fix(bentopdf): create default config.json to avoid runtime 404

BentoPDF fetches /config.json at runtime. In our build/deploy flow this file
may be missing, causing noisy 404 errors in the browser console.

Create a minimal default config.json ({}), only when absent, during install
and update so custom configs are not overwritten.

CHANGELOG.md

@@ -439,28 +439,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
-## 2026-04-10
-
-### 🚀 Updated Scripts
-
-  - Immich: Pin version to 2.7.3 [@vhsdream](https://github.com/vhsdream) ([#13631](https://github.com/community-scripts/ProxmoxVE/pull/13631))
-
-  - #### ✨ New Features
-
-    - Homarr: bind Redis to localhost only [@MickLesk](https://github.com/MickLesk) ([#13552](https://github.com/community-scripts/ProxmoxVE/pull/13552))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - tools.func: prevent script crash when entering GitHub token after rate limit [@MickLesk](https://github.com/MickLesk) ([#13638](https://github.com/community-scripts/ProxmoxVE/pull/13638))
-
-### 🧰 Tools
-
-  - #### 🔧 Refactor
-
-    - addons: Filebrowser & Filebrowser-Quantum get warning if host install [@MickLesk](https://github.com/MickLesk) ([#13639](https://github.com/community-scripts/ProxmoxVE/pull/13639))
-
 ## 2026-04-09
 
 ### 🚀 Updated Scripts
@@ -471,7 +449,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
   - #### ✨ New Features
 
-    - Update OPNsense version from 25.7 to 26.1 [@tdn131](https://github.com/tdn131) ([#13626](https://github.com/community-scripts/ProxmoxVE/pull/13626))
     - CheckMK: Bump Default OS to 13 (trixie) + dynamic codename + fix RELEASE-Tag Fetching [@MickLesk](https://github.com/MickLesk) ([#13610](https://github.com/community-scripts/ProxmoxVE/pull/13610))
 
 ## 2026-04-08

ct/bentopdf.sh

@@ -42,7 +42,6 @@ function update_script() {
     msg_info "Updating BentoPDF"
     cd /opt/bentopdf
     $STD npm ci --no-audit --no-fund
-    $STD npm install http-server -g
     if [[ -f /opt/production.env ]]; then
       mv /opt/production.env ./.env.production
     else
@@ -52,15 +51,97 @@ function update_script() {
     export SIMPLE_MODE=true
     export VITE_USE_CDN=true
     $STD npm run build:all
+    if [[ ! -f /opt/bentopdf/dist/config.json ]]; then
+      cat <<'EOF' >/opt/bentopdf/dist/config.json
+{}
+EOF
+    fi
     msg_ok "Updated BentoPDF"
 
