fix(peanut): externalize service env to /etc/peanut/peanut.env

PeaNUT v6 enables authentication by default and on first boot
redirects to a setup page (#14221). Settings can only be controlled
via environment variables (AUTH_DISABLED, WEB_USERNAME, WEB_PASSWORD,
WEB_HOST/PORT, NUT_HOST/PORT) — settings.yml does not cover them.

Refactor the systemd unit to load all runtime configuration from
/etc/peanut/peanut.env (mode 0600) instead of hardcoded Environment=
lines. The file documents every supported variable, with auth-related
options pre-listed but commented out.

Existing installations are migrated transparently in update_script:
the env file is created on first update, hardcoded Environment= lines
are stripped and EnvironmentFile= is injected into the unit.

CHANGELOG.md

@@ -460,29 +460,6 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ## 2026-05-03
 
-### 🚀 Updated Scripts
-
-  - #### 🐞 Bug Fixes
-
-    - Hortusfox: fix update issues [@tomfrenzel](https://github.com/tomfrenzel) ([#14214](https://github.com/community-scripts/ProxmoxVE/pull/14214))
-
-  - #### ✨ New Features
-
-    - Refactor: PeaNUT for v6 [@MickLesk](https://github.com/MickLesk) ([#14224](https://github.com/community-scripts/ProxmoxVE/pull/14224))
-    - pangolin: pin version, drop manual SQL, use upstream migrator [@MickLesk](https://github.com/MickLesk) ([#14223](https://github.com/community-scripts/ProxmoxVE/pull/14223))
-
-### 💾 Core
-
-  - #### 🐞 Bug Fixes
-
-    - core: fix validate_bridge function [@MichaelOultram](https://github.com/MichaelOultram) ([#14206](https://github.com/community-scripts/ProxmoxVE/pull/14206))
-
-### 🧰 Tools
-
-  - #### 🐞 Bug Fixes
-
-    - pve/pbs scripts: guard sed against missing /etc/apt/sources.list [@MickLesk](https://github.com/MickLesk) ([#14222](https://github.com/community-scripts/ProxmoxVE/pull/14222))
-
 ## 2026-05-02
 
 ### 🆕 New Scripts

ct/hortusfox.sh

@@ -38,15 +38,13 @@ function update_script() {
     mv /opt/hortusfox/ /opt/hortusfox-backup
     msg_ok "Backed up current HortusFox installation"
 
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "hortusfox" "danielbrendel/hortusfox-web" "tarball"
+    fetch_and_deploy_gh_release "hortusfox" "danielbrendel/hortusfox-web" "tarball"
 
     msg_info "Updating HortusFox"
     cd /opt/hortusfox
-    cp /opt/hortusfox-backup/.env /opt/hortusfox/.env
-    cp -a /opt/hortusfox-backup/public/img/. /opt/hortusfox/public/img/
-    export COMPOSER_ALLOW_SUPERUSER=1
+    mv /opt/hortusfox-backup/.env /opt/hortusfox/.env
     $STD composer install --no-dev --optimize-autoloader
-    $STD php asatru migrate:upgrade
+    $STD php asatru migrate --no-interaction
     $STD php asatru plants:attributes
     $STD php asatru calendar:classes
     chown -R www-data:www-data /opt/hortusfox

ct/pangolin.sh

@@ -6,7 +6,6 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 # Source: https://pangolin.net/ | Github: https://github.com/fosrl/pangolin
 
 APP="Pangolin"
-PANGOLIN_VERSION="${PANGOLIN_VERSION:-1.18.2}"
 var_tags="${var_tags:-proxy}"
 var_cpu="${var_cpu:-2}"
 var_ram="${var_ram:-4096}"
@@ -34,7 +33,7 @@ function update_script() {
 
