Fix installation command syntax for dependencies

Replace the unreliable openresty.org apt repository with building
OpenResty from source. Uses fetch_and_deploy_gh_release to download
from github.com/openresty/openresty/releases, then compiles locally.

The apt mirror frequently has sync issues (mismatched file sizes/hashes)
causing 'apt update' to fail with exit code 100.

Changes:
- Use fetch_and_deploy_gh_release for OpenResty source download
- Compile with configure/make/make install
- Add build dependencies (libpcre3-dev, libssl-dev, zlib1g-dev)
- Create systemd service unit for source-built OpenResty
- Update script: remove old apt repo, migrate to source build

CHANGELOG.md

@@ -427,15 +427,23 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ### 🆕 New Scripts
 
-  - Alpine-Wakapi ([#13119](https://github.com/community-scripts/ProxmoxVE/pull/13119))
+  - iSponsorBlockTV ([#13123](https://github.com/community-scripts/ProxmoxVE/pull/13123))
+- Alpine-Wakapi ([#13119](https://github.com/community-scripts/ProxmoxVE/pull/13119))
 - teleport ([#13086](https://github.com/community-scripts/ProxmoxVE/pull/13086))
 
 ### 🚀 Updated Scripts
 
   - #### ✨ New Features
 
+    - Immich: v2.6.1 [@vhsdream](https://github.com/vhsdream) ([#13111](https://github.com/community-scripts/ProxmoxVE/pull/13111))
     - VM's: add input validation and hostname sanitization to all VM scripts [@MickLesk](https://github.com/MickLesk) ([#12973](https://github.com/community-scripts/ProxmoxVE/pull/12973))
 
+### 🧰 Tools
+
+  - #### 🔧 Refactor
+
+    - Harden code-server addon install script [@MickLesk](https://github.com/MickLesk) ([#13116](https://github.com/community-scripts/ProxmoxVE/pull/13116))
+
 ## 2026-03-19
 
 ### 🚀 Updated Scripts

ct/immich.sh

@@ -83,7 +83,7 @@ EOF
     )
     INTEL_RELEASE="$(grep "intel-opencl-icd_" ./Dockerfile | awk -F '_' '{print $2}')"
     if [[ "$INTEL_RELEASE" != "$(cat ~/.intel_version)" ]]; then
-      msg_info "Updating Intel iGPU dependencies"
+      msg_info "Updating Intel OpenVINO dependencies"
       for url in "${INTEL_URLS[@]}"; do
         curl_with_retry "$url" "$(basename "$url")"
       done
@@ -94,9 +94,9 @@ EOF
       rm ./*.deb
       $STD apt-mark hold libigdgmm12
       dpkg-query -W -f='${Version}\n' intel-opencl-icd >~/.intel_version
-      msg_ok "Intel iGPU dependencies updated"
+      rm -f ./Dockerfile
+      msg_ok "Updated Intel OpenVINO dependencies"
     fi
-    rm ./Dockerfile
   fi
   if [[ -f ~/.immich_library_revisions ]]; then
     libraries=("libjxl" "libheif" "libraw" "imagemagick" "libvips")
@@ -109,7 +109,7 @@ EOF
     msg_ok "Image-processing libraries up to date"
   fi
 
-  RELEASE="v2.5.6"
+  RELEASE="v2.6.1"
   if check_for_gh_release "Immich" "immich-app/immich" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
     if [[ $(cat ~/.immich) > "2.5.1" ]]; then
       msg_info "Enabling Maintenance Mode"
@@ -226,14 +226,13 @@ EOF
         [[ $attempt -lt 3 ]] && msg_warn "Python download attempt $attempt failed, retrying..." && sleep 5
       done
       msg_ok "Pre-installed Python ${ML_PYTHON}"
-      msg_info "Updating HW-accelerated machine-learning"
-      $STD uv add --no-sync --optional openvino onnxruntime-openvino==1.24.1 --active -n -p "${ML_PYTHON}" --managed-python
+      msg_info "Updating Intel OpenVINO machine-learning"
       for attempt in $(seq 1 3); do
         $STD sudo --preserve-env=VIRTUAL_ENV,UV_HTTP_TIMEOUT -nu immich uv sync --extra openvino --no-dev --active --link-mode copy -n -p "${ML_PYTHON}" --managed-python && break
         [[ $attempt -lt 3 ]] && msg_warn "uv sync attempt $attempt failed, retrying..." && sleep 10
       done
       patchelf --clear-execstack "${VIRTUAL_ENV}/lib/python3.13/site-packages/onnxruntime/capi/onnxruntime_pybind11_state.cpython-313-x86_64-linux-gnu.so"
-      msg_ok "Updated HW-accelerated machine-learning"
+      msg_ok "Updated Intel OpenVINO machine-learning"
     else
       ML_PYTHON="python3.11"
       msg_info "Pre-installing Python ${ML_PYTHON} for machine-learning"

