Add protonmail-bridge (ct)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -452,7 +452,8 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ### 🆕 New Scripts
 
-  - Neko ([#14121](https://github.com/community-scripts/ProxmoxVE/pull/14121))
+  - Nagios ([#14126](https://github.com/community-scripts/ProxmoxVE/pull/14126))
+- Neko ([#14121](https://github.com/community-scripts/ProxmoxVE/pull/14121))
 
 ### 💾 Core
 

ct/headers/nagios

@@ -0,0 +1,6 @@
+    _   __            _           
+   / | / /___ _____ _(_)___  _____
+  /  |/ / __ `/ __ `/ / __ \/ ___/
+ / /|  / /_/ / /_/ / / /_/ (__  ) 
+/_/ |_/\__,_/\__, /_/\____/____/  
+            /____/                

ct/headers/protonmail-bridge

@@ -0,0 +1,6 @@
+    ____             __              __  ___      _ __      ____       _     __         
+   / __ \_________  / /_____  ____  /  |/  /___ _(_) /     / __ )_____(_)___/ /___ ____ 
+  / /_/ / ___/ __ \/ __/ __ \/ __ \/ /|_/ / __ `/ / /_____/ __  / ___/ / __  / __ `/ _ \
+ / ____/ /  / /_/ / /_/ /_/ / / / / /  / / /_/ / / /_____/ /_/ / /  / / /_/ / /_/ /  __/
+/_/   /_/   \____/\__/\____/_/ /_/_/  /_/\__,_/_/_/     /_____/_/  /_/\__,_/\__, /\___/ 
+                                                                           /____/       

ct/nagios.sh

@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CanbiZ (MickLesk)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/NagiosEnterprises/nagioscore
+
+APP="Nagios"
+var_tags="${var_tags:-monitoring;alerts;infrastructure}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-20}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /usr/local/nagios/etc/nagios.cfg ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  msg_info "Backing up Configuration"
+  cp -a /usr/local/nagios/etc /opt/nagios-etc-backup
+  msg_ok "Backed up Configuration"
+
+  if check_for_gh_release "nagios" "NagiosEnterprises/nagioscore"; then
+    msg_info "Stopping Nagios"
+    systemctl stop nagios
+    msg_ok "Stopped Nagios"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "nagios" "NagiosEnterprises/nagioscore" "tarball"
+
+    msg_info "Building Nagios Core"
+    cd /opt/nagios
+    $STD ./configure --with-httpd-conf=/etc/apache2/sites-enabled
+    $STD make all
+    $STD make install-groups-users
+    usermod -a -G nagios www-data
+    $STD make install
+    $STD make install-daemoninit
+    $STD make install-commandmode
+    $STD make install-webconf
+    $STD a2enmod rewrite
+    $STD a2enmod cgi
+    msg_ok "Built Nagios Core"
+
+    msg_info "Starting Nagios"
+    systemctl restart apache2
+    systemctl start nagios
+    msg_ok "Started Nagios"
+  fi
+
+  if check_for_gh_release "nagios-plugins" "nagios-plugins/nagios-plugins"; then
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "nagios-plugins" "nagios-plugins/nagios-plugins" "tarball"
+    msg_info "Building Nagios Plugins"
+    cd /opt/nagios-plugins
+    $STD ./tools/setup
+    $STD ./configure
+    $STD make
+    $STD make install
+    msg_ok "Built Nagios Plugins"
+  fi
+
+  msg_info "Restoring Configuration"
+  rm -rf /usr/local/nagios/etc
+  cp -a /opt/nagios-etc-backup /usr/local/nagios/etc
+  rm -rf /opt/nagios-etc-backup
+  msg_ok "Restored Configuration"
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}/nagios${CL}"

ct/protonmail-bridge.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Stephen Chin (steveonjava)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/ProtonMail/proton-bridge
+
+APP="ProtonMail-Bridge"
+var_tags="${var_tags:-mail;proton}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-1024}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -x /usr/bin/protonmail-bridge ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit 1
+  fi
+
+  if check_for_gh_release "protonmail-bridge" "ProtonMail/proton-bridge"; then
+    local -a bridge_units=(
+      protonmail-bridge
+      protonmail-bridge-imap.socket
+      protonmail-bridge-smtp.socket
+      protonmail-bridge-imap-proxy
+      protonmail-bridge-smtp-proxy
+    )
+    local unit
+    declare -A was_active
+    for unit in "${bridge_units[@]}"; do
+      if systemctl is-active --quiet "$unit" 2>/dev/null; then
+        was_active["$unit"]=1
+      else
+        was_active["$unit"]=0
+      fi
+    done
+
+    msg_info "Stopping Services"
+    systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket protonmail-bridge-imap-proxy protonmail-bridge-smtp-proxy protonmail-bridge
+    msg_ok "Stopped Services"
+
+    fetch_and_deploy_gh_release "protonmail-bridge" "ProtonMail/proton-bridge" "binary"
+
+    if [[ -f /home/protonbridge/.protonmailbridge-initialized ]]; then
+      msg_info "Starting Services"
+      for unit in "${bridge_units[@]}"; do
+        if [[ "${was_active[$unit]:-0}" == "1" ]]; then
+          systemctl start "$unit"
+        fi
+      done
+      msg_ok "Started Services"
+    else
+      msg_ok "Initialization not completed. Services remain disabled."
