NginxProxymanager: set Certbot version in npm.service environment variable (2.15.0)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -470,6 +470,28 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-06-01
+
+## 2026-05-31
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Manyfold: regenerate Rails credentials on update to fix encryption mimatch [@MickLesk](https://github.com/MickLesk) ([#14817](https://github.com/community-scripts/ProxmoxVE/pull/14817))
+    - OpenThread-BR: use correct ipv6 configuration [@tomfrenzel](https://github.com/tomfrenzel) ([#14829](https://github.com/community-scripts/ProxmoxVE/pull/14829))
+
+  - #### 🔧 Refactor
+
+    - Webtrees: use PHP CLI for initial setup instead of curl to setup wizard [@MickLesk](https://github.com/MickLesk) ([#14818](https://github.com/community-scripts/ProxmoxVE/pull/14818))
+    - Kima-Hub: use curl_with_retry for ML model downloads to fix possible timeout issues [@MickLesk](https://github.com/MickLesk) ([#14816](https://github.com/community-scripts/ProxmoxVE/pull/14816))
+
+### 🧰 Tools
+
+  - #### 🔧 Refactor
+
+    - PBS4-Upgrade: update current PBS3 packages before switching to Trixie repos [@MickLesk](https://github.com/MickLesk) ([#14815](https://github.com/community-scripts/ProxmoxVE/pull/14815))
+
 ## 2026-05-30
 
 ### 🚀 Updated Scripts

ct/manyfold.sh

@@ -40,8 +40,6 @@ function update_script() {
     CURRENT_VERSION=$(grep -oP 'APP_VERSION=\K[^ ]+' /opt/manyfold/.env || echo "unknown")
     cp -r /opt/manyfold/app/storage /opt/manyfold_storage_backup 2>/dev/null || true
     cp -r /opt/manyfold/app/tmp /opt/manyfold_tmp_backup 2>/dev/null || true
-    cp /opt/manyfold/app/config/credentials.yml.enc /opt/manyfold_credentials.yml.enc 2>/dev/null || true
-    cp /opt/manyfold/app/config/master.key /opt/manyfold_master.key 2>/dev/null || true
     $STD tar -czf "/opt/manyfold_${CURRENT_VERSION}_backup.tar.gz" -C /opt/manyfold app
     msg_ok "Backed up Data"
 
@@ -57,14 +55,12 @@ function update_script() {
     RUBY_VERSION=${RUBY_INSTALL_VERSION} RUBY_INSTALL_RAILS="true" HOME=/home/manyfold setup_ruby
 
     msg_info "Restoring Data"
-    rm -rf /opt/manyfold/app/{storage,tmp,config/credentials.yml.enc,config/master.key}
+    rm -rf /opt/manyfold/app/{storage,tmp}
     cp -r /opt/manyfold_storage_backup /opt/manyfold/app/storage 2>/dev/null || true
     cp -r /opt/manyfold_tmp_backup /opt/manyfold/app/tmp 2>/dev/null || true
-    cp /opt/manyfold_credentials.yml.enc /opt/manyfold/app/config/credentials.yml.enc 2>/dev/null || true
-    cp /opt/manyfold_master.key /opt/manyfold/app/config/master.key 2>/dev/null || true
     chown -R manyfold:manyfold {/home/manyfold,/opt/manyfold}
     chown -R manyfold:manyfold /opt/manyfold/app/storage /opt/manyfold/app/tmp /opt/manyfold/app/config
-    rm -rf /opt/manyfold_storage_backup /opt/manyfold_tmp_backup /opt/manyfold_credentials.yml.enc /opt/manyfold_master.key
+    rm -rf /opt/manyfold_storage_backup /opt/manyfold_tmp_backup
     msg_ok "Restored Data"
 
     msg_info "Installing Manyfold"
@@ -80,6 +76,8 @@ function update_script() {
             bundle install
             corepack prepare '"$YARN_VERSION"' --activate
             corepack use '"$YARN_VERSION"'
+            rm -f config/credentials.yml.enc config/master.key
+            EDITOR=/bin/true bin/rails credentials:edit
             bin/rails db:migrate
             bin/rails assets:precompile
         '

ct/nginxproxymanager.sh

@@ -216,6 +216,12 @@ EOF
     msg_ok "Initialized Backend"
 
     msg_info "Starting Services"
+    CERTBOT_VER=$(/opt/certbot/bin/certbot --version 2>&1 | awk '{print $NF}')
+    if grep -q "Environment=CERTBOT_VERSION" /lib/systemd/system/npm.service; then
+      sed -i "s|Environment=CERTBOT_VERSION=.*|Environment=CERTBOT_VERSION=${CERTBOT_VER}|" /lib/systemd/system/npm.service
+    else
+      sed -i "/Environment=NODE_ENV=production/a Environment=CERTBOT_VERSION=${CERTBOT_VER}" /lib/systemd/system/npm.service
+    fi
     sed -i 's/user npm/user root/g; s/^pid/#pid/g' /usr/local/openresty/nginx/conf/nginx.conf
     sed -r -i 's/^([[:space:]]*)su npm npm/\1#su npm npm/g;' /etc/logrotate.d/nginx-proxy-manager
     systemctl daemon-reload

ct/openthread-br.sh

@@ -70,6 +70,27 @@ function update_script() {
   $STD ninja install
   msg_ok "Rebuilt OpenThread Border Router"
 