ct/nginxproxymanager.sh

@@ -154,19 +154,55 @@ EOF
   $STD yarn install --network-timeout 600000
   msg_ok "Initialized Backend"
 
-  msg_info "Updating Certbot"
-  [ -f /etc/apt/trusted.gpg.d/openresty-archive-keyring.gpg ] && rm -f /etc/apt/trusted.gpg.d/openresty-archive-keyring.gpg
-  [ -f /etc/apt/sources.list.d/openresty.list ] && rm -f /etc/apt/sources.list.d/openresty.list
-  [ ! -f /etc/apt/trusted.gpg.d/openresty.gpg ] && curl -fsSL https://openresty.org/package/pubkey.gpg | gpg --dearmor --yes -o /etc/apt/trusted.gpg.d/openresty.gpg
-  [ ! -f /etc/apt/sources.list.d/openresty.sources ] && cat <<'EOF' >/etc/apt/sources.list.d/openresty.sources
-Types: deb
-URIs: http://openresty.org/package/debian/
-Suites: bookworm
-Components: openresty
-Signed-By: /etc/apt/trusted.gpg.d/openresty.gpg
+  msg_info "Cleaning old OpenResty apt repo"
+  rm -f /etc/apt/trusted.gpg.d/openresty-archive-keyring.gpg /etc/apt/trusted.gpg.d/openresty.gpg
+  rm -f /etc/apt/sources.list.d/openresty.list /etc/apt/sources.list.d/openresty.sources
+  if dpkg -l openresty &>/dev/null; then
+    $STD apt remove -y openresty
+    $STD apt autoremove -y
+  fi
+  $STD apt install -y build-essential libpcre3-dev libssl-dev zlib1g-dev
+  msg_ok "Cleaned old OpenResty apt repo"
+
+  CLEAN_INSTALL=1 fetch_and_deploy_gh_release "openresty" "openresty/openresty" "prebuild" "latest" "/opt/openresty" "openresty-*.tar.gz"
+
+  msg_info "Building OpenResty"
+  cd /opt/openresty
+  $STD ./configure \
+    --with-http_v2_module \
+    --with-http_realip_module \
+    --with-http_stub_status_module \
+    --with-http_ssl_module \
+    --with-pcre-jit \
+    --with-stream \
+    --with-stream_ssl_module
+  $STD make -j"$(nproc)"
+  $STD make install
+  rm -rf /opt/openresty
+  if [ ! -f /lib/systemd/system/openresty.service ]; then
+    cat <<'EOF' >/lib/systemd/system/openresty.service
+[Unit]
+Description=The OpenResty Application Platform
+After=syslog.target network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
+ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t
+ExecStart=/usr/local/openresty/nginx/sbin/nginx
+ExecReload=/bin/kill -s HUP $MAINPID
+ExecStop=/bin/kill -s QUIT $MAINPID
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
 EOF
-  $STD apt update
-  $STD apt -y install openresty
+    systemctl daemon-reload
+  fi
+  msg_ok "Built OpenResty"
+
+  msg_info "Updating Certbot"
   if [ -d /opt/certbot ]; then
     $STD /opt/certbot/bin/pip install --upgrade pip setuptools wheel
     $STD /opt/certbot/bin/pip install --upgrade certbot certbot-dns-cloudflare

install/immich-install.sh

@@ -13,41 +13,43 @@ setting_up_container
 network_check
 update_os
 
-if [ -d /dev/dri ]; then
+if lscpu | grep -q 'GenuineIntel'; then
   echo ""
   echo ""
-  echo -e "🤖 ${BL}Immich Machine Learning Options${CL}"
+  echo -e "🤖 ${BL}Immich Machine-Learning Options${CL}"
   echo "─────────────────────────────────────────"
   echo "Please choose your machine-learning type:"
   echo ""
   echo " 1) CPU only (default)"
-  echo " 2) Intel OpenVINO (requires GPU passthrough)"
+  echo " 2) **NEW** Intel OpenVINO CPU or iGPU"
   echo ""
 
