fix(2fauth): export PHP_VERSION for nginx config

The PHP_VERSION variable was only available within the setup_php
function call scope. By setting it separately before the function
call, it remains available for the nginx configuration heredoc.

Fixes #11439

CHANGELOG.md

@@ -780,8 +780,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
   - #### 🐞 Bug Fixes
 
-    - Prometheus Paperless NGX Exporter: Set correct binary path in systemd unit file [@andygrunwald](https://github.com/andygrunwald) ([#11438](https://github.com/community-scripts/ProxmoxVE/pull/11438))
-    - tracearr: install/update new prestart script from upstream [@durzo](https://github.com/durzo) ([#11433](https://github.com/community-scripts/ProxmoxVE/pull/11433))
     - n8n: Fix dependencies [@tremor021](https://github.com/tremor021) ([#11429](https://github.com/community-scripts/ProxmoxVE/pull/11429))
     - [Hotfix] Bunkerweb update [@vhsdream](https://github.com/vhsdream) ([#11402](https://github.com/community-scripts/ProxmoxVE/pull/11402))
     - [Hotfix] Immich: revert healthcheck feature [@vhsdream](https://github.com/vhsdream) ([#11427](https://github.com/community-scripts/ProxmoxVE/pull/11427))

ct/tracearr.sh

@@ -30,55 +30,6 @@ function update_script() {
 
   NODE_VERSION="24" setup_nodejs
 
-  msg_info "Updating prestart script"
-  cat <<EOF >/data/tracearr/prestart.sh
-#!/usr/bin/env bash
-# =============================================================================
-# Tune PostgreSQL for available resources (runs every startup)
-# =============================================================================
-# timescaledb-tune automatically optimizes PostgreSQL settings based on
-# available RAM and CPU. Safe to run repeatedly - recalculates if resources change.
-if command -v timescaledb-tune &> /dev/null; then
-    total_ram_kb=\$(grep MemTotal /proc/meminfo | awk '{print \$2}')
-    ram_for_tsdb=\$((total_ram_kb / 1024 / 2))
-    timescaledb-tune -yes -memory "\$ram_for_tsdb"MB --quiet 2>/dev/null \
-        || echo "Warning: timescaledb-tune failed (non-fatal)"
-fi
-# =============================================================================
-# Ensure required PostgreSQL settings for Tracearr
-# =============================================================================
-pg_config_file="/etc/postgresql/18/main/postgresql.conf"
-if [ -f \$pg_config_file ]; then
-    # Ensure max_tuples_decompressed_per_dml_transaction is set
-    if grep -q "^timescaledb\.max_tuples_decompressed_per_dml_transaction" \$pg_config_file; then
-        # Setting exists (uncommented) - update if not 0
-        current_value=\$(grep "^timescaledb\.max_tuples_decompressed_per_dml_transaction" \$pg_config_file | grep -oE '[0-9]+' | head -1)
-        if [ -n "\$current_value" ] && [ "\$current_value" -ne 0 ]; then
-            sed -i "s/^timescaledb\.max_tuples_decompressed_per_dml_transaction.*/timescaledb.max_tuples_decompressed_per_dml_transaction = 0/" \$pg_config_file
-        fi
-    elif ! grep -q "^timescaledb\.max_tuples_decompressed_per_dml_transaction" \$pg_config_file; then
-        echo "" >> \$pg_config_file
-        echo "# Allow unlimited tuple decompression for migrations on compressed hypertables" >> \$pg_config_file
-        echo "timescaledb.max_tuples_decompressed_per_dml_transaction = 0" >> \$pg_config_file
-    fi
-    # Ensure max_locks_per_transaction is set (for existing databases)
-    if grep -q "^max_locks_per_transaction" \$pg_config_file; then
-        # Setting exists (uncommented) - update if below 4096
-        current_value=\$(grep "^max_locks_per_transaction" \$pg_config_file | grep -oE '[0-9]+' | head -1)
-        if [ -n "\$current_value" ] && [ "\$current_value" -lt 4096 ]; then
-            sed -i "s/^max_locks_per_transaction.*/max_locks_per_transaction = 4096/" \$pg_config_file
-        fi
-    elif ! grep -q "^max_locks_per_transaction" \$pg_config_file; then
-        echo "" >> \$pg_config_file
-        echo "# Increase lock table size for TimescaleDB hypertables with many chunks" >> \$pg_config_file
-        echo "max_locks_per_transaction = 4096" >> \$pg_config_file
-    fi
-fi
-systemctl restart postgresql
-EOF
-  chmod +x /data/tracearr/prestart.sh
-  msg_ok "Updated prestart script"
-
   if check_for_gh_release "tracearr" "connorgallopo/Tracearr"; then
     msg_info "Stopping Services"
     systemctl stop tracearr postgresql redis
@@ -123,15 +74,10 @@ EOF
     chown -R tracearr:tracearr /data/tracearr
     msg_ok "Configured Tracearr"
 