   NODE_VERSION="24" setup_nodejs
 
-  if check_for_gh_release "pangolin" "fosrl/pangolin" "$PANGOLIN_VERSION" "Pinned to a tested release because Pangolin's schema changes have repeatedly broken unattended updates. To try a newer version at your own risk, run: 'export PANGOLIN_VERSION=<tag>' and re-run update. If it breaks, please open an issue at https://github.com/community-scripts/ProxmoxVE/issues with the error log."; then
+  if check_for_gh_release "pangolin" "fosrl/pangolin"; then
     msg_info "Stopping Service"
     systemctl stop pangolin
     systemctl stop gerbil
@@ -42,13 +41,9 @@ function update_script() {
 
     msg_info "Creating backup"
     tar -czf /opt/pangolin_config_backup.tar.gz -C /opt/pangolin config
-    if [[ -f /opt/pangolin/config/db/db.sqlite ]]; then
-      cp -a /opt/pangolin/config/db/db.sqlite \
-        "/opt/pangolin/config/db/db.sqlite.pre-${PANGOLIN_VERSION}-$(date +%Y%m%d-%H%M%S).bak"
-    fi
     msg_ok "Created backup"
 
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "pangolin" "fosrl/pangolin" "tarball" "$PANGOLIN_VERSION"
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "pangolin" "fosrl/pangolin" "tarball"
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "gerbil" "fosrl/gerbil" "singlefile" "latest" "/usr/bin" "gerbil_linux_amd64"
 
     msg_info "Updating Pangolin"
@@ -72,16 +67,36 @@ function update_script() {
     rm -f /opt/pangolin_config_backup.tar.gz
     msg_ok "Restored config"
 
-    if ! grep -q '^ExecStartPre=/usr/bin/node dist/migrations.mjs' /etc/systemd/system/pangolin.service 2>/dev/null; then
-      msg_info "Adding migration step to pangolin.service"
-      sed -i '/^ExecStart=\/usr\/bin\/node --enable-source-maps dist\/server.mjs/i ExecStartPre=/usr/bin/node dist/migrations.mjs' /etc/systemd/system/pangolin.service
-      systemctl daemon-reload
-      msg_ok "Updated pangolin.service"
-    fi
-
     msg_info "Running database migrations"
     cd /opt/pangolin
-    ENVIRONMENT=prod $STD node dist/migrations.mjs
+
+    # Pre-apply potentially destructive schema changes safely so drizzle-kit
+    # does not recreate tables (which would delete all rows).
+    local DB="/opt/pangolin/config/db/db.sqlite"
+    if [[ -f "$DB" ]]; then
+      sqlite3 "$DB" "ALTER TABLE 'orgs' ADD COLUMN 'settingsLogRetentionDaysConnection' integer DEFAULT 0 NOT NULL;" 2>/dev/null || true
+      sqlite3 "$DB" "ALTER TABLE 'clientSitesAssociationsCache' ADD COLUMN 'isJitMode' integer DEFAULT 0 NOT NULL;" 2>/dev/null || true
+      sqlite3 "$DB" "ALTER TABLE 'userOrgs' ADD COLUMN 'pamUsername' text;" 2>/dev/null || true
+
+      # Create new role-mapping tables and migrate data before drizzle-kit
+      # drops the roleId columns from userOrgs and userInvites.
+      sqlite3 "$DB" "CREATE TABLE IF NOT EXISTS 'userOrgRoles' (
+        'userId' text NOT NULL REFERENCES 'user'('id') ON DELETE CASCADE,
+        'orgId' text NOT NULL REFERENCES 'orgs'('orgId') ON DELETE CASCADE,
+        'roleId' integer NOT NULL REFERENCES 'roles'('roleId') ON DELETE CASCADE,
+        UNIQUE('userId', 'orgId', 'roleId')
+      );" 2>/dev/null || true
+      sqlite3 "$DB" "INSERT OR IGNORE INTO 'userOrgRoles' (userId, orgId, roleId) SELECT userId, orgId, roleId FROM 'userOrgs' WHERE roleId IS NOT NULL;" 2>/dev/null || true
+
+      sqlite3 "$DB" "CREATE TABLE IF NOT EXISTS 'userInviteRoles' (
+        'inviteId' text NOT NULL REFERENCES 'userInvites'('inviteId') ON DELETE CASCADE,
+        'roleId' integer NOT NULL REFERENCES 'roles'('roleId') ON DELETE CASCADE,
+        PRIMARY KEY('inviteId', 'roleId')
+      );" 2>/dev/null || true
+      sqlite3 "$DB" "INSERT OR IGNORE INTO 'userInviteRoles' (inviteId, roleId) SELECT inviteId, roleId FROM 'userInvites' WHERE roleId IS NOT NULL;" 2>/dev/null || true
+    fi
+
+    ENVIRONMENT=prod $STD npx drizzle-kit push --force --config drizzle.sqlite.config.ts
     msg_ok "Ran database migrations"
 
