fix: harden shell scripts against injection and insecure permissions

Security fixes across multiple files: - install.func: Quote command substitutions in mkdir/systemctl to prevent word splitting and globbing on GETTY_OVERRIDE path - build.func: Escape sed special chars (& \) in current_os/hostname/ip before using them as sed replacement strings in update_motd_ip - build.func: Escape regex metacharacters (. |) in $LANG before sed use - build.func: Validate render_gid/video_gid as numeric before sed injection - build.func: Use HTTPS for Alpine APK repositories instead of HTTP - tools.func: Verify GPG dearmor output is non-empty (-s check) - tools.func: Tighten GPU device permissions from 666 to 660 (owner+group) - tools.func: Add chgrp render for /dev/kfd (AMD ROCm) - shinobi-install.sh: chmod 777 -> 644 on version.json - tasmoadmin-install.sh: chmod 777 -> 775 on tmp/data directories - runtipi.sh: chmod 666 -> 660 on settings.json
2026-03-24 19:03:00 +01:00 · 2026-03-23 21:22:58 +01:00
11 changed files with 286 additions and 816 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -426,20 +426,35 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 </details>

-## 2026-03-24
+## 2026-03-23

 ### 🆕 New Scripts

-  - Homebrew (Addon) ([#13249](https://github.com/community-scripts/ProxmoxVE/pull/13249))
- NextExplorer ([#13252](https://github.com/community-scripts/ProxmoxVE/pull/13252))
-
-## 2026-03-23
+  - Alpine-Borgbackup-Server ([#13219](https://github.com/community-scripts/ProxmoxVE/pull/13219))

 ### 🚀 Updated Scripts

+  - NginxProxyManager: build OpenResty from source via GitHub releases [@MickLesk](https://github.com/MickLesk) ([#13134](https://github.com/community-scripts/ProxmoxVE/pull/13134))
+
+  - #### 🐞 Bug Fixes
+
+    - Tracearr: modify service restart and modify build ressources [@MickLesk](https://github.com/MickLesk) ([#13230](https://github.com/community-scripts/ProxmoxVE/pull/13230))
+
+  - #### ✨ New Features
+
+    - Kometa: optimize config.yml sed patterns, add Quickstart integration [@MickLesk](https://github.com/MickLesk) ([#13198](https://github.com/community-scripts/ProxmoxVE/pull/13198))
+
  - #### 🔧 Refactor

-    - core: harden shell scripts against injection and insecure permissions [@MickLesk](https://github.com/MickLesk) ([#13239](https://github.com/community-scripts/ProxmoxVE/pull/13239))
+    - Refactor: nginxproxymanager update and OpenResty flow [@MickLesk](https://github.com/MickLesk) ([#13216](https://github.com/community-scripts/ProxmoxVE/pull/13216))
+    - Refactor: PartDB [@MickLesk](https://github.com/MickLesk) ([#13229](https://github.com/community-scripts/ProxmoxVE/pull/13229))
+
+### 💾 Core
+
+  - #### 🔧 Refactor
+
+    - core: alpine - Improve network connectivity and DNS checks [@MickLesk](https://github.com/MickLesk) ([#13222](https://github.com/community-scripts/ProxmoxVE/pull/13222))
+    - core: allow /31 and /32 CIDR with out-of-subnet gateway [@MickLesk](https://github.com/MickLesk) ([#13231](https://github.com/community-scripts/ProxmoxVE/pull/13231))

 ## 2026-03-22

--- a/ct/headers/nextexplorer
+++ b/ct/headers/nextexplorer
@@ -1,6 +0,0 @@
-                    __  ______           __                    
-   ____  ___  _  __/ /_/ ____/  ______  / /___  ________  _____
-  / __ \/ _ \| |/_/ __/ __/ | |/_/ __ \/ / __ \/ ___/ _ \/ ___/
- / / / /  __/>  </ /_/ /____>  </ /_/ / / /_/ / /  /  __/ /    
-/_/ /_/\___/_/|_|\__/_____/_/|_/ .___/_/\____/_/   \___/_/     
-                              /_/                              
--- a/ct/nextexplorer.sh
+++ b/ct/nextexplorer.sh
@@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: vhsdream
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/nxzai/nextExplorer
-
-APP="nextExplorer"
-var_tags="${var_tags:-files;documents}"
-var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-3072}"
-var_disk="${var_disk:-8}"
-var_os="${var_os:-debian}"
-var_version="${var_version:-13}"
-var_unprivileged="${var_unprivileged:-1}"
-
-header_info "$APP"
-variables
-color
-catch_errors
-
-function update_script() {
-  header_info
-  check_container_storage
-  check_container_resources
-
-  if [[ ! -d /opt/nextExplorer ]]; then
-    msg_error "No ${APP} Installation Found!"
-    exit
-  fi
-
-  NODE_VERSION="24" setup_nodejs
-
-  if check_for_gh_release "nextExplorer" "nxzai/nextExplorer"; then
-    msg_info "Stopping nextExplorer"
-    $STD systemctl stop nextexplorer
-    msg_ok "Stopped nextExplorer"
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "nextExplorer" "nxzai/nextExplorer" "tarball" "latest" "/opt/nextExplorer"
-
-    msg_info "Updating nextExplorer"
-    APP_DIR="/opt/nextExplorer/app"
-    mkdir -p "$APP_DIR"
-    cd /opt/nextExplorer
-    export NODE_ENV=production
-    $STD npm ci --omit=dev --workspace backend
-    mv node_modules "$APP_DIR"
-    mv backend/{src,package.json} "$APP_DIR"
-    unset NODE_ENV
-    export NODE_ENV=development
-    $STD npm ci --workspace frontend
-    $STD npm run -w frontend build -- --sourcemap false
-    unset NODE_ENV
-    mv frontend/dist/ "$APP_DIR"/src/public
-    chown -R explorer:explorer "$APP_DIR" /etc/nextExplorer
-    sed -i "\|version|s|$(jq -cr '.version' ${APP_DIR}/package.json)|$(cat ~/.nextexplorer)|" "$APP_DIR"/package.json
-    sed -i 's/app.js/server.js/' /etc/systemd/system/nextexplorer.service && systemctl daemon-reload
-    msg_ok "Updated nextExplorer"
-
-    msg_info "Starting nextExplorer"
-    $STD systemctl start nextexplorer
-    msg_ok "Started nextExplorer"
-    msg_ok "Updated successfully!"
-  fi
-  exit
-}
-
-start
-build_container
-description
-
-msg_ok "Completed successfully!\n"
-echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Access it using the following URL:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
--- a/ct/nginxproxymanager.sh
+++ b/ct/nginxproxymanager.sh
@@ -102,7 +102,6 @@ EOF
    msg_ok "Built OpenResty"
  fi