   read -r -p "${TAB3}Select machine-learning type [1]: " ML_TYPE
   ML_TYPE="${ML_TYPE:-1}"
   if [[ "$ML_TYPE" == "2" ]]; then
-    msg_info "Installing OpenVINO dependencies"
     touch ~/.openvino
     $STD apt install -y --no-install-recommends patchelf
-    tmp_dir=$(mktemp -d)
-    $STD pushd "$tmp_dir"
-    curl_with_retry "https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/machine-learning/Dockerfile" "Dockerfile"
-    readarray -t INTEL_URLS < <(
-      sed -n "/intel-[igc|opencl]/p" ./Dockerfile | awk '{print $3}'
-      sed -n "/libigdgmm12/p" ./Dockerfile | awk '{print $3}'
-    )
-    for url in "${INTEL_URLS[@]}"; do
-      curl_with_retry "$url" "$(basename "$url")"
-    done
-    $STD apt install -y ./libigdgmm12*.deb
-    rm ./libigdgmm12*.deb
-    $STD apt install -y ./*.deb
-    $STD apt-mark hold libigdgmm12
-    $STD popd
-    rm -rf "$tmp_dir"
-    dpkg-query -W -f='${Version}\n' intel-opencl-icd >~/.intel_version
-    msg_ok "Installed OpenVINO dependencies"
+    if [[ -d /dev/dri ]]; then
+      msg_info "Installing Intel OpenVINO dependencies"
+      tmp_dir=$(mktemp -d)
+      $STD pushd "$tmp_dir"
+      curl_with_retry "https://raw.githubusercontent.com/immich-app/immich/refs/heads/main/machine-learning/Dockerfile" "Dockerfile"
+      readarray -t INTEL_URLS < <(
+        sed -n "/intel-[igc|opencl]/p" ./Dockerfile | awk '{print $3}'
+        sed -n "/libigdgmm12/p" ./Dockerfile | awk '{print $3}'
+      )
+      for url in "${INTEL_URLS[@]}"; do
+        curl_with_retry "$url" "$(basename "$url")"
+      done
+      $STD apt install -y ./libigdgmm12*.deb
+      rm ./libigdgmm12*.deb
+      $STD apt install -y ./*.deb
+      $STD apt-mark hold libigdgmm12
+      $STD popd
+      rm -rf "$tmp_dir"
+      dpkg-query -W -f='${Version}\n' intel-opencl-icd >~/.intel_version
+      msg_ok "Installed Intel OpenVINO dependencies"
+    fi
   fi
 fi
 
@@ -293,7 +295,7 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}
 
-fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.5.6" "$SRC_DIR"
+fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.6.1" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs
 
@@ -353,14 +355,13 @@ if [[ -f ~/.openvino ]]; then
     [[ $attempt -lt 3 ]] && msg_warn "Python download attempt $attempt failed, retrying..." && sleep 5
   done
   msg_ok "Pre-installed Python ${ML_PYTHON}"
-  msg_info "Installing HW-accelerated machine-learning"
-  $STD uv add --no-sync --optional openvino onnxruntime-openvino==1.24.1 --active -n -p "${ML_PYTHON}" --managed-python
+  msg_info "Installing Intel OpenVINO machine-learning"
   for attempt in $(seq 1 3); do
     $STD sudo --preserve-env=VIRTUAL_ENV,UV_HTTP_TIMEOUT -nu immich uv sync --extra openvino --no-dev --active --link-mode copy -n -p "${ML_PYTHON}" --managed-python && break
     [[ $attempt -lt 3 ]] && msg_warn "uv sync attempt $attempt failed, retrying..." && sleep 10
   done
   patchelf --clear-execstack "${VIRTUAL_ENV}/lib/python3.13/site-packages/onnxruntime/capi/onnxruntime_pybind11_state.cpython-313-x86_64-linux-gnu.so"
-  msg_ok "Installed HW-accelerated machine-learning"
+  msg_ok "Installed Intel OpenVINO machine-learning"
 else
   ML_PYTHON="python3.11"
   msg_info "Pre-installing Python ${ML_PYTHON} for machine-learning"