+    fi
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW}One-time configuration is required before Bridge services are enabled.${CL}"
+echo -e "${INFO}${YW}Run this command in the container: protonmailbridge-configure${CL}"

install/nagios-install.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CanbiZ (MickLesk)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/NagiosEnterprises/nagioscore
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  autoconf \
+  automake \
+  build-essential \
+  bc \
+  dc \
+  gawk \
+  gettext \
+  gperf \
+  libgd-dev \
+  libmcrypt-dev \
+  libnet-snmp-perl \
+  libssl-dev \
+  snmp \
+  apache2 \
+  apache2-utils
+msg_ok "Installed Dependencies"
+
+PHP_APACHE="YES" setup_php
+
+fetch_and_deploy_gh_release "nagios" "NagiosEnterprises/nagioscore" "tarball"
+
+msg_info "Building Nagios Core"
+cd /opt/nagios
+$STD ./configure --with-httpd-conf=/etc/apache2/sites-enabled
+$STD make all
+$STD make install-groups-users
+usermod -a -G nagios www-data
+$STD make install
+$STD make install-daemoninit
+$STD make install-commandmode
+$STD make install-config
+$STD make install-webconf
+$STD a2enmod rewrite
+$STD a2enmod cgi
+msg_ok "Built Nagios Core"
+
+fetch_and_deploy_gh_release "nagios-plugins" "nagios-plugins/nagios-plugins" "tarball"
+
+msg_info "Building Nagios Plugins"
+cd /opt/nagios-plugins
+$STD ./tools/setup
+$STD ./configure
+$STD make
+$STD make install
+msg_ok "Built Nagios Plugins"
+
+msg_info "Configuring Web Authentication"
+$STD htpasswd -bc /usr/local/nagios/etc/htpasswd.users nagiosadmin nagiosadmin
+chown root:www-data /usr/local/nagios/etc/htpasswd.users
+chmod 640 /usr/local/nagios/etc/htpasswd.users
+msg_ok "Configured Web Authentication"
+
+msg_info "Starting Services"
+systemctl enable -q apache2
+systemctl restart apache2
+systemctl enable -q --now nagios
+msg_ok "Started Services"
+
+motd_ssh
+customize
+cleanup_lxc

install/protonmail-bridge-install.sh

@@ -0,0 +1,192 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Stephen Chin (steveonjava)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/ProtonMail/proton-bridge
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y pass
+msg_ok "Installed Dependencies"
+
+msg_info "Creating Service User"
+useradd -r -m -d /home/protonbridge -s /usr/sbin/nologin protonbridge
+install -d -m 0750 -o protonbridge -g protonbridge /home/protonbridge
+msg_ok "Created Service User"
+
+fetch_and_deploy_gh_release "protonmail-bridge" "ProtonMail/proton-bridge" "binary"
+
+msg_info "Creating Services"
+cat <<EOF >/etc/systemd/system/protonmail-bridge.service
+[Unit]
+Description=Proton Mail Bridge (noninteractive)
+After=network-online.target
+Wants=network-online.target
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Service]
+Type=simple
+User=protonbridge
+Group=protonbridge
+WorkingDirectory=/home/protonbridge
+Environment=HOME=/home/protonbridge
+ExecStart=/usr/bin/protonmail-bridge --noninteractive
+Restart=always
+RestartSec=3
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=full
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+cat <<'EOF' >/etc/systemd/system/protonmail-bridge-imap.socket
+[Unit]
+Description=Proton Mail Bridge IMAP Socket (143)
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Socket]
+ListenStream=143
+Accept=no
+Service=protonmail-bridge-imap-proxy.service
+
+[Install]
+WantedBy=sockets.target
+EOF
+cat <<'EOF' >/etc/systemd/system/protonmail-bridge-imap-proxy.service
+[Unit]
+Description=Proton Mail Bridge IMAP Proxy (143 -> 127.0.0.1:1143)
+After=protonmail-bridge.service
+Requires=protonmail-bridge.service
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Service]
+Type=simple
+Sockets=protonmail-bridge-imap.socket