-  cd /root
  if [ -d /opt/certbot ]; then
    msg_info "Updating Certbot"
    $STD /opt/certbot/bin/pip install --upgrade pip setuptools wheel
--- a/install/kometa-install.sh
+++ b/install/kometa-install.sh
@@ -35,7 +35,7 @@ fetch_and_deploy_gh_release "kometa-quickstart" "Kometa-Team/Quickstart" "tarbal
 msg_info "Installing Kometa Quickstart"
 cd /opt/kometa-quickstart
 $STD uv venv /opt/kometa-quickstart/.venv
-$STD uv pip install -r requirements.txt -p /opt/kometa-quickstart/.venv/bin/python
+$STD /opt/kometa-quickstart/.venv/bin/python -m pip install -r requirements.txt
 msg_ok "Installed Kometa Quickstart"

 msg_info "Creating Service"
--- a/install/nextexplorer-install.sh
+++ b/install/nextexplorer-install.sh
@@ -1,164 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: vhsdream
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/nxzai/nextExplorer
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-msg_info "Installing Dependencies"
-$STD apt install -y \
-  ripgrep \
-  imagemagick \
-  ffmpeg \
-  libva-drm2 \
-  libva2 \
-  mesa-va-drivers \
-  vainfo
-msg_ok "Installed Dependencies"
-
-NODE_VERSION="24" setup_nodejs
-
-fetch_and_deploy_gh_release "nextExplorer" "nxzai/nextExplorer" "tarball" "latest" "/opt/nextExplorer"
-
-msg_info "Building nextExplorer"
-APP_DIR="/opt/nextExplorer/app"
-LOCAL_IP="$(hostname -I | awk '{print $1}')"
-mkdir -p "$APP_DIR"
-mkdir -p /etc/nextExplorer
-cd /opt/nextExplorer
-export NODE_ENV=production
-$STD npm ci --omit=dev --workspace backend
-mv node_modules "$APP_DIR"
-mv backend/{src,package.json} "$APP_DIR"
-unset NODE_ENV
-
-export NODE_ENV=development
-export NODE_OPTIONS="--max-old-space-size=2048"
-$STD npm ci --workspace frontend
-$STD npm run -w frontend build -- --sourcemap false
-unset NODE_ENV
-mv frontend/dist/ "$APP_DIR"/src/public
-msg_ok "Built nextExplorer"
-
-msg_info "Configuring nextExplorer"
-SECRET=$(openssl rand -hex 32)
-cat <<EOF >/etc/nextExplorer/.env
-NODE_ENV=production
-PORT=3000
-
-VOLUME_ROOT=/mnt
-CONFIG_DIR=/etc/nextExplorer
-CACHE_DIR=/etc/nextExplorer/cache
-# USER_ROOT=
-
-PUBLIC_URL=${LOCAL_IP}:3000
-# TRUST_PROXY=
-# CORS_ORIGINS=
-
-TERMINAL_ENABLED=false
-
-LOG_LEVEL=info
-DEBUG=false
-ENABLE_HTTP_LOGGING=false
-
-AUTH_ENABLED=true
-AUTH_MODE=both
-SESSION_SECRET="${SECRET}"
-# AUTH_MAX_FAILED=
-# AUTH_LOCK_MINUTES=
-# AUTH_USER_EMAIL=
-# AUTH_USER_PASSWORD=
-
-# OIDC_ENABLED=
-# OIDC_ISSUER=
-# OIDC_AUTHORIZATION_URL=
-# OIDC_TOKEN_URL=
-# OIDC_USERINFO_URL=
-# OIDC_CLIENT_ID=
-# OIDC_CLIENT_SECRET=
-# OIDC_CALLBACK_URL=
-# OIDC_LOGOUT_URL=
-# OIDC_SCOPES=
-# OIDC_AUTO_CREATE_USERS=true
-
-# SEARCH_DEEP=
-# SEARCH_RIPGREP=
-# SEARCH_MAX_FILESIZE=
-
-# ONLYOFFICE_URL=
-# ONLYOFFICE_SECRET=
-# ONLYOFFICE_LANG=
-# ONLYOFFICE_FORCE_SAVE=
-# ONLYOFFICE_FILE_EXTENSIONS=
-
-# COLLABORA_URL=
-# COLLABORA_DISCOVERY_URL=
-# COLLABORA_SECRET=
-# COLLABORA_LANG=
-# COLLABORA_FILE_EXTENSIONS=
-
-SHOW_VOLUME_USAGE=true
-# USER_DIR_ENABLED=
-# SKIP_HOME=
-
-# EDITOR_EXTENSIONS=
-
-# FFMPEG_PATH=
-# FFPROBE_PATH=
-
-## Hardware acceleration
-# FFMPEG_HWACCEL=vaapi
-# FFMPEG_HWACCEL_DEVICE=/dev/dri/renderD128
-# FFMPEG_HWACCEL_OUTPUT_FORMAT=nv12
-
-FAVORITES_DEFAULT_ICON=outline.StarIcon
-
-SHARES_ENABLED=true
-# SHARES_TOKEN_LENGTH=10
-# SHARES_MAX_PER_USER=100
-# SHARES_DEFAULT_EXPIRY_DAYS=30
-# SHARES_GUEST_SESSION_HOURS=24
-# SHARES_ALLOW_PASSWORD=true
-# SHARES_ALLOW_ANONYMOUS=true
-EOF
-chmod 600 /etc/nextExplorer/.env
-$STD useradd -U -s /usr/sbin/nologin -m -d /home/explorer explorer
-chown -R explorer:explorer "$APP_DIR" /etc/nextExplorer
-sed -i "\|version|s|$(jq -cr '.version' ${APP_DIR}/package.json)|$(cat ~/.nextexplorer)|" "$APP_DIR"/package.json
-msg_ok "Configured nextExplorer"
-
-msg_info "Creating nextExplorer Service"
-cat <<EOF >/etc/systemd/system/nextexplorer.service
-[Unit]
-Description=nextExplorer Service
-After=network.target
-
-[Service]
-Type=simple
-User=explorer
-Group=explorer
-WorkingDirectory=/opt/nextExplorer/app
-EnvironmentFile=/etc/nextExplorer/.env
-ExecStart=/usr/bin/node ./src/server.js
-Restart=always
-RestartSec=5
-StandardOutput=journal
-StandardError=journal
-
-[Install]
-WantedBy=multi-user.target
-EOF
-$STD systemctl enable -q --now nextexplorer
-msg_ok "Created nextExplorer Service"
-
-motd_ssh
-customize
-cleanup_lxc
--- a/misc/api.func
+++ b/misc/api.func
@@ -348,10 +348,10 @@ explain_exit_code() {
 json_escape() {
  # Escape a string for safe JSON embedding using awk (handles any input size).
  # Pipeline: strip ANSI → remove control chars → escape \ " TAB → join lines with \n
-  printf '%s' "$1" |
-    sed 's/\x1b\[[0-9;]*[a-zA-Z]//g' |
-    tr -d '\000-\010\013\014\016-\037\177\r' |
-    awk '
+  printf '%s' "$1" \
+    | sed 's/\x1b\[[0-9;]*[a-zA-Z]//g' \
+    | tr -d '\000-\010\013\014\016-\037\177\r' \
+    | awk '
        BEGIN { ORS = "" }
        {
          gsub(/\\/, "\\\\")   # backslash → \\
@@ -627,8 +627,8 @@ post_to_api() {

  [[ "${DEV_MODE:-}" == "true" ]] && echo "[DEBUG] post_to_api() DIAGNOSTICS=$DIAGNOSTICS RANDOM_UUID=$RANDOM_UUID NSAPP=$NSAPP" >&2