+  if ! grep -q "net.ipv6.conf.all.accept_ra=2" /etc/sysctl.d/99-otbr.conf; then
+    msg_info "Configuring Network"
+    cat <<EOF >/etc/sysctl.d/99-otbr.conf
+net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.all.accept_ra=2
+net.ipv6.conf.all.accept_ra_rtr_pref=1
+net.ipv6.conf.all.accept_ra_rt_info_max_plen=64
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.default.accept_ra=2
+net.ipv6.conf.default.accept_ra_rtr_pref=1
+net.ipv6.conf.default.accept_ra_rt_info_max_plen=64
+net.ipv6.conf.eth0.forwarding=1
+net.ipv6.conf.eth0.accept_ra=2
+net.ipv6.conf.eth0.accept_ra_rtr_pref=1
+net.ipv6.conf.eth0.accept_ra_rt_info_max_plen=64
+net.ipv4.ip_forward=1
+EOF
+    $STD sysctl -p /etc/sysctl.d/99-otbr.conf
+    msg_ok "Configured Network"
+  fi
+
   msg_info "Starting Services"
   systemctl start otbr-agent
   systemctl start otbr-web

install/kima-hub-install.sh

@@ -56,20 +56,20 @@ msg_ok "Installed Python Dependencies"
 msg_info "Downloading Essentia ML Models"
 mkdir -p /opt/kima-hub/models
 cd /opt/kima-hub/models
-curl -fsSL -o msd-musicnn-1.pb "https://essentia.upf.edu/models/autotagging/msd/msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/autotagging/msd/msd-musicnn-1.pb" "msd-musicnn-1.pb"
-curl -fsSL -o mood_happy-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_happy/mood_happy-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_happy/mood_happy-msd-musicnn-1.pb" "mood_happy-msd-musicnn-1.pb"
-curl -fsSL -o mood_sad-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_sad/mood_sad-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_sad/mood_sad-msd-musicnn-1.pb" "mood_sad-msd-musicnn-1.pb"
-curl -fsSL -o mood_relaxed-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_relaxed/mood_relaxed-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_relaxed/mood_relaxed-msd-musicnn-1.pb" "mood_relaxed-msd-musicnn-1.pb"
-curl -fsSL -o mood_aggressive-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_aggressive/mood_aggressive-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_aggressive/mood_aggressive-msd-musicnn-1.pb" "mood_aggressive-msd-musicnn-1.pb"
-curl -fsSL -o mood_party-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_party/mood_party-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_party/mood_party-msd-musicnn-1.pb" "mood_party-msd-musicnn-1.pb"
-curl -fsSL -o mood_acoustic-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_acoustic/mood_acoustic-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_acoustic/mood_acoustic-msd-musicnn-1.pb" "mood_acoustic-msd-musicnn-1.pb"
-curl -fsSL -o mood_electronic-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/mood_electronic/mood_electronic-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/mood_electronic/mood_electronic-msd-musicnn-1.pb" "mood_electronic-msd-musicnn-1.pb"
-curl -fsSL -o danceability-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/danceability/danceability-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/danceability/danceability-msd-musicnn-1.pb" "danceability-msd-musicnn-1.pb"
-curl -fsSL -o voice_instrumental-msd-musicnn-1.pb "https://essentia.upf.edu/models/classification-heads/voice_instrumental/voice_instrumental-msd-musicnn-1.pb"
+curl_with_retry "https://essentia.upf.edu/models/classification-heads/voice_instrumental/voice_instrumental-msd-musicnn-1.pb" "voice_instrumental-msd-musicnn-1.pb"
 msg_ok "Downloaded Essentia ML Models"
 
 msg_info "Downloading CLAP Model"
-curl -fsSL -o /opt/kima-hub/models/music_audioset_epoch_15_esc_90.14.pt "https://huggingface.co/lukewys/laion_clap/resolve/main/music_audioset_epoch_15_esc_90.14.pt"
+CURL_TIMEOUT=600 curl_with_retry "https://huggingface.co/lukewys/laion_clap/resolve/main/music_audioset_epoch_15_esc_90.14.pt" "/opt/kima-hub/models/music_audioset_epoch_15_esc_90.14.pt"
 msg_ok "Downloaded CLAP Model"
 
 msg_info "Building Backend"

install/nginxproxymanager-install.sh

@@ -160,7 +160,8 @@ $STD yarn install --network-timeout 600000
 msg_ok "Initialized Backend"
 