     msg_info "Updating Badger plugin version"

install/pangolin-install.sh

@@ -22,8 +22,7 @@ $STD apt install -y \
 msg_ok "Installed Dependencies"
 
 NODE_VERSION="24" setup_nodejs
-PANGOLIN_VERSION="${PANGOLIN_VERSION:-1.18.2}"
-fetch_and_deploy_gh_release "pangolin" "fosrl/pangolin" "tarball" "$PANGOLIN_VERSION"
+fetch_and_deploy_gh_release "pangolin" "fosrl/pangolin" "tarball"
 fetch_and_deploy_gh_release "gerbil" "fosrl/gerbil" "singlefile" "latest" "/usr/bin" "gerbil_linux_amd64"
 fetch_and_deploy_gh_release "traefik" "traefik/traefik" "prebuild" "latest" "/usr/bin" "traefik_v*_linux_amd64.tar.gz"
 
@@ -205,7 +204,6 @@ User=root
 Environment=NODE_ENV=production
 Environment=ENVIRONMENT=prod
 WorkingDirectory=/opt/pangolin
-ExecStartPre=/usr/bin/node dist/migrations.mjs
 ExecStart=/usr/bin/node --enable-source-maps dist/server.mjs
 Restart=always
 RestartSec=10

misc/build.func

@@ -513,7 +513,7 @@ validate_bridge() {
   [[ -z "$bridge" ]] && return 1
 
   # Check if bridge interface exists
-  if ! ip link show dev "$bridge" &>/dev/null; then
+  if ! ip link show "$bridge" &>/dev/null; then
     return 1
   fi
 

tools/pve/pbs4-upgrade.sh

@@ -57,9 +57,7 @@ start_routines() {
   yes)
     msg_info "Switching to Debian 13 (Trixie) Sources"
     rm -f /etc/apt/sources.list.d/*.list
-    if [ -f /etc/apt/sources.list ]; then
-      sed -i '/proxmox/d;/bookworm/d' /etc/apt/sources.list
-    fi
+    sed -i '/proxmox/d;/bookworm/d' /etc/apt/sources.list || true
     cat >/etc/apt/sources.list.d/debian.sources <<EOF
 Types: deb
 URIs: http://deb.debian.org/debian

tools/pve/post-pbs-install.sh

@@ -188,9 +188,7 @@ start_routines_4() {
   yes)
     msg_info "Correcting Debian Sources (deb822)"
     rm -f /etc/apt/sources.list.d/*.list
-    if [ -f /etc/apt/sources.list ]; then
-      sed -i '/proxmox/d;/bookworm/d' /etc/apt/sources.list
-    fi
+    sed -i '/proxmox/d;/bookworm/d' /etc/apt/sources.list || true
     cat >/etc/apt/sources.list.d/debian.sources <<EOF
 Types: deb
 URIs: http://deb.debian.org/debian/

tools/pve/post-pve-install.sh

@@ -251,10 +251,8 @@ start_routines_9() {
       msg_info "Correcting Proxmox VE Sources (deb822)"
       # remove all existing .list files
       rm -f /etc/apt/sources.list.d/*.list
-      # remove bookworm and proxmox entries from sources.list (if it exists)
-      if [ -f /etc/apt/sources.list ]; then
-        sed -i '/proxmox/d;/bookworm/d' /etc/apt/sources.list
-      fi
+      # remove bookworm and proxmox entries from sources.list
+      sed -i '/proxmox/d;/bookworm/d' /etc/apt/sources.list || true
       # Create new deb822 sources
       cat >/etc/apt/sources.list.d/debian.sources <<EOF
 Types: deb