-  # Set type for later status updates (preserve if already set, e.g. turnkey)
-  TELEMETRY_TYPE="${TELEMETRY_TYPE:-lxc}"
+  # Set type for later status updates
+  TELEMETRY_TYPE="lxc"

  local pve_version=""
  if command -v pveversion &>/dev/null; then
@@ -664,7 +664,7 @@ post_to_api() {
 {
    "random_id": "${RANDOM_UUID}",
    "execution_id": "${EXECUTION_ID:-${RANDOM_UUID}}",
-    "type": "${TELEMETRY_TYPE}",
+    "type": "lxc",
    "nsapp": "${NSAPP:-unknown}",
    "status": "installing",
    "ct_type": ${CT_TYPE:-1},
@@ -692,7 +692,6 @@ EOF
  # Send initial "installing" record with retry.
  # This record MUST exist for all subsequent updates to succeed.
  local http_code="" attempt
-  local _post_success=false
  for attempt in 1 2 3; do
    if [[ "${DEV_MODE:-}" == "true" ]]; then
      http_code=$(curl -sS -w "%{http_code}" -m "${TELEMETRY_TIMEOUT}" -X POST "${TELEMETRY_URL}" \
@@ -704,19 +703,11 @@ EOF
        -H "Content-Type: application/json" \
        -d "$JSON_PAYLOAD" -o /dev/null 2>/dev/null) || http_code="000"
    fi
-    if [[ "$http_code" =~ ^2[0-9]{2}$ ]]; then
-      _post_success=true
-      break
-    fi
+    [[ "$http_code" =~ ^2[0-9]{2}$ ]] && break
    [[ "$attempt" -lt 3 ]] && sleep 1
  done

-  # Only mark done if at least one attempt succeeded.
-  # If all 3 failed, POST_TO_API_DONE stays false so post_update_to_api
-  # and on_exit() know the initial record was never created.
-  # The server has fallback logic to create a new record on status updates,
-  # so subsequent calls can still succeed even without the initial record.
-  POST_TO_API_DONE=${_post_success}
+  POST_TO_API_DONE=true
 }

 # ------------------------------------------------------------------------------
@@ -807,19 +798,15 @@ EOF

  # Send initial "installing" record with retry (must succeed for updates to work)
  local http_code="" attempt
-  local _post_success=false
  for attempt in 1 2 3; do
    http_code=$(curl -sS -w "%{http_code}" -m "${TELEMETRY_TIMEOUT}" -X POST "${TELEMETRY_URL}" \
      -H "Content-Type: application/json" \
      -d "$JSON_PAYLOAD" -o /dev/null 2>/dev/null) || http_code="000"
-    if [[ "$http_code" =~ ^2[0-9]{2}$ ]]; then
-      _post_success=true
-      break
-    fi
+    [[ "$http_code" =~ ^2[0-9]{2}$ ]] && break
    [[ "$attempt" -lt 3 ]] && sleep 1
  done

-  POST_TO_API_DONE=${_post_success}
+  POST_TO_API_DONE=true
 }

 # ------------------------------------------------------------------------------
@@ -1096,12 +1083,6 @@ EOF
 # - Used to group errors in dashboard
 # ------------------------------------------------------------------------------
 categorize_error() {
-  # Allow build.func to override category based on log analysis (exit code 1 subclassification)
-  if [[ -n "${ERROR_CATEGORY_OVERRIDE:-}" ]]; then
-    echo "$ERROR_CATEGORY_OVERRIDE"
-    return
-  fi
-
  local code="$1"
  case "$code" in
  # Network errors (curl/wget)
--- a/misc/build.func
+++ b/misc/build.func
@@ -222,12 +222,9 @@ update_motd_ip() {
    local current_ip="$(hostname -I | awk '{print $1}')"

    # Escape sed special chars in replacement strings (& \ |)
-    current_os="${current_os//\\/\\\\}"
-    current_os="${current_os//&/\\&}"
-    current_hostname="${current_hostname//\\/\\\\}"
-    current_hostname="${current_hostname//&/\\&}"
-    current_ip="${current_ip//\\/\\\\}"
-    current_ip="${current_ip//&/\\&}"
+    current_os="${current_os//\\/\\\\}"; current_os="${current_os//&/\\&}"
+    current_hostname="${current_hostname//\\/\\\\}"; current_hostname="${current_hostname//&/\\&}"
+    current_ip="${current_ip//\\/\\\\}"; current_ip="${current_ip//&/\\&}"

    # Update only if values actually changed
    if ! grep -q "OS:.*$current_os" "$PROFILE_FILE" 2>/dev/null; then
@@ -4226,53 +4223,6 @@ EOF'
      fi
    fi

-    # Defense-in-depth: Ensure error handling stays disabled during recovery.
-    # Some functions (e.g. silent/$STD) unconditionally re-enable set -Eeuo pipefail
-    # and trap 'error_handler' ERR. If any code path above called such a function,
-    # the grep/sed pipelines below would trigger error_handler on non-match (exit 1).
-    set +Eeuo pipefail
-    trap - ERR
-
-    # --- Exit code 1 subclassification: analyze logs BEFORE telemetry call ---
-    # Exit code 1 is generic ("General error"). Analyze logs to determine the
-    # real error category so telemetry gets a useful classification instead of "shell".
-    local is_oom=false
-    local is_network_issue=false
-    local is_apt_issue=false
-    local is_cmd_not_found=false
-    local is_disk_full=false
-
-    if [[ $install_exit_code -eq 1 && -f "$combined_log" ]]; then
-      if grep -qiE 'E: Unable to|E: Package|E: Failed to fetch|dpkg.*error|broken packages|unmet dependencies|dpkg --configure -a' "$combined_log"; then
-        is_apt_issue=true
-      fi
-      if grep -qiE 'Cannot allocate memory|Out of memory|oom-killer|Killed process|JavaScript heap' "$combined_log"; then
-        is_oom=true
-      fi
-      if grep -qiE 'Could not resolve|DNS|Connection refused|Network is unreachable|No route to host|Temporary failure resolving|Failed to fetch' "$combined_log"; then
-        is_network_issue=true
-      fi
-      if grep -qiE ': command not found|No such file or directory.*/s?bin/' "$combined_log"; then
-        is_cmd_not_found=true
-      fi
-      if grep -qiE 'ENOSPC|no space left on device|Disk quota exceeded|errno -28' "$combined_log"; then
-        is_disk_full=true
-      fi
-    fi
-
-    # Set override for categorize_error() so telemetry gets the real category
-    if [[ "$is_apt_issue" == true ]]; then
-      export ERROR_CATEGORY_OVERRIDE="dependency"
-    elif [[ "$is_oom" == true ]]; then
-      export ERROR_CATEGORY_OVERRIDE="resource"
-    elif [[ "$is_network_issue" == true ]]; then
-      export ERROR_CATEGORY_OVERRIDE="network"
-    elif [[ "$is_disk_full" == true ]]; then
-      export ERROR_CATEGORY_OVERRIDE="storage"
-    elif [[ "$is_cmd_not_found" == true ]]; then
-      export ERROR_CATEGORY_OVERRIDE="dependency"
-    fi
-
    # Report failure to telemetry API (now with log available on host)
    # NOTE: Do NOT use msg_info/spinner here — the background spinner process
    # causes SIGTSTP in non-interactive shells (bash -c "$(curl ...)"), which
@@ -4281,6 +4231,13 @@ EOF'
    post_update_to_api "failed" "$install_exit_code"
    $STD echo -e "${TAB}${CM:-✔} Failure reported"