     msg_info "Starting Service"
-    if grep -q '8080' /etc/systemd/system/bentopdf.service; then
-      sed -i -e 's|/bentopdf|/bentopdf/dist|' \
-        -e 's|npx.*|npx http-server -g -b -d false -r --no-dotfiles|' \
-        /etc/systemd/system/bentopdf.service
-      systemctl daemon-reload
+    ensure_dependencies nginx openssl
+    if [[ ! -f /etc/ssl/private/bentopdf-selfsigned.key || ! -f /etc/ssl/certs/bentopdf-selfsigned.crt ]]; then
+      CERT_CN="$(hostname -I | awk '{print $1}')"
+      $STD openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
+      -keyout /etc/ssl/private/bentopdf-selfsigned.key \
+      -out /etc/ssl/certs/bentopdf-selfsigned.crt \
+      -subj "/CN=${CERT_CN}"
     fi
+    cat <<'EOF' >/etc/nginx/sites-available/bentopdf
+server {
+    listen 8080;
+    server_name _;
+    return 301 https://$host:8443$request_uri;
+  }
+
+  server {
+    listen 8443 ssl;
+    server_name _;
+    ssl_certificate /etc/ssl/certs/bentopdf-selfsigned.crt;
+    ssl_certificate_key /etc/ssl/private/bentopdf-selfsigned.key;
+    root /opt/bentopdf/dist;
+    index index.html;
+
+    # Required for LibreOffice WASM (Word/Excel/PowerPoint to PDF via SharedArrayBuffer)
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+    add_header Cross-Origin-Resource-Policy "cross-origin" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    gzip_static on;
+
+    location ~* /libreoffice-wasm/soffice\.wasm\.gz$ {
+      gzip off;
+      types {} default_type application/wasm;
+      add_header Content-Encoding gzip;
+      add_header Vary "Accept-Encoding";
+      add_header Cache-Control "public, immutable";
+    }
+
+    location ~* /libreoffice-wasm/soffice\.data\.gz$ {
+      gzip off;
+      types {} default_type application/octet-stream;
+      add_header Content-Encoding gzip;
+      add_header Vary "Accept-Encoding";
+      add_header Cache-Control "public, immutable";
+    }
+
+    location ~* \.wasm$ {
+      types {} default_type application/wasm;
+      expires 1y;
+      add_header Cache-Control "public, immutable";
+    }
+
+    location ~* \.(wasm\.gz|data\.gz|data)$ {
+      expires 1y;
+      add_header Cache-Control "public, immutable";
+    }
+
+    location / {
+        try_files $uri $uri/ $uri.html =404;
+    }
+
+    error_page 404 /404.html;
+}
+EOF
+    rm -f /etc/nginx/sites-enabled/default
+    ln -sf /etc/nginx/sites-available/bentopdf /etc/nginx/sites-enabled/bentopdf
+    cat <<'EOF' >/etc/systemd/system/bentopdf.service
+[Unit]
+Description=BentoPDF Service
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/nginx -g "daemon off;"
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    systemctl daemon-reload
     systemctl start bentopdf
     msg_ok "Started Service"
     msg_ok "Updated successfully!"
@@ -75,4 +156,4 @@ description
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:8443${CL}"

ct/homarr.sh

@@ -65,7 +65,6 @@ EOF
 
     msg_info "Updating Homarr"
     cp /opt/homarr/redis.conf /etc/redis/redis.conf
-    grep -q '^bind 127.0.0.1 -::1$' /etc/redis/redis.conf || echo "bind 127.0.0.1 -::1" >> /etc/redis/redis.conf
     rm /etc/nginx/nginx.conf
     cp /opt/homarr/nginx.conf /etc/nginx/templates/nginx.conf
     msg_ok "Updated Homarr"

ct/immich.sh

@@ -109,7 +109,7 @@ EOF
     msg_ok "Image-processing libraries up to date"
   fi
 
-  RELEASE="v2.7.3"
+  RELEASE="v2.7.2"
   if check_for_gh_release "Immich" "immich-app/immich" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
     if [[ $(cat ~/.immich) > "2.5.1" ]]; then
       msg_info "Enabling Maintenance Mode"

install/bentopdf-install.sh

@@ -13,32 +13,105 @@ setting_up_container
 network_check
 update_os
 
+ensure_dependencies nginx openssl
+
 NODE_VERSION="24" setup_nodejs
 fetch_and_deploy_gh_release "bentopdf" "alam00000/bentopdf" "tarball" "latest" "/opt/bentopdf"
 
 msg_info "Setup BentoPDF"
 cd /opt/bentopdf
 $STD npm ci --no-audit --no-fund
-$STD npm install http-server -g
 cp ./.env.example ./.env.production
 export NODE_OPTIONS="--max-old-space-size=3072"
 export SIMPLE_MODE=true
 export VITE_USE_CDN=true
 $STD npm run build:all
+if [[ ! -f /opt/bentopdf/dist/config.json ]]; then
+    cat <<'EOF' >/opt/bentopdf/dist/config.json
+{}
+EOF
+fi
 msg_ok "Setup BentoPDF"
 