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:1143
+NoNewPrivileges=yes
+PrivateTmp=yes
+EOF
+cat <<'EOF' >/etc/systemd/system/protonmail-bridge-smtp.socket
+[Unit]
+Description=Proton Mail Bridge SMTP Socket (587)
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Socket]
+ListenStream=587
+Accept=no
+Service=protonmail-bridge-smtp-proxy.service
+
+[Install]
+WantedBy=sockets.target
+EOF
+cat <<'EOF' >/etc/systemd/system/protonmail-bridge-smtp-proxy.service
+[Unit]
+Description=Proton Mail Bridge SMTP Proxy (587 -> 127.0.0.1:1025)
+After=protonmail-bridge.service
+Requires=protonmail-bridge.service
+ConditionPathExists=/home/protonbridge/.protonmailbridge-initialized
+
+[Service]
+Type=simple
+Sockets=protonmail-bridge-smtp.socket
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:1025
+NoNewPrivileges=yes
+PrivateTmp=yes
+EOF
+msg_ok "Created Services"
+
+msg_info "Creating Helper Commands"
+
+cat <<'EOF' >/usr/local/bin/protonmailbridge-configure
+#!/usr/bin/env bash
+set -euo pipefail
+
+BRIDGE_USER="protonbridge"
+BRIDGE_HOME="/home/${BRIDGE_USER}"
+GNUPG_HOME="${BRIDGE_HOME}/.gnupg"
+MARKER="${BRIDGE_HOME}/.protonmailbridge-initialized"
+
+FIRST_TIME=0
+if [[ ! -f "${MARKER}" ]]; then
+  FIRST_TIME=1
+fi
+
+# Stop sockets/proxies/bridge daemon before configuration
+systemctl stop protonmail-bridge-imap.socket protonmail-bridge-smtp.socket
+systemctl stop protonmail-bridge-imap-proxy protonmail-bridge-smtp-proxy protonmail-bridge
+
+if [[ "${FIRST_TIME}" == "1" ]]; then
+  echo "First-time setup: initializing pass keychain for ${BRIDGE_USER} (required by Proton Mail Bridge on Linux)."
+
+  install -d -m 0700 -o "${BRIDGE_USER}" -g "${BRIDGE_USER}" "${GNUPG_HOME}"
+
+  FPR="$(runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${GNUPG_HOME}" \
+    gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')"
+
+  if [[ -z "${FPR}" ]]; then
+    runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${GNUPG_HOME}" \
+      gpg --batch --pinentry-mode loopback --passphrase '' \
+      --quick-gen-key 'ProtonMail Bridge' default default never
+
+    FPR="$(runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${GNUPG_HOME}" \
+      gpg --list-secret-keys --with-colons 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')"
+  fi
+
+  if [[ -z "${FPR}" ]]; then
+    echo "Failed to detect a GPG key fingerprint for ${BRIDGE_USER}." >&2
+    exit 1
+  fi
+
+  runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" GNUPGHOME="${GNUPG_HOME}" \
+    pass init "${FPR}"
+
+  echo
+  echo "To do initial configuration of the Proton Mail Bridge:"
+  echo "Run: login"
+  echo "Run: info"
+  echo "Run: exit"
+  echo
+else
+  echo
+  echo "Launching Proton Mail Bridge CLI for configuration."
+  echo "External access is disabled until you exit."
+  echo "Run: exit"
+  echo
+fi
+
+runuser -u "${BRIDGE_USER}" -- env HOME="${BRIDGE_HOME}" \
+  protonmail-bridge -c
+
+if [[ "${FIRST_TIME}" == "1" ]]; then
+  touch "${MARKER}"
+  chown "${BRIDGE_USER}:${BRIDGE_USER}" "${MARKER}"
+  chmod 0644 "${MARKER}"
+fi
+
+systemctl enable -q --now protonmail-bridge.service protonmail-bridge-imap.socket protonmail-bridge-smtp.socket
+
+if [[ "${FIRST_TIME}" == "1" ]]; then
+  echo "Initialization complete. Services enabled and started."
+else
+  echo "Configuration complete. Services enabled and started."
+fi
+EOF
+chmod +x /usr/local/bin/protonmailbridge-configure
+ln -sf /usr/local/bin/protonmailbridge-configure /usr/bin/protonmailbridge-configure
+msg_ok "Created Helper Commands"
+
+motd_ssh
+customize
+cleanup_lxc

misc/tools.func

@@ -8665,654 +8665,3 @@ EOF
   $STD apt update
   return 0
 }
-
-# ------------------------------------------------------------------------------
-# Get latest GitLab release version.