+    # Defense-in-depth: Ensure error handling stays disabled during recovery.
+    # Some functions (e.g. silent/$STD) unconditionally re-enable set -Eeuo pipefail
+    # and trap 'error_handler' ERR. If any code path above called such a function,
+    # the grep/sed pipelines below would trigger error_handler on non-match (exit 1).
+    set +Eeuo pipefail
+    trap - ERR
+
    # Show combined log location
    if [[ -n "$CTID" && -n "${SESSION_ID:-}" ]]; then
      msg_custom "📋" "${YW}" "Installation log: ${combined_log}"
@@ -4309,9 +4266,12 @@ EOF'
    # Prompt user for cleanup with 60s timeout
    echo ""

-    # Extend error detection for non-exit-1 codes (exit 1 was already analyzed above)
-    # The is_* flags were set above for exit code 1 log analysis; here we add
-    # exit-code-specific detections for other codes.
+    # Detect error type for smart recovery options
+    local is_oom=false
+    local is_network_issue=false
+    local is_apt_issue=false
+    local is_cmd_not_found=false
+    local is_disk_full=false
    local error_explanation=""
    if declare -f explain_exit_code >/dev/null 2>&1; then
      error_explanation="$(explain_exit_code "$install_exit_code")"
@@ -4361,6 +4321,26 @@ EOF'
      ;;
    esac

+    # Exit 1 subclassification: analyze logs to identify actual root cause
+    # Many exit 1 errors are actually APT, OOM, network, or command-not-found issues
+    if [[ $install_exit_code -eq 1 && -f "$combined_log" ]]; then
+      if grep -qiE 'E: Unable to|E: Package|E: Failed to fetch|dpkg.*error|broken packages|unmet dependencies|dpkg --configure -a' "$combined_log"; then
+        is_apt_issue=true
+      fi
+      if grep -qiE 'Cannot allocate memory|Out of memory|oom-killer|Killed process|JavaScript heap' "$combined_log"; then
+        is_oom=true
+      fi
+      if grep -qiE 'Could not resolve|DNS|Connection refused|Network is unreachable|No route to host|Temporary failure resolving|Failed to fetch' "$combined_log"; then
+        is_network_issue=true
+      fi
+      if grep -qiE ': command not found|No such file or directory.*/s?bin/' "$combined_log"; then
+        is_cmd_not_found=true
+      fi
+      if grep -qiE 'ENOSPC|no space left on device|Disk quota exceeded|errno -28' "$combined_log"; then
+        is_disk_full=true
+      fi
+    fi
+
    # Show error explanation if available
    if [[ -n "$error_explanation" ]]; then
      echo -e "${TAB}${RD}Error: ${error_explanation}${CL}"
@@ -4562,7 +4542,6 @@ EOF'

          if [[ $apt_retry_code -eq 0 ]]; then
            msg_ok "Installation completed successfully after APT repair!"
-            INSTALL_COMPLETE=true
            post_update_to_api "done" "0" "force"
            return 0
          else
@@ -5737,7 +5716,6 @@ EOF
    systemctl start ping-instances.service
  fi

-  INSTALL_COMPLETE=true
  post_update_to_api "done" "none"
 }

--- a/misc/error_handler.func
+++ b/misc/error_handler.func
@@ -507,23 +507,14 @@ _stop_container_if_installing() {
 on_exit() {
  local exit_code=$?

-  # Report orphaned telemetry records
-  # Two scenarios handled:
-  # 1. POST_TO_API_DONE=true but POST_UPDATE_DONE=false: Record was created but
-  #    never got a final status update → send abort/done now.
-  # 2. POST_TO_API_DONE=false but DIAGNOSTICS=yes: Initial post failed (server
-  #    unreachable/timeout), but the server has fallback create-on-update logic,
-  #    so a status update can still create the record. Worth one last try.
-  if [[ "${POST_UPDATE_DONE:-}" != "true" ]]; then
-    if [[ "${POST_TO_API_DONE:-}" == "true" || "${DIAGNOSTICS:-no}" == "yes" ]]; then
-      if [[ $exit_code -ne 0 ]]; then
-        _send_abort_telemetry "$exit_code"
-      elif [[ "${INSTALL_COMPLETE:-}" == "true" ]] && declare -f post_update_to_api >/dev/null 2>&1; then
-        # Only report success if the install was explicitly marked complete.
-        # Without this guard, early bailouts (e.g. user cancelled) with exit 0
-        # would be falsely reported as successful installations.
-        post_update_to_api "done" "0" 2>/dev/null || true
-      fi
+  # Report orphaned "installing" records to telemetry API
+  # Catches ALL exit paths: errors, signals, AND clean exits where
+  # post_to_api was called but post_update_to_api was never called
+  if [[ "${POST_TO_API_DONE:-}" == "true" && "${POST_UPDATE_DONE:-}" != "true" ]]; then
+    if [[ $exit_code -ne 0 ]]; then
+      _send_abort_telemetry "$exit_code"
+    elif declare -f post_update_to_api >/dev/null 2>&1; then
+      post_update_to_api "done" "0" 2>/dev/null || true
    fi
  fi

