Services created"
+
+motd_ssh
+customize
+cleanup_lxc

install/investbrain-install.sh

@@ -90,6 +90,11 @@ MAIL_PORT=2525
 MAIL_FROM_ADDRESS="investbrain@${LOCAL_IP}"
 
 VITE_APP_NAME=Investbrain
+
+# Reverse Proxy Support (uncomment and set APP_URL/ASSET_URL to your domain when using a reverse proxy)
+# APP_URL=https://your-domain.com
+# ASSET_URL=https://your-domain.com
+# TRUSTED_PROXIES=*
 EOF
 export COMPOSER_ALLOW_SUPERUSER=1
 $STD /usr/local/bin/composer install --no-interaction --no-dev --optimize-autoloader

install/lychee-install.sh

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/LycheeOrg/Lychee
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  caddy \
+  libimage-exiftool-perl \
+  jpegoptim
+msg_ok "Installed Dependencies"
+
+PHP_VERSION="8.4" PHP_FPM="YES" PHP_MODULE="bcmath,ldap,exif,gd,intl,imagick,redis,zip,pdo_pgsql,pcntl" setup_php
+PG_VERSION="16" setup_postgresql
+PG_DB_NAME="lychee" PG_DB_USER="lychee" setup_postgresql_db
+setup_ffmpeg
+setup_imagemagick
+
+fetch_and_deploy_gh_release "lychee" "LycheeOrg/Lychee" "prebuild" "latest" "/opt/lychee" "Lychee.zip"
+
+msg_info "Configuring Application"
+cd /opt/lychee
+cp .env.example .env
+APP_KEY=$($STD php artisan key:generate --show)
+sed -i "s|^APP_KEY=.*|APP_KEY=${APP_KEY}|" .env
+sed -i "s|^APP_ENV=.*|APP_ENV=production|" .env
+sed -i "s|^APP_DEBUG=.*|APP_DEBUG=false|" .env
+sed -i "s|^APP_URL=.*|APP_URL=http://${LOCAL_IP}|" .env
+sed -i "s|^DB_CONNECTION=.*|DB_CONNECTION=pgsql|" .env
+sed -i "s|^DB_HOST=.*|DB_HOST=127.0.0.1|" .env
+sed -i "s|^DB_PORT=.*|DB_PORT=5432|" .env
+sed -i "s|^#\?DB_DATABASE=.*|DB_DATABASE=${PG_DB_NAME}|" .env
+sed -i "s|^DB_USERNAME=.*|DB_USERNAME=${PG_DB_USER}|" .env
+sed -i "s|^DB_PASSWORD=.*|DB_PASSWORD=${PG_DB_PASS}|" .env
+mkdir -p storage/framework/{cache,sessions,views} storage/logs bootstrap/cache public/dist public/uploads public/sym
+touch public/dist/user.css public/dist/custom.js
+chmod -R 775 storage bootstrap/cache public/dist public/uploads public/sym
+msg_ok "Configured Application"
+
+msg_info "Running Database Migrations"
+cd /opt/lychee
+$STD php artisan migrate --force
+msg_ok "Ran Database Migrations"
+
+chown -R www-data:www-data /opt/lychee
+
+msg_info "Configuring Caddy"
+PHP_VER=$(php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;')
+cat <<EOF >/etc/caddy/Caddyfile
+:80 {
+    root * /opt/lychee/public
+    php_fastcgi unix//run/php/php${PHP_VER}-fpm.sock
+    file_server
+    encode gzip
+}
+EOF
+usermod -aG www-data caddy
+msg_ok "Configured Caddy"
+
+systemctl enable -q --now php${PHP_VER}-fpm
+systemctl restart caddy
+
+motd_ssh
+customize
+cleanup_lxc

install/omada-install.sh

@@ -38,10 +38,12 @@ msg_info "Installing Omada Controller"
 OMADA_URL=$(curl -fsSL "https://support.omadanetworks.com/en/download/software/omada-controller/" |
   grep -o 'https://static\.tp-link\.com/upload/software/[^"]*linux_x64[^"]*\.deb' |
   head -n1)
-OMADA_PKG=$(basename "$OMADA_URL")
-curl -fsSL "$OMADA_URL" -o "$OMADA_PKG"
-$STD dpkg -i "$OMADA_PKG"
-rm -rf "$OMADA_PKG"
+OMADA_PKG=$(basename "${OMADA_URL}")
+curl -fsSL "${OMADA_URL}" -o "${OMADA_PKG}"
+$STD dpkg -i "${OMADA_PKG}"
+rm -rf "${OMADA_PKG}"
+VERSION=$(sed -n 's/.*_v\([0-9.]*\)_.*_\([0-9]\{14\}\)\.deb$/\1-\2/p' <<<"${OMADA_PKG}")
+echo "${VERSION}" >$HOME/.omada
 msg_ok "Installed Omada Controller"
 
