Helmet's useDefaults adds upgrade-insecure-requests to the CSP,
which forces browsers to upgrade all HTTP requests to HTTPS.
Since most LXC users access Immich directly via HTTP, this breaks
the web UI completely (CORS errors, spinning logo).
Patch helmet.json after deploy to explicitly null out the directive,
keeping CSP benefits while allowing HTTP access.
Fixes #13597
* fix(immich): use start.sh in service, ensure DB_HOSTNAME in .env
* Bump Immich to v2.6.2 and adjust chown handling
Update Immich release references from v2.6.1 to v2.6.2 in ct/immich.sh and install/immich-install.sh. Replace broad recursive chown -R on the install dir with a safer approach that avoids recursing into the upload directory (which may be a mounted volume with restricted permissions): set ownership on the install dir itself, chown each top-level entry except 'upload', and attempt to chown the upload path while ignoring errors. Also adjust ordering for /var/log/immich chown to avoid permission issues when enabling services.
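The ownership fix-up described above, as an added shell example that is not the project's own ct/immich.sh (the install dir, owner and demo layout are assumptions): the install dir itself is chowned non-recursively, each top-level entry except upload recursively, and the upload path last with errors ignored.

```shell
#!/usr/bin/env bash
# Added example, not the project's ct/immich.sh: ownership fix-up that avoids
# a blanket chown -R on the install dir, so a restricted upload mount is not
# recursed into. Paths and owner below are assumptions for the demo.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the chown commands, 0 = run them

# Runs a command, or prints it in dry-run mode.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

fixup_ownership() {
  dir=$1; owner=$2
  # 1. The install dir itself, non-recursively.
  run chown "$owner" "$dir"
  # 2. Every top-level entry (dotfiles such as .env included) except upload.
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue            # unmatched glob pattern
    [ "$(basename "$entry")" = upload ] && continue
    run chown -R "$owner" "$entry"
  done
  # 3. The upload path last, errors ignored: it may be a mounted volume
  #    whose permissions cannot be changed from inside the container.
  run chown -R "$owner" "$dir/upload" 2>/dev/null || true
}

# Constructed layout mimicking an install dir (temporary, demo only).
DEMO_DIR="$(mktemp -d)"
mkdir -p "$DEMO_DIR/app" "$DEMO_DIR/upload/library"
: >"$DEMO_DIR/.env"

fixup_ownership "$DEMO_DIR" immich:immich
```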
* Display pin reason in release-check messages
Add an optional pin_reason parameter to check_for_gh_release and check_for_codeberg_release and update the no-update messaging to show the provided reason. If no reason is supplied, show a default message indicating the update is temporarily held back due to issues with newer releases. This improves user feedback when versions are intentionally pinned.
* Add informational args to release checks
Pass extra informational strings to check_for_gh_release calls to surface release-specific notes. Updated ct/immich.sh (notes for Immich and VectorChord releases), ct/opencloud.sh (note for OpenCloud), and ct/plant-it.sh (note about web frontend presence). These messages clarify testing/compatibility expectations when checking releases.
- Install gcc-13/g++-13 and export CC/CXX before compiling custom
photo-processing libraries to work around GCC-14 ICE segfaults
on Debian 13 Trixie (closes #12895)
- Pre-install Python via 'uv python install' with 3-attempt retry
logic before running 'uv sync' to prevent connection reset failures
during machine-learning setup (closes #12926)
- Applied to both fresh install and update paths
* fix(immich): correct LibRaw clone URL to official upstream
The Immich helper script clones LibRaw from:
https://github.com/libraw/libraw.git
This repository does not exist and results in:
fatal: unable to access ... error: 500
exit code: 128
The correct upstream repository is:
https://github.com/LibRaw/LibRaw.git
This should resolve installation failure during the LibRaw compilation stage.
* Fix repository URL for libraw in install script
---------
Co-authored-by: Chris <punk.sand7393@fastmail.com>
* fix(error-handler): prevent silent() from re-enabling error handling during recovery
Root cause: silent() (core.func) unconditionally calls set -Eeuo pipefail
and trap 'error_handler' ERR after every command. When build_container()
intentionally disables error handling for its recovery section, any
intermediate call through silent() re-enables it. This causes the
grep/sed pipeline for missing_cmd extraction to trigger error_handler
(grep returns exit code 1 on no match + pipefail = fatal).
Fixes:
1. silent(): Save errexit state before disabling, only restore if it was
active. Callers that intentionally disabled error handling (e.g.
build_container recovery) are no longer silently re-enabled.
2. build.func: Add || true to missing_cmd grep pipeline as defense-in-depth
against pipeline failure propagation.
3. build.func: Add explicit set +Eeuo pipefail / trap - ERR after
post_update_to_api() call, before error classification grep/sed section.
4. build.func: Remove stale global combined_log variable from variables()
that used a different path format (/tmp/install-SESSION-combined.log)
than the actual local variable (/tmp/NSAPP-CTID-SESSION.log). The global
was never written to and caused confusion when error_handler displayed it.
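Fixes 1 and 2 above, as an added shell example that is not the project's core.func or build.func: silent() records the caller's errexit state via $- and restores it only if it was on, and the recovery-section log scrape keeps || true so grep's exit 1 on no match does not fail the pipeline under pipefail. The log format and file paths are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the project's core.func/build.func: a silent() wrapper
# that restores errexit only if the caller had it on, plus a recovery-section
# log scrape that tolerates "no match" from grep under pipefail.
(set -o pipefail) 2>/dev/null && set -o pipefail   # as the project does
# True when errexit (set -e) is currently active; $- lists active options.
errexit_active() { case "$-" in *e*) return 0 ;; *) return 1 ;; esac; }
silent() {
  # Save the caller's errexit state before disabling it.
  local had_errexit=0
  errexit_active && had_errexit=1
  set +e
  "$@" >/dev/null 2>&1
  local rc=$?
  # Restore only if it was active: a caller that deliberately disabled
  # error handling (e.g. a recovery section) is left as it was.
  [ "$had_errexit" -eq 1 ] && set -e
  return "$rc"
}
# Recovery-section helper: extract the first missing command from a log.
# grep exits 1 on no match, which pipefail would turn into a failed
# pipeline, so || true is kept as defense-in-depth.
missing_cmd_from_log() {
  grep -o '[^ :]*: command not found' "$1" 2>/dev/null \
    | sed 's/: command not found//' | head -n1 || true
}
# Reports errexit state after silent() runs inside a section that has
# deliberately turned error handling off (the build_container case).
state_after_silent_in_recovery() {
  set +e
  silent false
  if errexit_active; then echo on; else echo off; fi
}
# Reports errexit state after silent() runs with error handling on.
state_after_silent_with_errexit() {
  set -e
  silent true
  if errexit_active; then echo on; else echo off; fi
}
# Constructed sample install log (not a real Immich log).
EXAMPLE_LOG="$(mktemp)"; EMPTY_LOG="$(mktemp)"
printf '%s\n' 'Installing dependencies...' \
  'bash: line 42: ffmpeg: command not found' 'Build failed' >"$EXAMPLE_LOG"

echo "errexit after silent() in recovery section: $(state_after_silent_in_recovery)"
echo "missing command: $(missing_cmd_from_log "$EXAMPLE_LOG")"
```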
* Update build.func
* chore(install): add Github source links to all setup_nodejs scripts
52 install scripts had a project website in '# Source:' but no GitHub
link. Merged the GitHub repo URL into the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Repos sourced from fetch_and_deploy_gh_release calls, get_latest_github_release
calls, or known project repos for npm/pip installed apps.
Two scripts (fumadocs, pve-scripts-local) had no Source line at all —
added one. Shinobi skipped (GitLab-only, no GitHub repo).
* chore(install): add Github source links to all fetch_and_deploy scripts
77 additional install scripts had fetch_and_deploy_gh_release calls but
no GitHub link in the Source header. Merged the primary app repo into
the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Where multiple fetch_and_deploy calls existed (app + dependency), the
primary app repo was selected:
- ersatztv: ErsatzTV/ErsatzTV (not ffmpeg)
- firefly: firefly-iii/firefly-iii (not data-importer)
- komga: gotson/komga (not kepubify dep)
- sabnzbd: sabnzbd/sabnzbd (not par2cmdline-turbo dep)
- signoz: SigNoz/signoz (not otel-collector)
- tunarr: chrisbenincasa/tunarr (not ffmpeg dep)
Also fixed cosmos-install.sh double https:// in Source URL.
Skipped: autocaliweb (source already on codeberg, GitHub repos are deps only)
* revert: restore misc/build.func and misc/core.func to main state
These error-handler fixes belong to fix/error-handler-recovery, not to
this sources-only branch.
* chore(ct,tools): sync Source headers with install/ and add Github links to addon scripts
* [FEAT] Immich: enable Maintenance Mode prior to update
- Checks if current version is 2.5.2 or higher
- Also disables Maintenance Mode afterwards
* fix pathing issue; suppress `cd -` output
* [ENHANCEMENT] Immich: Support for newer Intel GPUs
- Add support for newer Intel GPUs: Battlemage, Arrow Lake and Panther
Lake by adding v2.22.2 Intel IGC packages
- Fix: ensure libigdgmm12 is installed before other packages during
update
- Fix: Download and install Intel packages in `/tmp` to allow apt to
drop root privileges during installation
* Bump Immich to v2.4.0