--- a/tools/addon/homebrew.sh
+++ b/tools/addon/homebrew.sh
@@ -1,173 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: MorganCSIT | MickLesk (CanbiZ)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://brew.sh | Github: https://github.com/Homebrew/brew
-
-if ! command -v curl &>/dev/null; then
-  printf "\r\e[2K%b" '\033[93m Setup Source \033[m' >&2
-  apt-get update >/dev/null 2>&1
-  apt-get install -y curl >/dev/null 2>&1
-fi
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/core.func)
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/tools.func)
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/error_handler.func)
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
-
-# Enable error handling
-set -Eeuo pipefail
-trap 'error_handler' ERR
-load_functions
-init_tool_telemetry "" "addon"
-
-# ==============================================================================
-# CONFIGURATION
-# ==============================================================================
-VERBOSE=${var_verbose:-no}
-APP="homebrew"
-APP_TYPE="tools"
-INSTALL_PATH="/home/linuxbrew/.linuxbrew"
-
-# ==============================================================================
-# OS DETECTION
-# ==============================================================================
-if [[ -f "/etc/alpine-release" ]]; then
-  echo -e "${CROSS} Alpine is not supported by Homebrew. Exiting."
-  exit 1
-elif grep -qE 'ID=debian|ID=ubuntu' /etc/os-release; then
-  OS="Debian"
-else
-  echo -e "${CROSS} Unsupported OS detected. Exiting."
-  exit 1
-fi
-
-# ==============================================================================
-# UNINSTALL
-# ==============================================================================
-function uninstall() {
-  msg_info "Uninstalling Homebrew"
-
-  BREW_USER=$(awk -F: '$3 >= 1000 && $3 < 65534 { print $1; exit }' /etc/passwd)
-  if [[ -n "$BREW_USER" ]]; then
-    BREW_USER_HOME=$(getent passwd "$BREW_USER" | cut -d: -f6)
-    for rc_file in "$BREW_USER_HOME/.bashrc" "$BREW_USER_HOME/.profile"; do
-      if [[ -f "$rc_file" ]]; then
-        sed -i '/# Homebrew (Linuxbrew)/,/^fi$/d' "$rc_file"
-      fi
-    done
-  fi
-
-  rm -rf /home/linuxbrew
-  rm -f /etc/profile.d/homebrew.sh
-  groupdel linuxbrew &>/dev/null || true
-
-  msg_ok "Homebrew has been uninstalled"
-}
-
-# ==============================================================================
-# INSTALL
-# ==============================================================================
-function install() {
-  msg_info "Detecting Non-Root User"
-  BREW_USER=$(awk -F: '$3 >= 1000 && $3 < 65534 { print $1; exit }' /etc/passwd)
-  if [[ -z "$BREW_USER" ]]; then
-    msg_warn "No non-root user found (uid >= 1000). Homebrew cannot run as root."
-    read -r -p "${TAB}Create a 'brew' user automatically? (y/N): " create_user_prompt
-    if [[ "${create_user_prompt,,}" =~ ^(y|yes)$ ]]; then
-      msg_info "Creating user 'brew'"
-      useradd -m -s /bin/bash brew
-      BREW_USER="brew"
-      msg_ok "Created user 'brew'"
-    else
-      msg_error "Cannot install Homebrew without a non-root user. Exiting."
-      exit 1
-    fi
-  fi
-  msg_ok "Detected User: $BREW_USER"
-
-  msg_info "Installing Dependencies"
-  $STD apt update
-  $STD apt install -y build-essential git file procps
-  msg_ok "Installed Dependencies"
-
-  msg_info "Setting Up Homebrew Prefix"
-  export PATH="/usr/sbin:$PATH"
-  groupadd -f linuxbrew
-  mkdir -p /home/linuxbrew/.linuxbrew
-  chown -R "$BREW_USER":linuxbrew /home/linuxbrew
-  chmod 2775 /home/linuxbrew
-  chmod 2775 /home/linuxbrew/.linuxbrew
-  usermod -aG linuxbrew "$BREW_USER"
-  msg_ok "Set Up Homebrew Prefix"
-
-  msg_info "Installing Homebrew"
-  $STD su - "$BREW_USER" -c 'NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
-  msg_ok "Installed Homebrew"
-
-  msg_info "Configuring Shell Integration"
-  cat <<'EOF' >/etc/profile.d/homebrew.sh
-#!/bin/bash
-if [ -d "/home/linuxbrew/.linuxbrew" ]; then
-    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
-fi
-EOF
-  chmod +x /etc/profile.d/homebrew.sh
-
-  BREW_USER_HOME=$(getent passwd "$BREW_USER" | cut -d: -f6)
-  BREW_SHELL_BLOCK='\n# Homebrew (Linuxbrew)\nif [ -d "/home/linuxbrew/.linuxbrew" ]; then\n    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"\nfi'
-  for rc_file in "$BREW_USER_HOME/.bashrc" "$BREW_USER_HOME/.profile"; do
-    if ! grep -q 'linuxbrew' "$rc_file" 2>/dev/null; then
-      echo -e "$BREW_SHELL_BLOCK" >>"$rc_file"
-    fi
-  done
-  msg_ok "Configured Shell Integration"
-
-  msg_info "Verifying Installation"
-  $STD su - "$BREW_USER" -c 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" && brew --version'
-  msg_ok "Homebrew Verified"
-
-  echo ""
-  msg_ok "Homebrew installed successfully"
-  msg_ok "Ready for user: ${BL}${BREW_USER}${CL}"
-  echo ""
-  echo -e "${TAB}${INFO} Usage: Switch to the brew user with a login shell:"
-  echo -e "${TAB}  ${BL}su - ${BREW_USER}${CL}"
-  echo -e "${TAB}  Then run: ${BL}brew install <package>${CL}"
-  echo -e "${TAB}  Update with: ${BL}brew update${CL}"
-}
-
-# ==============================================================================
-# MAIN
-# ==============================================================================
-header_info
-
-if [[ -d "$INSTALL_PATH" ]]; then
-  msg_warn "Homebrew is already installed."
-  echo ""
-
-  read -r -p "${TAB}Uninstall Homebrew? (y/N): " uninstall_prompt
-  if [[ "${uninstall_prompt,,}" =~ ^(y|yes)$ ]]; then
-    uninstall
-    exit 0
-  fi
-
-  msg_warn "No action selected. Exiting."
-  exit 0
-fi
-
-# Fresh installation
-msg_warn "Homebrew is not installed."
-echo ""
-echo -e "${TAB}${INFO} This will install:"
-echo -e "${TAB}  - Homebrew (Linuxbrew) package manager"
-echo -e "${TAB}  - Shell integration for the detected non-root user"
-echo ""
-
-read -r -p "${TAB}Install Homebrew? (y/N): " install_prompt
-if [[ "${install_prompt,,}" =~ ^(y|yes)$ ]]; then
-  install
-else
-  msg_warn "Installation cancelled. Exiting."
-  exit 0
-fi
--- a/turnkey/turnkey.sh
+++ b/turnkey/turnkey.sh
@@ -1,23 +1,10 @@
 #!/usr/bin/env bash
-# Copyright (c) 2021-2026 community-scripts ORG
+# Copyright (c) 2021-2026 tteck
 # Author: tteck (tteckster)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# License: MIT
+# https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE

-# Source shared libraries
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func)
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/core.func)
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/error_handler.func)
-load_functions
-catch_errors
-
-APP="TurnKey LXC"
-NSAPP="turnkey"
-DIAGNOSTICS="no"
-METHOD="default"
-RANDOM_UUID="$(cat /proc/sys/kernel/random/uuid)"
-EXECUTION_ID="${RANDOM_UUID}"
-
-header_info() {
+function header_info {
  clear
  cat <<"EOF"
 ______              __ __           __   _  _______
@@ -28,343 +15,281 @@ header_info() {
 EOF
 }