-    msg_info "Starting services"
+    msg_info "Starting Services"
     systemctl start postgresql redis tracearr
-    msg_ok "Started services"
+    msg_ok "Started Services"
     msg_ok "Updated successfully!"
-  else
-    # no new release, just restart service to apply prestart changes
-    msg_info "Restarting service"
-    systemctl restart tracearr
-    msg_ok "Restarted service"
   fi
   exit
 }

ct/vaultwarden.sh

@@ -28,8 +28,12 @@ function update_script() {
     exit
   fi
 
-  VAULT=$(get_latest_github_release "dani-garcia/vaultwarden")
+  VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest |
-  WVRELEASE=$(get_latest_github_release "dani-garcia/bw_web_builds")
+    grep "tag_name" |
+    awk '{print substr($2, 2, length($2)-3) }')
+  WVRELEASE=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest |
+    grep "tag_name" |
+    awk '{print substr($2, 2, length($2)-3) }')
 
   UPD=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SUPPORT" --radiolist --cancel-button Exit-Script "Spacebar = Select" 11 58 3 \
     "1" "VaultWarden $VAULT" ON \
@@ -38,68 +42,57 @@ function update_script() {
     3>&1 1>&2 2>&3)
 
   if [ "$UPD" == "1" ]; then
-    if check_for_gh_release "vaultwarden" "dani-garcia/vaultwarden"; then
+    msg_info "Stopping Service"
-      msg_info "Stopping Service"
+    systemctl stop vaultwarden
-      systemctl stop vaultwarden
+    msg_ok "Stopped Service"
-      msg_ok "Stopped Service"
 
-      fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
+    msg_info "Updating VaultWarden to $VAULT (Patience)"
-
+    cd ~ && rm -rf vaultwarden
-      msg_info "Updating VaultWarden to $VAULT (Patience)"
+    $STD git clone https://github.com/dani-garcia/vaultwarden
-      cd /tmp/vaultwarden-src
+    cd vaultwarden
-      $STD cargo build --features "sqlite,mysql,postgresql" --release
+    $STD cargo build --features "sqlite,mysql,postgresql" --release
-      if [[ -f /usr/bin/vaultwarden ]]; then
+    DIR=/usr/bin/vaultwarden
-        cp target/release/vaultwarden /usr/bin/
+    if [ -d "$DIR" ]; then
-      else
+      cp target/release/vaultwarden /usr/bin/
-        cp target/release/vaultwarden /opt/vaultwarden/bin/
-      fi
-      cd ~ && rm -rf /tmp/vaultwarden-src
-      msg_ok "Updated VaultWarden to ${VAULT}"
-
-      msg_info "Starting Service"
-      systemctl start vaultwarden
-      msg_ok "Started Service"
-      msg_ok "Updated successfully!"
     else
-      msg_ok "VaultWarden is already up-to-date"
+      cp target/release/vaultwarden /opt/vaultwarden/bin/
     fi
+    cd ~ && rm -rf vaultwarden
+    msg_ok "Updated VaultWarden"
+
+    msg_info "Starting Service"
+    systemctl start vaultwarden
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
     exit
   fi
-
   if [ "$UPD" == "2" ]; then
-    if check_for_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds"; then
+    msg_info "Stopping Service"
-      msg_info "Stopping Service"
+    systemctl stop vaultwarden
-      systemctl stop vaultwarden
+    msg_ok "Stopped Service"
-      msg_ok "Stopped Service"
 
-      fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
+    msg_info "Updating Web-Vault to $WVRELEASE"
+    $STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/"$WVRELEASE"/bw_web_"$WVRELEASE".tar.gz
+    $STD tar -zxf bw_web_"$WVRELEASE".tar.gz -C /opt/vaultwarden/
+    rm bw_web_"$WVRELEASE".tar.gz
+    msg_ok "Updated Web-Vault"
 
