1.2.1.1-beta: notification + LXC + post-install fixes

- flask_notification_routes: PVE webhook X-Webhook-Secret written in
  standard base64 so PVE can decode it (GH #198)
- notification_channels: Gmail SMTP App Password handling — normalize
  tls_mode (None/empty → starttls), reject creds without host (false-
  positive sendmail delivery), surface "AUTH not advertised" hint
- notification_events: is_vzdump_active_on_host() reads /var/log/pve/
  tasks/active directly so backup_start fallback and vm_shutdown
  suppression survive a Monitor restart mid-backup
- notification_templates: extract --storage flag from vzdump log →
  "PBS-Cloud: vm/104/…" instead of generic "PBS:" prefix when multiple
  PBS endpoints exist
- health_monitor: pve_storage_capacity + zfs_pool_capacity respect
  per-item dismiss (don't keep category WARNING/CRITICAL after user
  dismisses); updates_check cache invalidated when /var/log/apt/
  history.log mtime advances
- lxc_mount_points: PVE volume size from subvol quota (df via
  /proc/<host_pid>/root/<target> + lxc.conf size=NNNG fallback);
  host_source_state detects "host detached" zombie binds; per-mount
  subprocess work parallelised via ThreadPoolExecutor so a CT with
  many bind mounts doesn't trip the Caddy 3s reverse-proxy timeout
- virtual-machines: "host detached" badge on bind mounts whose host
  source path disappeared
- auto/customizable_post_install: log2ram FUNC_VERSION 1.1 → 1.2; new
  log2ram-check.sh vacuums journal + truncates non-rotating logs
  (pveproxy/access.log, pveam.log) instead of only calling
  `log2ram write` (which leaves the tmpfs full); auto flow gains the
  missing SystemMaxUse in /etc/systemd/journald.conf

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/post_install/customizable_post_install.sh

@@ -2350,7 +2350,7 @@ update_pve_appliance_manager() {
 
 
 configure_log2ram() {
-    local FUNC_VERSION="1.1"
+    local FUNC_VERSION="1.2"
     # description: Install Log2RAM with user-chosen RAM size; prompts for size and SSD/M.2 awareness before applying.
     msg_info2 "$(translate "Preparing Log2RAM configuration")"
     sleep 1
@@ -2477,6 +2477,13 @@ EOF
     if [[ "$ENABLE_AUTOSYNC" == true ]]; then
         cat > /usr/local/bin/log2ram-check.sh <<'EOF'
 #!/usr/bin/env bash
+# v1.2 — `log2ram write` only copies tmpfs→disk; it does NOT shrink
+# the tmpfs. When journald or pveproxy/access.log grow past their
+# limits the tmpfs hit 100% and PVE crashed with "No space left on
+# device" on Shell open (community-reported: JC Miñarro, Nicolás P.
+# de A., 17-18/05). We now vacuum the journal and truncate the
+# non-rotating logs that actually consume the tmpfs before calling
+# `log2ram write`.
 PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 CONF_FILE="/etc/log2ram.conf"
 L2R_BIN="$(command -v log2ram || true)"
@@ -2486,7 +2493,8 @@ L2R_BIN="$(command -v log2ram || true)"
 SIZE_MiB="$(grep -E '^SIZE=' "$CONF_FILE" 2>/dev/null | cut -d'=' -f2 | tr -dc '0-9')"
 [[ -z "$SIZE_MiB" ]] && SIZE_MiB=128
 LIMIT_BYTES=$(( SIZE_MiB * 1024 * 1024 ))
-THRESHOLD_BYTES=$(( LIMIT_BYTES * 90 / 100 ))
+WARN_BYTES=$(( LIMIT_BYTES * 80 / 100 ))
+EMERGENCY_BYTES=$(( LIMIT_BYTES * 92 / 100 ))
 
 USED_BYTES="$(df -B1 --output=used /var/log 2>/dev/null | tail -1 | tr -dc '0-9')"
 [[ -z "$USED_BYTES" ]] && exit 0
@@ -2495,8 +2503,24 @@ LOCK="/run/log2ram-check.lock"
 exec 9>"$LOCK" 2>/dev/null || exit 0
 flock -n 9 || exit 0
 
-if (( USED_BYTES > THRESHOLD_BYTES )); then
-  "$L2R_BIN" write 2>/dev/null || true
+# `log2ram write` alone leaves the tmpfs full. Real recovery requires:
+# (a) journal vacuum — journald respects --vacuum-size unconditionally,
+#     unlike SystemMaxUse which only enforces on rotation boundaries;
+# (b) truncating logs that aren't rotated by logrotate (pveproxy, pveam);
+# (c) THEN syncing to disk so the persistent copy reflects reality.
+if (( USED_BYTES > EMERGENCY_BYTES )); then
+    SAFE_JOURNAL_MB=$(( SIZE_MiB * 5 / 100 ))
+    [[ "$SAFE_JOURNAL_MB" -lt 16 ]] && SAFE_JOURNAL_MB=16
+    journalctl --vacuum-size="${SAFE_JOURNAL_MB}M" >/dev/null 2>&1 || true
+    : > /var/log/pveproxy/access.log 2>/dev/null || true
+    : > /var/log/pveproxy/error.log 2>/dev/null || true
+    : > /var/log/pveam.log 2>/dev/null || true
+    "$L2R_BIN" write 2>/dev/null || true
+elif (( USED_BYTES > WARN_BYTES )); then
+    SOFT_JOURNAL_MB=$(( SIZE_MiB * 30 / 100 ))
+    [[ "$SOFT_JOURNAL_MB" -lt 32 ]] && SOFT_JOURNAL_MB=32
+    journalctl --vacuum-size="${SOFT_JOURNAL_MB}M" >/dev/null 2>&1 || true
+    "$L2R_BIN" write 2>/dev/null || true
 fi
 EOF
         chmod +x /usr/local/bin/log2ram-check.sh
@@ -2510,7 +2534,7 @@ MAILTO=""
 EOF
         chmod 0644 /etc/cron.d/log2ram-auto-sync
         chown root:root /etc/cron.d/log2ram-auto-sync
-        msg_ok "$(translate "Auto-sync enabled when /var/log exceeds 90% of") $LOG2RAM_SIZE"
+        msg_ok "$(translate "Auto-sync enabled when /var/log exceeds 80% of") $LOG2RAM_SIZE"
     else
         rm -f /usr/local/bin/log2ram-check.sh /etc/cron.d/log2ram-auto-sync 2>/dev/null || true
         msg_info2 "$(translate "Auto-sync was not enabled")"