-# Validate if a container ID is available (cluster-aware)
-validate_container_id() {
+set -euo pipefail
+shopt -s expand_aliases
+alias die='EXIT=$? LINE=$LINENO error_exit'
+trap die ERR
+function error_exit() {
+  trap - ERR
+  local DEFAULT='Unknown failure occured.'
+  local REASON="\e[97m${1:-$DEFAULT}\e[39m"
+  local FLAG="\e[91m[ERROR] \e[93m$EXIT@$LINE"
+  msg "$FLAG $REASON" 1>&2
+  [ ! -z ${CTID-} ] && cleanup_ctid
+  exit $EXIT
+}
+function warn() {
+  local REASON="\e[97m$1\e[39m"
+  local FLAG="\e[93m[WARNING]\e[39m"
+  msg "$FLAG $REASON"
+}
+function info() {
+  local REASON="$1"
+  local FLAG="\e[36m[INFO]\e[39m"
+  msg "$FLAG $REASON"
+}
+function msg() {
+  local TEXT="$1"
+  echo -e "$TEXT"
+}
+function validate_container_id() {
  local ctid="$1"
-  [[ "$ctid" =~ ^[0-9]+$ ]] || return 1
-
-  # Cluster-wide check via pvesh
-  if command -v pvesh &>/dev/null; then
-    local cluster_ids
-    cluster_ids=$(pvesh get /cluster/resources --type vm --output-format json 2>/dev/null |
-      grep -oP '"vmid":\s*\K[0-9]+' 2>/dev/null || true)
-    if [[ -n "$cluster_ids" ]] && echo "$cluster_ids" | grep -qw "$ctid"; then
-      return 1
-    fi
+  # Check if ID is numeric
+  if ! [[ "$ctid" =~ ^[0-9]+$ ]]; then
+    return 1
  fi
-
-  # Local fallback
+  # Check if config file exists for VM or LXC
  if [[ -f "/etc/pve/qemu-server/${ctid}.conf" ]] || [[ -f "/etc/pve/lxc/${ctid}.conf" ]]; then
    return 1
  fi
-
-  # Check all cluster nodes
-  if [[ -d "/etc/pve/nodes" ]]; then
-    for node_dir in /etc/pve/nodes/*/; do
-      if [[ -f "${node_dir}qemu-server/${ctid}.conf" ]] || [[ -f "${node_dir}lxc/${ctid}.conf" ]]; then
-        return 1
-      fi
-    done
-  fi
-
-  # Check LVM volumes
+  # Check if ID is used in LVM logical volumes
  if lvs --noheadings -o lv_name 2>/dev/null | grep -qE "(^|[-_])${ctid}($|[-_])"; then
    return 1
  fi
  return 0
 }
-
-get_valid_container_id() {
-  local suggested_id="${1:-$(pvesh get /cluster/nextid 2>/dev/null || echo 100)}"
+function get_valid_container_id() {
+  local suggested_id="${1:-$(pvesh get /cluster/nextid)}"
  while ! validate_container_id "$suggested_id"; do
    suggested_id=$((suggested_id + 1))
  done
  echo "$suggested_id"
 }
-
-cleanup_ctid() {
-  if pct status "$CTID" &>/dev/null; then
-    if [[ "$(pct status "$CTID" | awk '{print $2}')" == "running" ]]; then
-      pct stop "$CTID"
+function cleanup_ctid() {
+  if pct status $CTID &>/dev/null; then
+    if [ "$(pct status $CTID | awk '{print $2}')" == "running" ]; then
+      pct stop $CTID
    fi
-    pct destroy "$CTID"
+    pct destroy $CTID
  fi
 }

-select_storage() {
-  local class="$1" content content_label
-  case "$class" in
-  container)
-    content='rootdir'
-    content_label='Container'
-    ;;
-  template)
-    content='vztmpl'
-    content_label='Container template'
-    ;;
-  *)
-    msg_error "Invalid storage class '$class'"
-    return 1
-    ;;
-  esac
-
-  local -a MENU=()
-  local MSG_MAX_LENGTH=0
-
-  while read -r line; do
-    local TAG TYPE FREE ITEM OFFSET=2
-    TAG=$(echo "$line" | awk '{print $1}')
-    TYPE=$(echo "$line" | awk '{printf "%-10s", $2}')
-    FREE=$(echo "$line" | numfmt --field 4-6 --from-unit=K --to=iec --format %.2f | awk '{printf( "%9sB", $6)}')
-    ITEM="  Type: $TYPE Free: $FREE "
-    ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=$((${#ITEM} + OFFSET))
-    MENU+=("$TAG" "$ITEM" "OFF")
-  done < <(pvesm status -content "$content" | awk 'NR>1')
-
-  if [[ $((${#MENU[@]} / 3)) -eq 0 ]]; then
-    msg_error "'$content_label' needs to be selected for at least one storage location."
-    return 1
-  elif [[ $((${#MENU[@]} / 3)) -eq 1 ]]; then
-    printf '%s' "${MENU[0]}"
-  else
-    local STORAGE
-    while [[ -z "${STORAGE:+x}" ]]; do
-      STORAGE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Storage Pools" --radiolist \
-        "Which storage pool for the ${content_label,,}?\n\n" \
-        16 $((MSG_MAX_LENGTH + 23)) 6 \
-        "${MENU[@]}" 3>&1 1>&2 2>&3) || exit_script
-    done
-    printf '%s' "$STORAGE"
-  fi
-}
-
-# ==============================================================================
-# MAIN
-# ==============================================================================
-
-# Cleanup on error: destroy container, report telemetry, and restart monitor
-turnkey_cleanup() {
-  local exit_code=$?
-  if [[ $exit_code -ne 0 ]]; then
-    # Report failure to telemetry
-    if [[ "${POST_TO_API_DONE:-}" == "true" && "${POST_UPDATE_DONE:-}" != "true" ]]; then
-      post_update_to_api "failed" "$exit_code" 2>/dev/null || true
-    fi
-    # Destroy failed container
-    if [[ -n "${CTID:-}" ]]; then
-      cleanup_ctid 2>/dev/null || true
-    fi
-  fi
-  if [[ -f /etc/systemd/system/ping-instances.service ]]; then
-    systemctl start ping-instances.service 2>/dev/null || true
-  fi
-}
-trap turnkey_cleanup EXIT
-
 # Stop Proxmox VE Monitor-All if running
 if systemctl is-active -q ping-instances.service; then
  systemctl stop ping-instances.service
 fi
-
-pve_check
-shell_check
-root_check
-
-# Read diagnostics preference (same logic as build.func diagnostics_check)
-DIAG_CONFIG="/usr/local/community-scripts/diagnostics"
-if [[ -f "$DIAG_CONFIG" ]]; then
-  DIAGNOSTICS=$(awk -F '=' '/^DIAGNOSTICS/ {print $2}' "$DIAG_CONFIG") || true
-  DIAGNOSTICS="${DIAGNOSTICS:-no}"
-fi
-
 header_info
-whiptail --backtitle "Proxmox VE Helper Scripts" --title "TurnKey LXCs" --yesno \
-  "This will allow for the creation of one of the many TurnKey LXC Containers. Proceed?" 10 68 || exit_script
-
-# Update template catalog early so the menu reflects the latest available templates
-msg_info "Updating LXC template list"
-pveam update >/dev/null
-msg_ok "Updated LXC template list"
-
-# Build TurnKey selection menu dynamically from available templates
-declare -A TURNKEY_TEMPLATES
+whiptail --backtitle "Proxmox VE Helper Scripts" --title "TurnKey LXCs" --yesno "This will allow for the creation of one of the many TurnKey LXC Containers. Proceed?" 10 68
 TURNKEY_MENU=()
 MSG_MAX_LENGTH=0
-while IFS=$'\t' read -r TEMPLATE_FILE TAG ITEM; do
-  TURNKEY_TEMPLATES["$TAG"]="$TEMPLATE_FILE"
+while read -r TAG ITEM; do
  OFFSET=2
-  ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=$((${#ITEM} + OFFSET))
+  ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=${#ITEM}+OFFSET
  TURNKEY_MENU+=("$TAG" "$ITEM " "OFF")
-done < <(pveam available -section turnkeylinux | awk '{
-  tpl = $2
-  if (match(tpl, /debian-([0-9]+)-turnkey-([^_]+)_([^_]+)_/, m)) {
-    app = m[2]; deb = m[1]; ver = m[3]
-    display = app
-    gsub(/-/, " ", display)
-    n = split(display, words, " ")
-    display = ""
-    for (i = 1; i <= n; i++) {
-      words[i] = toupper(substr(words[i], 1, 1)) substr(words[i], 2)
-      display = display (i > 1 ? " " : "") words[i]
-    }
-    tag = app "-" deb
-    printf "%s\t%s\t%s | Debian %s | %s\n", tpl, tag, display, deb, ver
-  }
-}' | sort -t$'\t' -k2,2)
+done < <(
+  cat <<EOF
+ansible Ansible
+bookstack BookStack
+core Core
+faveo-helpdesk Faveo Helpdesk
+fileserver File Server
+gallery Gallery
+gameserver Game Server
+gitea Gitea
+gitlab GitLab
+invoice-ninja Invoice Ninja
+mediaserver Media Server
+nextcloud Nextcloud
+observium Observium
+odoo Odoo
+openldap OpenLDAP
+openvpn OpenVPN
+owncloud ownCloud
+phpbb phpBB
+torrentserver Torrent Server
+wireguard WireGuard
+wordpress Wordpress
+zoneminder ZoneMinder
+EOF
+)
+turnkey=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "TurnKey LXCs" --radiolist "\nSelect a TurnKey LXC to create:\n" 16 $((MSG_MAX_LENGTH + 58)) 6 "${TURNKEY_MENU[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+[ -z "$turnkey" ] && {
+  whiptail --backtitle "Proxmox VE Helper Scripts" --title "No TurnKey LXC Selected" --msgbox "It appears that no TurnKey LXC container was selected" 10 68
+  msg "Done"
+  exit
+}