 msg_info "Creating Service"
-cat <<EOF >/etc/systemd/system/bentopdf.service
+if [[ ! -f /etc/ssl/private/bentopdf-selfsigned.key || ! -f /etc/ssl/certs/bentopdf-selfsigned.crt ]]; then
+  CERT_CN="$(hostname -I | awk '{print $1}')"
+  $STD openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
+    -keyout /etc/ssl/private/bentopdf-selfsigned.key \
+    -out /etc/ssl/certs/bentopdf-selfsigned.crt \
+    -subj "/CN=${CERT_CN}"
+fi
+
+cat <<'EOF' >/etc/nginx/sites-available/bentopdf
+server {
+    listen 8080;
+    server_name _;
+    return 301 https://$host:8443$request_uri;
+}
+
+server {
+    listen 8443 ssl;
+    server_name _;
+    ssl_certificate /etc/ssl/certs/bentopdf-selfsigned.crt;
+    ssl_certificate_key /etc/ssl/private/bentopdf-selfsigned.key;
+    root /opt/bentopdf/dist;
+    index index.html;
+
+    # Required for LibreOffice WASM (Word/Excel/PowerPoint to PDF via SharedArrayBuffer)
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+    add_header Cross-Origin-Resource-Policy "cross-origin" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    gzip_static on;
+
+    location ~* /libreoffice-wasm/soffice\.wasm\.gz$ {
+        gzip off;
+        types {} default_type application/wasm;
+        add_header Content-Encoding gzip;
+        add_header Vary "Accept-Encoding";
+        add_header Cache-Control "public, immutable";
+    }
+
+    location ~* /libreoffice-wasm/soffice\.data\.gz$ {
+        gzip off;
+        types {} default_type application/octet-stream;
+        add_header Content-Encoding gzip;
+        add_header Vary "Accept-Encoding";
+        add_header Cache-Control "public, immutable";
+    }
+
+    location ~* \.wasm$ {
+        types {} default_type application/wasm;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    location ~* \.(wasm\.gz|data\.gz|data)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    location / {
+        try_files $uri $uri/ $uri.html =404;
+    }
+
+    error_page 404 /404.html;
+}
+EOF
+rm -f /etc/nginx/sites-enabled/default
+ln -sf /etc/nginx/sites-available/bentopdf /etc/nginx/sites-enabled/bentopdf
+cat <<'EOF' >/etc/systemd/system/bentopdf.service
 [Unit]
 Description=BentoPDF Service
 After=network.target
 
 [Service]
 Type=simple
-WorkingDirectory=/opt/bentopdf/dist
-ExecStart=/usr/bin/npx http-server -g -b -d false -r --no-dotfiles
+ExecStart=/usr/sbin/nginx -g "daemon off;"
+ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
-RestartSec=10
 
 [Install]
 WantedBy=multi-user.target

install/homarr-install.sh

@@ -47,7 +47,6 @@ mkdir -p /appdata/redis
 chown -R redis:redis /appdata/redis
 chmod 744 /appdata/redis
 cp /opt/homarr/redis.conf /etc/redis/redis.conf
-grep -q '^bind 127.0.0.1 -::1$' /etc/redis/redis.conf || echo "bind 127.0.0.1 -::1" >>/etc/redis/redis.conf
 rm /etc/nginx/nginx.conf
 mkdir -p /etc/nginx/templates
 cp /opt/homarr/nginx.conf /etc/nginx/templates/nginx.conf
@@ -81,7 +80,7 @@ chmod +x /opt/homarr/run.sh
 systemctl daemon-reload
 systemctl enable -q --now redis-server
 systemctl enable -q --now homarr
-systemctl disable -q --now nginx
+systemctl disable -q --now nginx 
 msg_ok "Created Services"
 
 motd_ssh

install/immich-install.sh

@@ -295,7 +295,7 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 
-fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.3" "$SRC_DIR"
+fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.2" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 

misc/build.func

@@ -1054,7 +1054,7 @@ load_vars_file() {
 
   # Allowed var_* keys
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1255,7 +1255,7 @@ default_var_settings() {
   # Allowed var_* keys (alphabetically sorted)
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
     var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
     var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -1350,10 +1350,6 @@ var_verbose=no
 
 # Security (root PW) – empty => autologin
 # var_pw=
-
-# GitHub Personal Access Token (optional – avoids API rate limits during installs)
-# Create at https://github.com/settings/tokens – read-only public access is sufficient
-# var_github_token=ghp_your_token_here
 EOF
 