install/nginxproxymanager-install.sh

@@ -14,12 +14,14 @@ network_check
 update_os
 
 msg_info "Installing Dependencies"
-$STD apt update
-$STD apt -y install \
+$STD apt install -y \
   ca-certificates \
   apache2-utils \
   logrotate \
   build-essential \
+  libpcre3-dev \
+  libssl-dev \
+  zlib1g-dev \
   git
 msg_ok "Installed Dependencies"
 
@@ -39,18 +41,42 @@ $STD /opt/certbot/bin/pip install certbot certbot-dns-cloudflare
 ln -sf /opt/certbot/bin/certbot /usr/local/bin/certbot
 msg_ok "Set up Certbot"
 
-msg_info "Installing Openresty"
-curl -fsSL "https://openresty.org/package/pubkey.gpg" | gpg --dearmor -o /etc/apt/trusted.gpg.d/openresty.gpg
-cat <<'EOF' >/etc/apt/sources.list.d/openresty.sources
-Types: deb
-URIs: http://openresty.org/package/debian/
-Suites: bookworm
-Components: openresty
-Signed-By: /etc/apt/trusted.gpg.d/openresty.gpg
+fetch_and_deploy_gh_release "openresty" "openresty/openresty" "prebuild" "latest" "/opt/openresty" "openresty-*.tar.gz"
+
+msg_info "Building OpenResty"
+cd /opt/openresty
+$STD ./configure \
+  --with-http_v2_module \
+  --with-http_realip_module \
+  --with-http_stub_status_module \
+  --with-http_ssl_module \
+  --with-pcre-jit \
+  --with-stream \
+  --with-stream_ssl_module
+$STD make -j"$(nproc)"
+$STD make install
+rm -rf /opt/openresty
+
+cat <<'EOF' >/lib/systemd/system/openresty.service
+[Unit]
+Description=The OpenResty Application Platform
+After=syslog.target network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
+ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t
+ExecStart=/usr/local/openresty/nginx/sbin/nginx
+ExecReload=/bin/kill -s HUP $MAINPID
+ExecStop=/bin/kill -s QUIT $MAINPID
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
 EOF
-$STD apt update
-$STD apt -y install openresty
-msg_ok "Installed Openresty"
+systemctl daemon-reload
+msg_ok "Built OpenResty"
 
 NODE_VERSION="22" NODE_MODULE="yarn" setup_nodejs
 

tools/addon/coder-code-server.sh

@@ -89,26 +89,31 @@ VERSION=$(curl -fsSL https://api.github.com/repos/coder/code-server/releases/lat
   awk '{print substr($2, 3, length($2)-4) }')
 
 msg_info "Installing Code-Server v${VERSION}"
+config_path="${HOME}/.config/code-server/config.yaml"
+preexisting_config=false
 
-if [ -f ~/.config/code-server/config.yaml ]; then
-  existing_config=true
+if [ -f "$config_path" ]; then
+  preexisting_config=true
 fi
 
 curl -fOL https://github.com/coder/code-server/releases/download/v"$VERSION"/code-server_"${VERSION}"_amd64.deb &>/dev/null
 dpkg -i code-server_"${VERSION}"_amd64.deb &>/dev/null
 rm -rf code-server_"${VERSION}"_amd64.deb
-mkdir -p ~/.config/code-server/
-systemctl enable -q --now code-server@"$USER"
+mkdir -p "${HOME}/.config/code-server/"
 
-if [ $existing_config = false ]; then
-cat <<EOF >~/.config/code-server/config.yaml
+if [ "$preexisting_config" = false ]; then
+cat <<EOF >"$config_path"
 bind-addr: 0.0.0.0:8680
 auth: none
 password: 
 cert: false
 EOF
 fi
+systemctl enable -q --now code-server@"$USER"
 systemctl restart code-server@"$USER"
+if ! systemctl is-active --quiet code-server@"$USER"; then
+  error_exit "code-server service failed to start."
+fi
 msg_ok "Installed Code-Server v${VERSION} on $hostname"
 
 echo -e "${APP} should be reachable by going to the following URL.