-      msg_info "Updating Web-Vault to $WVRELEASE"
+    msg_info "Starting Service"
-      rm -rf /opt/vaultwarden/web-vault
+    systemctl start vaultwarden
-      chown -R root:root /opt/vaultwarden/web-vault/
+    msg_ok "Started Service"
-      msg_ok "Updated Web-Vault to ${WVRELEASE}"
+    msg_ok "Updated successfully!"
-
-      msg_info "Starting Service"
-      systemctl start vaultwarden
-      msg_ok "Started Service"
-      msg_ok "Updated successfully!"
-    else
-      msg_ok "Web-Vault is already up-to-date"
-    fi
     exit
   fi
-
   if [ "$UPD" == "3" ]; then
     if NEWTOKEN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --passwordbox "Set the ADMIN_TOKEN" 10 58 3>&1 1>&2 2>&3); then
       if [[ -z "$NEWTOKEN" ]]; then exit; fi
-      ensure_dependencies argon2
+      if ! command -v argon2 >/dev/null 2>&1; then $STD apt-get install -y argon2; fi
       TOKEN=$(echo -n "${NEWTOKEN}" | argon2 "$(openssl rand -base64 32)" -t 2 -m 16 -p 4 -l 64 -e)
       sed -i "s|ADMIN_TOKEN=.*|ADMIN_TOKEN='${TOKEN}'|" /opt/vaultwarden/.env
       if [[ -f /opt/vaultwarden/data/config.json ]]; then
         sed -i "s|\"admin_token\":.*|\"admin_token\": \"${TOKEN}\"|" /opt/vaultwarden/data/config.json
       fi
       systemctl restart vaultwarden
-      msg_ok "Admin token updated"
     fi
     exit
   fi

install/2fauth-install.sh

@@ -17,7 +17,8 @@ msg_info "Installing Dependencies"
 $STD apt install -y nginx
 msg_ok "Installed Dependencies"
 
-PHP_VERSION="8.4" PHP_FPM="YES" setup_php
+export PHP_VERSION="8.4"
+PHP_FPM="YES" setup_php
 setup_composer
 setup_mariadb
 MARIADB_DB_NAME="2fauth_db" MARIADB_DB_USER="2fauth" setup_mariadb_db

install/prometheus-paperless-ngx-exporter-install.sh

@@ -31,7 +31,7 @@ After=network-online.target
 User=root
 Restart=always
 Type=simple
-ExecStart=/usr/bin/prometheus-paperless-exporter \
+ExecStart=/usr/local/bin/prometheus-paperless-exporter \
     --paperless_url=http://paperless.example.org \
     --paperless_auth_token_file=/etc/prometheus-paperless-ngx-exporter/paperless_auth_token_file
 ExecReload=/bin/kill -HUP \$MAINPID

install/tracearr-install.sh

@@ -109,34 +109,18 @@ if command -v timescaledb-tune &> /dev/null; then
         || echo "Warning: timescaledb-tune failed (non-fatal)"
 fi
 # =============================================================================
-# Ensure required PostgreSQL settings for Tracearr
+# Ensure TimescaleDB decompression limit is set (for existing databases)
 # =============================================================================
+# This setting allows migrations to modify compressed hypertable data.
+# Without it, bulk UPDATEs on compressed sessions will fail with
+# "tuple decompression limit exceeded" errors.
 pg_config_file="/etc/postgresql/18/main/postgresql.conf"
 if [ -f \$pg_config_file ]; then
-    # Ensure max_tuples_decompressed_per_dml_transaction is set
+    if ! grep -q "max_tuples_decompressed_per_dml_transaction" \$pg_config_file; then
-    if grep -q "^timescaledb\.max_tuples_decompressed_per_dml_transaction" \$pg_config_file; then
-        # Setting exists (uncommented) - update if not 0
-        current_value=\$(grep "^timescaledb\.max_tuples_decompressed_per_dml_transaction" \$pg_config_file | grep -oE '[0-9]+' | head -1)
-        if [ -n "\$current_value" ] && [ "\$current_value" -ne 0 ]; then
-            sed -i "s/^timescaledb\.max_tuples_decompressed_per_dml_transaction.*/timescaledb.max_tuples_decompressed_per_dml_transaction = 0/" \$pg_config_file
-        fi
-    elif ! grep -q "^timescaledb\.max_tuples_decompressed_per_dml_transaction" \$pg_config_file; then
         echo "" >> \$pg_config_file
         echo "# Allow unlimited tuple decompression for migrations on compressed hypertables" >> \$pg_config_file
         echo "timescaledb.max_tuples_decompressed_per_dml_transaction = 0" >> \$pg_config_file
     fi
-    # Ensure max_locks_per_transaction is set (for existing databases)
-    if grep -q "^max_locks_per_transaction" \$pg_config_file; then
-        # Setting exists (uncommented) - update if below 4096
-        current_value=\$(grep "^max_locks_per_transaction" \$pg_config_file | grep -oE '[0-9]+' | head -1)
-        if [ -n "\$current_value" ] && [ "\$current_value" -lt 4096 ]; then
-            sed -i "s/^max_locks_per_transaction.*/max_locks_per_transaction = 4096/" \$pg_config_file
-        fi
-    elif ! grep -q "^max_locks_per_transaction" \$pg_config_file; then
-        echo "" >> \$pg_config_file
-        echo "# Increase lock table size for TimescaleDB hypertables with many chunks" >> \$pg_config_file
-        echo "max_locks_per_transaction = 4096" >> \$pg_config_file
-    fi
 fi
 systemctl restart postgresql
 EOF