 motd_ssh

tools/addon/cronmaster.sh

@@ -147,7 +147,7 @@ EOF
   # Create update script
   msg_info "Creating update script"
   ensure_usr_local_bin_persist
-  cat <<EOF >/usr/local/bin/update_cronmaster
+  cat <<'EOF' >/usr/local/bin/update_cronmaster
 #!/usr/bin/env bash
 # CronMaster Update Script
 type=update bash -c "$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/tools/addon/cronmaster.sh)"

tools/addon/qbittorrent-exporter.sh

@@ -68,6 +68,24 @@ function uninstall() {
 # ==============================================================================
 function update() {
   if check_for_gh_release "qbittorrent-exporter" "martabal/qbittorrent-exporter"; then
+    if [[ "$(printf '%s\n' "2.0.0" "$CHECK_UPDATE_RELEASE" | sort -V | tail -n1)" == "$CHECK_UPDATE_RELEASE" ]] && \
+       ! grep -q "QBITTORRENT_API_KEY" "$CONFIG_PATH" 2>/dev/null; then
+      echo ""
+      msg_warn "Version 2.0.0 introduces a breaking change: username/password login has been replaced by an API key."
+      echo -e "${TAB3}${INFO} You must create an API key in qBittorrent under Tools > Options > Web UI > API key"
+      echo ""
+      echo -n "${TAB3}Enter your qBittorrent API key (or press Enter to abort): "
+      read -r QBITTORRENT_API_KEY
+      if [[ -z "$QBITTORRENT_API_KEY" ]]; then
+        msg_warn "No API key provided. Update aborted."
+        exit 0
+      fi
+      sed -i '/^QBITTORRENT_USERNAME=/d' "$CONFIG_PATH"
+      sed -i '/^QBITTORRENT_PASSWORD=/d' "$CONFIG_PATH"
+      echo "QBITTORRENT_API_KEY=\"${QBITTORRENT_API_KEY}\"" >>"$CONFIG_PATH"
+      msg_ok "API key saved to configuration"
+    fi
+
     msg_info "Stopping service"
     if [[ "$OS" == "Alpine" ]]; then
       rc-service qbittorrent-exporter stop &>/dev/null
@@ -100,10 +118,9 @@ function update() {
 # INSTALL
 # ==============================================================================
 function install() {
-  read -erp "Enter URL of qBittorrent, example: (http://127.0.0.1:8080): " QBITTORRENT_BASE_URL
-  read -erp "Enter qBittorrent username: " QBITTORRENT_USERNAME
-  read -rsp "Enter qBittorrent password: " QBITTORRENT_PASSWORD
-  printf "\n"
+  read -erp "${TAB3}Enter URL of qBittorrent, example: (http://127.0.0.1:8080): " QBITTORRENT_BASE_URL
+  echo -e "${TAB3}${INFO} Create an API key in qBittorrent under Tools > Options > Web UI > API key"
+  read -erp "${TAB3}Enter qBittorrent API key: " QBITTORRENT_API_KEY
 
   fetch_and_deploy_gh_release "qbittorrent-exporter" "martabal/qbittorrent-exporter" "tarball" "latest"
   setup_go
@@ -116,8 +133,7 @@ function install() {
   cat <<EOF >"$CONFIG_PATH"
 # https://github.com/martabal/qbittorrent-exporter?tab=readme-ov-file#parameters
 QBITTORRENT_BASE_URL="${QBITTORRENT_BASE_URL}"
-QBITTORRENT_USERNAME="${QBITTORRENT_USERNAME}"
-QBITTORRENT_PASSWORD="${QBITTORRENT_PASSWORD}"
+QBITTORRENT_API_KEY="${QBITTORRENT_API_KEY}"
 EOF
   msg_ok "Created configuration"