-if [[ ${#TURNKEY_MENU[@]} -eq 0 ]]; then
-  msg_error "No TurnKey templates found. Check your internet connection or template repository."
-  exit 1
-fi
-
-selected=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "TurnKey LXCs" --radiolist \
-  "\nSelect a TurnKey LXC to create:\n" 20 $((MSG_MAX_LENGTH + 58)) 12 \
-  "${TURNKEY_MENU[@]}" 3>&1 1>&2 2>&3 | tr -d '"') || exit_script
-
-if [[ -z "$selected" ]]; then
-  whiptail --backtitle "Proxmox VE Helper Scripts" --title "No TurnKey LXC Selected" \
-    --msgbox "It appears that no TurnKey LXC container was selected" 10 68
-  exit_script
-fi
-
-# Extract template filename and app name from selection
-TEMPLATE="${TURNKEY_TEMPLATES[$selected]}"
-turnkey="${selected%-*}"
-
-# Generate random password
+# Setup script environment
 PASS="$(openssl rand -base64 8)"
-
-# Prompt for Container ID
-NEXT_ID=$(pvesh get /cluster/nextid 2>/dev/null || echo 100)
+# Prompt user to confirm container ID
 while true; do
-  CTID=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Container ID" \
-    --inputbox "Enter the container ID..." 8 40 "$NEXT_ID" 3>&1 1>&2 2>&3) || exit_script
+  CTID=$(whiptail --backtitle "Container ID" --title "Choose the Container ID" --inputbox "Enter the container ID..." 8 40 $(pvesh get /cluster/nextid) 3>&1 1>&2 2>&3)

-  if [[ -z "$CTID" ]]; then
-    msg_error "No Container ID selected"
-    exit_script
-  fi
+  # Check if user cancelled
+  [ -z "$CTID" ] && die "No Container ID selected"

+  # Validate Container ID
  if ! validate_container_id "$CTID"; then
    SUGGESTED_ID=$(get_valid_container_id "$CTID")
-    if whiptail --backtitle "Proxmox VE Helper Scripts" --title "ID Already In Use" --yesno \
-      "Container/VM ID $CTID is already in use.\n\nWould you like to use the next available ID ($SUGGESTED_ID)?" 10 58; then
+    if whiptail --backtitle "Container ID" --title "ID Already In Use" --yesno "Container/VM ID $CTID is already in use.\n\nWould you like to use the next available ID ($SUGGESTED_ID)?" 10 58; then
      CTID="$SUGGESTED_ID"
      break
    fi
+    # User declined, loop back to input
  else
    break
  fi
 done
-
-# Prompt for Hostname
-HOST_NAME=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Hostname" \
-  --inputbox "Enter the container hostname..." 8 40 "turnkey-${turnkey}" 3>&1 1>&2 2>&3) || exit_script
-
-# Container options
-PCT_OPTIONS=(
-  -features keyctl=1,nesting=1
-  -hostname "$HOST_NAME"
-  -tags community-script
-  -onboot 1
-  -cores 2
-  -memory 2048
-  -password "$PASS"
-  -net0 name=eth0,bridge=vmbr0,ip=dhcp
-  -unprivileged 1
-  -arch "$(dpkg --print-architecture)"
+# Prompt user to confirm Hostname
+HOST_NAME=$(whiptail --backtitle "Hostname" --title "Choose the Hostname" --inputbox "Enter the containers Hostname..." 8 40 "turnkey-${turnkey}" 3>&1 1>&2 2>&3)
+PCT_OPTIONS="
+    -features keyctl=1,nesting=1
+    -hostname $HOST_NAME
+    -tags community-script
+    -onboot 1
+    -cores 2
+    -memory 2048
+    -password $PASS
+    -net0 name=eth0,bridge=vmbr0,ip=dhcp
+    -unprivileged 1
+  "
+DEFAULT_PCT_OPTIONS=(
+  -arch $(dpkg --print-architecture)
 )

-# Storage selection
-TEMPLATE_STORAGE=$(select_storage template) || {
-  msg_error "Failed to select template storage"
-  exit 1
-}
-msg_ok "Using '${BL}${TEMPLATE_STORAGE}${CL}' for template storage"
+# Set the CONTENT and CONTENT_LABEL variables
+function select_storage() {
+  local CLASS=$1
+  local CONTENT
+  local CONTENT_LABEL
+  case $CLASS in
+  container)
+    CONTENT='rootdir'
+    CONTENT_LABEL='Container'
+    ;;
+  template)
+    CONTENT='vztmpl'
+    CONTENT_LABEL='Container template'
+    ;;
+  *) false || die "Invalid storage class." ;;
+  esac

-CONTAINER_STORAGE=$(select_storage container) || {
-  msg_error "Failed to select container storage"
-  exit 1
-}
-msg_ok "Using '${BL}${CONTAINER_STORAGE}${CL}' for container storage"
+  # Query all storage locations
+  local -a MENU
+  while read -r line; do
+    local TAG=$(echo $line | awk '{print $1}')
+    local TYPE=$(echo $line | awk '{printf "%-10s", $2}')
+    local FREE=$(echo $line | numfmt --field 4-6 --from-unit=K --to=iec --format %.2f | awk '{printf( "%9sB", $6)}')
+    local ITEM="  Type: $TYPE Free: $FREE "
+    local OFFSET=2
+    if [[ $((${#ITEM} + $OFFSET)) -gt ${MSG_MAX_LENGTH:-} ]]; then
+      local MSG_MAX_LENGTH=$((${#ITEM} + $OFFSET))
+    fi
+    MENU+=("$TAG" "$ITEM" "OFF")
+  done < <(pvesm status -content $CONTENT | awk 'NR>1')