-# Usage: get_latest_gitlab_release "owner/repo" [strip_v]
-# ------------------------------------------------------------------------------
-get_latest_gitlab_release() {
-  local repo="$1"
-  local strip_v="${2:-true}"
-
-  local repo_encoded
-  repo_encoded=$(printf '%s' "$repo" | sed 's|/|%2F|g')
-
-  local header=()
-  [[ -n "${GITLAB_TOKEN:-}" ]] && header=(-H "PRIVATE-TOKEN: $GITLAB_TOKEN")
-
-  local temp_file
-  temp_file=$(mktemp)
-
-  local http_code
-  http_code=$(curl --connect-timeout 10 --max-time 30 -sSL \
-    -w "%{http_code}" -o "$temp_file" \
-    "${header[@]}" \
-    "https://gitlab.com/api/v4/projects/$repo_encoded/releases?per_page=1&order_by=released_at&sort=desc" 2>/dev/null) || true
-
-  if [[ "$http_code" != "200" ]]; then
-    rm -f "$temp_file"
-    msg_warn "GitLab API call failed for ${repo} (HTTP ${http_code})"
-    return 22
-  fi
-
-  local version
-  version=$(jq -r '.[0].tag_name // empty' "$temp_file")
-  rm -f "$temp_file"
-
-  if [[ -z "$version" ]]; then
-    msg_error "Could not determine latest version for ${repo}"
-    return 250
-  fi
-
-  if [[ "$strip_v" == "true" ]]; then
-    [[ "$version" =~ ^v[0-9] ]] && version="${version:1}"
-  fi
-
-  echo "$version"
-}
-
-# ------------------------------------------------------------------------------
-# Checks for new GitLab release (latest tag).
-#
-# Description:
-#   - Queries the GitLab API for the latest release tag
-#   - Compares it to a local cached version (~/.<app>)
-#   - If newer, sets global CHECK_UPDATE_RELEASE and returns 0
-#
-# Usage:
-#     if check_for_gl_release "myapp" "owner/repo" [optional] "v1.2.3"; then
-#       # trigger update...
-#     fi
-#     exit 0
-#     } (end of update_script not from the function)
-#
-# Notes:
-#   - Requires `jq` (auto-installed if missing)
-#   - Supports GITLAB_TOKEN env var for private/rate-limited repos
-#   - Does not modify anything, only checks version state
-# ------------------------------------------------------------------------------
-check_for_gl_release() {
-  local app="$1"
-  local source="$2"
-  local pinned_version_in="${3:-}" # optional
-  local pin_reason="${4:-}"        # optional reason shown to user
-  local app_lc="${app,,}"
-  local current_file="$HOME/.${app_lc}"
-
-  msg_info "Checking for update: ${app}"
-
-  # DNS check
-  if ! getent hosts gitlab.com >/dev/null 2>&1; then
-    msg_error "Network error: cannot resolve gitlab.com"
-    return 6
-  fi
-
-  ensure_dependencies jq
-
-  local repo_encoded
-  repo_encoded=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$source" 2>/dev/null ||
-    echo "$source" | sed 's|/|%2F|g')
-
-  local header=()
-  [[ -n "${GITLAB_TOKEN:-}" ]] && header=(-H "PRIVATE-TOKEN: $GITLAB_TOKEN")
-
-  local releases_json="" http_code=""
-
-  # For pinned versions, try to fetch the specific release tag first
-  if [[ -n "$pinned_version_in" ]]; then
-    local pinned_encoded="${pinned_version_in//\//%2F}"
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gl_check.json \
-      "${header[@]}" \
-      "https://gitlab.com/api/v4/projects/$repo_encoded/releases/$pinned_encoded" 2>/dev/null) || true
-    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gl_check.json ]]; then
-      releases_json="[$(</tmp/gl_check.json)]"
-    fi
-    rm -f /tmp/gl_check.json
-  fi
-
-  # Fetch full releases list if needed
-  if [[ -z "$releases_json" ]]; then
-    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gl_check.json \
-      "${header[@]}" \
-      "https://gitlab.com/api/v4/projects/$repo_encoded/releases?per_page=100&order_by=released_at&sort=desc" 2>/dev/null) || true
-
-    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gl_check.json ]]; then
-      releases_json=$(</tmp/gl_check.json)
-    elif [[ "$http_code" == "401" ]]; then
-      msg_error "GitLab API authentication failed (HTTP 401)."
-      if [[ -n "${GITLAB_TOKEN:-}" ]]; then
-        msg_error "Your GITLAB_TOKEN appears to be invalid or expired."
-      else
-        msg_error "The repository may require authentication. Try: export GITLAB_TOKEN=\"glpat-your_token\""
-      fi
-      rm -f /tmp/gl_check.json
-      return 22
-    elif [[ "$http_code" == "404" ]]; then
-      msg_error "GitLab project not found (HTTP 404). Ensure '${source}' is correct and publicly accessible."
-      rm -f /tmp/gl_check.json
-      return 22
-    elif [[ "$http_code" == "429" ]]; then
-      msg_error "GitLab API rate limit exceeded (HTTP 429)."
