Helmet's useDefaults adds upgrade-insecure-requests to the CSP,
which forces browsers to upgrade all HTTP requests to HTTPS.
Since most LXC users access Immich directly via HTTP, this breaks
the web UI completely (CORS errors, spinning logo).
Patch helmet.json after deploy to explicitly null out the directive,
keeping CSP benefits while allowing HTTP access.
Fixes #13597
* fix(immich): use start.sh in service, ensure DB_HOSTNAME in .env
* Bump Immich to v2.6.2 and adjust chown handling
Update Immich release references from v2.6.1 to v2.6.2 in ct/immich.sh and install/immich-install.sh. Replace broad recursive chown -R on the install dir with a safer approach that avoids recursing into the upload directory (which may be a mounted volume with restricted permissions): set ownership on the install dir itself, chown each top-level entry except 'upload', and attempt to chown the upload path while ignoring errors. Also adjust ordering for /var/log/immich chown to avoid permission issues when enabling services.
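The ownership step this commit describes, as an added bash example rather than the repository's own install/immich-install.sh; the directory layout, user and group are assumptions:

```bash
#!/usr/bin/env bash
# Added illustration of the ownership step described in the commit above; this
# is not the project's install/immich-install.sh. The directory layout, user
# and group names are assumptions made for the example.

# Lists the top-level entries of $1 (dotfiles included) except 'upload', one
# per line. Only these are safe to hand to a recursive chown: 'upload' may be
# a bind-mounted volume whose permissions must not be rewritten.
install_dir_entries() {
  local dir=$1 entry
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue                # unmatched glob pattern
    [ "${entry##*/}" = "upload" ] && continue
    printf '%s\n' "$entry"
  done
}

# Ownership the way the commit describes it: the install dir itself without
# -R, each top-level entry except 'upload' recursively, then a single
# best-effort chown of the upload path with errors ignored.
chown_install_dir() {
  local dir=$1 owner=$2 entry
  chown "$owner" "$dir" || return 1
  while IFS= read -r entry; do
    chown -R "$owner" "$entry" || return 1
  done < <(install_dir_entries "$dir")
  chown "$owner" "$dir/upload" 2>/dev/null || true
  return 0
}

# Stand-alone run on a constructed tree, owned by the current user so it works
# without root. Replace with /opt/immich and immich:immich on a real install.
demo=$(mktemp -d)
mkdir -p "$demo/app/server" "$demo/app/upload/library"
touch "$demo/app/.env" "$demo/app/server/main.js" "$demo/app/upload/library/a.jpg"
chown_install_dir "$demo/app" "$(id -u):$(id -g)" && echo "ownership applied"
rm -rf "$demo"
```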
- Install gcc-13/g++-13 and export CC/CXX before compiling custom
photo-processing libraries to work around GCC-14 ICE segfaults
on Debian 13 Trixie (closes #12895)
- Pre-install Python via 'uv python install' with 3-attempt retry
logic before running 'uv sync' to prevent connection reset failures
during machine-learning setup (closes #12926)
- Applied to both fresh install and update paths
* fix(immich): correct LibRaw clone URL to official upstream
The Immich helper script clones LibRaw from:
https://github.com/libraw/libraw.git
This repository does not exist and results in:
fatal: unable to access ... error: 500
exit code: 128
The correct upstream repository is:
https://github.com/LibRaw/LibRaw.git
This should resolve installation failure during the LibRaw compilation stage.
* Fix repository URL for libraw in install script
---------
Co-authored-by: Chris <punk.sand7393@fastmail.com>
* fix(error-handler): prevent silent() from re-enabling error handling during recovery
Root cause: silent() (core.func) unconditionally calls set -Eeuo pipefail
and trap 'error_handler' ERR after every command. When build_container()
intentionally disables error handling for its recovery section, any
intermediate call through silent() re-enables it. This causes the
grep/sed pipeline for missing_cmd extraction to trigger error_handler
(grep returns exit code 1 on no match + pipefail = fatal).
Fixes:
1. silent(): Save errexit state before disabling, only restore if it was
active. Callers that intentionally disabled error handling (e.g.
build_container recovery) are no longer silently re-enabled.
2. build.func: Add || true to missing_cmd grep pipeline as defense-in-depth
against pipeline failure propagation.
3. build.func: Add explicit set +Eeuo pipefail / trap - ERR after
post_update_to_api() call, before error classification grep/sed section.
4. build.func: Remove stale global combined_log variable from variables()
that used a different path format (/tmp/install-SESSION-combined.log)
than the actual local variable (/tmp/NSAPP-CTID-SESSION.log). The global
was never written to and caused confusion when error_handler displayed it.
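The silent() state-save fix and the defensive grep pipeline from this commit, as an added bash example; this is not the project's core.func/build.func, and the exact shape of silent() and the apt error text are assumptions:

```bash
#!/usr/bin/env bash
# Added illustration of the silent() errexit bug from the commit above; this is
# not the project's core.func/build.func. The shape of silent() and the apt
# error text are assumptions made for the example.
error_handler() { echo "error_handler fired (rc=$?)" >&2; }   # stand-in
# Buggy shape: unconditionally re-arms errexit and the ERR trap after the
# command, even when the caller had deliberately switched error handling off.
silent_buggy() {
  set +Eeuo pipefail
  "$@" >/dev/null 2>&1
  local rc=$?
  set -Eeuo pipefail
  trap 'error_handler' ERR
  return "$rc"
}

# Fixed shape: note whether errexit was on before disabling it, and restore
# error handling only in that case.
silent_fixed() {
  local had_errexit=0
  [[ $- == *e* ]] && had_errexit=1
  set +Eeuo pipefail
  "$@" >/dev/null 2>&1
  local rc=$?
  if [[ $had_errexit -eq 1 ]]; then
    set -Eeuo pipefail
    trap 'error_handler' ERR
  fi
  return "$rc"
}

# Mimics build_container()'s recovery section: error handling is off on
# purpose, one silent() call runs, then we report whether errexit came back.
probe_recovery() {
  (
    set +Eeuo pipefail
    trap - ERR
    "$1" true
    if [[ $- == *e* ]]; then echo "re-enabled"; else echo "left off"; fi
  )
}

# Fix 2 from the commit: the missing-package extraction tolerates "no match"
# (grep exits 1 when nothing matches, which pipefail would otherwise make fatal).
missing_cmd_of() {
  printf '%s\n' "$1" | grep -o 'Unable to locate package .*' | sed 's/.*package //' || true
}
echo "buggy silent(): $(probe_recovery silent_buggy)"   # re-enabled
echo "fixed silent(): $(probe_recovery silent_fixed)"   # left off
```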
* Update build.func
* chore(install): add Github source links to all setup_nodejs scripts
52 install scripts had a project website in '# Source:' but no GitHub
link. Merged the GitHub repo URL into the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Repos sourced from fetch_and_deploy_gh_release calls, get_latest_github_release
calls, or known project repos for npm/pip installed apps.
Two scripts (fumadocs, pve-scripts-local) had no Source line at all —
added one. Shinobi skipped (GitLab-only, no GitHub repo).
* chore(install): add Github source links to all fetch_and_deploy scripts
77 additional install scripts had fetch_and_deploy_gh_release calls but
no GitHub link in the Source header. Merged the primary app repo into
the Source header as:
# Source: https://website.com/ | Github: https://github.com/OWNER/REPO
Where multiple fetch_and_deploy calls existed (app + dependency), the
primary app repo was selected:
- ersatztv: ErsatzTV/ErsatzTV (not ffmpeg)
- firefly: firefly-iii/firefly-iii (not data-importer)
- komga: gotson/komga (not kepubify dep)
- sabnzbd: sabnzbd/sabnzbd (not par2cmdline-turbo dep)
- signoz: SigNoz/signoz (not otel-collector)
- tunarr: chrisbenincasa/tunarr (not ffmpeg dep)
Also fixed cosmos-install.sh double https:// in Source URL.
Skipped: autocaliweb (source already on codeberg, GitHub repos are deps only)
* revert: restore misc/build.func and misc/core.func to main state
These error-handler fixes belong to fix/error-handler-recovery, not to
this sources-only branch.
* chore(ct,tools): sync Source headers with install/ and add Github links to addon scripts
* [ENHANCEMENT] Immich: Support for newer Intel GPUs
- Add support for newer Intel GPUs: Battlemage, Arrow Lake and Panther
Lake by adding v2.22.2 Intel IGC packages
- Fix: ensure libigdgmm12 is installed before other packages during
update
- Fix: Download and install Intel packages in `/tmp` to allow apt to
drop root privileges during installation
* Bump Immich to v2.4.0
* fix(jellyfin): use setup_hwaccel for robust hardware acceleration
Replaces manual hardware acceleration setup with the centralized
setup_hwaccel function from tools.func.
This fixes the installation failure in privileged containers where
/dev/dri does not exist (e.g., when no GPU is passed through).
The setup_hwaccel function includes:
- Proper error handling for missing /dev/dri
- GPU vendor detection (Intel, AMD, NVIDIA)
- Graceful fallback when no GPU is available
Fixes: Installation fails with 'chgrp: cannot access /dev/dri'
when creating privileged containers without GPU passthrough.
* refactor(hwaccel): standardize hardware acceleration across all install scripts
Migrated all install scripts to use the centralized setup_hwaccel function:
- plex-install.sh
- emby-install.sh
- ersatztv-install.sh
- frigate-install.sh
- tdarr-install.sh
- unmanic-install.sh
- channels-install.sh
- ollama-install.sh
- immich-install.sh (added error handling)
Enhanced setup_hwaccel function in tools.func:
- Added -d /dev/dri check before setting permissions
- Added error handling (2>/dev/null || true) for all /dev/dri operations
- Added adduser error handling for video/render groups
- No longer fails if no GPU is detected (graceful skip)
- Added intel-media-va-driver for newer Intel GPUs
- Improved AMD APU support with firmware packages
- Better NVIDIA handling (warning instead of failure)
This fixes installation failures in privileged containers without GPU
passthrough, where /dev/dri does not exist.
Supports: Ubuntu, Debian 12 (Bookworm), Debian 13 (Trixie)
GPU Support: Intel, AMD, NVIDIA (manual driver)
* refactor(hwaccel): complete migration for all GPU apps
Migrated remaining GPU apps to setup_hwaccel:
- fileflows-install.sh
- openwebui-install.sh (added setup_hwaccel - was missing)
- tunarr-install.sh
Also fixed tools/pve/hw-acceleration.sh:
- Added error handling for /dev/dri operations
- Added chmod 660 /dev/dri/* that was missing
- Added error suppression for adduser commands
All 13 GPU apps (var_gpu=yes) now use centralized setup_hwaccel:
jellyfin, plex, emby, ersatztv, frigate, tdarr, unmanic,
channels, ollama, immich, fileflows, openwebui, tunarr
* feat(hwaccel): complete Intel non-free driver support and GID sync
Enhanced setup_hwaccel function:
- Auto-detect Intel GPU generation (Gen 9+ for non-free drivers)
- Debian 12 (Bookworm): Add non-free repo + intel-media-va-driver-non-free
- Debian 13 (Trixie): Add non-free repo + libvpl2 + mesa-opencl-icd
- Ubuntu: Use ubuntu repos with intel-media-va-driver
- Fallback to open drivers if non-free fails
- GID sync for video/render groups (moved from install scripts)
OpenWebUI: Added Intel oneAPI support when installing Ollama
- Intel Level Zero GPU support
- Intel oneAPI Base Toolkit
- Same setup as standalone Ollama install
Cleanup:
- Removed duplicate GID sync from tdarr-install.sh
- Removed duplicate GID sync from unmanic-install.sh
* fix(ersatztv): remove duplicate HW acceleration code
Removed manual Intel HW acceleration setup that remained after
setup_hwaccel migration. The non-free driver prompt is no longer
needed as setup_hwaccel auto-detects Intel GPU generation.
* Update scripts to use Debian 13 and improve update logic
Bump default container OS version from Debian 12 to 13 across multiple LXC setup scripts. Refactor update_script functions for consistency, improve messaging, and standardize apt usage. Update Kimai install and update scripts to use setup_php, setup_composer, and fetch_and_deploy_gh_release helpers, and switch from MySQL to MariaDB. Update Kometa to use Python 3.13. Minor improvements to backup, cleanup, and service management steps in several scripts.
* Refactor install scripts: unify cleanup and apt usage
Replaces repeated apt-get commands with apt for installing dependencies, and consolidates cleanup steps into a single cleanup_lxc function across all install scripts. Also updates repository setup to use setup_deb822_repo where applicable, and makes minor improvements to dependency installation and service setup.
* Update default Debian version to 13 and refactor updates
Set the default Debian version to 13 across all container scripts. Standardize apt command usage by replacing 'apt-get' with 'apt' where appropriate. Remove redundant cleanup steps from update scripts and streamline update logic for consistency. Also, call 'cleanup_lxc' after 'update_script' in the build function.
* Update default OS version to Debian 13 in JSON configs
Updated the 'version' field from '12' to '13' for Debian-based install methods across multiple application JSON files. Also set default OS and version for inspircd. This ensures new containers use the latest supported Debian release.
* fix kimai Update Check
* grammar
* Correct typo in success message
* Fix typo in success message for update
* refactor
* fixed jenkins / improve komodo
---------
Co-authored-by: Tobias <96661824+CrazyWolf13@users.noreply.github.com>
* replace for-loop with curl native for multiple downloads
* add ccache dependency for OCR feature
* Update NodeJS to 24
* bump pinned version to 2.2.0
- Ensure VectorChord upgrades only run if there is also an Immich update
- Ensure pgvector is up-to-date before updating VectorChord
- Move postgresql service restart before extension update commands
- Add reindex commands to update process
- Attempt to address superfluous sharp compilation