-# Download template if not already cached
-if ! pveam list "$TEMPLATE_STORAGE" | grep -q "$TEMPLATE"; then
-  msg_info "Downloading LXC template"
-  pveam download "$TEMPLATE_STORAGE" "$TEMPLATE" >/dev/null || {
-    msg_error "Failed to download LXC template '${TEMPLATE}'"
-    exit 1
-  }
-  msg_ok "Downloaded LXC template"
+  # Select storage location
+  if [ $((${#MENU[@]} / 3)) -eq 0 ]; then
+    warn "'$CONTENT_LABEL' needs to be selected for at least one storage location."
+    die "Unable to detect valid storage location."
+  elif [ $((${#MENU[@]} / 3)) -eq 1 ]; then
+    printf ${MENU[0]}
+  else
+    local STORAGE
+    while [ -z "${STORAGE:+x}" ]; do
+      STORAGE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Storage Pools" --radiolist \
+        "Which storage pool would you like to use for the ${CONTENT_LABEL,,}?\n\n" \
+        16 $(($MSG_MAX_LENGTH + 23)) 6 \
+        "${MENU[@]}" 3>&1 1>&2 2>&3) || die "Menu aborted."
+    done
+    printf $STORAGE
+  fi
+}
+
+# Get template storage
+TEMPLATE_STORAGE=$(select_storage template)
+info "Using '$TEMPLATE_STORAGE' for template storage."
+
+# Get container storage
+CONTAINER_STORAGE=$(select_storage container)
+info "Using '$CONTAINER_STORAGE' for container storage."
+
+# Update LXC template list
+msg "Updating LXC template list..."
+pveam update >/dev/null
+
+# Get LXC template string
+mapfile -t TEMPLATES < <(pveam available -section turnkeylinux | awk -v turnkey="${turnkey}" '$0 ~ turnkey {print $2}' | sort -t - -k 2 -V)
+[ ${#TEMPLATES[@]} -gt 0 ] || die "Unable to find a template when searching for '${turnkey}'."
+TEMPLATE="${TEMPLATES[-1]}"
+
+# Download LXC template
+if ! pveam list $TEMPLATE_STORAGE | grep -q $TEMPLATE; then
+  msg "Downloading LXC template (Patience)..."
+  pveam download $TEMPLATE_STORAGE $TEMPLATE >/dev/null ||
+    die "A problem occured while downloading the LXC template."
 fi

-# Add rootfs if not specified
-[[ " ${PCT_OPTIONS[*]} " =~ " -rootfs " ]] || PCT_OPTIONS+=(-rootfs "${CONTAINER_STORAGE}:${PCT_DISK_SIZE:-8}")
+# Create variable for 'pct' options
+PCT_OPTIONS=(${PCT_OPTIONS[@]:-${DEFAULT_PCT_OPTIONS[@]}})
+[[ " ${PCT_OPTIONS[@]} " =~ " -rootfs " ]] || PCT_OPTIONS+=(-rootfs $CONTAINER_STORAGE:${PCT_DISK_SIZE:-8})

-# Set telemetry variables for the selected turnkey
-TELEMETRY_TYPE="turnkey"
-NSAPP="turnkey-${turnkey}"
-CT_TYPE=1
-DISK_SIZE="${PCT_DISK_SIZE:-8}"
-CORE_COUNT=2
-RAM_SIZE=2048
-var_os="turnkey"
-var_version="${turnkey}"
+# Create LXC
+msg "Creating LXC container..."
+pct create $CTID ${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE} ${PCT_OPTIONS[@]} >/dev/null ||
+  die "A problem occured while trying to create container."

-# Report installation start to telemetry
-post_to_api
+# Save password
+echo "TurnKey ${turnkey} password: ${PASS}" >>~/turnkey-${turnkey}.creds # file is located in the Proxmox root directory

-# Create LXC container
-msg_info "Creating LXC container"
-pct create "$CTID" "${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE}" "${PCT_OPTIONS[@]}" >/dev/null || {
-  msg_error "Failed to create container"
-  exit 1
-}
-msg_ok "Created LXC container (ID: ${BL}${CTID}${CL})"
-
-# Save credentials securely
-CREDS_FILE=~/turnkey-${turnkey}.creds
-echo "TurnKey ${turnkey} password: ${PASS}" >>"$CREDS_FILE"
-chmod 600 "$CREDS_FILE"
-
-# Configure TUN device access for VPN-based turnkeys
-TUN_DEVICE_REQUIRED=("openvpn")
+# If turnkey is "OpenVPN", add access to the tun device
+TUN_DEVICE_REQUIRED=("openvpn") # Setup this way in case future turnkeys also need tun access
 if printf '%s\n' "${TUN_DEVICE_REQUIRED[@]}" | grep -qw "${turnkey}"; then
-  msg_info "Configuring TUN device access for ${turnkey}"
-  {
-    echo "lxc.cgroup2.devices.allow: c 10:200 rwm"
-    echo "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file 0 0"
-  } >>"/etc/pve/lxc/${CTID}.conf"
-  msg_ok "TUN device access configured"
+  info "${turnkey} requires access to /dev/net/tun on the host. Modifying the container configuration to allow this."
+  echo "lxc.cgroup2.devices.allow: c 10:200 rwm" >>/etc/pve/lxc/${CTID}.conf
+  echo "lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file 0 0" >>/etc/pve/lxc/${CTID}.conf
  sleep 5
 fi

 # Start container
-msg_info "Starting LXC container"
+msg "Starting LXC Container..."
 pct start "$CTID"
-msg_ok "Started LXC container"
 sleep 10

-# Detect container IP
-msg_info "Detecting IP address"
+# Get container IP
+set +euo pipefail # Turn off error checking
+max_attempts=5
+attempt=1
 IP=""
-for attempt in $(seq 1 5); do
-  IP=$(pct exec "$CTID" -- ip -4 a show dev eth0 2>/dev/null | grep -oP 'inet \K[^/]+' || true)
-  if [[ -n "$IP" ]]; then
+while [[ $attempt -le $max_attempts ]]; do
+  IP=$(pct exec $CTID ip a show dev eth0 | grep -oP 'inet \K[^/]+')
+  if [[ -n $IP ]]; then
    break
+  else
+    warn "Attempt $attempt: IP address not found. Pausing for 5 seconds..."
+    sleep 5
+    ((attempt++))
  fi
-  [[ $attempt -lt 5 ]] && sleep 5
 done

-if [[ -z "$IP" ]]; then
-  msg_warn "IP address not found after 5 attempts"
+if [[ -z $IP ]]; then
+  warn "Maximum number of attempts reached. IP address not found."
  IP="NOT FOUND"
-else
-  msg_ok "IP address: ${BL}${IP}${CL}"
 fi

-# Report success to telemetry
-post_update_to_api "done" "none"
+# Start Proxmox VE Monitor-All if available
+if [[ -f /etc/systemd/system/ping-instances.service ]]; then
+  systemctl start ping-instances.service
+fi

-# Success summary
+# Success message
 header_info
 echo
-msg_ok "TurnKey ${BL}${turnkey}${CL} LXC container '${BL}${CTID}${CL}' was successfully created."
+info "LXC container '$CTID' was successfully created, and its IP address is ${IP}."
 echo
-echo -e "  ${TAB}${YW}IP Address:${CL}  ${BL}${IP}${CL}"
-echo -e "  ${TAB}${YW}Login:${CL}       ${GN}root${CL}"
-echo -e "  ${TAB}${YW}Password:${CL}    ${GN}${PASS}${CL}"
+info "Proceed to the LXC console to complete the setup."
 echo
-echo -e "  ${TAB}Proceed to the LXC console to complete the TurnKey setup."
-echo -e "  ${TAB}Credentials stored in: ${BL}~/turnkey-${turnkey}.creds${CL}"
+info "login: root"
+info "password: $PASS"
+info "(credentials also stored in the root user's root directory in the 'turnkey-${turnkey}.creds' file.)"
 echo