-      msg_error "To increase the limit, export a GitLab token: export GITLAB_TOKEN=\"glpat-your_token_here\""
-      rm -f /tmp/gl_check.json
-      return 22
-    elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
-      msg_error "GitLab API connection failed (no response)."
-      msg_error "Check your network/DNS: curl -sSL https://gitlab.com/api/v4/version"
-      rm -f /tmp/gl_check.json
-      return 7
-    else
-      msg_error "Unable to fetch releases for ${app} (HTTP ${http_code})"
-      rm -f /tmp/gl_check.json
-      return 22
-    fi
-    rm -f /tmp/gl_check.json
-  fi
-
-  mapfile -t raw_tags < <(jq -r '.[] | .tag_name' <<<"$releases_json")
-  if ((${#raw_tags[@]} == 0)); then
-    msg_error "No releases found for ${app} on GitLab"
-    return 250
-  fi
-
-  local clean_tags=()
-  for t in "${raw_tags[@]}"; do
-    # Only strip leading 'v' when followed by a digit (e.g. v1.2.3)
-    if [[ "$t" =~ ^v[0-9] ]]; then
-      clean_tags+=("${t:1}")
-    else
-      clean_tags+=("$t")
-    fi
-  done
-
-  local latest_raw="${raw_tags[0]}"
-  local latest_clean="${clean_tags[0]}"
-
-  # current installed (stored without v)
-  local current=""
-  if [[ -f "$current_file" ]]; then
-    current="$(<"$current_file")"
-  else
-    # Migration: search for any /opt/*_version.txt
-    local legacy_files
-    mapfile -t legacy_files < <(find /opt -maxdepth 1 -type f -name "*_version.txt" 2>/dev/null)
-    if ((${#legacy_files[@]} == 1)); then
-      current="$(<"${legacy_files[0]}")"
-      echo "${current#v}" >"$current_file"
-      rm -f "${legacy_files[0]}"
-    fi
-  fi
-  if [[ "$current" =~ ^v[0-9] ]]; then
-    current="${current:1}"
-  fi
-
-  # Pinned version handling
-  if [[ -n "$pinned_version_in" ]]; then
-    local pin_clean
-    if [[ "$pinned_version_in" =~ ^v[0-9] ]]; then
-      pin_clean="${pinned_version_in:1}"
-    else
-      pin_clean="$pinned_version_in"
-    fi
-    local match_raw=""
-    for i in "${!clean_tags[@]}"; do
-      if [[ "${clean_tags[$i]}" == "$pin_clean" ]]; then
-        match_raw="${raw_tags[$i]}"
-        break
-      fi
-    done
-
-    if [[ -z "$match_raw" ]]; then
-      msg_error "Pinned version ${pinned_version_in} not found upstream"
-      return 250
-    fi
-
-    if [[ "$current" != "$pin_clean" ]]; then
-      CHECK_UPDATE_RELEASE="$match_raw"
-      msg_ok "Update available: ${app} ${current:-not installed} → ${pin_clean}"
-      return 0
-    fi
-
-    if [[ -n "$pin_reason" ]]; then
-      msg_ok "No update available: ${app} (${current}) - update held back: ${pin_reason}"
-    else
-      msg_ok "No update available: ${app} (${current}) - update temporarily held back due to issues with newer releases"
-    fi
-    return 1
-  fi
-
-  # No pinning → use latest
-  if [[ -z "$current" || "$current" != "$latest_clean" ]]; then
-    CHECK_UPDATE_RELEASE="$latest_raw"
-    msg_ok "Update available: ${app} ${current:-not installed} → ${latest_clean}"
-    return 0
-  fi
-
-  msg_ok "No update available: ${app} (${latest_clean})"
-  return 1
-}
-
-function fetch_and_deploy_gl_release() {
-  local app="$1"
-  local repo="$2"
-  local mode="${3:-tarball}"
-  local version="${var_appversion:-${4:-latest}}"
-  local target="${5:-/opt/$app}"
-  local asset_pattern="${6:-}"
-
-  if [[ -z "$app" ]]; then
-    app="${repo##*/}"
-    if [[ -z "$app" ]]; then
-      msg_error "fetch_and_deploy_gl_release requires app name or valid repo"
-      return 1
-    fi
-  fi
-
-  local app_lc=$(echo "${app,,}" | tr -d ' ')
-  local version_file="$HOME/.${app_lc}"
-
-  local api_timeout="--connect-timeout 10 --max-time 60"
-  local download_timeout="--connect-timeout 15 --max-time 900"
-
-  local current_version=""
-  [[ -f "$version_file" ]] && current_version=$(<"$version_file")
-
-  ensure_dependencies jq
-
-  local repo_encoded
-  repo_encoded=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$repo" 2>/dev/null ||
-    echo "$repo" | sed 's|/|%2F|g')
-
-  local api_base="https://gitlab.com/api/v4/projects/$repo_encoded/releases"
-  local api_url
-  if [[ "$version" != "latest" ]]; then
-    api_url="$api_base/$version"
-  else
-    api_url="$api_base?per_page=1&order_by=released_at&sort=desc"
-  fi
-
-  local header=()
-  [[ -n "${GITLAB_TOKEN:-}" ]] && header=(-H "PRIVATE-TOKEN: $GITLAB_TOKEN")
-
-  local max_retries=3 retry_delay=2 attempt=1 success=false http_code
-
-  while ((attempt <= max_retries)); do
-    http_code=$(curl $api_timeout -sSL -w "%{http_code}" -o /tmp/gl_rel.json "${header[@]}" "$api_url" 2>/dev/null) || true
-    if [[ "$http_code" == "200" ]]; then
-      success=true
-      break
-    elif [[ "$http_code" == "429" ]]; then
-      if ((attempt < max_retries)); then
-        msg_warn "GitLab API rate limit hit, retrying in ${retry_delay}s... (attempt $attempt/$max_retries)"
-        sleep "$retry_delay"
-        retry_delay=$((retry_delay * 2))
-      fi
-    else
-      sleep "$retry_delay"
-    fi
-    ((attempt++))
-  done
-
-  if ! $success; then
-    if [[ "$http_code" == "401" ]]; then
-      msg_error "GitLab API authentication failed (HTTP 401)."