install/vaultwarden-install.sh

@@ -14,7 +14,7 @@ network_check
 update_os
 
 msg_info "Installing Dependencies"
-$STD apt install -y \
+$STD apt install -y git \
   build-essential \
   pkgconf \
   libssl-dev \
@@ -24,25 +24,34 @@ $STD apt install -y \
   ssl-cert
 msg_ok "Installed Dependencies"
 
-setup_rust
+WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }')
-fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
+VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }')
 
-msg_info "Building Vaultwarden (Patience)"
+msg_info "Installing Rust"
-cd /tmp/vaultwarden-src
+curl -fsSL https://sh.rustup.rs -o rustup-init.sh
+$STD bash rustup-init.sh -y --profile minimal
+echo 'export PATH="$HOME/.cargo/bin:$PATH"' >>~/.bashrc
+export PATH="$HOME/.cargo/bin:$PATH"
+rm rustup-init.sh
+msg_ok "Installed Rust"
+
+msg_info "Building Vaultwarden ${VAULT} (Patience)"
+$STD git clone https://github.com/dani-garcia/vaultwarden
+cd vaultwarden
 $STD cargo build --features "sqlite,mysql,postgresql" --release
-msg_ok "Built Vaultwarden"
+msg_ok "Built Vaultwarden ${VAULT}"
 
-msg_info "Setting up Vaultwarden"
 $STD addgroup --system vaultwarden
 $STD adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden
-mkdir -p /opt/vaultwarden/{bin,data,web-vault}
+mkdir -p /opt/vaultwarden/bin
+mkdir -p /opt/vaultwarden/data
 cp target/release/vaultwarden /opt/vaultwarden/bin/
-cd ~ && rm -rf /tmp/vaultwarden-src
-msg_ok "Set up Vaultwarden"
 
-fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden/web-vault" "bw_web_*.tar.gz"
+msg_info "Downloading Web-Vault ${WEBVAULT}"
+$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/"$WEBVAULT"/bw_web_"$WEBVAULT".tar.gz
+$STD tar -xzf bw_web_"$WEBVAULT".tar.gz -C /opt/vaultwarden/
+msg_ok "Downloaded Web-Vault ${WEBVAULT}"
 
-msg_info "Configuring Vaultwarden"
 cat <<EOF >/opt/vaultwarden/.env
 ADMIN_TOKEN=''
 ROCKET_ADDRESS=0.0.0.0
@@ -52,23 +61,22 @@ DATABASE_MAX_CONNS=10
 WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
 WEB_VAULT_ENABLED=true
 EOF
+
 mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/
 mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/
 
+msg_info "Creating Service"
 chown -R vaultwarden:vaultwarden /opt/vaultwarden/
 chown root:root /opt/vaultwarden/bin/vaultwarden
 chmod +x /opt/vaultwarden/bin/vaultwarden
 chown -R root:root /opt/vaultwarden/web-vault/
 chmod +r /opt/vaultwarden/.env
-msg_ok "Configured Vaultwarden"
 
-msg_info "Creating Service"
+service_path="/etc/systemd/system/vaultwarden.service"
-cat <<EOF >/etc/systemd/system/vaultwarden.service
+echo "[Unit]
-[Unit]
 Description=Bitwarden Server (Powered by Vaultwarden)
 Documentation=https://github.com/dani-garcia/vaultwarden
 After=network.target
-
 [Service]
 User=vaultwarden
 Group=vaultwarden
@@ -91,11 +99,10 @@ LockPersonality=yes
 WorkingDirectory=/opt/vaultwarden
 ReadWriteDirectories=/opt/vaultwarden/data
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target" >$service_path
-EOF
+systemctl daemon-reload
-systemctl enable -q --now vaultwarden
+$STD systemctl enable --now vaultwarden
 msg_ok "Created Service"
 
 motd_ssh