     # Now choose storages (always prompt unless just one exists)
@@ -1391,11 +1387,6 @@ EOF
     VERBOSE="no"
   fi
 
-  # 4) Map var_github_token → GITHUB_TOKEN (only if not already set in environment)
-  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
-    export GITHUB_TOKEN="${var_github_token}"
-  fi
-
   # 4) Apply base settings and show summary
   METHOD="mydefaults-global"
   base_settings "$VERBOSE"
@@ -1428,7 +1419,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
     var_gateway var_hostname var_ipv6_method var_mac var_mtu
     var_net var_ns var_os var_pw var_ram var_tags var_tun var_unprivileged
     var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage

misc/tools.func

@@ -1117,87 +1117,15 @@ is_package_installed() {
   fi
 }
 
-# ------------------------------------------------------------------------------
-# validate_github_token()
-# Checks a GitHub token via the /user endpoint.
-# Prints a status message and returns:
-#   0 - token is valid
-#   1 - token is invalid / expired (HTTP 401)
-#   2 - token has no public repo scope (HTTP 200 but missing scope)
-#   3 - network/API error
-# Also reports expiry date if the token carries an x-oauth-expiry header.
-# ------------------------------------------------------------------------------
-validate_github_token() {
-  local token="${1:-${GITHUB_TOKEN:-}}"
-  [[ -z "$token" ]] && return 3
-
-  local response headers http_code expiry_date scopes
-  headers=$(mktemp)
-  response=$(curl -sSL -w "%{http_code}" \
-    -D "$headers" \
-    -o /dev/null \
-    -H "Authorization: Bearer $token" \
-    -H "Accept: application/vnd.github+json" \
-    -H "X-GitHub-Api-Version: 2022-11-28" \
-    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
-  http_code="$response"
-
-  # Read expiry header (fine-grained PATs carry this)
-  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
-  # Read token scopes (classic PATs)
-  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
-  rm -f "$headers"
-
-  case "$http_code" in
-    200)
-      if [[ -n "$expiry_date" ]]; then
-        msg_ok "GitHub token is valid (expires: $expiry_date)."
-      else
-        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
-      fi
-      # Warn if classic PAT has no public_repo scope
-      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
-        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
-        return 2
-      fi
-      return 0
-      ;;
-    401)
-      msg_error "GitHub token is invalid or expired (HTTP 401)."
-      return 1
-      ;;
-    *)
-      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
-      return 0
-      ;;
-  esac
-}
-
 # ------------------------------------------------------------------------------
 # Prompt user to enter a GitHub Personal Access Token (PAT) interactively
 # Returns 0 if a valid token was provided, 1 otherwise
 # ------------------------------------------------------------------------------
 prompt_for_github_token() {
   if [[ ! -t 0 ]]; then
-    # Non-interactive: pick up var_github_token if set (from default.vars / app.vars / env)
-    if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
-      export GITHUB_TOKEN="${var_github_token}"
-      msg_ok "GitHub token loaded from var_github_token."
-      return 0
-    fi
     return 1
   fi
 
-  # Prefer var_github_token when already set and no interactive override needed
-  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
-    export GITHUB_TOKEN="${var_github_token}"
-    msg_ok "GitHub token loaded from var_github_token."
-    validate_github_token || true
-    return 0
-  fi
-
   local reply
   read -rp "${TAB}Would you like to enter a GitHub Personal Access Token (PAT)? [y/N]: " reply
   reply="${reply:-n}"
@@ -1219,16 +1147,10 @@ prompt_for_github_token() {
       msg_warn "Token must not contain spaces. Please try again."
       continue
     fi
-    # Validate before accepting
-    export GITHUB_TOKEN="$token"
-    if validate_github_token "$token"; then
-      break
-    else
-      msg_warn "Please enter a valid token, or press Ctrl+C to abort."
-      unset GITHUB_TOKEN
-    fi
+    break
   done
 