-      if [[ -n "${GITLAB_TOKEN:-}" ]]; then
-        msg_error "Your GITLAB_TOKEN appears to be invalid or expired."
-      else
-        msg_error "The repository may require authentication. Try: export GITLAB_TOKEN=\"glpat-your_token\""
-      fi
-    elif [[ "$http_code" == "404" ]]; then
-      msg_error "GitLab project or release not found (HTTP 404)."
-      msg_error "Ensure '$repo' is correct and the project is accessible."
-    elif [[ "$http_code" == "429" ]]; then
-      msg_error "GitLab API rate limit exceeded (HTTP 429)."
-      msg_error "To increase the limit, export a GitLab token before running the script:"
-      msg_error "  export GITLAB_TOKEN=\"glpat-your_token_here\""
-    elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
-      msg_error "GitLab API connection failed (no response)."
-      msg_error "Check your network/DNS: curl -sSL https://gitlab.com/api/v4/version"
-    else
-      msg_error "Failed to fetch release metadata (HTTP $http_code)"
-    fi
-    return 1
-  fi
-
-  local json tag_name
-  json=$(</tmp/gl_rel.json)
-
-  if [[ "$version" == "latest" ]]; then
-    json=$(echo "$json" | jq '.[0] // empty')
-    if [[ -z "$json" || "$json" == "null" ]]; then
-      msg_error "No releases found for $repo on GitLab"
-      return 1
-    fi
-  fi
-
-  tag_name=$(echo "$json" | jq -r '.tag_name // empty')
-  if [[ -z "$tag_name" ]]; then
-    msg_error "Could not determine tag name from release metadata"
-    return 1
-  fi
-  [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
-  local version_safe="${version//\//-}"
-
-  if [[ "$current_version" == "$version" ]]; then
-    $STD msg_ok "$app is already up-to-date (v$version)"
-    return 0
-  fi
-
-  local tmpdir
-  tmpdir=$(mktemp -d) || return 1
-  local filename=""
-
-  msg_info "Fetching GitLab release: $app ($version)"
-
-  _gl_asset_urls() {
-    local release_json="$1"
-    echo "$release_json" | jq -r '
-      (.assets.links // [])[] | .direct_asset_url // .url
-    '
-  }
-
-  ### Tarball Mode ###
-  if [[ "$mode" == "tarball" || "$mode" == "source" ]]; then
-    local direct_tarball_url="https://gitlab.com/$repo/-/archive/$tag_name/${app_lc}-${version_safe}.tar.gz"
-    filename="${app_lc}-${version_safe}.tar.gz"
-
-    curl $download_timeout -fsSL "${header[@]}" -o "$tmpdir/$filename" "$direct_tarball_url" || {
-      msg_error "Download failed: $direct_tarball_url"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    mkdir -p "$target"
-    if [[ "${CLEAN_INSTALL:-0}" == "1" ]]; then
-      rm -rf "${target:?}/"*
-    fi
-
-    tar --no-same-owner -xzf "$tmpdir/$filename" -C "$tmpdir" || {
-      msg_error "Failed to extract tarball"
-      rm -rf "$tmpdir"
-      return 1
-    }
-    local unpack_dir
-    unpack_dir=$(find "$tmpdir" -mindepth 1 -maxdepth 1 -type d | head -n1)
-
-    shopt -s dotglob nullglob
-    cp -r "$unpack_dir"/* "$target/"
-    shopt -u dotglob nullglob
-
-  ### Binary Mode ###
-  elif [[ "$mode" == "binary" ]]; then
-    local arch
-    arch=$(dpkg --print-architecture 2>/dev/null || uname -m)
-    [[ "$arch" == "x86_64" ]] && arch="amd64"
-    [[ "$arch" == "aarch64" ]] && arch="arm64"
-
-    local assets url_match=""
-    assets=$(_gl_asset_urls "$json")
-
-    if [[ -n "$asset_pattern" ]]; then
-      for u in $assets; do
-        case "${u##*/}" in
-        $asset_pattern)
-          url_match="$u"
-          break
-          ;;
-        esac
-      done
-    fi
-
-    if [[ -z "$url_match" ]]; then
-      for u in $assets; do
-        if [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]]; then
-          url_match="$u"
-          break
-        fi
-      done
-    fi
-
-    if [[ -z "$url_match" ]]; then
-      for u in $assets; do
-        [[ "$u" =~ \.deb$ ]] && url_match="$u" && break