 msg_info "Creating Service"
-cat <<'EOF' >/lib/systemd/system/npm.service
+CERTBOT_VER=$(/opt/certbot/bin/certbot --version 2>&1 | awk '{print $NF}')
+cat <<EOF >/lib/systemd/system/npm.service
 [Unit]
 Description=Nginx Proxy Manager
 After=network.target
@@ -169,6 +170,7 @@ Wants=openresty.service
 [Service]
 Type=simple
 Environment=NODE_ENV=production
+Environment=CERTBOT_VERSION=${CERTBOT_VER}
 ExecStartPre=-mkdir -p /tmp/nginx/body /data/letsencrypt-acme-challenge
 ExecStart=/usr/bin/node index.js --abort_on_uncaught_exception --max_old_space_size=250
 WorkingDirectory=/app

install/openthread-br-install.sh

@@ -67,6 +67,17 @@ msg_ok "Built OpenThread Border Router"
 msg_info "Configuring Network"
 cat <<EOF >/etc/sysctl.d/99-otbr.conf
 net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.all.accept_ra=2
+net.ipv6.conf.all.accept_ra_rtr_pref=1
+net.ipv6.conf.all.accept_ra_rt_info_max_plen=64
+net.ipv6.conf.default.forwarding=1
+net.ipv6.conf.default.accept_ra=2
+net.ipv6.conf.default.accept_ra_rtr_pref=1
+net.ipv6.conf.default.accept_ra_rt_info_max_plen=64
+net.ipv6.conf.eth0.forwarding=1
+net.ipv6.conf.eth0.accept_ra=2
+net.ipv6.conf.eth0.accept_ra_rtr_pref=1
+net.ipv6.conf.eth0.accept_ra_rt_info_max_plen=64
 net.ipv4.ip_forward=1
 EOF
 $STD sysctl -p /etc/sysctl.d/99-otbr.conf

install/webtrees-install.sh

@@ -41,29 +41,27 @@ cat <<EOF >/etc/caddy/Caddyfile
 }
 EOF
 usermod -aG www-data caddy
-msg_ok "Configured Caddy"
-
 systemctl enable -q --now php${PHP_VER}-fpm
 systemctl restart caddy
+msg_ok "Configured Caddy"
 
 msg_info "Automating Webtrees Setup"
-sleep 5
+cd /opt/webtrees
 WT_ADMIN_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c15)
-curl -sS -X POST "http://127.0.0.1/" \
+$STD sudo -u www-data php /opt/webtrees/index.php config-ini \
-  -d "step=6" \
+  --dbhost=127.0.0.1 \
-  --data-urlencode "baseurl=http://${LOCAL_IP}" \
+  --dbport=3306 \
-  -d "lang=en-US" \
+  --dbuser=webtrees \
-  -d "dbtype=mysql" \
+  --dbpass="${MARIADB_DB_PASS}" \
-  -d "dbhost=127.0.0.1" \
+  --dbname=webtrees \
-  -d "dbport=3306" \
+  --tblpfx=wt_ \
-  -d "dbuser=webtrees" \
+  --base-url="http://${LOCAL_IP}"
-  --data-urlencode "dbpass=${MARIADB_DB_PASS}" \
+$STD sudo -u www-data php /opt/webtrees/index.php user Admin \
-  -d "dbname=webtrees" \
+  --create \
-  -d "tblpfx=wt_" \
+  --real-name="Administrator" \
-  -d "wtname=Administrator" \
+  --email="admin@example.com" \
-  -d "wtuser=Admin" \
+  --password="${WT_ADMIN_PASS}"
-  --data-urlencode "wtpass=${WT_ADMIN_PASS}" \
+$STD sudo -u www-data php /opt/webtrees/index.php user-setting Admin canadmin 1
-  -d "wtemail=admin@example.com" >/dev/null
 
 cat <<EOF >>~/webtrees.creds
 

tools/pve/pbs4-upgrade.sh

@@ -50,6 +50,19 @@ start_routines() {
   no) msg_error "Selected no to Backup" ;;
   esac
 
+  # --- Update Current PBS 3 System ---
+  CHOICE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "PBS 3 UPDATE" --menu \
+    "\nUpdate current PBS 3 (Bookworm) packages before upgrade?" 14 58 2 "yes" " " "no" " " 3>&2 2>&1 1>&3)
+  case $CHOICE in
+  yes)
+    msg_info "Updating current PBS 3 packages"
+    apt-get update
+    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
+    msg_ok "Updated current PBS 3 packages"
+    ;;
+  no) msg_error "Skipped updating current packages" ;;
+  esac
+
   # --- Debian 13 Sources ---
   CHOICE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "PBS 4 SOURCES" --menu \
     "Switch to Debian 13 (Trixie) sources for PBS 4?" 14 58 2 "yes" " " "no" " " 3>&2 2>&1 1>&3)