+  export GITHUB_TOKEN="$token"
   msg_ok "GitHub token has been set."
   return 0
 }
@@ -2938,7 +2860,7 @@ function fetch_and_deploy_codeberg_release() {
 
   while ((attempt < ${#api_timeouts[@]})); do
     resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o /tmp/codeberg_rel.json "$api_url") && success=true && break
-    attempt=$((attempt + 1))
+    ((attempt++))
     if ((attempt < ${#api_timeouts[@]})); then
       msg_warn "API request timed out after ${api_timeouts[$((attempt - 1))]}s, retrying... (attempt $((attempt + 1))/${#api_timeouts[@]})"
     fi
@@ -3448,8 +3370,7 @@ function fetch_and_deploy_gh_release() {
         if prompt_for_github_token; then
           header=(-H "Authorization: token $GITHUB_TOKEN")
           retry_delay=2
-          attempt=1
-          continue
+          attempt=0
         fi
       fi
     else

tools/addon/filebrowser-quantum.sh

@@ -43,21 +43,6 @@ IP=$(ip -4 addr show "$IFACE" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n
 [[ -z "$IP" ]] && IP=$(hostname -I | awk '{print $1}')
 [[ -z "$IP" ]] && IP="127.0.0.1"
 
-# Proxmox Host Warning
-if [[ -d "/etc/pve" ]]; then
-  echo -e "${RD}⚠️  Warning: Running this addon directly on the Proxmox host is not recommended!${CL}"
-  echo -e "${YW}   Only the boot disk will be visible — passthrough drives will not be indexed.${CL}"
-  echo -e "${YW}   This causes incorrect disk usage stats and incomplete file browsing.${CL}"
-  echo -e "${YW}   Run this addon inside an LXC or VM instead and mount your drives there.${CL}"
-  echo ""
-  echo -n "Continue anyway on the Proxmox host? (y/N): "
-  read -r host_confirm
-  if [[ ! "${host_confirm,,}" =~ ^(y|yes)$ ]]; then
-    echo -e "${YW}Aborted.${CL}"
-    exit 0
-  fi
-fi
-
 # OS Detection
 if [[ -f "/etc/alpine-release" ]]; then
   OS="Alpine"

tools/addon/filebrowser.sh

@@ -41,21 +41,6 @@ IP=$(ip -4 addr show "$IFACE" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n
 [[ -z "$IP" ]] && IP=$(hostname -I | awk '{print $1}')
 [[ -z "$IP" ]] && IP="127.0.0.1"
 
-# Proxmox Host Warning
-if [[ -d "/etc/pve" ]]; then
-  echo -e "${RD}⚠️  Warning: Running this addon directly on the Proxmox host is not recommended!${CL}"
-  echo -e "${YW}   Only the boot disk will be visible — passthrough drives will not be indexed.${CL}"
-  echo -e "${YW}   This causes incorrect disk usage stats and incomplete file browsing.${CL}"
-  echo -e "${YW}   Run this addon inside an LXC or VM instead and mount your drives there.${CL}"
-  echo ""
-  echo -n "Continue anyway on the Proxmox host? (y/N): "
-  read -r host_confirm
-  if [[ ! "${host_confirm,,}" =~ ^(y|yes)$ ]]; then
-    echo -e "${YW}Aborted.${CL}"
-    exit 0
-  fi
-fi
-
 # Detect OS
 if [[ -f "/etc/alpine-release" ]]; then
   OS="Alpine"

vm/opnsense-vm.sh

@@ -24,7 +24,7 @@ RANDOM_UUID="$(cat /proc/sys/kernel/random/uuid)"
 METHOD=""
 NSAPP="opnsense-vm"
 var_os="opnsense"
-var_version="26.1"
+var_version="25.7"
 #
 GEN_MAC=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
 GEN_MAC_LAN=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
@@ -797,7 +797,7 @@ if [ -n "$WAN_BRG" ]; then
   msg_ok "WAN interface added"
   sleep 5 # Brief pause after adding network interface
 fi
-send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 26.1"
+send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 25.7"
 msg_ok "OPNsense VM is being installed, do not close the terminal, or the installation will fail."
 #We need to wait for the OPNsense build proccess to finish, this takes a few minutes
 sleep 1000