-      done
-    fi
-
-    if [[ -z "$url_match" ]]; then
-      local fallback_json
-      if fallback_json=$(_gl_scan_older_releases "$repo" "$repo_encoded" "https://gitlab.com" "binary" "$asset_pattern" "$tag_name"); then
-        json="$fallback_json"
-        tag_name=$(echo "$json" | jq -r '.tag_name // empty')
-        [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
-        msg_info "Fetching GitLab release: $app ($version)"
-        assets=$(_gl_asset_urls "$json")
-        if [[ -n "$asset_pattern" ]]; then
-          for u in $assets; do
-            case "${u##*/}" in $asset_pattern)
-              url_match="$u"
-              break
-              ;;
-            esac
-          done
-        fi
-        if [[ -z "$url_match" ]]; then
-          for u in $assets; do
-            [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]] && url_match="$u" && break
-          done
-        fi
-        if [[ -z "$url_match" ]]; then
-          for u in $assets; do
-            [[ "$u" =~ \.deb$ ]] && url_match="$u" && break
-          done
-        fi
-      fi
-    fi
-
-    if [[ -z "$url_match" ]]; then
-      msg_error "No suitable .deb asset found for $app"
-      rm -rf "$tmpdir"
-      return 1
-    fi
-
-    filename="${url_match##*/}"
-    curl $download_timeout -fsSL "${header[@]}" -o "$tmpdir/$filename" "$url_match" || {
-      msg_error "Download failed: $url_match"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    chmod 644 "$tmpdir/$filename"
-    local dpkg_opts=""
-    [[ "${DPKG_FORCE_CONFOLD:-}" == "1" ]] && dpkg_opts="-o Dpkg::Options::=--force-confold"
-    [[ "${DPKG_FORCE_CONFNEW:-}" == "1" ]] && dpkg_opts="-o Dpkg::Options::=--force-confnew"
-    DEBIAN_FRONTEND=noninteractive SYSTEMD_OFFLINE=1 $STD apt install -y $dpkg_opts "$tmpdir/$filename" || {
-      SYSTEMD_OFFLINE=1 $STD dpkg -i "$tmpdir/$filename" || {
-        msg_error "Both apt and dpkg installation failed"
-        rm -rf "$tmpdir"
-        return 1
-      }
-    }
-
-  ### Prebuild Mode ###
-  elif [[ "$mode" == "prebuild" ]]; then
-    local pattern="${6%\"}"
-    pattern="${pattern#\"}"
-    [[ -z "$pattern" ]] && {
-      msg_error "Mode 'prebuild' requires 6th parameter (asset filename pattern)"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    local asset_url=""
-    for u in $(_gl_asset_urls "$json"); do
-      filename_candidate="${u##*/}"
-      case "$filename_candidate" in
-      $pattern)
-        asset_url="$u"
-        break
-        ;;
-      esac
-    done
-
-    if [[ -z "$asset_url" ]]; then
-      local fallback_json
-      if fallback_json=$(_gl_scan_older_releases "$repo" "$repo_encoded" "https://gitlab.com" "prebuild" "$pattern" "$tag_name"); then
-        json="$fallback_json"
-        tag_name=$(echo "$json" | jq -r '.tag_name // empty')
-        [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
-        msg_info "Fetching GitLab release: $app ($version)"
-        for u in $(_gl_asset_urls "$json"); do
-          filename_candidate="${u##*/}"
-          case "$filename_candidate" in $pattern)
-            asset_url="$u"
-            break
-            ;;
-          esac
-        done
-      fi
-    fi
-
-    [[ -z "$asset_url" ]] && {
-      msg_error "No asset matching '$pattern' found"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    filename="${asset_url##*/}"
-    curl $download_timeout -fsSL "${header[@]}" -o "$tmpdir/$filename" "$asset_url" || {
-      msg_error "Download failed: $asset_url"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    local unpack_tmp
-    unpack_tmp=$(mktemp -d)
-    mkdir -p "$target"
-    if [[ "${CLEAN_INSTALL:-0}" == "1" ]]; then
-      rm -rf "${target:?}/"*
-    fi
-
-    if [[ "$filename" == *.zip ]]; then
