* fix(filebrowser-quantum): warn when addon is run directly on Proxmox host
Detect /etc/pve and show a clear warning with link to the recommended
LXC installer. User must explicitly confirm to continue on the host,
addressing the size calculation and indexing issues reported in
gtsteffaniak/filebrowser#1893.
Closes#13636
* fix(filebrowser): improve host warning text and add to filebrowser addon
- Clarify that passthrough drives are not visible on the Proxmox host
- Mention incorrect disk usage stats and incomplete file browsing
- Add same warning to filebrowser (non-quantum) addon which also serves from /
- Reduce verbosity, remove redundant phrasing
* fix(filebrowser): fix misleading host warning wording
Remove reference to a non-existent dedicated LXC installer.
The addons should simply be run inside an LXC or VM instead.
* fix(tools): prevent script crash when entering GitHub token after rate limit
fetch_and_deploy_gh_release set attempt=0 after accepting a token, then
immediately ran ((0++)) which evaluates to 0 (falsy) causing exit code 1
and killing the script under set -e.
Fix: set attempt=1 and continue to restart the retry loop cleanly,
giving the full max_retries budget with the new token.
Also fix fetch_and_deploy_codeberg_release: replace ((attempt++)) with
attempt=\ to avoid the same zero-evaluation crash on
the first connection timeout (attempt starts at 0 in that loop).
Fixes#13635
* feat(tools): add var_github_token support with token validation
- Add var_github_token to all VAR_WHITELIST arrays in build.func so the
token can be set via default.vars, app.vars, or environment variable
- Map var_github_token -> GITHUB_TOKEN in default_var_settings() (env
variable takes precedence over the var file value)
- Add commented var_github_token example to the default.vars template
- Add validate_github_token() to tools.func:
* Calls GET /user to verify the token is accepted
* Reports expiry date from x-oauth-expiry header (fine-grained PATs)
* Warns when classic PAT is missing public_repo scope
* Returns distinct exit codes: 0=valid, 1=invalid/expired, 2=no scope, 3=error
- Update prompt_for_github_token():
* Non-interactive path now picks up var_github_token automatically
* Interactive path also picks up var_github_token without prompting
* Validates token immediately after entry; loops until valid or Ctrl+C
* Homarr: bind Redis to localhost only
* fix(homarr): make Redis bind directive idempotent
Replace unconditional append with grep guard to prevent duplicate
'bind 127.0.0.1 -::1' entries on repeated updates.
* Fix whitespace in homarr install script
Clean up minor whitespace issues in install/homarr-install.sh: remove an extra space before the here-path in the Redis config append (>>/etc/redis/redis.conf) and strip a trailing space after the nginx service name in the systemctl disable call. These are whitespace-only edits to keep the script tidy and avoid passing unintended whitespace to commands.
Update LXC and VM description blocks to include donation and script page badges. Introduces script_slug, script_url and donate_url variables (derived from SCRIPT_SLUG or NSAPP/APP, normalized to lowercase and dashed) and uses them to build links. Replaces the old Ko-fi "Buy us a coffee" badge with a generic donate badge and adds an "Open Script Page" badge linking to the script detail page.
Helmet's useDefaults adds upgrade-insecure-requests to the CSP,
which forces browsers to upgrade all HTTP requests to HTTPS.
Since most LXC users access Immich directly via HTTP, this breaks
the web UI completely (CORS errors, spinning logo).
Patch helmet.json after deploy to explicitly null out the directive,
keeping CSP benefits while allowing HTTP access.
Fixes#13597