-      ensure_dependencies unzip
-      unzip -q "$tmpdir/$filename" -d "$unpack_tmp" || {
-        msg_error "Failed to extract ZIP archive"
-        rm -rf "$tmpdir" "$unpack_tmp"
-        return 1
-      }
-    elif [[ "$filename" == *.tar.* || "$filename" == *.tgz || "$filename" == *.txz ]]; then
-      tar --no-same-owner -xf "$tmpdir/$filename" -C "$unpack_tmp" || {
-        msg_error "Failed to extract TAR archive"
-        rm -rf "$tmpdir" "$unpack_tmp"
-        return 1
-      }
-    else
-      msg_error "Unsupported archive format: $filename"
-      rm -rf "$tmpdir" "$unpack_tmp"
-      return 1
-    fi
-
-    local top_entries inner_dir
-    top_entries=$(find "$unpack_tmp" -mindepth 1 -maxdepth 1)
-    if [[ "$(echo "$top_entries" | wc -l)" -eq 1 && -d "$top_entries" ]]; then
-      inner_dir="$top_entries"
-      shopt -s dotglob nullglob
-      if compgen -G "$inner_dir/*" >/dev/null; then
-        cp -r "$inner_dir"/* "$target/" || {
-          msg_error "Failed to copy contents from $inner_dir to $target"
-          rm -rf "$tmpdir" "$unpack_tmp"
-          return 1
-        }
-      else
-        msg_error "Inner directory is empty: $inner_dir"
-        rm -rf "$tmpdir" "$unpack_tmp"
-        return 1
-      fi
-      shopt -u dotglob nullglob
-    else
-      shopt -s dotglob nullglob
-      if compgen -G "$unpack_tmp/*" >/dev/null; then
-        cp -r "$unpack_tmp"/* "$target/" || {
-          msg_error "Failed to copy contents to $target"
-          rm -rf "$tmpdir" "$unpack_tmp"
-          return 1
-        }
-      else
-        msg_error "Unpacked archive is empty"
-        rm -rf "$tmpdir" "$unpack_tmp"
-        return 1
-      fi
-      shopt -u dotglob nullglob
-    fi
-
-  ### Singlefile Mode ###
-  elif [[ "$mode" == "singlefile" ]]; then
-    local pattern="${6%\"}"
-    pattern="${pattern#\"}"
-    [[ -z "$pattern" ]] && {
-      msg_error "Mode 'singlefile' requires 6th parameter (asset filename pattern)"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    local asset_url=""
-    for u in $(_gl_asset_urls "$json"); do
-      filename_candidate="${u##*/}"
-      case "$filename_candidate" in
-      $pattern)
-        asset_url="$u"
-        break
-        ;;
-      esac
-    done
-
-    if [[ -z "$asset_url" ]]; then
-      local fallback_json
-      if fallback_json=$(_gl_scan_older_releases "$repo" "$repo_encoded" "https://gitlab.com" "singlefile" "$pattern" "$tag_name"); then
-        json="$fallback_json"
-        tag_name=$(echo "$json" | jq -r '.tag_name // empty')
-        [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
-        msg_info "Fetching GitLab release: $app ($version)"
-        for u in $(_gl_asset_urls "$json"); do
-          filename_candidate="${u##*/}"
-          case "$filename_candidate" in $pattern)
-            asset_url="$u"
-            break
-            ;;
-          esac
-        done
-      fi
-    fi
-
-    [[ -z "$asset_url" ]] && {
-      msg_error "No asset matching '$pattern' found"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    filename="${asset_url##*/}"
-    mkdir -p "$target"
-
-    local use_filename="${USE_ORIGINAL_FILENAME:-false}"
-    local target_file="$app"
-    [[ "$use_filename" == "true" ]] && target_file="$filename"
-
-    curl $download_timeout -fsSL "${header[@]}" -o "$target/$target_file" "$asset_url" || {
-      msg_error "Download failed: $asset_url"
-      rm -rf "$tmpdir"
-      return 1
-    }
-
-    if [[ "$target_file" != *.jar && -f "$target/$target_file" ]]; then
-      chmod +x "$target/$target_file"
-    fi
-
-  else
-    msg_error "Unknown mode: $mode"
-    rm -rf "$tmpdir"
-    return 1
-  fi
-
-  echo "$version" >"$version_file"
-  msg_ok "Deployed: $app ($version)"
-  rm -rf "$tmpdir"
-}